OpenStack Keystone Queens Project Update

•

0 likes•223 views

Join the Keystone team for a “project update” reflecting current developments in the Queens cycle and discussion of future development activity. We dig into major issues and user needs, and how those needs can be addressed in current and future development. We also discuss hot topics from the Project Teams Gathering, and major development decisions agreed by the team.

Software

Queens Project Update
Lance Bragstad (@LanceBragstad)
Kristi Nikolla (@_knikolla)

What is OpenStack Identity?
What was accomplished in Pike?
What are we achieving in Queens?
Looking ahead to Rocky

What is OpenStack Identity?
a shared service for authentication and authorization
supplies identity information to end users and services
broker between OpenStack and other identity services
98% adoption rate

What was accomplished in Pike?
registered default policies in code
improved documentation
rolling upgrade testing

What are we achieving in Queens?
v2.0 API removal
project tags
unified limits
introduce system scoping
oslo.policy improvements
implement application credentials
rebuilding the upstream team

Looking ahead to Rocky
implement JWT
removal of the UUID token provider and persistent token storage
well-defined roles by default
assisting with the implementation of system scope
hierarchical quotas and enforcement models

Similar to OpenStack Keystone Queens Project Update

Introduction to Microservices by Jim Tran, Principal Solutions Architect, AWSAmazon Web Services

OpenStack Identity - Keystone (liberty) by Lorenzo Carnevale and Silvio TavillaLorenzo Carnevale

Rest-Assured - легкий способ автоматизации тестирования RESTValtech Ukraine

Владимир Логвинов - Rest-Assured - легкий способ автоматизации тестирования RESTWeb Tech Fun

Netflix MSA and PivotalVMware Tanzu Korea

OpenStack Identity - Keystone (kilo) by Lorenzo Carnevale and Silvio TavillaLorenzo Carnevale

Cisco APIC AAGCharles Malkiel

Externalizing Authorization in Micro Services worldSitaraman Lakshminarayanan

Managing microservices with istio on OpenShift - MeetupJosé Román Martín Gil

Strong practices for rails applications continuous deliveryRobb Kidd

Service Testing. WTF Does This API Do Globant

API Security in a Microservice ArchitectureMatt McLarty

API Security with OAuth2.0.Kellton Tech Solutions Ltd

Uber's new mobile architectureDhaval Patel

OpenStack As A Strategy For Future Growth at CiscoLew Tucker

apidays LIVE Hong Kong - Orchestrating APIs at Scale by Hieu Nguyen Nhuapidays

Open Distro for ElasticSearch and how Grimoire is using it. Madrid DevOps Oct...javier ramirez

OpenDistro for Elasticsearch and how Bitergia is using it.Madrid DevOpsjavier ramirez

2022 apidays LIVE Helsinki & North_Why webhook APIs are REST APIs perfect sid...apidays

kowsalyamanickam_resume_OIMKowsalya Manickam

Similar to OpenStack Keystone Queens Project Update (20)

Introduction to Microservices by Jim Tran, Principal Solutions Architect, AWS

OpenStack Identity - Keystone (liberty) by Lorenzo Carnevale and Silvio Tavilla

Rest-Assured - легкий способ автоматизации тестирования REST

Владимир Логвинов - Rest-Assured - легкий способ автоматизации тестирования REST

Netflix MSA and Pivotal

OpenStack Identity - Keystone (kilo) by Lorenzo Carnevale and Silvio Tavilla

Cisco APIC AAG

Externalizing Authorization in Micro Services world

Managing microservices with istio on OpenShift - Meetup

Strong practices for rails applications continuous delivery

Service Testing. WTF Does This API Do

API Security in a Microservice Architecture

API Security with OAuth2.0.

Uber's new mobile architecture

OpenStack As A Strategy For Future Growth at Cisco

apidays LIVE Hong Kong - Orchestrating APIs at Scale by Hieu Nguyen Nhu

Open Distro for ElasticSearch and how Grimoire is using it. Madrid DevOps Oct...

OpenDistro for Elasticsearch and how Bitergia is using it.Madrid DevOps

2022 apidays LIVE Helsinki & North_Why webhook APIs are REST APIs perfect sid...

kowsalyamanickam_resume_OIM

Recently uploaded

Software Quality Assurance Interview QuestionsArshad QA

Hand gesture recognition PROJECT PPT.pptxbodapatigopi8531

How To Use Server-Side Rendering with Nuxt.jsAndolasoft Inc

Test Automation Strategy for Frontend and BackendArshad QA

why an Opensea Clone Script might be your perfect match.pdfjoe51371421

TECUNIQUE: Success Stories: IT Service providermohitmore19

Call Girls In Mukherjee Nagar 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SE...Call Girls In Delhi Whatsup 9873940964 Enjoy Unlimited Pleasure

Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...harshavardhanraghave

The Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdfkalichargn70th171

(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...gurkirankumar98700

Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdfkalichargn70th171

Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...stazi3110

5 Signs You Need a Fashion PLM Software.pdfWave PLM

DNT_Corporate presentation know about usDynamic Netsoft

Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...OnePlan Solutions

Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsAlberto González Trastoy

Cloud Management Software Platforms: OpenStackVICTOR MAESTRE RAMIREZ

SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AIABDERRAOUF MEHENNI

Exploring iOS App Development: Simplifying the ProcessEvangelist Apps https://twitter.com/EvangelistSW/

Advancing Engineering with AI through the Next Generation of Strategic Projec...OnePlan Solutions

Recently uploaded (20)

Software Quality Assurance Interview Questions

Hand gesture recognition PROJECT PPT.pptx

How To Use Server-Side Rendering with Nuxt.js

Test Automation Strategy for Frontend and Backend

why an Opensea Clone Script might be your perfect match.pdf

TECUNIQUE: Success Stories: IT Service provider

Call Girls In Mukherjee Nagar 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SE...

Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...

The Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdf

(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...

Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf

Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...

5 Signs You Need a Fashion PLM Software.pdf

DNT_Corporate presentation know about us

Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...

Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications

Cloud Management Software Platforms: OpenStack

SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI

Exploring iOS App Development: Simplifying the Process

Advancing Engineering with AI through the Next Generation of Strategic Projec...

OpenStack Keystone Queens Project Update

1. Queens Project Update Lance Bragstad (@LanceBragstad) Kristi Nikolla (@_knikolla)

2. What is OpenStack Identity? What was accomplished in Pike? What are we achieving in Queens? Looking ahead to Rocky

3. What is OpenStack Identity? What was accomplished in Pike? What are we achieving in Queens? Looking ahead to Rocky

4. What is OpenStack Identity? a shared service for authentication and authorization supplies identity information to end users and services broker between OpenStack and other identity services 98% adoption rate

5. What is OpenStack Identity? a shared service for authentication and authorization supplies identity information to end users and services broker between OpenStack and other identity services 98% adoption rate

6. What is OpenStack Identity? a shared service for authentication and authorization supplies identity information to end users and services broker between OpenStack and other identity services 98% adoption rate

7. What is OpenStack Identity? a shared service for authentication and authorization supplies identity information to end users and services broker between OpenStack and other identity services 98% adoption rate

8. What is OpenStack Identity? What was accomplished in Pike? What are we achieving in Queens? Looking ahead to Rocky

9. What was accomplished in Pike? registered default policies in code improved documentation rolling upgrade testing

10. What was accomplished in Pike? registered default policies in code improved documentation rolling upgrade testing

11. What was accomplished in Pike? registered default policies in code improved documentation rolling upgrade testing

12. What is OpenStack Identity? What was accomplished in Pike? What are we achieving in Queens? Looking ahead to Rocky

13. What are we achieving in Queens? v2.0 API removal project tags unified limits introduce system scoping oslo.policy improvements implement application credentials rebuilding the upstream team

14. What are we achieving in Queens? v2.0 API removal project tags unified limits introduce system scoping oslo.policy improvements implement application credentials rebuilding the upstream team

15. What are we achieving in Queens? v2.0 API removal project tags unified limits introduce system scoping oslo.policy improvements implement application credentials rebuilding the upstream team

16. What are we achieving in Queens? v2.0 API removal project tags unified limits introduce system scoping oslo.policy improvements implement application credentials rebuilding the upstream team

17. What are we achieving in Queens? v2.0 API removal project tags unified limits introduce system scoping oslo.policy improvements implement application credentials rebuilding the upstream team

18. What are we achieving in Queens? v2.0 API removal project tags unified limits introduce system scoping oslo.policy improvements implement application credentials rebuilding the upstream team

19. What are we achieving in Queens? v2.0 API removal project tags unified limits introduce system scoping oslo.policy improvements implement application credentials rebuilding the upstream team

20. What is OpenStack Identity? What was accomplished in Pike? What are we achieving in Queens? Looking ahead to Rocky

21. Looking ahead to Rocky implement JWT removal of the UUID token provider and persistent token storage well-defined roles by default assisting with the implementation of system scope hierarchical quotas and enforcement models

22. Looking ahead to Rocky implement JWT removal of the UUID token provider and persistent token storage well-defined roles by default assisting with the implementation of system scope hierarchical quotas and enforcement models

23. Looking ahead to Rocky implement JWT removal of the UUID token provider and persistent token storage well-defined roles by default assisting with the implementation of system scope hierarchical quotas and enforcement models

24. Looking ahead to Rocky implement JWT removal of the UUID token provider and persistent token storage well-defined roles by default assisting with the implementation of system scope hierarchical quotas and enforcement models

25. Looking ahead to Rocky implement JWT removal of the UUID token provider and persistent token storage well-defined roles by default assisting with the implementation of system scope hierarchical quotas and enforcement models

Editor's Notes

(Lance) Wednesday, November 8, from 9:50-10:10am
(Lance) Intended Audience: Operators Product people People I'm not expecting to attend: Developers (I think the list of developers in attendance is going to be ultra short) Approach the entire presentation with the end state of Operators and Product people at the forefront. What do operators want to know? What is changing that will impact how I operator/use keystone? Is there anything new that will allow me automate things? Is there anything I'm using now that might be going away soon? Why is it going away? What do product people to know? What is going to get my existing customer base excited? Is there anything new compliance-wise that I can use to net new customers? What usability improvements have been made? Don't start with credentials or facts and figures. Start with a story if possible/applicable. https://www.youtube.com/watch?v=e80BbX05D7Y
(Kristi; 2 - 4 minutes)
(Kristi) Keystone is the implementation of OpenStack Identity
(Kristi)
(Kristi)
(Kristi)
(Kristi; 5 - 7 minutes)
(Kristi; 5 - 7 minutes) Moved defaults policies from policy.json into code Policy.json file contains only overridden policies Also a cross-project goal for Queens and important requirement for the improvement we’re planning on the policy which Lance will talk about in a bit.
(Kristi; 5 - 7 minutes) Multiple sources of documentation related to Keystone have been consolidated (admin guide, dev guide, install guide).
(Kristi; 5 - 7 minutes) Leverage OpenStack-Ansible to test database rolling upgrades
(Kristi; 5 - 7 minutes) Now that we've gone through what we accomplished in Pike, let's take a look at what we're working on for Queens
(Kristi; 5 - 7 minutes) First and foremost we've officially removed the v2.0 API (including auth and validate) Deprecated for years Due to security issues in its design, removal was justified If there is anything you're building on v2.0, you'll be affected by this, please let us know so that we can help you transition to v3 before Queens is out the door
(Kristi; 5 - 7 minutes) Project tags is a carry over item from Pike Majority of it is already merged Implemented per the API WG guidelines and consistent with other implementations
(Kristi; 5 - 7 minutes) Another carry over item from Pike Associate a limit of resources to a project and have that live within keystone Other services would consume limits to implement quotas This implementation has a new driver that is picking up conversations and specifications from last release Our starting point will be defining an interface that allows you to associate limits of resources to projects Relates to work in Rocky
(Lance; 5 - 7 minutes) System scope Kind of like project-scoped tokens but for a different context Culmination of a year's worth of policy/RBAC discussions across OpenStack As of the Denver PTG and we came out with a roadmap for fixing the admin-ness issues we have today The first step is teaching keystone about a new type of scope Feedback from operators and deployers Describing how it will impact deployments Intended usage Mon 8 , 11:00 am Sydney Convention and Exhibition Centre - Level 4 - C4.10 RBAC/Policy Roadmap Feedback
(Lance; 5 - 7 minutes) Oslo.policy improvements Deprecating policies (emit warnings, render documentation with deprecation warnings) Associate scope to policies (which is the the other half of the system-scoping work) Helping other projects achieve the Queens community goal for moving default policies into code Makes maintenance for operators easier Allows developers to leverage the tooling we adding to oslo.policy
(Lance; 5 - 7 minutes) Application credentials (API keys) work in Pike was hung up addressing various security concerns Used the PTG to redefine where we want to go with application credentials Mon 6 , 4:20pm-5:00pm Sydney Convention and Exhibition Centre - Level 4 - C4.11 Application Credentials Feedback
(Lance; 5 - 7 minutes) Rebuilding the upstream team We lost >50% of our upstream development team last release (which is why you see a lot of the same topics from Pike here) We already had our project onboarding session, but if any of this work sounds interesting to you please reach out Mon 6 , 2:20pm-3:00pm Sydney Convention and Exhibition Centre - Level 4 - C4.7 Keystone - Project Onboarding
(Lance; 5 - 7 minutes)
(Lance; 5 - 7 minutes) JSON Web Token (JWT) provider Based on an open standard (RFC 7519); existing python libraries that implement it Very similar to Fernet, Fernet was just implemented 3 months prior to the release of RFC 7519 Reuses a lot of Fernet bits JWT uses asymmetric encryption; Fernet uses symmetric Already have a well written specification detailing the work merged to backlog
(Lance; 5 - 7 minutes) UUID token provider and persistent token storage Having a backup for Fernet based on an open standard makes removing legacy token provider code easier Makes the entire token API much simpler to maintain and understand (traditionally the most complicated sub-system of keystone)
(Lance; 5 - 7 minutes) We will have the tools necessary to start focusing on a set of well defined roles by default Group like permissions with a sane role by default Move towards a consistent policy pattern across services that maintains admin-ness constraints Makes policy easier to understand for developers and operators
(Lance; 5 - 7 minutes) Propagating system scope across OpenStack Helping project associate appropriate scope to their policies in code
(Lance; 5 - 7 minutes) Work with other services to consume hierarchical limits and implement consistent quota enforcement Likely break this into multiple enforcement models that can be used from a library
(Lance; leave 10 minutes) That takes care of our project update We have time for comments, questions, and concerns Please use the mic in the center of the room, or we can repeat you question

OpenStack Keystone Queens Project Update

Recommended

Recommended

More Related Content

Similar to OpenStack Keystone Queens Project Update

Similar to OpenStack Keystone Queens Project Update (20)

Recently uploaded

Recently uploaded (20)

OpenStack Keystone Queens Project Update

Editor's Notes