# Keystone Team Update - Week of 5 March 2018
## News
### PTG Summaries
Last week many of us attended the PTG in Dublin and made significant progress
on a lot of keystone topics. Here are some recaps:
- https://www.lbragstad.com/blog/keystone-rocky-ptg-summary
- http://www.gazlene.net/dublin-ptg.html
### URL whitelisting for application credentials
One of the major topics at the PTG was the next steps for application
credentials. To make them truly useful we need to enable finer-grained access
control than what we can currently provide with our traditional "scope RBAC"
system. It turns out we already had a spec proposed[1] that predated
application credentials but that largely fills the gaps here. A lot of the
elements in this proposal were very similar to the RBAC in middleware
proposal[2] and Adam had major concerns that the approach taken here would
conflict with the path to eventually properly fixing RBAC in keystone. We were
able to get on a call together and come to a compromise, which is that
operators must be able to pre-approve allowed API paths that a user can add to
their application credential whitelists, but allowing wildcards in the
pre-approved list is acceptable. This gives users a safety net against
accidentally enabling something they didn't intend, and it puts us on a path
toward fully managed policy mappings in keystone eventually.
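
The compromise above can be pictured as a validation step that runs when a user submits whitelist entries. This is an added sketch, not keystone code or the spec's design: the paths, the function names and the wildcard semantics (`*` matches exactly one path segment, user entries are concrete paths) are all assumptions.

```python
import re
from urllib.parse import unquote

# Constructed operator pre-approved list: (method, path pattern).
# Assumed semantics: "*" stands for exactly one path segment.
PRE_APPROVED = [
    ("GET", "/v2.1/servers"),
    ("GET", "/v2.1/servers/*"),
    ("POST", "/v2.1/servers/*/action"),
]

def _compile(pattern):
    # Translate segment by segment so "*" can never span a "/".
    parts = ["[^/]+" if seg == "*" else re.escape(seg) for seg in pattern.split("/")]
    return re.compile("/".join(parts))

def _canonical(path):
    # Decode first, then refuse anything a later router might resolve differently.
    decoded = unquote(path)
    segments = decoded.split("/")[1:]
    if not decoded.startswith("/") or any(s in ("", ".", "..") for s in segments):
        raise ValueError("non-canonical path")
    if "*" in decoded:
        raise ValueError("wildcards are reserved for the operator list")
    return decoded

def validate_whitelist(requested):
    """Split a user's requested entries into (accepted, rejected)."""
    accepted, rejected = [], []
    for method, path in requested:
        try:
            canon = _canonical(path)
        except ValueError:
            rejected.append((method, path))
            continue
        if any(m == method.upper() and _compile(p).fullmatch(canon)
               for m, p in PRE_APPROVED):
            accepted.append((method.upper(), canon))
        else:
            rejected.append((method, path))
    return accepted, rejected

# Constructed user request for a new application credential.
SAMPLE = [
    ("GET", "/v2.1/servers/4f1c"),
    ("POST", "/v2.1/servers/4f1c/action"),
    ("DELETE", "/v2.1/servers/4f1c"),                 # method not pre-approved
    ("GET", "/v2.1/servers/4f1c/../../os-keypairs"),  # dot segments
    ("GET", "/v2.1/servers/a%2Fb"),                   # encoded slash adds a segment
]
```

Matching per segment rather than with a shell-style glob is what keeps an operator entry such as `/v2.1/servers/*` from also covering deeper paths under it.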
### Unified Limits next steps
Lance proposed creating a new Oslo library[3] to continue the next stage of
work of unifying quota implementations in keystone. We will also need to
propose an Oslo spec[4] to coordinate this work with the Oslo team. We're also
trying to work out some of the oddities in the current API implementation and
hoping to come out with a consistent and useful interface[5].
### Changing meeting time
We proposed changing the meeting time[6] to make it easier for one of our newer
contributors to join. The meeting change was merged[7] so next week's meeting
will be at 1600 UTC in #openstack-meeting-alt.
### Domain and Project scope
Adrian brought us a fun puzzle[8][9][10] involving ambiguity between how role
assignments are handled between domains and projects. Some bugs were opened to
correct some logic errors but the open question is what kind of future we see
for domains and projects.
[1] https://review.openstack.org/#/c/396331/
[2] https://review.openstack.org/#/c/391624/
[3] http://lists.openstack.org/pipermail/openstack-dev/2018-March/128006.html
[4] http://lists.openstack.org/pipermail/openstack-dev/2018-March/128032.html
[5] http://lists.openstack.org/pipermail/openstack-dev/2018-March/128027.html
[6] http://lists.openstack.org/pipermail/openstack-dev/2018-March/127970.html
[7] https://review.openstack.org/#/c/550260/
[8] http://eavesdrop.openstack.org/irclogs/%23openstack-keystone/%23openstack-keystone.2018-03-08.log.html#t2018-03-08T23:43:31
[9] http://eavesdrop.openstack.org/irclogs/%23openstack-keystone/%23openstack-keystone.2018-03-09.log.html#t2018-03-09T02:49:24
[10] http://lists.openstack.org/pipermail/openstack-dev/2018-March/128093.html
## Open Specs
Search query: https://goo.gl/eyTktx
We have four specs proposed for the Rocky cycle so far.
### Repropose JWT specification for Rocky[11]
We already wrote a "this would be nice" spec about implementing JSON Web Tokens
as a new token format, and this cycle we have some of the token provider
refactoring far enough along that we're ready to commit to implementing it.
### Add whitelist-extension-for-app-creds[12]
As discussed above, this was a major topic at the PTG and the next logical step
in making application credentials useful.
### Add specification for a capabilities API[13]
Another topic we discussed at the PTG was expanding on our JSON-home document
to provide a way for users to query what they have permissions to do within
keystone.
### Hierarchical Unified Limits[14]
With our initial limits API supporting a flat project structure, the next step
is supporting hierarchical project models.
[11] https://review.openstack.org/541903
[12] https://review.openstack.org/396331
[13] https://review.openstack.org/547162
[14] https://review.openstack.org/540803
## Recently Merged Changes
Search query: https://goo.gl/hdD9Kw
We merged 4 changes this week.
Might be a bit unfair to count this week since many of us are still recovering
from travel and digesting the events of the PTG.
## Changes that need Attention
Search query: https://goo.gl/tW5PiH
There are 41 changes that are passing CI, not in merge conflict, have no
negative reviews and aren't proposed by bots.
## Milestone Outlook
https://releases.openstack.org/rocky/schedule.html
Welcome to the new cycle! We haven't proposed deadlines yet, but at the PTG we
discussed moving our feature freeze deadline up to avoid the rush, as well as
aiming for finishing client work earlier in order to avoid pressuring the OSC
team at the end of the cycle.
## Shout-outs
Thanks to Johannes Grassler for stepping up to work on the application
credentials whitelist effort after we failed to give adequate attention to his
proposal in earlier cycles.
## Help with this newsletter
Help contribute to this newsletter by editing the etherpad:
https://etherpad.openstack.org/p/keystone-team-newsletter