[dev][keystone][ptg] Keystone team action items
Hi everyone,

I will write an in-depth summary of the Forum and PTG some time in the coming week, but I wanted to quickly capture all the action items that came out of the last six days so that we don't lose too much focus:

Colleen
* move "Expand endpoint filters to Service Providers" spec[1] to attic
* review "Policy Goals"[2] and "Policy Security Roadmap"[3] specs with Lance, refresh and possibly combine them
* move "Unified model for assignments, OAuth, and trusts" spec[4] from ongoing to backlog, and circle up with Adam about refreshing it
* update app creds spec[5] to defer access_rules_config
* review app cred documentation with regard to proactive rotation
* follow up with nova/other service teams on need for microversion support in access rules
* circle up with Guang on fixing autoprovisioning for tokenless auth
* keep up to date with IEEE/NIST efforts on standardizing federation
* investigate undoing the foreign key constraint that breaks the pluggable resource driver
* propose governance change to add caching as a base service
* clean out deprecated cruft from keystonemiddleware
* write up Outreachy/other internship application tasks

[1] http://specs.openstack.org/openstack/keystone-specs/specs/keystone/backlog/s...
[2] http://specs.openstack.org/openstack/keystone-specs/specs/keystone/ongoing/p...
[3] http://specs.openstack.org/openstack/keystone-specs/specs/keystone/ongoing/p...
[4] http://specs.openstack.org/openstack/keystone-specs/specs/keystone/ongoing/u...
[5] http://specs.openstack.org/openstack/keystone-specs/specs/keystone/train/cap...

Lance
* write up plan for tempest testing of system scope
* break up unified limits testing plan into separate items, one for CRUD in keystone and one for quota and limit validation in oslo.limit[6]
* write up spec for assigning roles on root domain
* (with Morgan) check for and add interface in oslo.policy to see if policy has been overridden

[6] https://trello.com/c/kbKvhYBz/20-test-unified-limits-in-tempest

Kristi
* finish mutable config patch
* propose "model-timestamps" spec for Train[7]
* move "Add Multi-Version Support to Federation Mappings" spec[8] to attic
* review and possibly complete "Devstack Plugin for Keystone" spec[9]
* look into "RFE: Improved OpenID Connect Support" spec[10]
* update refreshable app creds spec[11] to make federated users expire rather than app creds
* deprecate federated_domain_name

[7] http://specs.openstack.org/openstack/keystone-specs/specs/keystone/backlog/m...
[8] http://specs.openstack.org/openstack/keystone-specs/specs/keystone/backlog/v...
[9] http://specs.openstack.org/openstack/keystone-specs/specs/keystone/ongoing/d...
[10] https://bugs.launchpad.net/keystone/+bug/1815971
[11] https://review.opendev.org/604201

Vishakha
* investigate effort needed for Alembic migrations spec[12] (with help from Morgan)
* merge "RFE: Retrofit keystone-manage db_* commands to work with Alembic"[13] into "Use Alembic for database migrations" spec
* remove deprecated [signing] config
* remove deprecated [DEFAULT]/admin_endpoint config
* remove deprecated [token]/infer_roles config

[12] http://specs.openstack.org/openstack/keystone-specs/specs/keystone/backlog/a...
[13] https://bugs.launchpad.net/keystone/+bug/1816158

Morgan
* review "Materialize Project Hierarchy" spec[14] and make sure it reflects the current state of the world, keep it in the backlog
* move "Functional Testing" spec[15] to attic
* move "Object Dependency Lifecycle" spec[16] to complete
* move "Add Endpoint Filter Enforcement to Keystonemiddleware" spec[17] to attic
* move "Request Helpers" spec[18] to attic
* create PoC of external IdP proxy component
* (with Lance) check for and add interface in oslo.policy to see if policy has been overridden
* investigate removing [eventlet_server] config section
* remove remaining PasteDeploy things
* remove PKI(Z) cruft from keystonemiddleware
* refactor keystonemiddleware to have functional components instead of needing keystone to instantiate keystonemiddleware objects for auth

[14] http://specs.openstack.org/openstack/keystone-specs/specs/keystone/backlog/m...
[15] http://specs.openstack.org/openstack/keystone-specs/specs/keystone/ongoing/f...
[16] http://specs.openstack.org/openstack/keystone-specs/specs/keystone/ongoing/o...
[17] http://specs.openstack.org/openstack/keystone-specs/specs/keystonemiddleware...
[18] http://specs.openstack.org/openstack/keystone-specs/specs/keystonemiddleware...

Gage
* investigate with operators about specific use case behind "RFE: Whitelisting (opt-in) users/projects/domains for PCI compliance"[19] request
* follow up on "RFE: Token returns Project's tag properties"[20]
* remove use of keystoneclient from keystonemiddleware

[19] https://bugs.launchpad.net/keystone/+bug/1637146
[20] https://bugs.launchpad.net/keystone/+bug/1807697

Rodrigo
* Propose finishing "RFE: Project Tree Deletion/Disabling"[21] as an Outreachy project

[21] https://bugs.launchpad.net/keystone/+bug/1816105

Adam
* write up super-spec on explicit project IDs plus predictable IDs

Thanks everyone for a productive week and for all your hard work!

Colleen
Thanks for the summary, Colleen.

On Sun, May 5, 2019 at 8:59 AM Colleen Murphy <colleen@gazlene.net> wrote:
> Hi everyone,
>
> I will write an in-depth summary of the Forum and PTG some time in the coming week, but I wanted to quickly capture all the action items that came out of the last six days so that we don't lose too much focus:
>
> Colleen
> * move "Expand endpoint filters to Service Providers" spec[1] to attic
> * review "Policy Goals"[2] and "Policy Security Roadmap"[3] specs with Lance, refresh and possibly combine them
> * move "Unified model for assignments, OAuth, and trusts" spec[4] from ongoing to backlog, and circle up with Adam about refreshing it
> * update app creds spec[5] to defer access_rules_config
> * review app cred documentation with regard to proactive rotation
> * follow up with nova/other service teams on need for microversion support in access rules
> * circle up with Guang on fixing autoprovisioning for tokenless auth
> * keep up to date with IEEE/NIST efforts on standardizing federation
> * investigate undoing the foreign key constraint that breaks the pluggable resource driver
> * propose governance change to add caching as a base service
> * clean out deprecated cruft from keystonemiddleware
> * write up Outreachy/other internship application tasks
>
> [1] http://specs.openstack.org/openstack/keystone-specs/specs/keystone/backlog/s...
> [2] http://specs.openstack.org/openstack/keystone-specs/specs/keystone/ongoing/p...
> [3] http://specs.openstack.org/openstack/keystone-specs/specs/keystone/ongoing/p...
> [4] http://specs.openstack.org/openstack/keystone-specs/specs/keystone/ongoing/u...
> [5] http://specs.openstack.org/openstack/keystone-specs/specs/keystone/train/cap...
>
> Lance
> * write up plan for tempest testing of system scope
> * break up unified limits testing plan into separate items, one for CRUD in keystone and one for quota and limit validation in oslo.limit[6]
> * write up spec for assigning roles on root domain
> * (with Morgan) check for and add interface in oslo.policy to see if policy has been overridden
>
> [6] https://trello.com/c/kbKvhYBz/20-test-unified-limits-in-tempest
>
> Kristi
> * finish mutable config patch
> * propose "model-timestamps" spec for Train[7]
> * move "Add Multi-Version Support to Federation Mappings" spec[8] to attic
> * review and possibly complete "Devstack Plugin for Keystone" spec[9]
> * look into "RFE: Improved OpenID Connect Support" spec[10]
> * update refreshable app creds spec[11] to make federated users expire rather than app creds
> * deprecate federated_domain_name
>
> [7] http://specs.openstack.org/openstack/keystone-specs/specs/keystone/backlog/m...
> [8] http://specs.openstack.org/openstack/keystone-specs/specs/keystone/backlog/v...
> [9] http://specs.openstack.org/openstack/keystone-specs/specs/keystone/ongoing/d...
> [10] https://bugs.launchpad.net/keystone/+bug/1815971
> [11] https://review.opendev.org/604201
>
> Vishakha
> * investigate effort needed for Alembic migrations spec[12] (with help from Morgan)
> * merge "RFE: Retrofit keystone-manage db_* commands to work with Alembic"[13] into "Use Alembic for database migrations" spec
> * remove deprecated [signing] config
> * remove deprecated [DEFAULT]/admin_endpoint config
> * remove deprecated [token]/infer_roles config
>
> [12] http://specs.openstack.org/openstack/keystone-specs/specs/keystone/backlog/a...
> [13] https://bugs.launchpad.net/keystone/+bug/1816158
>
> Morgan
> * review "Materialize Project Hierarchy" spec[14] and make sure it reflects the current state of the world, keep it in the backlog
> * move "Functional Testing" spec[15] to attic
> * move "Object Dependency Lifecycle" spec[16] to complete
> * move "Add Endpoint Filter Enforcement to Keystonemiddleware" spec[17] to attic
> * move "Request Helpers" spec[18] to attic
> * create PoC of external IdP proxy component
> * (with Lance) check for and add interface in oslo.policy to see if policy has been overridden
> * investigate removing [eventlet_server] config section
> * remove remaining PasteDeploy things
> * remove PKI(Z) cruft from keystonemiddleware
> * refactor keystonemiddleware to have functional components instead of needing keystone to instantiate keystonemiddleware objects for auth
>
> [14] http://specs.openstack.org/openstack/keystone-specs/specs/keystone/backlog/m...
> [15] http://specs.openstack.org/openstack/keystone-specs/specs/keystone/ongoing/f...
> [16] http://specs.openstack.org/openstack/keystone-specs/specs/keystone/ongoing/o...
> [17] http://specs.openstack.org/openstack/keystone-specs/specs/keystonemiddleware...
> [18] http://specs.openstack.org/openstack/keystone-specs/specs/keystonemiddleware...
>
> Gage
> * investigate with operators about specific use case behind "RFE: Whitelisting (opt-in) users/projects/domains for PCI compliance"[19] request
> * follow up on "RFE: Token returns Project's tag properties"[20]
> * remove use of keystoneclient from keystonemiddleware
>
> [19] https://bugs.launchpad.net/keystone/+bug/1637146
> [20] https://bugs.launchpad.net/keystone/+bug/1807697
>
> Rodrigo
> * Propose finishing "RFE: Project Tree Deletion/Disabling"[21] as an Outreachy project
>
> [21] https://bugs.launchpad.net/keystone/+bug/1816105
>
> Adam
> * write up super-spec on explicit project IDs plus predictable IDs
>
> Thanks everyone for a productive week and for all your hard work!
>
> Colleen

--
Rodrigo
http://rodrigods.com

participants (2)
- Colleen Murphy
- Rodrigo Duarte