[openstack-dev] Keystone Grizzly Planning

heckj heckj at mac.com
Tue Nov 6 21:13:41 UTC 2012


Howdy all,

Like the other projects, I wanted to provide an overview of what's looking to happen in Keystone over the grizzly release cycle.

From the summit, we had the state of the project slides, which might be of interest: http://www.slideshare.net/ccjoe/oct-2012-state-of-project-keystone

Since then, we've been working on fleshing out more details around those initial discussions, and we've been correlating who's working on what to get an overview of what's coming up for Keystone. If you're into reading raw notes, take a look at https://etherpad.openstack.org/keystone-grizzly-plans. For those looking for more of a tl;dr:

grizzly-1 plans:
 * merging in V3 API work - "tech preview"
https://blueprints.launchpad.net/keystone/+spec/implement-v3-core-api

 * move auth_token middleware to keystoneclient repo
https://blueprints.launchpad.net/keystone/+spec/authtoken-to-keystoneclient-repo

 * AD LDAP extensions
https://blueprints.launchpad.net/keystone/+spec/ad-ldap-identity-backend

 * enabling policy & RBAC access for V3 API
https://blueprints.launchpad.net/keystone/+spec/rbac-keystone-api

grizzly-2 plans:
* pre-authenticated token
https://blueprints.launchpad.net/keystone/+spec/pre-auth

* pluggable authentication handlers
https://blueprints.launchpad.net/keystone/+spec/pluggable-identity-authentication-handlers

* consolidated policy documentation/recommendations
https://blueprints.launchpad.net/keystone/+spec/document-deployment-suggestions-policy

* PKI future work
https://blueprints.launchpad.net/keystone/+spec/delegation
  - starting into delegation, signing of tokens
  - annotations on signing for authorization

grizzly-3 plans:
* delegation
https://blueprints.launchpad.net/keystone/+spec/delegation

* multifactor authN
https://blueprints.launchpad.net/keystone/+spec/multi-factor-authn

Much of the work and desires around Delegation has yet to be fully defined and nailed down, and relies on a lot of additions in making PKI based tokens a stable, solid, default mechanism. I'm sure there will be some redirection once we get a few weeks down the road and see what's happening with the V3 API rollout and PKI token extensions to support delegation, pre-auth, and so forth.


