[dev][keystone] Keystone Team Update - Week of 10 December 2018
Colleen Murphy
colleen at gazlene.net
Fri Dec 14 15:58:19 UTC 2018
# Keystone Team Update - Week of 10 December 2018
## News
### Policy questions
We had some topics related to RBAC and policy come up in discussions this week. We had an exchange over whether the reader role is really sufficient to describe the ability to read resources currently restricted to admins as well as resources currently restricted to members, or if those are really two different kinds of read levels[1][2]. We also discussed our current work on default roles with the cinder team[3] in light of their work on documenting some best practices for policy configuration in cinder[4]. Finally, in our efforts to convert our own policies to use the default roles[5], we're starting to deep-dive into the APIs to uncover their intentions, their current protections, and the most sensible default policies for them.
[1] http://lists.openstack.org/pipermail/openstack-discuss/2018-December/000888.html
[2] http://eavesdrop.openstack.org/irclogs/%23openstack-keystone/%23openstack-keystone.2018-12-13.log.html#t2018-12-13T18:03:51
[3] http://lists.openstack.org/pipermail/openstack-discuss/2018-December/000875.html
[4] https://review.openstack.org/624424
[5] https://review.openstack.org/#/q/status:open+topic:implement-default-roles
### Cleaning up old specs
At the weekly meeting we tangented from another topic to note that we've been doing a bad job of pruning the specs backlog and that we should organize some process around regularly reevaluating and prioritizing things in it[6].
[6] http://eavesdrop.openstack.org/meetings/keystone/2018/keystone.2018-12-11-16.00.log.html#l-88
### Immutable Roles and Resource Options for All
Morgan proposed a new spec[7] to lay the groundwork for implementing resource options for most or all resources in keystone, similar to the user options we have now that let us control MFA rights and PCI-DSS restrictions. We'd then like to build on this to make some resources, especially roles, immutable[8] or locked in order to prevent accidentally deleting deployment-critical resources, which we know has happened to more than one person.
[7] https://review.openstack.org/624692
[8] https://review.openstack.org/624162
## Open Specs
Stein specs: https://bit.ly/2Pi6dGj
Ongoing specs: https://bit.ly/2OyDLTh
We merged the JWT spec[9] and the domain limits spec[10]. Morgan proposed a new spec for Stein[11] although we are past the spec proposal freeze date. We may decide to push it to Train, but that will also delay starting on the new immutable resources spec[12].
[9] http://specs.openstack.org/openstack/keystone-specs/specs/keystone/stein/json-web-tokens.html
[10] http://specs.openstack.org/openstack/keystone-specs/specs/keystone/stein/domain-level-limit.html
[11] https://review.openstack.org/624162
[12] https://review.openstack.org/624692
## Recently Merged Changes
Search query: https://bit.ly/2pquOwT
We merged 38 changes this week. These included cleanup work to finish the documentation consolidation that we started a while ago, as well as several patches for default roles policy updates.
## Changes that need Attention
Search query: https://bit.ly/2RLApdA
There are 98 changes that are passing CI, not in merge conflict, have no negative reviews and aren't proposed by bots. These are mainly still the default roles policy changes from Lance.
## Bugs
This week we opened 5 new bugs and closed 5.
Bugs opened (5)
Bug #1807751 (keystone:Wishlist) opened by Morgan Fainberg https://bugs.launchpad.net/keystone/+bug/1807751
Bug #1807697 (keystone:Undecided) opened by Yang Youseok https://bugs.launchpad.net/keystone/+bug/1807697
Bug #1807805 (keystone:Undecided) opened by Zhongcheng Lao https://bugs.launchpad.net/keystone/+bug/1807805
Bug #1808059 (keystone:Undecided) opened by David Vallee Delisle https://bugs.launchpad.net/keystone/+bug/1808059
Bug #1808305 (python-keystoneclient:Undecided) opened by Neha Alhat https://bugs.launchpad.net/python-keystoneclient/+bug/1808305
Bugs closed (2)
Bug #1802136 (keystone:Undecided) https://bugs.launchpad.net/keystone/+bug/1802136
Bug #1808059 (keystone:Undecided) https://bugs.launchpad.net/keystone/+bug/1808059
Bugs fixed (3)
Bug #1794376 (keystone:High) fixed by Lance Bragstad https://bugs.launchpad.net/keystone/+bug/1794376
Bug #1803780 (keystone:Low) fixed by Adam Young https://bugs.launchpad.net/keystone/+bug/1803780
Bug #1803940 (keystonemiddleware:Wishlist) fixed by Artem Vasilyev https://bugs.launchpad.net/keystonemiddleware/+bug/1803940
## Milestone Outlook
https://releases.openstack.org/stein/schedule.html
## Help with this newsletter
Help contribute to this newsletter by editing the etherpad: https://etherpad.openstack.org/p/keystone-team-newsletter
Dashboard generated using gerrit-dash-creator and https://gist.github.com/lbragstad/9b0477289177743d1ebfc276d1697b67