[keystone] Keystone Team Update - Week of 12 August 2019

Colleen Murphy colleen at gazlene.net
Fri Aug 16 23:34:09 UTC 2019 

# Keystone Team Update - Week of 12 August 2019

## News

### Feature Proposal Freeze

This week is our scheduled feature proposal freeze[1], see status summary post[2].

[1] https://releases.openstack.org/train/schedule.html
[2] http://lists.openstack.org/pipermail/openstack-discuss/2019-August/008549.html

### Trusts API

While implementing system scope and default roles for the trusts API we discovered an inconsistency in the error handling for the GET trust details request: most of our APIs do RBAC enforcement first thing, and return a 403 if the resource is missing so as not to divulge whether there's a record in the database for the requested resource. The GET trust details request does the database lookup first and exposes a 404 to the user if the record is missing. We discussed in the bug report[3] whether this is desireable, intended, acceptable, or dangerous behavior, and so far have converged on not fixing the issue in the interest of not breaking the API contract. If you have feelings to the contrary, please speak up in the bug report.

[3] https://bugs.launchpad.net/bugs/1840288

## Action Items

* knikolla to finish initial implementation proposal of renewable group membership next week
* kmalloc to finish initial implementation proposal of resource options migration next week

## Office Hours

When there are topics to cover, the keystone team holds office hours on Tuesdays at 17:00 UTC.

The topic for next week's office hour will be: feature proposal review - we'll walk through code implementations (if available) and answer any questions, or discuss design details if code is not available yet

The location for next week's office hour will be: https://meet.jit.si/keystone-office-hours

Add topics you would like to see covered during office hours to the etherpad: https://etherpad.openstack.org/p/keystone-office-hours-topics

## Open Specs

Ongoing specs: https://bit.ly/2OyDLTh

## Recently Merged Changes

Search query: https://bit.ly/2pquOwT

We merged 15 changes this week, which included support for auth receipts in keystoneauth[4], the IPv6 community goal work[5], and some more changes to implement access rules in application credentials[6].

[4] https://review.opendev.org/675049
[5] https://review.opendev.org/671903
[6] https://review.opendev.org/#/q/status:merged+topic:bp/whitelist-extension-for-app-creds+-age:1week

## Changes that need Attention

Search query: https://bit.ly/2tymTje

There are 47 changes that are passing CI, not in merge conflict, have no negative reviews and aren't proposed by bots.

### Priority Reviews

* Train Roadmap Stories

- System scope/default roles (https://trello.com/c/ERo50T7r , https://trello.com/c/RlYyb4DU)
  + https://review.opendev.org/#/q/status:open+topic:implement-default-roles+label:verified%253D%252B1
  + https://review.opendev.org/#/q/status:open+topic:trust-policies
  + https://review.opendev.org/#/q/topic:bug/1805409
- Federated attributes for users (https://trello.com/c/dEmSumDQ)
  + https://review.opendev.org/#/q/status:open+topic:bp/support-federated-attr
- Application credential access rules (https://trello.com/c/dJsWMI4W)
  + https://review.opendev.org/#/q/status:open+topic:bp/whitelist-extension-for-app-creds

* Closes bugs

- Honor group_members_are_ids for user_enabled_emulation https://review.opendev.org/674782
- Cleanup session on delete https://review.opendev.org/674139
- token: consistently decode binary types https://review.opendev.org/665617

* Oldest

- OpenID Connect improved support https://review.opendev.org/373983

## Bugs

This week we opened 6 new bugs and closed 3.

Bugs opened (6) 
Bug #1840288 (keystone:High) opened by Colleen Murphy https://bugs.launchpad.net/keystone/+bug/1840288 
Bug #1840291 (keystone:Medium) opened by Rabi Mishra https://bugs.launchpad.net/keystone/+bug/1840291 
Bug #1840090 (keystone:Undecided) opened by Adrian Turjak https://bugs.launchpad.net/keystone/+bug/1840090 
Bug #1840403 (keystone:Undecided) opened by Ariya Jantaravises https://bugs.launchpad.net/keystone/+bug/1840403 
Bug #1839748 (keystoneauth:High) opened by Adrian Turjak https://bugs.launchpad.net/keystoneauth/+bug/1839748 
Bug #1840235 (keystoneauth:Undecided) opened by Rabi Mishra https://bugs.launchpad.net/keystoneauth/+bug/1840235 

Bugs closed (1) 
Bug #1840288 (keystone:High) https://bugs.launchpad.net/keystone/+bug/1840288 

Bugs fixed (2) 
Bug #1839577 (keystone:Medium) fixed by Adrian Turjak https://bugs.launchpad.net/keystone/+bug/1839577 
Bug #1839748 (keystoneauth:High) fixed by Adrian Turjak https://bugs.launchpad.net/keystoneauth/+bug/1839748

## Milestone Outlook

https://releases.openstack.org/train/schedule.html

This week is feature proposal freeze week for the keystone team, which as mentioned previously is being extended for some initiatives.

Oslo feature freeze is in two weeks: anything we need to complete for oslo.policy needs to be merged before then. Oslo.limit is still pre-1.0 so feature freeze won't apply to it.

The PTL nomination period is also in two weeks: while I intend to run again I'm also happy to answer questions about the role if anyone wants to also put their name in.

Final release for non-client libraries (keystonemiddleware, keystoneauth) is in three weeks. 

Feature freeze and client library freeze is in four weeks. This is also the soft string freeze and the requirements freeze and the community goals deadline.

## Shout-outs

Keystoneauth now supports multi-factor authentication and auth receipts[7]. Thanks to Adrian for tackling this ahead of the library freeze deadline!

[7] https://docs.openstack.org/keystoneauth/latest/authentication-plugins.html#multi-factor-with-v3-identity-plugins

## Help with this newsletter

Help contribute to this newsletter by editing the etherpad: https://etherpad.openstack.org/p/keystone-team-newsletter

More information about the openstack-discuss mailing list