[Openstack] Keystone Update: E2 shipped, but RBAC moving to Essex+1
ziad.sawalha at rackspace.com
Tue Dec 20 21:42:32 UTC 2011
We've put out some prototypes and information on RBAC:
1. There is a blueprint out there: https://blueprints.launchpad.net/keystone/+spec/rbac-keystone
2. We have a prototype for the middleware that shows what it would send down to Nova (and other services): see email below with links and highlighted JSON sample response.
3. We have the API that Dashboard and other users could use defined here: https://review.openstack.org/#change,1243
However, feedback has been slow in coming and time is not on our side. While the Keystone team could move this along by E3 (Jan 26), there is doubt that we would be able to get the necessary input, feedback, and alignment from the other core projects. We are therefore moving to push RBAC to Essex+1 (given E3 is the last milestone to add new features in Keystone).
Unless we hear back with commitments, resources, or data that would change the outlook on this, we'll go ahead with that change.
An alternative to providing the functionality in Keystone is (per anotherjesse):
* adding to nova/glance/swift hooks (nova only had it in the ec2 api,
we need to move the checks to a more core location to check in both
the ec2 and openstack api)
* loading static rulesets in services (what we did in nova since the
Meanwhile, here are some updates on Keystone:
- we shipped a D5 compatibility front-end
- 45 bugs fixed
- endpoint updates (global endpoints always returned, adminURL restricted to admin users)
- much documentation added (keystone.openstack,org and http://docs.openstack.org/trunk/openstack-identity/admin/content/)
- portable-identifiers have made it into trunk (didn't make it in time into E2).
Regards and Happy Holidays,
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Openstack