Open Stack

# Keystone Team Update - Week of 5 March 2018

## News

### PTG Summaries

Last week many of us attended the PTG in Dublin and made significant progress on a lot of keystone topics. Here are some recaps:
    
- https://www.lbragstad.com/blog/keystone-rocky-ptg-summary
- http://www.gazlene.net/dublin-ptg.html

### URL whitelisting for application credentials

One of the major topics at the PTG was the next steps for application credentials. To make them truly useful we need to enable finer-grained access control than what we can currently provide with our traditional "scope RBAC" system. It turns out we already had a spec proposed[1] that predated application credentials but that largely fills the gaps here. A lot of the elements in this proposal were very similar to the RBAC in middleware proposal[2] and Adam had major concerns that the approach taken here would conflict with the path to eventually properly fixing RBAC in keystone. We were able to get on a call together and come to a compromise, which is that operators must be able to pre-approve allowed API paths that a user can add to their application credential whitelists, but allowing wildcards in the pre-approved list is acceptable. This can enable a safety net for users to avoid them accidentally enabling something they didn't intend, and it will put us on a path toward fully managed policy mappings in keystone eventually.

### Unified Limits next steps

Lance proposed creating a new Oslo library[3] to continue the next stage of work of unifying quota implementations in keystone. We will also need to propose an Oslo spec[4] to coordinate this work with the Oslo team. We're also trying to work out some of the oddities in the current API implementation and hoping to come out with a consistent and useful interface[5].

### Changing meeting time

We proposed changing the meeting time[6] to make it easier for one of our newer contributors to join. The meeting change was merged[7] so next week's meeting will be at 1600 UTC in #openstack-meeting-alt.

### Domain and Project scope

Adrian brought us a fun puzzle[8][9][10] involving ambiguity between how role assignments are handled between domains and projects. Some bugs were opened to correct some logic errors but the open question is what kind of future we see for domains and projects.

[1] https://review.openstack.org/#/c/396331/
[2] https://review.openstack.org/#/c/391624/
[3] http://lists.openstack.org/pipermail/openstack-dev/2018-March/128006.html
[4] http://lists.openstack.org/pipermail/openstack-dev/2018-March/128032.html
[5] http://lists.openstack.org/pipermail/openstack-dev/2018-March/128027.html
[6] http://lists.openstack.org/pipermail/openstack-dev/2018-March/127970.html
[7] https://review.openstack.org/#/c/550260/
[8] http://eavesdrop.openstack.org/irclogs/%23openstack-keystone/%23openstack-keystone.2018-03-08.log.html#t2018-03-08T23:43:31
[9] http://eavesdrop.openstack.org/irclogs/%23openstack-keystone/%23openstack-keystone.2018-03-09.log.html#t2018-03-09T02:49:24
[10] http://lists.openstack.org/pipermail/openstack-dev/2018-March/128093.html

## Open Specs

Search query: https://goo.gl/eyTktx

We have four specs proposed for the Rocky cycle so far.

### Repropose JWT specification for Rocky[11]

We already wrote a "this would be nice" spec about implementing JSON Web Tokens as a new token format, and this cycle we have some of the token provider refactoring far enough along that we're ready to commit to implementing it.

### Add whitelist-extension-for-app-creds[12]

As discussed above, this was a major topic at the PTG and the next logical step in making application credentials useful.

### Add specification for a capabilities API[13]

Another topic we discussed at the PTG was expanding on our JSON-home document to provide a way for users to query what they have permissions to do within keystone.

### Hierarchical Unified Limits[14]

With our initial limtis API supporting a flat project structure, the next step is supporting hierarchical project models.

[11] https://review.openstack.org/541903
[12] https://review.openstack.org/396331
[13] https://review.openstack.org/547162
[14] https://review.openstack.org/540803

## Recently Merged Changes

Search query: https://goo.gl/hdD9Kw

We merged 4 changes this week.

Might be a bit unfair to count this week since many of us are still recovering from travel and digesting the events of the PTG.

## Changes that need Attention

Search query: https://goo.gl/tW5PiH

There are 41 changes that are passing CI, not in merge conflict, have no negative reviews and aren't proposed by bots.

## Milestone Outlook

https://releases.openstack.org/rocky/schedule.html

Welcome to the new cycle! We haven't proposed deadlines yet, but at the PTG we discussed moving our feature freeze deadline up to avoid the rush, as well as aiming for finishing client work earlier in order to avoid pressuring the OSC team at the end of the cycle.

## Shout-outs

Thanks to Johannes Grassler for stepping up to work on the application credentials whitelist effort after we failed to give adequate attention to his proposal in earlier cycles.

## Help with this newsletter

Help contribute to this newsletter by editing the etherpad: https://etherpad.openstack.org/p/keystone-team-newsletter