# Keystone Team Update - Week of 10 December 2018 ## News ### Policy questions We had some topics related to RBAC and policy come up in discussions this week. We had an exchange over whether the reader role is really sufficient to describe the ability to read resources currently restricted to admins as well as resources currently restricted to members, or if those are really two different kinds of read levels[1][2]. We also discussed our current work on default roles with the cinder team[3] in light of their work on documenting some best practices for policy configuration in cinder[4]. Finally, in our efforts to convert our own policies to use the default roles[5], we're starting to deep-dive into the APIs to uncover their intentions, their current protections, and the most sensible default policies for them. [1] http://lists.openstack.org/pipermail/openstack-discuss/2018-December/000888.... [2] http://eavesdrop.openstack.org/irclogs/%23openstack-keystone/%23openstack-ke... [3] http://lists.openstack.org/pipermail/openstack-discuss/2018-December/000875.... [4] https://review.openstack.org/624424 [5] https://review.openstack.org/#/q/status:open+topic:implement-default-roles ### Cleaning up old specs At the weekly meeting we tangented from another topic to note that we've been doing a bad job of pruning the specs backlog and that we should organize some process around regularly reevaluating and prioritizing things in it[6]. [6] http://eavesdrop.openstack.org/meetings/keystone/2018/keystone.2018-12-11-16... ### Immutable Roles and Resource Options for All Morgan proposed a new spec[7] to lay the ground work for implementing resource options for most or all resources in keystone, similar to the user options we have now that lets us control MFA rights and PCI-DSS restrictions. We'd then like to build on this to make some resources, especially roles, immutable[8] or locked in order to prevent accidentally deleting deployment-critical resources, which we know has happened to more than one person. [7] https://review.openstack.org/624692 [8] https://review.openstack.org/624162 ## Open Specs Stein specs: https://bit.ly/2Pi6dGj Ongoing specs: https://bit.ly/2OyDLTh We merged the JWT spec[9] and the domain limits spec[10]. Morgan proposed a new spec for Stein[11] although we are past the spec proposal freeze date. We may decide to push it to Train, but that will also delay starting on the new immutable resources spec[12]. [9] http://specs.openstack.org/openstack/keystone-specs/specs/keystone/stein/jso... [10] http://specs.openstack.org/openstack/keystone-specs/specs/keystone/stein/dom... [11] https://review.openstack.org/624162 [12] https://review.openstack.org/624692 ## Recently Merged Changes Search query: https://bit.ly/2pquOwT We merged 38 changes this week. These included cleanup work to finish the documentation consolidation that we started a while ago, as well as several patches for default roles policy updates. ## Changes that need Attention Search query: https://bit.ly/2RLApdA There are 98 changes that are passing CI, not in merge conflict, have no negative reviews and aren't proposed by bots. These are mainly still the default roles policy changes from Lance. ## Bugs This week we opened 5 new bugs and closed 5. Bugs opened (5) Bug #1807751 (keystone:Wishlist) opened by Morgan Fainberg https://bugs.launchpad.net/keystone/+bug/1807751 Bug #1807697 (keystone:Undecided) opened by Yang Youseok https://bugs.launchpad.net/keystone/+bug/1807697 Bug #1807805 (keystone:Undecided) opened by Zhongcheng Lao https://bugs.launchpad.net/keystone/+bug/1807805 Bug #1808059 (keystone:Undecided) opened by David Vallee Delisle https://bugs.launchpad.net/keystone/+bug/1808059 Bug #1808305 (python-keystoneclient:Undecided) opened by Neha Alhat https://bugs.launchpad.net/python-keystoneclient/+bug/1808305 Bugs closed (2) Bug #1802136 (keystone:Undecided) https://bugs.launchpad.net/keystone/+bug/1802136 Bug #1808059 (keystone:Undecided) https://bugs.launchpad.net/keystone/+bug/1808059 Bugs fixed (3) Bug #1794376 (keystone:High) fixed by Lance Bragstad https://bugs.launchpad.net/keystone/+bug/1794376 Bug #1803780 (keystone:Low) fixed by Adam Young https://bugs.launchpad.net/keystone/+bug/1803780 Bug #1803940 (keystonemiddleware:Wishlist) fixed by Artem Vasilyev https://bugs.launchpad.net/keystonemiddleware/+bug/1803940 ## Milestone Outlook https://releases.openstack.org/stein/schedule.html ## Help with this newsletter Help contribute to this newsletter by editing the etherpad: https://etherpad.openstack.org/p/keystone-team-newsletter Dashboard generated using gerrit-dash-creator and https://gist.github.com/lbragstad/9b0477289177743d1ebfc276d1697b67