Open Stack

# Keystone Team Update - Week of 19 August 2019

## News

### Development focus

Feature freeze as well as a number of other deadlines are fast approaching. The development focus for the next three weeks should be:

* reviews for changes implementing specs:
    - app cred access rules[1]
    - resource options for all resources[2]
    - immutable resources[3]
    - renewable group membership[4]
* finish implementing and reviewing remaining system-scope[5]/default roles[6] migrations (deadline is feature freeze, Sept 9-13)
* reviews for keystonemiddleware and keystoneauth[7] (final release Sept 2-6)
* reviews for python-keystoneclient[8] (final release Sept 9-13)
* helping the requirements team with any requirements issues[9] before requirements freeze (Sept 9-13)
* completing community goals (follow the PDF generation news[10])

Additionally, we're still facing issues with instability of our unit test jobs. Improving the efficiency of our unit tests in order to avoid frequent timeouts would go a long way to helping avoid the feature freeze gate crunch.

[1] https://review.opendev.org/#/q/is:open+topic:bp/whitelist-extension-for-app-creds
[2] https://review.opendev.org/678322
[3] https://review.opendev.org/#/q/is:open+topic:immutable-resources
[4] https://review.opendev.org/677469
[5] https://bugs.launchpad.net/keystone/+bugs?field.tag=system-scope
[6] https://bugs.launchpad.net/keystone/+bugs?field.tag=default-roles
[7] https://review.opendev.org/#/q/is:open+(project:openstack/keystoneauth+OR+project:openstack/keystonemiddleware)
[8] https://review.opendev.org/#/q/is:open+project:openstack/python-keystoneclient
[9] https://bugs.launchpad.net/keystone/+bug/1839393
[10] http://lists.openstack.org/pipermail/openstack-discuss/2019-August/008506.html

### keystoneauth session retries

The heat team reported an issue in keystoneauth[11] where the way in which heat currently uses keystoneauth sessions is unable to take advantage of the request retry logic that is currently exposed only in the adapter. The proposal to fix the issue[12] exposes one of the retry options (connect_retries) in the session object. We've been in discussions on the bug report, on the patch, and in IRC[13][14] about whether this is the best approach and whether it would be better to change the way heat uses keystoneauth (would require a massive rewrite) or to expose the request retry options on the auth plugin in order to localize it to keystone requests (but that's an awkward home for it too). We've also been in disagreement about whether this change constitutes a feature or a bugfix with regards to backportability.

[11] https://bugs.launchpad.net/keystoneauth/+bug/1840235
[12] https://review.opendev.org/676648
[13] http://eavesdrop.openstack.org/irclogs/%23openstack-sdks/%23openstack-sdks.2019-08-16.log.html#t2019-08-16T15:04:39
[14] http://eavesdrop.openstack.org/irclogs/%23openstack-keystone/%23openstack-keystone.2019-08-23.log.html#t2019-08-23T15:55:10

## Action Items

* Vishakha to look into oauthlib requirements issue[15]
* Kristi to propose spec to backlog about merging federation and identity backends

[16] https://bugs.launchpad.net/keystone/+bug/1839393

## Office Hours

When there are topics to cover, the keystone team holds office hours on Tuesdays at 17:00 UTC.

There will be no office hours this week or next week.

Add topics you would like to see covered during office hours to the etherpad: https://etherpad.openstack.org/p/keystone-office-hours-topics

## Open Specs

Train specs: https://bit.ly/2uZ2tRl

Ongoing specs: https://bit.ly/2OyDLTh

## Recently Merged Changes

Search query: https://bit.ly/2pquOwT

We merged 13 changes this week, including changes to implement system scope for the endpoint groups API.

## Changes that need Attention

Search query: https://bit.ly/2tymTje

There are 68 changes that are passing CI, not in merge conflict, have no negative reviews and aren't proposed by bots.

### Priority Reviews

* Train Roadmap Stories

- System scope/default roles (https://trello.com/c/ERo50T7r , https://trello.com/c/RlYyb4DU)
  + https://review.opendev.org/#/q/status:open+topic:implement-default-roles+label:verified%253D%252B1
  + https://review.opendev.org/#/q/status:open+topic:trust-policies
  + https://review.opendev.org/#/q/topic:bug/1805409
- Federated attributes for users (https://trello.com/c/dEmSumDQ)
  + https://review.opendev.org/#/q/status:open+topic:bp/support-federated-attr
- Application credential access rules (https://trello.com/c/dJsWMI4W)
  + https://review.opendev.org/#/q/status:open+topic:bp/whitelist-extension-for-app-creds
- Immutable resources (https://trello.com/c/clIb4qMq)
  + https://review.opendev.org/#/q/topic:immutable-resources
- Resource options for all (https://trello.com/c/8ML6kvig)
  + https://review.opendev.org/678322

* Needs Discussion

- Allow initializing session with connection retries https://review.opendev.org/676648

* Oldest

- OpenID Connect improved support (spec) https://review.opendev.org/373983

* Closes bugs

- Cleanup session on delete https://review.opendev.org/674139

## Bugs

This week we opened 1 new bugs and closed 2.

Bugs opened (1) 
Bug #1840647 (keystone:Undecided) opened by Nikita Kalyanov https://bugs.launchpad.net/keystone/+bug/1840647 ) 

Bugs fixed (2) 
Bug #1840291 (keystone:Medium) fixed by Rabi Mishra https://bugs.launchpad.net/keystone/+bug/1840291 
Bug #1818734 (keystone:Low) fixed by Colleen Murphy https://bugs.launchpad.net/keystone/+bug/1818734

## Milestone Outlook

https://releases.openstack.org/train/schedule.html

Final release for non-client libraries (keystoneauth, keystonemiddleware) is in two weeks.

Feature freeze and final client release is in three weeks.

## Help with this newsletter

Help contribute to this newsletter by editing the etherpad: https://etherpad.openstack.org/p/keystone-team-newsletter