[openstack-dev] [keystone] Keystone Team Update - Week of 6 August 2018

Colleen Murphy colleen at gazlene.net
Fri Aug 10 15:46:38 UTC 2018


# Keystone Team Update - Week of 6 August 2018

## News

### RC1

We released RC1 this week[1]. Please try it out and be on the lookout for critical bugs. As of yet we don't seem to have any showstoppers that would require another RC.

[1] https://releases.openstack.org/rocky/index.html#rocky-keystone

### Edge Discussions

The OpenNFV Edge Cloud group and the Edge Computing Group are ramping up implementations of proofs of concept for the potential keystone architectures for edge cloud scenarios. Some of the models under investigation or that we've suggested[2] are keystone-to-keystone federation, regular federation with an external identity provider, database synchronization via database replication[3] and database synchronization via an agent. One idea to enhance the federation-based models is to make application credentials refreshable, which Kristi is going to write a spec for[4]. I encourage the team to join the meeting calls[5][6], to help the people working on implementations, and volunteer for technical work items. It would be great to be at a point where we can discuss design details for the next cycle at the PTG.

[2] https://wiki.openstack.org/wiki/Keystone_edge_architectures
[3] https://review.openstack.org/566448
[4] http://eavesdrop.openstack.org/irclogs/%23openstack-keystone/%23openstack-keystone.2018-08-07.log.html#t2018-08-07T15:34:54
[5] https://wiki.openstack.org/wiki/Edge_Computing_Group#Meetings
[6] https://wiki.opnfv.org/display/PROJ/Edge+cloud

### Flask Work

Morgan has been diligently working on converting our APIs to Flask; please see the many outstanding reviews[7]. Some of these conversions should be parallelizable, so if you'd like to help him out I'm sure he would appreciate it; just coordinate with him[8].

[7] https://review.openstack.org/#/q/status:open+topic:bug/1776504
[8] http://eavesdrop.openstack.org/irclogs/%23openstack-keystone/%23openstack-keystone.2018-08-06.log.html#t2018-08-06T20:31:19

### Self-Service Keystone

At the weekly meeting Adam suggested we make self-service keystone a focus point of the PTG[9]. Currently, policy limitations make it difficult for an unprivileged keystone user to get things done or to get information without the help of an administrator. There are some other projects that have been created to act as workflow proxies to mitigate keystone's limitations, such as Adjutant[10] (now an official OpenStack project) and Ksproj[11] (written by Kristi). The question is whether the primitives offered by keystone are sufficient building blocks for these external tools to leverage, or if we should be doing more of this logic within keystone. Certainly improving our RBAC model is going to be a major part of improving the self-service user experience.

[9] http://eavesdrop.openstack.org/meetings/keystone/2018/keystone.2018-08-07-16.00.log.html#l-121
[10] https://adjutant.readthedocs.io/en/latest/
[11] https://github.com/CCI-MOC/ksproj

### Standalone Keystone

Also at the meeting and during office hours, we revived the discussion of what it would take to have a standalone keystone be a useful identity provider for non-OpenStack projects[12][13]. First up we'd need to turn keystone into a fully-fledged SAML IdP, which it's not at the moment (which is a point of confusion in our documentation), or even add support for it to act as an OpenID Connect IdP. This would be relatively easy to do (or at least not impossible). Then the application would have to use keystonemiddleware or its own middleware to route requests to keystone to issue and validate tokens (this is one aspect where we've previously discussed whether JWT could benefit us). Then the question is what should a not-OpenStack application do with keystone's "scoped RBAC"? It would all depend on how the resources of the application are grouped and whether they care about multitenancy in some form. Likely each application would have different needs and it would be difficult to find a one-size-fits-all approach. We're interested to know whether anyone has a burning use case for something like this.

[12] http://eavesdrop.openstack.org/meetings/keystone/2018/keystone.2018-08-07-16.00.log.html#l-192
[13] http://eavesdrop.openstack.org/irclogs/%23openstack-keystone/%23openstack-keystone.2018-08-07.log.html#t2018-08-07T17:01:30

### PTG Planning

We're in the brainstorming phase for the PTG; please add topics to the etherpad[14]. Lance will organize these into an agenda soonish.

[14] https://etherpad.openstack.org/p/keystone-stein-ptg

## Recently Merged Changes

Search query: https://bit.ly/2IACk3F

We merged 16 changes this week.

## Changes that need Attention

Search query: https://bit.ly/2wv7QLK

There are 54 changes that are passing CI, not in merge conflict, have no negative reviews and aren't proposed by bots. Special attention should be given to patches that close bugs, and we should make sure we backport any critical bugfixes to stable/rocky.

## Bugs

This week we opened 2 new bugs and closed 3. There don't currently seem to be any showstopper bugs for Rocky. orange_julius has been chasing a fun, apparently longstanding bug in ldappool[15], our traditionally low-effort adopted project.

Bugs opened (2) 
Bug #1786383 (keystone:Undecided) opened by Liyingjun https://bugs.launchpad.net/keystone/+bug/1786383 
Bug #1785898 (ldappool:Undecided) opened by Nick Wilburn https://bugs.launchpad.net/ldappool/+bug/1785898

Bugs fixed (3) 
Bug #1782704 (keystone:High) fixed by Lance Bragstad https://bugs.launchpad.net/keystone/+bug/1782704 
Bug #1780503 (keystone:Medium) fixed by Gage Hugo https://bugs.launchpad.net/keystone/+bug/1780503 
Bug #1785164 (keystone:Undecided) fixed by wangxiyuan https://bugs.launchpad.net/keystone/+bug/1785164

[15] https://bugs.launchpad.net/ldappool/+bug/1785898

## Milestone Outlook

https://releases.openstack.org/rocky/schedule.html

This week was the RC1 deadline as well as the string freeze, so we should not be merging any changes to strings for Rocky. We have two weeks to release another RC if we need to.

## Help with this newsletter

Help contribute to this newsletter by editing the etherpad: https://etherpad.openstack.org/p/keystone-team-newsletter
Dashboard generated using gerrit-dash-creator and https://gist.github.com/lbragstad/9b0477289177743d1ebfc276d1697b67


