2020-05-19 Security Subcommittee Meeting Notes
Please find below the Minutes of Meetings and recording for the SECCOM meeting that was held on 19th of May 2020.
| Jira No | Summary | Description | Status | Solution |
|---|---|---|---|---|
| | SECCOM Non functional requirements for Guilin release | Wiki to be updated by each requirement leader by 27th of May. Additionally, Jira requirement Epics will have to be created. | Ongoing | Amy already fulfilled packages upgrade requirement. |
| | AAF removal proposal | Following the discussions, the SECCOM team agreed on the following statement proposal: AAF is a default security mechanism for ONAP; it should be possible to replace AAF with an alternative solution. OOF is the only project that is using AAF SMS. | Done; Done - waiting for feedback from Taka. | To be shared with Sylvain. Taka to be contacted to check in what context AAF is used by APPC. |
| | Guilin Integration non-functional requirements | Amy presented slides with Sylvain's proposal. 2 blockers identified: Components may use http = to have the ability to run without https. Applications come with hardcoded passwords, and then when we try to replace them with something else, if it fails the application is using default insecure passwords. Many applications fail without any message - if you put a special character inside the sed, it would not fail but produce a result that you would not expect, and then the application configuration is broken. We ask PTLs to update their code to comply with those requirements. When the TSC decides to put lower priority on some of those, we might not be able to enforce them for the existing code (we may try to achieve it gradually). Any new code should comply with those regulations that we have here. Nginx ingress is already part of the deployment. | | |
| | IAM requirement | Waiting for Fabian's feedback. | | SECCOM-136: Review ONAP security req [idam-1] (Open); SECCOM-172: Review ONAP security req [analytics-11] (Open), to be reviewed by Fabian. |
| | Logging proposal at the last PTL call | Christophe provided a proposal on logging. Action plan is more short term and definitely a path forward. | | |
| | AAF status | Not clear if we have a new PTL - John Franey. New committers (Pawel, John and Gerard) were only temporary for Frankfurt release. | | To be checked with John or Pawel. B. |
| | Content for Jira's for CII Badging | Conversation on Security documentation meeting next week. | | |
| | OUR NEXT SECCOM MEETING CALL WILL BE HELD ON 26th OF MAY'20. | | | |