<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<tt><font size="-1">Yesterday, in the keystone meeting [0], we
talked about what we want to do with the remaining scope and
default roles work in keystone. With all the patches proposed,
merged, and reviewed around this work, I thought a summary might
be beneficial for everyone. Besides, despite my best efforts I
still don't share the same polarity with buses. So, getting this
information out is probably best for everyone, including other
developers looking to do something similar in their services.<br>
<br>
For context, we landed a major refactor in Rocky allowing
keystone to consume different scopes (e.g., project, domain, and
system), making the entire keystone API more self-serviceable.
We also decided to implement default roles since we already
planned on making policy changes, which gives us things like
read-only support out-of-the-box.<br>
<br>
Right around the time Stein opened for development, I took an
initial pass at opening bugs to track this work. Turns out
refactoring the authorization of an entire API is a significant
amount of work, especially to track in a single bug report [1].
We kept new bug reports specific to one resource at a time. If
the API made sense to expose with multiple scopes (e.g.,
allowing project users, domain users, and system users to all
access the API) we opened a bug, specifically to implement those
scopes. We tagged these bugs with the `system-scope` tag in
Launchpad [2]. Resources in keystone that needed to implement
support for default roles required separate bug reports. We
tagged these bugs with the `default-roles` tag in Launchpad [3].
All bugs that fell into these two camps also received the
`policy` tag.<br>
<br>
Altogether, we broke the work to implement scope types and
default roles across keystone's API into 39 different bug
reports [4].<br>
<br>
Of those 39 bug reports, 13 are for correcting scope behavior,
which exposes more functionality to end users, safely. The
remaining 26 are for implementing default roles, which gives us
things like read-only support.<br>
<br>
Of the 13 scope bugs we:<br>
- fixed 2<br>
- have 7 in progress<br>
- have 4 awaiting fixes<br>
<br>
Note that some of the fixes above are dependent on a devstack
patch to correct what tempest assumes about certain scopes [5].
Of the 26 bugs for default roles we:<br>
- fixed 14<br>
- have 12 awaiting fixes<br>
<br>
In total, of the 39 bugs we opened for the entirety of this work
in Stein we:<br>
- fixed 16 (~41%)<br>
- have 7 in progress (~17%)<br>
- have 16 awaiting fixes (~41%)<br>
<br>
I took one final pass through all of keystone's policies
yesterday to make sure we have everything captured in bug
reports. If you see something that I missed, let me know or open
a bug report so that we can capture the information.<br>
<br>
To highlight the work required to get us this far, as of
e8d9791c6ecea1bf5fd4878b57c892b0a4c8a19e, we've merged [6] 259
tests [7]. These tests are reused to execute 593 functional
protection tests [8] that exercise the default roles against
various scopes and ensures users can do what we expect. These
number don't include the patches that are still in review [9]
that implement more protection testing.<br>
<br>
I think it's safe to say that we're not going to get the
remaining work merged into Stein. However, are there specific
resources we want to prioritize for Stein of the remaining bug
reports [10]?<br>
<br>
Thanks,<br>
<br>
Lance<br>
<br>
[0]
<a class="moz-txt-link-freetext" href="http://eavesdrop.openstack.org/meetings/keystone/2019/keystone.2019-03-05-16.00.log.html#l-52">http://eavesdrop.openstack.org/meetings/keystone/2019/keystone.2019-03-05-16.00.log.html#l-52</a><br>
[1] <a class="moz-txt-link-freetext" href="https://bugs.launchpad.net/keystone/+bug/968696">https://bugs.launchpad.net/keystone/+bug/968696</a><br>
[2] <a class="moz-txt-link-freetext" href="http://tinyurl.com/y3ux97ma">http://tinyurl.com/y3ux97ma</a><br>
[3] <a class="moz-txt-link-freetext" href="http://tinyurl.com/y3y779e8">http://tinyurl.com/y3y779e8</a><br>
[4] <a class="moz-txt-link-freetext" href="http://tinyurl.com/y649w43n">http://tinyurl.com/y649w43n</a><br>
[5] <a class="moz-txt-link-freetext" href="https://review.openstack.org/#/c/624794/">https://review.openstack.org/#/c/624794/</a><br>
[6]
<a class="moz-txt-link-freetext" href="https://review.openstack.org/#/q/status:merged+project:openstack/keystone+branch:master+(topic:implement-default-roles+OR+topic:clean-up-v3-cloud-sample)">https://review.openstack.org/#/q/status:merged+project:openstack/keystone+branch:master+(topic:implement-default-roles+OR+topic:clean-up-v3-cloud-sample)</a><br>
[7] grep -R 'def test_' keystone/tests/unit/protection/ | wc -l<br>
[8] tox -e py37 -- keystone.tests.unit.protection<br>
[9]
<a class="moz-txt-link-freetext" href="https://review.openstack.org/#/q/status:open+project:openstack/keystone+branch:master+(topic:implement-default-roles+OR+topic:clean-up-v3-cloud-sample)">https://review.openstack.org/#/q/status:open+project:openstack/keystone+branch:master+(topic:implement-default-roles+OR+topic:clean-up-v3-cloud-sample)</a><br>
[10] <a class="moz-txt-link-freetext" href="http://tinyurl.com/y4vwdsjz">http://tinyurl.com/y4vwdsjz</a><br>
</font></tt>
</body>
</html>