OpenStack Mitaka Design Summit

What problem is this trying to solve?:
    There is a longterm issue with token expiration during image upload. It irritates users, reduces functionality and leads to differen bugs, including security. Trusts mechanism will allow us to eliminate it for good.
Discussion:
We should discuss the implementation of trusts in Glance.


Moderator: Mike Fedosin (mfedosin)
Etherpad: https://etherpad.openstack.org/p/mitaka-glance-trusts

https://etherpad.openstack.org/p/keystone-mitaka-summit-tokens

Tokens
- Criteria for getting fernet to be default?
- fernet in tempest tests and devstack
- More documentation - there's a lot of misconceptions on fernet tokens (ie, they have to be simultaneously rotated on all nodes).
- Guidelines on how often to rotate
- fernet token validation performance improvements
- Gating of PKI deprecation on Fernet

Tokenless Auth
- Criteria for getting tokenless auth to be default in devstack?
- Certs instead of service accounts (wishlist)

https://etherpad.openstack.org/p/keystone-mitaka-summit-multitenancy

hierarchical multitenancy

- Suggestion: To aid the review of these patches, we should implement this in two phases:
- Phase 1: Replace the unerlying implementation of domains with top level projects acting as domains
- Phase 2: Support a hieracrchy of projects acting as domains
- feature branch

https://etherpad.openstack.org/p/keystone-mitaka-summit-policy

Policy

We made some head-way, what's the next logical step?
- Distribution of policy files from Keystone server: Either we should use the policy backend or deprecate.
- Management of Roles
- Merge role ID and Role name
- Get a standard base set of roles
- Idea 1: Virtual roles (aka role-groups): This proposes "management roles" to be created that map to "policy roles" (i.e. those that appear in a policy file)
- This is composed of three distinct things:
- Role inference (assigning one role grants a second)
- Hidden roles (an assiged role that does not show up in a token)
- Role namespaces
- Idea 2: Implied roles: This proposes a role hierarchy of policy roles
- Virtual only misses the ability to compose permissions. We were going to push this on the POlicy side, but we can start on the token issuing
- Bug 968696 (Admin not properly scoped)
- How to handle APIS not scoped to projects
- Roles for management of remote services like "add hypervisor"
- How to delete a resource where the project has been deleted

https://etherpad.openstack.org/p/keystone-mitaka-summit-deprecations

deprecations

- ldap assignment driver?
- ldap write support? (Also, python3-ldap instead of python-ldap)
- eventlet?
- v2.0 API?!?!
- PKI and/or PKIz
- PKI can go once we have Fernet as default. Focus should be on making Fernet as robust as possible.

https://etherpad.openstack.org/p/keystone-mitaka-summit-federation

Federation

- With keystoneauth merged with openstackclient we will be able to finish client side (esp k2k)
- Service Providers endpoint filtering - today every user gets set of enabled service providers in the token response. We should be able to limit it per user/scoped project/scoped domain etc - https://review.openstack.org/#/c/188534/
- Native tracing of the ephemeral users - please see section
- keystoneauth1.session.Session() should allow for getting remote-clouds Session() objects basing on K2K. Something like sp_session = session.Session().get_remote_session('sp1')
- What's the best way to have configurations for multiple clouds and easily switch between them - each cloud should have at least project/domain id to scope to. Is it os-cloud-config?
- Troubleshooting and debugging support
- Mix and Match federation
- What was demo'ed in Boston from the folks from MOC
- Use local nova, but get images from a remote SP glance
- Use local swift, but sign objects from a remote SP barbican
- LDAP "federation" - we should formally support use of an Apache lookup module for LDAP, then allow mapping into keystone groups via the regualar federation mapper
- We need SSSD/identity_look to be domain-friendly. i.e. pass down both DN and domain
- deprecate ldap identity(henrynash) Not for a looooong time, my friend, but one day
- Mapping engine - relies on the string substitution and concatenation - this stops us from fixing few open bugs (https://bugs.launchpad.net/keystone/+bug/1401057). Are we happy with the engine for now so there is no urgent need for rewriting it? Are we relatively happy with that and some work would be welcomed? Do we need more intelligent DSL kind of language? Do we miss anything (in terms of functionalities)?
- Pre-canned mappings? the K2K mapping and Tokenless Auth mapping are for the most part, very similar looking.

Work sessions are for Keystone contributors to discuss implementation details and making quick progress over specific issues, in a small work group environment.

https://etherpad.openstack.org/p/keystone-mitaka-summit-server

Server

- Move extensions to core
- Role Assignment inheritance
- Move extension migration scripts to core
- Improvements to performance (i.e. caching, data layer call inspection)

Swift Work Session 3:

Topics to cover:
* Keystone session in swiftclient
* swiftclient docs

Work sessions are for Keystone contributors to discuss implementation details and making quick progress over specific issues, in a small work group environment.

https://etherpad.openstack.org/p/keystone-mitaka-summit-testing

Testing

Functional testing -- We need to figure out what keystone functional tests are. From feedback what we're thinking is not correct. The functional tests are supposed to verify using the backends directly.
- Prepare base classes for functional tests
- Scenario 1: Fernet
- Scenario 2: LDAP
- Scenario 3: Federated Identity
- Scenario 4: K2K
Unit Test refactoring

Work sessions are for Keystone contributors to discuss implementation details and making quick progress over specific issues, in a small work group environment.

https://etherpad.openstack.org/p/keystone-mitaka-summit-oslo-and-docs

Oslo + Docs

- oslo.cache changes?
- any other oslo libs?
- Improve documentation for libraries

Let's discuss the way forward for a service "protecting" Nova resources.

More info:
https://etherpad.openstack.org/p/mitaka-nova-service-users

https://etherpad.openstack.org/p/keystone-mitaka-summit-libraries

Keystone Libraries

Keystonemiddleware
- Tokenless auth support?
- Can be done with strong authentication
- Needs an API that returns the same data as token validation that can be called by service users
- Federation mix and match support?
- Change KSM to use KSA

KeystoneAuth
- Ready for primetime
- Merge with openstackclient
- Make version discovery more LB friendly
- may need a configurable way to disable version discovery

Keystoneclient
- When to do a 2.0 release that removes CLI/Auth/Middleware?!

https://etherpad.openstack.org/p/keystone-mitaka-summit-x-project

Cross-Project

- Let's finally kill off the discussion of LDAP user list, and settle with listing role assignments instead! (How about lets fix role assignments too?!!! Anybody try "openstack role assignment list" command and actually *like* what it displays? :))
- Many stakeholders have problem with the ephemerality of the users - they need to be able to trace users actions for instance for billing and security. Keystone has native support for CADF events (thanks stevemar), but that's just a half of the solution as nothing consumes them by default. We should think on a solution that will allow deployers to track ephemeral users and make it available in a default DevStack installation. The first shot is Ceilometer/Gnocchi. +1 (henrynash)
- Automatic provisioning of projects when Federated users first log in:
- Notification driven

The Keystone contributors meetup is a informal gathering of the project contributors, with an open agenda.

The Keystone contributors meetup is a informal gathering of the project contributors, with an open agenda.