# Keystone Team Update - Week of 21 January 2019 ## News ### Technical Vision Statement >From time to time we talk about writing a mission statement for keystone, and then the idea always loses steam due to unfocused motivation. Luckily the TC has now given us some excellent starting points[1] and has requested we publish a similar team statement and/or update the overall guiding document[2]. We started taking notes on how keystone measures up with the overall vision[3] and whoever finds time first will write up an addition to the keystone contributor guide, where we can further discuss on the review. [1] https://governance.openstack.org/tc/reference/technical-vision.html [2] http://lists.openstack.org/pipermail/openstack-discuss/2019-January/001417.html [3] https://etherpad.openstack.org/p/keystone-technical-vision-notes ### External and Tokenless Auth (What's old is new again) In working with the Edge computing group and the engineers at Oath we've been revisiting external authentication with X.509 as well as tokenless authentication[4][5], both ancient features in keystone. Though they are under-tested and have suffered mild bitrot they are still useful features. External authentication with mod_ssl can potentially be used as a drop-in replacement for the custom authentication plugin that Oath currently uses for their IdP Athenz. It does not on its own solve the Edge use case in which a client may be unable to connect to the keystone server for long periods of time, but the ideas can be used as a starting point for proper offline authentication. Tokenless authentication is closely tied to X.509 authentication and was a useful idea for starting to reduce the security impact of bearer tokens, but it was never fully implemented. We have been discussing revamping that feature and will be working on cleaning up the bitrot and the documentation around these features. [4] http://eavesdrop.openstack.org/meetings/keystone/2019/keystone.2019-01-22-16.00.log.html#l-227 [5] http://eavesdrop.openstack.org/irclogs/%23openstack-keystone/%23openstack-keystone.2019-01-22.log.html#t2019-01-22T17:09:52 ## Open Specs Stein specs: https://bit.ly/2Pi6dGj Ongoing specs: https://bit.ly/2OyDLTh ## Recently Merged Changes Search query: https://bit.ly/2pquOwT We merged 16 changes this week. ## Changes that need Attention Search query: https://bit.ly/2RLApdA There are 80 changes that are passing CI, not in merge conflict, have no negative reviews and aren't proposed by bots. ## Bugs This week we opened 4 new bugs and closed 2. Bug #1813057 (keystone:Medium) opened by Lance Bragstad https://bugs.launchpad.net/keystone/+bug/1813057 Bug #1813085 (keystone:Undecided) opened by Tim Buckley https://bugs.launchpad.net/keystone/+bug/1813085 Bug #1813183 (keystone:Undecided) opened by Lance Bragstad https://bugs.launchpad.net/keystone/+bug/1813183 Bug #1813265 (keystone:Undecided) opened by Colleen Murphy https://bugs.launchpad.net/keystone/+bug/1813265 Bugs fixed (2) Bug #1794864 (keystone:Medium) fixed by Lance Bragstad https://bugs.launchpad.net/keystone/+bug/1794864 Bug #1804522 (keystone:Medium) fixed by Lance Bragstad https://bugs.launchpad.net/keystone/+bug/1804522 ## Milestone Outlook https://releases.openstack.org/stein/schedule.html Feature proposal freeze happens next week, if you are working on a feature for Stein please have at least a WIP on Gerrit ASAP. The feature freeze is five weeks after that, so major features that are not already fairly far along may have to be pushed to Train. ## Shout-outs Thanks Guang for being super helpful with all of our X.509 and tokenless auth questions! ## Help with this newsletter Help contribute to this newsletter by editing the etherpad: https://etherpad.openstack.org/p/keystone-team-newsletter Dashboard generated using gerrit-dash-creator and https://gist.github.com/lbragstad/9b0477289177743d1ebfc276d1697b67