[keystone] Pre-feature-freeze update

Colleen Murphy colleen at gazlene.net
Sat Sep 7 04:57:15 UTC 2019


I won't be writing a team report since I'm still figuring out which way is up after a week in the desert, but with feature freeze next week I wanted to give a status update on all the in-flight work that is due next week:

* System Scope and Default Roles

All documented scope[1] and role[2] migrations are in progress. Some are closer to done than others. Since enforce_scope cannot be set to true in keystone.conf until all of them are completed, and since leaving deprecation warnings in the logs for more than two cycles is a very undesirable operator experience, it's essential we complete these by next week.

* Application Credential Access Rules

This implementation[3] for keystone has been completed for months but the last few patches in the stack are lacking reviews. Client support has been proposed but with the final client release happening next week we will likely not land it until next cycle.

* Resource Options and Immutable Resources

Resource options[4] and immutable resources[5] are intertwined and the finishing touches are still being applied. Hope to have this completed early next week.

* Federated Attributes for Users

Support for federated attributes for users[6] is passing CI but needs reviews. It's unclear to me how much has changed since those patches were originally proposed two years ago, so it's unfortunate that we're only left with a week to look at them.

* Expiring Group Membership

There is only a partial implementation proposed for expiring group membership[7] and neither patch is passing CI. This seems to have effectively missed the feature proposal freeze deadline which was a few weeks ago and will not likely make it in this cycle.

* CI

After skimming the meeting logs I saw the unit test timeout problem was discussed and a temporary workaround was proposed[8]. This sounded like a great idea but it seems that no one implemented it, so I did[9]. Unfortunately this will conflict with all the system-scope/default-roles patches in flight. With how many changes need to go in and how slow it will be with all of them needing to be rechecked and continually making the problem even worse, I propose we go ahead and merge the workaround ASAP and update all the in-flight changes to move the protection tests to the new location.

It also appears that the non-voting federation CI broke recently; this will hopefully be fixed by updating the opensuse nodeset[10].

[1] https://bugs.launchpad.net/keystone/+bugs?field.tag=system-scope
[2] https://bugs.launchpad.net/keystone/+bugs?field.tag=default-roles
[3] https://review.opendev.org/#/q/topic:bp/whitelist-extension-for-app-creds
[4] https://review.opendev.org/678322
[5] https://review.opendev.org/#/q/topic:immutable-resources
[6] https://review.opendev.org/#/q/topic:bp/support-federated-attr
[7] https://review.opendev.org/#/q/topic:bug/1809116
[8] http://eavesdrop.openstack.org/meetings/keystone/2019/keystone.2019-08-27-16.01.log.html#l-84
[9] https://review.opendev.org/680788
[10] https://review.opendev.org/680799

Colleen


