<div dir="ltr">Thanks for the summary, Colleen.<br></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Sun, May 5, 2019 at 8:59 AM Colleen Murphy &lt;<a href="mailto:colleen@gazlene.net">colleen@gazlene.net</a>&gt; wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Hi everyone,<br>
<br>
I will write an in-depth summary of the Forum and PTG some time in the coming week, but I wanted to quickly capture all the action items that came out of the last six days so that we don't lose too much focus:<br>
<br>
Colleen<br>
* move "Expand endpoint filters to Service Providers" spec[1] to attic<br>
* review "Policy Goals"[2] and "Policy Security Roadmap"[3] specs with Lance, refresh and possibly combine them<br>
* move "Unified model for assignments, OAuth, and trusts" spec[4] from ongoing to backlog, and circle up with Adam about refreshing it<br>
* update app creds spec[5] to defer access_rules_config<br>
* review app cred documentation with regard to proactive rotation<br>
* follow up with nova/other service teams on need for microversion support in access rules<br>
* circle up with Guang on fixing autoprovisioning for tokenless auth<br>
* keep up to date with IEEE/NIST efforts on standardizing federation<br>
* investigate undoing the foreign key constraint that breaks the pluggable resource driver<br>
* propose governance change to add caching as a base service<br>
* clean out deprecated cruft from keystonemiddleware<br>
* write up Outreachy/other internship application tasks<br>
<br>
[1] <a href="http://specs.openstack.org/openstack/keystone-specs/specs/keystone/backlog/service-providers-filters.html" rel="noreferrer" target="_blank">http://specs.openstack.org/openstack/keystone-specs/specs/keystone/backlog/service-providers-filters.html</a><br>
[2] <a href="http://specs.openstack.org/openstack/keystone-specs/specs/keystone/ongoing/policy-goals.html" rel="noreferrer" target="_blank">http://specs.openstack.org/openstack/keystone-specs/specs/keystone/ongoing/policy-goals.html</a><br>
[3] <a href="http://specs.openstack.org/openstack/keystone-specs/specs/keystone/ongoing/policy-security-roadmap.html" rel="noreferrer" target="_blank">http://specs.openstack.org/openstack/keystone-specs/specs/keystone/ongoing/policy-security-roadmap.html</a><br>
[4] <a href="http://specs.openstack.org/openstack/keystone-specs/specs/keystone/ongoing/unified-delegation.html" rel="noreferrer" target="_blank">http://specs.openstack.org/openstack/keystone-specs/specs/keystone/ongoing/unified-delegation.html</a><br>
[5] <a href="http://specs.openstack.org/openstack/keystone-specs/specs/keystone/train/capabilities-app-creds.html" rel="noreferrer" target="_blank">http://specs.openstack.org/openstack/keystone-specs/specs/keystone/train/capabilities-app-creds.html</a><br>
<br>
Lance<br>
* write up plan for tempest testing of system scope<br>
* break up unified limits testing plan into separate items, one for CRUD in keystone and one for quota and limit validation in oslo.limit[6]<br>
* write up spec for assigning roles on root domain<br>
* (with Morgan) check for and add interface in oslo.policy to see if policy has been overridden<br>
<br>
[6] <a href="https://trello.com/c/kbKvhYBz/20-test-unified-limits-in-tempest" rel="noreferrer" target="_blank">https://trello.com/c/kbKvhYBz/20-test-unified-limits-in-tempest</a><br>
<br>
Kristi<br>
* finish mutable config patch<br>
* propose "model-timestamps" spec for Train[7]<br>
* move "Add Multi-Version Support to Federation Mappings" spec[8] to attic<br>
* review and possibly complete "Devstack Plugin for Keystone" spec[9]<br>
* look into "RFE: Improved OpenID Connect Support" spec[10]<br>
* update refreshable app creds spec[11] to make federated users expire rather than app creds<br>
* deprecate federated_domain_name<br>
<br>
[7] <a href="http://specs.openstack.org/openstack/keystone-specs/specs/keystone/backlog/model-timestamps.html" rel="noreferrer" target="_blank">http://specs.openstack.org/openstack/keystone-specs/specs/keystone/backlog/model-timestamps.html</a><br>
[8] <a href="http://specs.openstack.org/openstack/keystone-specs/specs/keystone/backlog/versioned-mappings.html" rel="noreferrer" target="_blank">http://specs.openstack.org/openstack/keystone-specs/specs/keystone/backlog/versioned-mappings.html</a><br>
[9] <a href="http://specs.openstack.org/openstack/keystone-specs/specs/keystone/ongoing/devstack-plugin.html" rel="noreferrer" target="_blank">http://specs.openstack.org/openstack/keystone-specs/specs/keystone/ongoing/devstack-plugin.html</a><br>
[10] <a href="https://bugs.launchpad.net/keystone/+bug/1815971" rel="noreferrer" target="_blank">https://bugs.launchpad.net/keystone/+bug/1815971</a><br>
[11] <a href="https://review.opendev.org/604201" rel="noreferrer" target="_blank">https://review.opendev.org/604201</a><br>
<br>
Vishakha<br>
* investigate effort needed for Alembic migrations spec[12] (with help from Morgan)<br>
* merge "RFE: Retrofit keystone-manage db_* commands to work with Alembic"[13] into "Use Alembic for database migrations" spec<br>
* remove deprecated [signing] config<br>
* remove deprecated [DEFAULT]/admin_endpoint config<br>
* remove deprecated [token]/infer_roles config<br>
<br>
[12] <a href="http://specs.openstack.org/openstack/keystone-specs/specs/keystone/backlog/alembic.html" rel="noreferrer" target="_blank">http://specs.openstack.org/openstack/keystone-specs/specs/keystone/backlog/alembic.html</a><br>
[13] <a href="https://bugs.launchpad.net/keystone/+bug/1816158" rel="noreferrer" target="_blank">https://bugs.launchpad.net/keystone/+bug/1816158</a><br>
<br>
Morgan<br>
* review "Materialize Project Hierarchy" spec[14] and make sure it reflects the current state of the world, keep it in the backlog<br>
* move "Functional Testing" spec[15] to attic<br>
* move "Object Dependency Lifecycle" spec[16] to complete<br>
* move "Add Endpoint Filter Enforcement to Keystonemiddleware" spec[17] to attic<br>
* move "Request Helpers" spec[18] to attic<br>
* create PoC of external IdP proxy component<br>
* (with Lance) check for and add interface in oslo.policy to see if policy has been overridden<br>
* investigate removing [eventlet_server] config section<br>
* remove remaining PasteDeploy things<br>
* remove PKI(Z) cruft from keystonemiddleware<br>
* refactor keystonemiddleware to have functional components instead of needing keystone to instantiate keystonemiddleware objects for auth<br>
<br>
[14] <a href="http://specs.openstack.org/openstack/keystone-specs/specs/keystone/backlog/materialize-project-hierarchy.html" rel="noreferrer" target="_blank">http://specs.openstack.org/openstack/keystone-specs/specs/keystone/backlog/materialize-project-hierarchy.html</a><br>
[15] <a href="http://specs.openstack.org/openstack/keystone-specs/specs/keystone/ongoing/functional-testing.html" rel="noreferrer" target="_blank">http://specs.openstack.org/openstack/keystone-specs/specs/keystone/ongoing/functional-testing.html</a><br>
[16] <a href="http://specs.openstack.org/openstack/keystone-specs/specs/keystone/ongoing/object-dependency-lifecycle.html" rel="noreferrer" target="_blank">http://specs.openstack.org/openstack/keystone-specs/specs/keystone/ongoing/object-dependency-lifecycle.html</a><br>
[17] <a href="http://specs.openstack.org/openstack/keystone-specs/specs/keystonemiddleware/backlog/endpoint-enforcement-middleware.html" rel="noreferrer" target="_blank">http://specs.openstack.org/openstack/keystone-specs/specs/keystonemiddleware/backlog/endpoint-enforcement-middleware.html</a><br>
[18] <a href="http://specs.openstack.org/openstack/keystone-specs/specs/keystonemiddleware/backlog/request-helpers.html" rel="noreferrer" target="_blank">http://specs.openstack.org/openstack/keystone-specs/specs/keystonemiddleware/backlog/request-helpers.html</a><br>
<br>
Gage<br>
* investigate with operators about specific use case behind "RFE: Whitelisting (opt-in) users/projects/domains for PCI compliance"[19] request<br>
* follow up on "RFE: Token returns Project's tag properties"[20]<br>
* remove use of keystoneclient from keystonemiddleware<br>
<br>
[19] <a href="https://bugs.launchpad.net/keystone/+bug/1637146" rel="noreferrer" target="_blank">https://bugs.launchpad.net/keystone/+bug/1637146</a><br>
[20] <a href="https://bugs.launchpad.net/keystone/+bug/1807697" rel="noreferrer" target="_blank">https://bugs.launchpad.net/keystone/+bug/1807697</a><br>
<br>
Rodrigo<br>
* Propose finishing "RFE: Project Tree Deletion/Disabling"[21] as an Outreachy project<br>
<br>
[21] <a href="https://bugs.launchpad.net/keystone/+bug/1816105" rel="noreferrer" target="_blank">https://bugs.launchpad.net/keystone/+bug/1816105</a><br>
<br>
Adam<br>
* write up super-spec on explicit project IDs plus predictable IDs<br>
<br>
<br>
Thanks everyone for a productive week and for all your hard work!<br>
<br>
Colleen<br>
<br>
</blockquote></div><br clear="all"><br>-- <br><div dir="ltr" class="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><font color="#666666">Rodrigo</font></div><div dir="ltr"><div><div><font color="#3333ff"><a href="http://rodrigods.com" target="_blank">http://<font color="#3333ff">rodrigods.com</font></a></font></div></div></div></div></div></div></div></div></div></div></div></div></div></div>