[openstack-dev] [keystone] Keystone Team Update - Week of 6 August 2018

Lance Bragstad lbragstad at gmail.com
Sat Aug 11 09:14:15 UTC 2018


On Fri, Aug 10, 2018, 23:47 Colleen Murphy <colleen at gazlene.net> wrote:

> # Keystone Team Update - Week of 6 August 2018
>
> ## News
>
> ### RC1
>
> We released RC1 this week[1]. Please try it out and be on the lookout for
> critical bugs. As of yet we don't seem to have any showstoppers that would
> require another RC.


Should we rev the keystone version for the inclusion of the new default
roles?


> [1] https://releases.openstack.org/rocky/index.html#rocky-keystone
>
> ### Edge Discussions
>
> The OpenNFV Edge Cloud group and the Edge Computing Group are ramping up
> implementations of proofs of concept for the potential keystone
> architectures for edge cloud scenarios. Some of the models under
> investigation or that we've suggested[2] are keystone-to-keystone
> federation, regular federation with an external identity provider, database
> synchronization via database replication[3] and database synchronization
> via an agent. One idea to enhance the federation-based models is to make
> application credentials refreshable, which Kristi is going to write a spec
> for[4]. I encourage the team to join the meeting calls[5][6], to help the
> people working on implementations, and volunteer for technical work items.
> It would be great to be at a point where we can discuss design details for
> the next cycle at the PTG.
>
> [2] https://wiki.openstack.org/wiki/Keystone_edge_architectures
> [3] https://review.openstack.org/566448
> [4] http://eavesdrop.openstack.org/irclogs/%23openstack-keystone/%23openstack-keystone.2018-08-07.log.html#t2018-08-07T15:34:54
> [5] https://wiki.openstack.org/wiki/Edge_Computing_Group#Meetings
> [6] https://wiki.opnfv.org/display/PROJ/Edge+cloud
>
> ### Flask Work
>
> Morgan has been diligently working on converting our APIs to Flask; please
> see the many outstanding reviews[7]. Some of these conversions should be
> parallelizable, so if you'd like to help him out I'm sure he would
> appreciate it. Just coordinate with him[8].
>
> [7] https://review.openstack.org/#/q/status:open+topic:bug/1776504
> [8] http://eavesdrop.openstack.org/irclogs/%23openstack-keystone/%23openstack-keystone.2018-08-06.log.html#t2018-08-06T20:31:19
>
> ### Self-Service Keystone
>
> At the weekly meeting Adam suggested we make self-service keystone a focus
> point of the PTG[9]. Currently, policy limitations make it difficult for an
> unprivileged keystone user to get things done or to get information without
> the help of an administrator. There are some other projects that have been
> created to act as workflow proxies to mitigate keystone's limitations, such
> as Adjutant[10] (now an official OpenStack project) and Ksproj[11] (written
> by Kristi). The question is whether the primitives offered by keystone are
> sufficient building blocks for these external tools to leverage, or if we
> should be doing more of this logic within keystone. Certainly improving our
> RBAC model is going to be a major part of improving the self-service user
> experience.
>
> [9] http://eavesdrop.openstack.org/meetings/keystone/2018/keystone.2018-08-07-16.00.log.html#l-121
> [10] https://adjutant.readthedocs.io/en/latest/
> [11] https://github.com/CCI-MOC/ksproj
>
> ### Standalone Keystone
>
> Also at the meeting and during office hours, we revived the discussion of
> what it would take to have a standalone keystone be a useful identity
> provider for non-OpenStack projects[12][13]. First up we'd need to turn
> keystone into a fully-fledged SAML IdP, which it's not at the moment (which
> is a point of confusion in our documentation), or even add support for it
> to act as an OpenID Connect IdP. This would be relatively easy to do (or at
> least not impossible). Then the application would have to use
> keystonemiddleware or its own middleware to route requests to keystone to
> issue and validate tokens (this is one aspect where we've previously
> discussed whether JWT could benefit us). Then the question is what should a
> not-OpenStack application do with keystone's "scoped RBAC"? It would all
> depend on how the resources of the application are grouped and whether they
> care about multitenancy in some form. Likely each application would have
> different needs and it would be difficult to find a one-size-fits-all
> approach. We're interested to know whether anyone has a burning use case
> for something like this.
>
> [12] http://eavesdrop.openstack.org/meetings/keystone/2018/keystone.2018-08-07-16.00.log.html#l-192
> [13] http://eavesdrop.openstack.org/irclogs/%23openstack-keystone/%23openstack-keystone.2018-08-07.log.html#t2018-08-07T17:01:30
>
> ### PTG Planning
>
> We're in the brainstorming phase for the PTG; please add topics to the
> etherpad[14]. Lance will organize these into an agenda soonish.
>
> [14] https://etherpad.openstack.org/p/keystone-stein-ptg
>
> ## Recently Merged Changes
>
> Search query: https://bit.ly/2IACk3F
>
> We merged 16 changes this week.
>
> ## Changes that need Attention
>
> Search query: https://bit.ly/2wv7QLK
>
> There are 54 changes that are passing CI, not in merge conflict, have no
> negative reviews and aren't proposed by bots. Special attention should be
> given to patches that close bugs, and we should make sure we backport any
> critical bugfixes to stable/rocky.
>
> ## Bugs
>
> This week we opened 2 new bugs and closed 3. There don't currently seem to
> be any showstopper bugs for Rocky. orange_julius has been chasing a fun,
> apparently longstanding bug in ldappool[15], our traditionally low-effort
> adopted project.
>
> Bugs opened (2)
> Bug #1786383 (keystone:Undecided) opened by Liyingjun
> https://bugs.launchpad.net/keystone/+bug/1786383
> Bug #1785898 (ldappool:Undecided) opened by Nick Wilburn
> https://bugs.launchpad.net/ldappool/+bug/1785898
>
> Bugs fixed (3)
> Bug #1782704 (keystone:High) fixed by Lance Bragstad
> https://bugs.launchpad.net/keystone/+bug/1782704
> Bug #1780503 (keystone:Medium) fixed by Gage Hugo
> https://bugs.launchpad.net/keystone/+bug/1780503
> Bug #1785164 (keystone:Undecided) fixed by wangxiyuan
> https://bugs.launchpad.net/keystone/+bug/1785164
>
> [15] https://bugs.launchpad.net/ldappool/+bug/1785898
>
> ## Milestone Outlook
>
> https://releases.openstack.org/rocky/schedule.html
>
> This week was the RC1 deadline as well as the string freeze, so we should
> not be merging any changes to strings for Rocky. We have two weeks to
> release another RC if we need to.
>
> ## Help with this newsletter
>
> Help contribute to this newsletter by editing the etherpad:
> https://etherpad.openstack.org/p/keystone-team-newsletter
> Dashboard generated using gerrit-dash-creator and
> https://gist.github.com/lbragstad/9b0477289177743d1ebfc276d1697b67
>
> __________________________________________________________________________
> OpenStack Development Mailing List (not for usage questions)
> Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>