Hi everyone,

I will write an in-depth summary of the Forum and PTG some time in the coming week, but I wanted to quickly capture all the action items that came out of the last six days so that we don't lose too much focus:

Colleen
* move "Expand endpoint filters to Service Providers" spec[1] to attic
* review "Policy Goals"[2] and "Policy Security Roadmap"[3] specs with Lance, refresh and possibly combine them
* move "Unified model for assignments, OAuth, and trusts" spec[4] from ongoing to backlog, and circle up with Adam about refreshing it
* update app creds spec[5] to defer access_rules_config
* review app cred documentation with regard to proactive rotation
* follow up with nova/other service teams on need for microversion support in access rules
* circle up with Guang on fixing autoprovisioning for tokenless auth
* keep up to date with IEEE/NIST efforts on standardizing federation
* investigate undoing the foreign key constraint that breaks the pluggable resource driver
* propose governance change to add caching as a base service
* clean out deprecated cruft from keystonemiddleware
* write up Outreachy/other internship application tasks

[1] http://specs.openstack.org/openstack/keystone-specs/specs/keystone/backlog/service-providers-filters.html
[2] http://specs.openstack.org/openstack/keystone-specs/specs/keystone/ongoing/policy-goals.html
[3] http://specs.openstack.org/openstack/keystone-specs/specs/keystone/ongoing/policy-security-roadmap.html
[4] http://specs.openstack.org/openstack/keystone-specs/specs/keystone/ongoing/unified-delegation.html
[5] http://specs.openstack.org/openstack/keystone-specs/specs/keystone/train/capabilities-app-creds.html

Lance
* write up plan for tempest testing of system scope
* break up unified limits testing plan into separate items, one for CRUD in keystone and one for quota and limit validation in oslo.limit[6]
* write up spec for assigning roles on root domain
* (with Morgan) check for and add interface in oslo.policy to see if policy has been overridden

[6] https://trello.com/c/kbKvhYBz/20-test-unified-limits-in-tempest

Kristi
* finish mutable config patch
* propose "model-timestamps" spec for Train[7]
* move "Add Multi-Version Support to Federation Mappings" spec[8] to attic
* review and possibly complete "Devstack Plugin for Keystone" spec[9]
* look into "RFE: Improved OpenID Connect Support" spec[10]
* update refreshable app creds spec[11] to make federated users expire rather than app creds
* deprecate federated_domain_name

[7] http://specs.openstack.org/openstack/keystone-specs/specs/keystone/backlog/model-timestamps.html
[8] http://specs.openstack.org/openstack/keystone-specs/specs/keystone/backlog/versioned-mappings.html
[9] http://specs.openstack.org/openstack/keystone-specs/specs/keystone/ongoing/devstack-plugin.html
[10] https://bugs.launchpad.net/keystone/+bug/1815971
[11] https://review.opendev.org/604201

Vishakha
* investigate effort needed for Alembic migrations spec[12] (with help from Morgan)
* merge "RFE: Retrofit keystone-manage db_* commands to work with Alembic"[13] into "Use Alembic for database migrations" spec
* remove deprecated [signing] config
* remove deprecated [DEFAULT]/admin_endpoint config
* remove deprecated [token]/infer_roles config

[12] http://specs.openstack.org/openstack/keystone-specs/specs/keystone/backlog/alembic.html
[13] https://bugs.launchpad.net/keystone/+bug/1816158

Morgan
* review "Materialize Project Hierarchy" spec[14] and make sure it reflects the current state of the world, keep it in the backlog
* move "Functional Testing" spec[15] to attic
* move "Object Dependency Lifecycle" spec[16] to complete
* move "Add Endpoint Filter Enforcement to Keystonemiddleware" spec[17] to attic
* move "Request Helpers" spec[18] to attic
* create PoC of external IdP proxy component
* (with Lance) check for and add interface in oslo.policy to see if policy has been overridden
* investigate removing [eventlet_server] config section
* remove remaining PasteDeploy things
* remove PKI(Z) cruft from keystonemiddleware
* refactor keystonemiddleware to have functional components instead of needing keystone to instantiate keystonemiddleware objects for auth

[14] http://specs.openstack.org/openstack/keystone-specs/specs/keystone/backlog/materialize-project-hierarchy.html
[15] http://specs.openstack.org/openstack/keystone-specs/specs/keystone/ongoing/functional-testing.html
[16] http://specs.openstack.org/openstack/keystone-specs/specs/keystone/ongoing/object-dependency-lifecycle.html
[17] http://specs.openstack.org/openstack/keystone-specs/specs/keystonemiddleware/backlog/endpoint-enforcement-middleware.html
[18] http://specs.openstack.org/openstack/keystone-specs/specs/keystonemiddleware/backlog/request-helpers.html

Gage
* investigate with operators about specific use case behind "RFE: Whitelisting (opt-in) users/projects/domains for PCI compliance"[19] request
* follow up on "RFE: Token returns Project's tag properties"[20]
* remove use of keystoneclient from keystonemiddleware

[19] https://bugs.launchpad.net/keystone/+bug/1637146
[20] https://bugs.launchpad.net/keystone/+bug/1807697

Rodrigo
* Propose finishing "RFE: Project Tree Deletion/Disabling"[21] as an Outreachy project

[21] https://bugs.launchpad.net/keystone/+bug/1816105

Adam
* write up super-spec on explicit project IDs plus predictable IDs

Thanks everyone for a productive week and for all your hard work!

Colleen