
Keystone
Wednesday, October 28


Glance: Work session
What problem is this trying to solve?:
There is a long-term issue with token expiration during image upload. It irritates users, reduces functionality and leads to different bugs, including security ones. The trusts mechanism will allow us to eliminate it for good.
We should discuss the implementation of trusts in Glance.

Moderator: Mike Fedosin (mfedosin)
Etherpad: https://etherpad.openstack.org/p/mitaka-glance-trusts

Wednesday October 28, 2015 2:00pm - 2:40pm
Ho-O Room


Keystone: tokens and tokenless auth

- Criteria for getting fernet to be default?
- fernet in tempest tests and devstack
- More documentation - there are a lot of misconceptions about fernet tokens (e.g., that they have to be rotated simultaneously on all nodes).
- Guidelines on how often to rotate
- fernet token validation performance improvements
- Gating of PKI deprecation on Fernet

Tokenless Auth
- Criteria for getting tokenless auth to be default in devstack?
- Certs instead of service accounts (wishlist)

Wednesday October 28, 2015 2:50pm - 3:30pm
Suzuran room


Keystone: hierarchical multitenancy

hierarchical multitenancy

- Suggestion: To aid the review of these patches, we should implement this in two phases:
  - Phase 1: Replace the underlying implementation of domains with top-level projects acting as domains
  - Phase 2: Support a hierarchy of projects acting as domains
- feature branch

Wednesday October 28, 2015 3:40pm - 4:20pm
Suzuran room


Keystone: policy


We made some headway; what's the next logical step?
- Distribution of policy files from the Keystone server: either we should use the policy backend or deprecate it.
- Management of roles
  - Merge role ID and role name
  - Get a standard base set of roles
  - Idea 1: Virtual roles (aka role-groups): This proposes "management roles" to be created that map to "policy roles" (i.e. those that appear in a policy file)
    - This is composed of three distinct things:
      - Role inference (assigning one role grants a second)
      - Hidden roles (an assigned role that does not show up in a token)
      - Role namespaces
  - Idea 2: Implied roles: This proposes a role hierarchy of policy roles
  - Virtual only misses the ability to compose permissions. We were going to push this on the policy side, but we can start on the token issuing
- Bug 968696 (Admin not properly scoped)
  - How to handle APIs not scoped to projects
  - Roles for management of remote services like "add hypervisor"
  - How to delete a resource where the project has been deleted

Wednesday October 28, 2015 4:40pm - 5:20pm
Suzuran room
Thursday, October 29


Keystone: deprecations


- ldap assignment driver?
- ldap write support? (Also, python3-ldap instead of python-ldap)
- eventlet?
- v2.0 API?!?!
- PKI and/or PKIz
- PKI can go once we have Fernet as default. Focus should be on making Fernet as robust as possible.

Thursday October 29, 2015 9:00am - 9:40am
Suzuran room


Keystone: federation


- With keystoneauth merged with openstackclient we will be able to finish the client side (esp. K2K)
- Service Providers endpoint filtering - today every user gets the set of enabled service providers in the token response. We should be able to limit it per user/scoped project/scoped domain etc. - https://review.openstack.org/#/c/188534/
- Native tracing of the ephemeral users - please see section
- keystoneauth1.session.Session() should allow for getting remote clouds' Session() objects based on K2K. Something like sp_session = session.Session().get_remote_session('sp1')
- What's the best way to have configurations for multiple clouds and easily switch between them? Each cloud should have at least a project/domain id to scope to. Is it os-cloud-config?
- Troubleshooting and debugging support
- Mix and match federation
  - What was demoed in Boston by the folks from MOC
    - Use local nova, but get images from a remote SP glance
    - Use local swift, but sign objects from a remote SP barbican
- LDAP "federation" - we should formally support use of an Apache lookup module for LDAP, then allow mapping into keystone groups via the regular federation mapper
  - We need SSSD/identity_look to be domain-friendly, i.e. pass down both DN and domain
  - deprecate ldap identity (henrynash) Not for a looooong time, my friend, but one day
- Mapping engine - relies on string substitution and concatenation - this stops us from fixing a few open bugs (https://bugs.launchpad.net/keystone/+bug/1401057). Are we happy with the engine for now so there is no urgent need for rewriting it? Are we relatively happy with it, and would some work be welcomed? Do we need a more intelligent DSL-like language? Do we miss anything (in terms of functionality)?
- Pre-canned mappings? The K2K mapping and the Tokenless Auth mapping are, for the most part, very similar looking.

Thursday October 29, 2015 9:50am - 10:30am
Suzuran room


Keystone: Work session
Work sessions are for Keystone contributors to discuss implementation details and make quick progress on specific issues, in a small work-group environment.



- Move extensions to core
- Role Assignment inheritance
- Move extension migration scripts to core
- Improvements to performance (i.e. caching, data layer call inspection)

Thursday October 29, 2015 11:00am - 11:40am
Fuku Room


Swift: Work session
Swift Work Session 3:

Topics to cover:
* Keystone session in swiftclient
* swiftclient docs

Thursday October 29, 2015 11:00am - 11:40am
Ho-O Room


Keystone: Work session
Work sessions are for Keystone contributors to discuss implementation details and make quick progress on specific issues, in a small work-group environment.



Functional testing -- We need to figure out what keystone functional tests are. From feedback, what we're thinking is not correct. The functional tests are supposed to verify using the backends directly.
- Prepare base classes for functional tests
  - Scenario 1: Fernet
  - Scenario 2: LDAP
  - Scenario 3: Federated Identity
  - Scenario 4: K2K
Unit test refactoring

Thursday October 29, 2015 11:50am - 12:30pm
Fuku Room


Keystone: Work session
Work sessions are for Keystone contributors to discuss implementation details and make quick progress on specific issues, in a small work-group environment.


Oslo + Docs

- oslo.cache changes?
- any other oslo libs?
- Improve documentation for libraries

Thursday October 29, 2015 1:50pm - 2:30pm
Fuku Room


Nova: Cross Service Issues: Service Lock Server, Service Tokens, Instance Users
Let's discuss the way forward for a service "protecting" Nova resources.

More info:

Thursday October 29, 2015 3:30pm - 4:10pm
Royal room


Keystone: libraries

Keystone Libraries

- Tokenless auth support?
  - Can be done with strong authentication
  - Needs an API that returns the same data as token validation that can be called by service users
- Federation mix and match support?
- Change KSM to use KSA

- Ready for primetime
  - Merge with openstackclient
  - Make version discovery more LB friendly
    - may need a configurable way to disable version discovery

- When to do a 2.0 release that removes CLI/Auth/Middleware?!

Thursday October 29, 2015 4:30pm - 5:10pm
Ohka room


Keystone: cross-project


- Let's finally kill off the discussion of LDAP user list, and settle with listing role assignments instead! (How about let's fix role assignments too?!!! Anybody try the "openstack role assignment list" command and actually *like* what it displays? :))
- Many stakeholders have a problem with the ephemerality of the users - they need to be able to trace users' actions, for instance for billing and security. Keystone has native support for CADF events (thanks stevemar), but that's just half of the solution, as nothing consumes them by default. We should think about a solution that will allow deployers to track ephemeral users and make it available in a default DevStack installation. The first shot is Ceilometer/Gnocchi. +1 (henrynash)
- Automatic provisioning of projects when federated users first log in:
  - Notification driven

Thursday October 29, 2015 5:20pm - 6:00pm
Ohka room
Friday, October 30


Keystone contributors meetup
The Keystone contributors meetup is an informal gathering of the project contributors, with an open agenda.

Friday October 30, 2015 9:00am - 12:30pm
Ho-O Room


Keystone contributors meetup
The Keystone contributors meetup is an informal gathering of the project contributors, with an open agenda.

Friday October 30, 2015 2:00pm - 5:30pm
Ho-O Room