[openstack-dev] [keystone] deprecating the policy and credential APIs

Lance Bragstad lbragstad at gmail.com
Fri May 26 15:21:45 UTC 2017

At the PTG in Atlanta, we talked about deprecating the policy and
credential APIs. The policy API doesn't do anything and secrets shouldn't
be stored in the credential API. Reasoning and outcomes can be found in the
etherpad from the session [0]. There was some progress made on the policy
API [1], but it's missing a couple patches to tempest. Is anyone willing to
carry the deprecation over the finish line for Pike?

According to the outcomes from the session, the credential API needs a
little bit of work before we can deprecate it. It was determined at the PTG
that if keystone absolutely has to store ec2 and totp secrets, they
should be formal first-class attributes of the user (i.e. like how we treat
passwords `user.password`). This would require refactoring the existing
totp and ec2 implementations to use user attributes. Then we could move
forward with deprecating the actual credential API. Depending on the amount
of work required to make .totp and .ec2 formal user attributes, I'd be fine
with pushing the deprecation to Queens if needed.

Does this interest anyone?

[0] https://etherpad.openstack.org/p/pike-ptg-keystone-deprecations
[1] https://review.openstack.org/#/c/438096/