[dev][keystone][ptg] Keystone team action items

Colleen Murphy colleen at gazlene.net
Sun May 5 15:58:22 UTC 2019

Hi everyone,

I will write an in-depth summary of the Forum and PTG some time in the coming week, but I wanted to quickly capture all the action items that came out of the last six days so that we don't lose too much focus:

* move "Expand endpoint filters to Service Providers" spec[1] to attic
* review "Policy Goals"[2] and "Policy Security Roadmap"[3] specs with Lance, refresh and possibly combine them
* move "Unified model for assignments, OAuth, and trusts" spec[4] from ongoing to backlog, and circle up with Adam about refreshing it
* update app creds spec[5] to defer access_rules_config
* review app cred documentation with regard to proactive rotation
* follow up with nova/other service teams on need for microversion support in access rules
* circle up with Guang on fixing autoprovisioning for tokenless auth
* keep up to date with IEEE/NIST efforts on standardizing federation
* investigate undoing the foreign key constraint that breaks the pluggable resource driver
* propose governance change to add caching as a base service
* clean out deprecated cruft from keystonemiddleware
* write up Outreachy/other internship application tasks

[1] http://specs.openstack.org/openstack/keystone-specs/specs/keystone/backlog/service-providers-filters.html
[2] http://specs.openstack.org/openstack/keystone-specs/specs/keystone/ongoing/policy-goals.html
[3] http://specs.openstack.org/openstack/keystone-specs/specs/keystone/ongoing/policy-security-roadmap.html
[4] http://specs.openstack.org/openstack/keystone-specs/specs/keystone/ongoing/unified-delegation.html
[5] http://specs.openstack.org/openstack/keystone-specs/specs/keystone/train/capabilities-app-creds.html

* write up plan for tempest testing of system scope
* break up unified limits testing plan into separate items, one for CRUD in keystone and one for quota and limit validation in oslo.limit[6]
* write up spec for assigning roles on root domain
* (with Morgan) check for and add interface in oslo.policy to see if policy has been overridden

[6] https://trello.com/c/kbKvhYBz/20-test-unified-limits-in-tempest

* finish mutable config patch
* propose "model-timestamps" spec for Train[7]
* move "Add Multi-Version Support to Federation Mappings" spec[8] to attic
* review and possibly complete "Devstack Plugin for Keystone" spec[9]
* look into "RFE: Improved OpenID Connect Support" spec[10]
* update refreshable app creds spec[11] to make federated users expire rather than app creds
* deprecate federated_domain_name

[7] http://specs.openstack.org/openstack/keystone-specs/specs/keystone/backlog/model-timestamps.html
[8] http://specs.openstack.org/openstack/keystone-specs/specs/keystone/backlog/versioned-mappings.html
[9] http://specs.openstack.org/openstack/keystone-specs/specs/keystone/ongoing/devstack-plugin.html
[10] https://bugs.launchpad.net/keystone/+bug/1815971
[11] https://review.opendev.org/604201

* investigate effort needed for Alembic migrations spec[12] (with help from Morgan)
* merge "RFE: Retrofit keystone-manage db_* commands to work with Alembic"[13] into "Use Alembic for database migrations" spec
* remove deprecated [signing] config
* remove deprecated [DEFAULT]/admin_endpoint config
* remove deprecated [token]/infer_roles config

[12] http://specs.openstack.org/openstack/keystone-specs/specs/keystone/backlog/alembic.html
[13] https://bugs.launchpad.net/keystone/+bug/1816158

* review "Materialize Project Hierarchy" spec[14] and make sure it reflects the current state of the world, keep it in the backlog
* move "Functional Testing" spec[15] to attic
* move "Object Dependency Lifecycle" spec[16] to complete
* move "Add Endpoint Filter Enforcement to Keystonemiddleware" spec[17] to attic
* move "Request Helpers" spec[18] to attic
* create PoC of external IdP proxy component
* (with Lance) check for and add interface in oslo.policy to see if policy has been overridden
* investigate removing [eventlet_server] config section
* remove remaining PasteDeploy things
* remove PKI(Z) cruft from keystonemiddleware
* refactor keystonemiddleware to have functional components instead of needing keystone to instantiate keystonemiddleware objects for auth

[14] http://specs.openstack.org/openstack/keystone-specs/specs/keystone/backlog/materialize-project-hierarchy.html
[15] http://specs.openstack.org/openstack/keystone-specs/specs/keystone/ongoing/functional-testing.html
[16] http://specs.openstack.org/openstack/keystone-specs/specs/keystone/ongoing/object-dependency-lifecycle.html
[17] http://specs.openstack.org/openstack/keystone-specs/specs/keystonemiddleware/backlog/endpoint-enforcement-middleware.html
[18] http://specs.openstack.org/openstack/keystone-specs/specs/keystonemiddleware/backlog/request-helpers.html

* investigate with operators about specific use case behind "RFE: Whitelisting (opt-in) users/projects/domains for PCI compliance"[19] request
* follow up on "RFE: Token returns Project's tag properties"[20]
* remove use of keystoneclient from keystonemiddleware

[19] https://bugs.launchpad.net/keystone/+bug/1637146
[20] https://bugs.launchpad.net/keystone/+bug/1807697

* Propose finishing "RFE: Project Tree Deletion/Disabling"[21] as an Outreachy project

[21] https://bugs.launchpad.net/keystone/+bug/1816105

* write up super-spec on explicit project IDs plus predictable IDs

Thanks everyone for a productive week and for all your hard work!


