Join the Keystone team for a “project update” reflecting current developments in the Queens cycle and discussion of future development activity.
We dig into major issues and user needs, and how those needs can be addressed in current and future development. We also discuss hot topics from the Project Teams Gathering, and major development decisions agreed by the team.
2. What is OpenStack Identity?
What was accomplished in Pike?
What are we achieving in Queens?
Looking ahead to Rocky
4. What is OpenStack Identity?
a shared service for authentication and authorization
supplies identity information to end users and services
broker between OpenStack and other identity services
98% adoption rate
9. What was accomplished in Pike?
registered default policies in code
improved documentation
rolling upgrade testing
13. What are we achieving in Queens?
v2.0 API removal
project tags
unified limits
introduce system scoping
oslo.policy improvements
implement application credentials
rebuilding the upstream team
21. Looking ahead to Rocky
implement JWT
removal of the UUID token provider and persistent token storage
well-defined roles by default
assisting with the implementation of system scope
hierarchical quotas and enforcement models
Editor's Notes
(Lance)
Wednesday, November 8, from 9:50-10:10am
(Lance)
Intended Audience:
Operators
Product people
People I'm not expecting to attend:
Developers (I think the list of developers in attendance is going to be ultra short)
Approach the entire presentation with the end state of Operators and Product people at the forefront.
What do operators want to know?
What is changing that will impact how I operate/use keystone?
Is there anything new that will allow me to automate things?
Is there anything I'm using now that might be going away soon? Why is it going away?
What do product people want to know?
What is going to get my existing customer base excited?
Is there anything new compliance-wise that I can use to net new customers?
What usability improvements have been made?
Don't start with credentials or facts and figures. Start with a story if possible/applicable.
https://www.youtube.com/watch?v=e80BbX05D7Y
(Kristi; 2 - 4 minutes)
(Kristi)
Keystone is the implementation of OpenStack Identity
(Kristi; 5 - 7 minutes)
Moved default policies from policy.json into code
The policy.json file now contains only overridden policies
Also a cross-project goal for Queens and an important requirement for the policy improvements Lance will talk about in a bit.
(Kristi; 5 - 7 minutes)
Multiple sources of documentation related to Keystone have been consolidated (admin guide, dev guide, install guide).
(Kristi; 5 - 7 minutes)
Leverage OpenStack-Ansible to test database rolling upgrades
(Kristi; 5 - 7 minutes)
Now that we've gone through what we accomplished in Pike, let's take a look at what we're working on for Queens
(Kristi; 5 - 7 minutes)
First and foremost, we've officially removed the v2.0 API (including auth and validate)
Deprecated for years
Due to security issues in its design, removal was justified
If there is anything you're building on v2.0, you'll be affected by this. Please let us know so that we can help you transition to v3 before Queens is out the door.
(Kristi; 5 - 7 minutes)
Project tags is a carry-over item from Pike
Majority of it is already merged
Implemented per the API WG guidelines and consistent with other implementations
(Kristi; 5 - 7 minutes)
Another carry-over item from Pike
Associate a limit of resources to a project and have that live within keystone
Other services would consume limits to implement quotas
This work has a new driver who is picking up the conversations and specifications from last release
Our starting point will be defining an interface that allows you to associate limits of resources to projects
Relates to work in Rocky
(Lance; 5 - 7 minutes)
System scope
Kind of like project-scoped tokens but for a different context
Culmination of a year's worth of policy/RBAC discussions across OpenStack
At the Denver PTG we came out with a roadmap for fixing the admin-ness issues we have today
The first step is teaching keystone about a new type of scope
Feedback from operators and deployers
Describing how it will impact deployments
Intended usage
Mon 8, 11:00 am
Sydney Convention and Exhibition Centre - Level 4 - C4.10
RBAC/Policy Roadmap Feedback
(Lance; 5 - 7 minutes)
Oslo.policy improvements
Deprecating policies (emit warnings, render documentation with deprecation warnings)
Associate scope to policies (which is the other half of the system-scoping work)
Helping other projects achieve the Queens community goal of moving default policies into code
Makes maintenance for operators easier
Allows developers to leverage the tooling we are adding to oslo.policy
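As an added illustration of the two ideas in these notes (system scope, and policies in code that carry scope types and deprecation metadata), here is a simplified Python model of scope-aware enforcement. It is not code from the talk, keystone or oslo.policy, whose real API differs; the rule names, tokens and deprecation reason are constructed for the example.

```python
from dataclasses import dataclass, field

@dataclass
class RuleDefault:
    """A default policy registered in code (modelled on, not taken from, oslo.policy)."""
    name: str
    check_str: str                    # only "role:<name>" checks are modelled here
    scope_types: list = field(default_factory=list)  # [] = legacy rule with no scope attached
    deprecated_reason: str = ""       # non-empty marks the rule as deprecated

@dataclass(frozen=True)
class Token:
    roles: frozenset
    scope: str  # "project" (the classic scope) or "system" (the new scope type)

class Enforcer:
    def __init__(self, rules, enforce_scope=True):
        self.rules = {r.name: r for r in rules}
        self.enforce_scope = enforce_scope  # False reproduces today's role-only behaviour
        self.warnings = []                  # deprecation warnings emitted when a rule is used

    def authorize(self, rule_name, token):
        rule = self.rules[rule_name]
        if rule.deprecated_reason:
            self.warnings.append(f"{rule.name} is deprecated: {rule.deprecated_reason}")
        kind, _, role = rule.check_str.partition(":")
        if kind != "role" or role not in token.roles:
            return False
        # Other half of system scoping: the role only counts if the token's scope was declared for the rule.
        if self.enforce_scope and rule.scope_types and token.scope not in rule.scope_types:
            return False
        return True

# Constructed rules for the example; the names are illustrative, not keystone's real ones.
RULES = [
    RuleDefault("identity:list_all_users", "role:admin", scope_types=["system"]),
    RuleDefault("identity:get_project", "role:admin", scope_types=["system", "project"]),
    RuleDefault("identity:legacy_admin_op", "role:admin",
                deprecated_reason="replaced by a system-scoped rule in a later cycle"),
]

PROJECT_ADMIN = Token(frozenset({"admin"}), "project")  # constructed: admin of one project
SYSTEM_ADMIN = Token(frozenset({"admin"}), "system")    # constructed: deployment-wide admin

def admin_ness_demo():
    """(legacy, scoped) decisions for a project admin calling a deployment-wide API."""
    legacy = Enforcer(RULES, enforce_scope=False).authorize("identity:list_all_users", PROJECT_ADMIN)
    scoped = Enforcer(RULES).authorize("identity:list_all_users", PROJECT_ADMIN)
    return legacy, scoped  # (True, False): same role, but scope now decides
```

The first decision is the admin-ness problem the roadmap targets: any project's admin passes a plain `role:admin` check on a system-level API; with a scope type attached to the rule, the same token is refused.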
(Lance; 5 - 7 minutes)
The application credentials (API keys) work in Pike was hung up addressing various security concerns
Used the PTG to redefine where we want to go with application credentials
Mon 6, 4:20pm-5:00pm
Sydney Convention and Exhibition Centre - Level 4 - C4.11
Application Credentials Feedback
(Lance; 5 - 7 minutes)
Rebuilding the upstream team
We lost >50% of our upstream development team last release (which is why you see a lot of the same topics from Pike here)
We already had our project onboarding session, but if any of this work sounds interesting to you please reach out
Mon 6, 2:20pm-3:00pm
Sydney Convention and Exhibition Centre - Level 4 - C4.7
Keystone - Project Onboarding
(Lance; 5 - 7 minutes)
JSON Web Token (JWT) provider
Based on an open standard (RFC 7519), with existing Python libraries that implement it
Very similar to Fernet; Fernet was just implemented 3 months prior to the release of RFC 7519
Reuses a lot of Fernet bits
JWT uses asymmetric cryptography; Fernet uses symmetric
Already have a well written specification detailing the work merged to backlog
(Lance; 5 - 7 minutes)
UUID token provider and persistent token storage
Having a backup for Fernet based on an open standard makes removing legacy token provider code easier
Makes the entire token API much simpler to maintain and understand (traditionally the most complicated sub-system of keystone)
(Lance; 5 - 7 minutes)
We will have the tools necessary to start focusing on a set of well defined roles by default
Group similar permissions under a sane default role
Move towards a consistent policy pattern across services that maintains admin-ness constraints
Makes policy easier to understand for developers and operators
(Lance; 5 - 7 minutes)
Propagating system scope across OpenStack
Helping projects associate appropriate scope to their policies in code
(Lance; 5 - 7 minutes)
Work with other services to consume hierarchical limits and implement consistent quota enforcement
Likely break this into multiple enforcement models that can be used from a library
(Lance; leave 10 minutes)
That takes care of our project update
We have time for comments, questions, and concerns
Please use the mic in the center of the room, or we can repeat your question