[dev][keystone] Keystone Team Update - Week of 10 December 2018

Colleen Murphy colleen at gazlene.net
Fri Dec 14 15:58:19 UTC 2018


# Keystone Team Update - Week of 10 December 2018

## News

### Policy questions

We had some topics related to RBAC and policy come up in discussions this week. We had an exchange over whether the reader role is really sufficient to describe the ability to read resources currently restricted to admins as well as resources currently restricted to members, or if those are really two different kinds of read levels[1][2]. We also discussed our current work on default roles with the cinder team[3] in light of their work on documenting some best practices for policy configuration in cinder[4]. Finally, in our efforts to convert our own policies to use the default roles[5], we're starting to deep-dive into the APIs to uncover their intentions, their current protections, and the most sensible default policies for them.

[1] http://lists.openstack.org/pipermail/openstack-discuss/2018-December/000888.html
[2] http://eavesdrop.openstack.org/irclogs/%23openstack-keystone/%23openstack-keystone.2018-12-13.log.html#t2018-12-13T18:03:51
[3] http://lists.openstack.org/pipermail/openstack-discuss/2018-December/000875.html
[4] https://review.openstack.org/624424
[5] https://review.openstack.org/#/q/status:open+topic:implement-default-roles

### Cleaning up old specs

At the weekly meeting we tangented from another topic to note that we've been doing a bad job of pruning the specs backlog and that we should organize some process around regularly reevaluating and prioritizing things in it[6].

[6] http://eavesdrop.openstack.org/meetings/keystone/2018/keystone.2018-12-11-16.00.log.html#l-88

### Immutable Roles and Resource Options for All

Morgan proposed a new spec[7] to lay the groundwork for implementing resource options for most or all resources in keystone, similar to the user options we have now that let us control MFA rights and PCI-DSS restrictions. We'd then like to build on this to make some resources, especially roles, immutable[8] or locked in order to prevent accidentally deleting deployment-critical resources, which we know has happened to more than one person.

[7] https://review.openstack.org/624692
[8] https://review.openstack.org/624162

## Open Specs

Stein specs: https://bit.ly/2Pi6dGj

Ongoing specs: https://bit.ly/2OyDLTh

We merged the JWT spec[9] and the domain limits spec[10]. Morgan proposed a new spec for Stein[11] although we are past the spec proposal freeze date. We may decide to push it to Train, but that will also delay starting on the new immutable resources spec[12].

[9] http://specs.openstack.org/openstack/keystone-specs/specs/keystone/stein/json-web-tokens.html
[10] http://specs.openstack.org/openstack/keystone-specs/specs/keystone/stein/domain-level-limit.html
[11] https://review.openstack.org/624162
[12] https://review.openstack.org/624692

## Recently Merged Changes

Search query: https://bit.ly/2pquOwT

We merged 38 changes this week. These included cleanup work to finish the documentation consolidation that we started a while ago, as well as several patches for default roles policy updates.

## Changes that need Attention

Search query: https://bit.ly/2RLApdA

There are 98 changes that are passing CI, not in merge conflict, have no negative reviews and aren't proposed by bots. These are mainly still the default roles policy changes from Lance.

## Bugs

This week we opened 5 new bugs and closed 5.

Bugs opened (5) 
Bug #1807751 (keystone:Wishlist) opened by Morgan Fainberg https://bugs.launchpad.net/keystone/+bug/1807751 
Bug #1807697 (keystone:Undecided) opened by Yang Youseok https://bugs.launchpad.net/keystone/+bug/1807697 
Bug #1807805 (keystone:Undecided) opened by Zhongcheng Lao https://bugs.launchpad.net/keystone/+bug/1807805 
Bug #1808059 (keystone:Undecided) opened by David Vallee Delisle https://bugs.launchpad.net/keystone/+bug/1808059 
Bug #1808305 (python-keystoneclient:Undecided) opened by Neha Alhat https://bugs.launchpad.net/python-keystoneclient/+bug/1808305 

Bugs closed (2) 
Bug #1802136 (keystone:Undecided) https://bugs.launchpad.net/keystone/+bug/1802136 
Bug #1808059 (keystone:Undecided) https://bugs.launchpad.net/keystone/+bug/1808059 

Bugs fixed (3) 
Bug #1794376 (keystone:High) fixed by Lance Bragstad https://bugs.launchpad.net/keystone/+bug/1794376 
Bug #1803780 (keystone:Low) fixed by Adam Young https://bugs.launchpad.net/keystone/+bug/1803780 
Bug #1803940 (keystonemiddleware:Wishlist) fixed by Artem Vasilyev https://bugs.launchpad.net/keystonemiddleware/+bug/1803940

## Milestone Outlook

https://releases.openstack.org/stein/schedule.html

## Help with this newsletter

Help contribute to this newsletter by editing the etherpad: https://etherpad.openstack.org/p/keystone-team-newsletter
Dashboard generated using gerrit-dash-creator and https://gist.github.com/lbragstad/9b0477289177743d1ebfc276d1697b67


