Hi all,

Keystone recently took a big step in implementing the default roles work that's been a hot topic over the past year [0][1][2][3][4], and a big piece in making RBAC more robust across OpenStack. We merged a patch [5] that ensures the roles described in the specification [6] exist. This was formerly a cross-project specification [7], but rescoped to target keystone directly in hopes of making it a future community goal [8].

If you've noticed issues with various CI infrastructure, it could be due to the fact that a couple of new roles are being populated by keystone's bootstrap command. For example, if your testing infrastructure creates a role named 'Member' or 'member', you could see HTTP 409s since keystone is now creating that role by default. You can safely remove code that ensures that role exists, since keystone will now handle that for you. These types of changes have been working their way into infrastructure and deployment projects [9] this week.

If you're seeing something that isn't an HTTP 409 and suspect it is related to these changes, come find us in #openstack-keystone. We'll be around to answer questions about the changes in keystone and can assist in straightening things out.

[0] https://etherpad.openstack.org/p/policy-queens-ptg Queens PTG Policy Session
[1] https://etherpad.openstack.org/p/queens-PTG-keystone-policy-roadmap Queens PTG Roadmap Outline
[2] https://etherpad.openstack.org/p/rbac-and-policy-rocky-ptg Rocky PTG Policy Session
[3] https://etherpad.openstack.org/p/baremetal-vm-rocky-ptg Rocky PTG Identity Integration Track
[4] https://etherpad.openstack.org/p/YVR-rocky-default-roles Rocky Forum Default Roles Forum Session
[5] https://review.openstack.org/#/c/572243/
[6] http://specs.openstack.org/openstack/keystone-specs/specs/keystone/rocky/define-default-roles.html
[7] https://review.openstack.org/#/c/523973/
[8] http://lists.openstack.org/pipermail/openstack-dev/2018-May/130208.html
[9] https://review.openstack.org/#/q/(status:open+OR+status:merged)+branch:master+topic:fix-member