openstack team mailing list archive

Keystone Update: E2 shipped, but RBAC moving to Essex+1

 

Fellow OpenStackers,


We've put out some prototypes and information on RBAC:

1. There is a blueprint out there: https://blueprints.launchpad.net/keystone/+spec/rbac-keystone

2. We have a prototype for the middleware that shows what it would send down to Nova (and other services): see email below with links and highlighted JSON sample response.

3. We have the API that Dashboard and other users could use defined here: https://review.openstack.org/#change,1243


However, feedback has been slow in coming and time is not on our side. While the Keystone team could move this along by E3 (Jan 26), there is doubt that we would be able to get the necessary input, feedback, and alignment from the other core projects. We are therefore moving to push RBAC to Essex+1 (given E3 is the last milestone to add new features in Keystone).


Unless we hear back with commitments, resources, or data that would change the outlook on this, we'll go ahead with that change.


An alternative to providing the functionality in Keystone is (per anotherjesse):

* adding to nova/glance/swift hooks (nova only had it in the ec2 api, we need to move the checks to a more core location to check in both the ec2 and openstack api)
* loading static rulesets in services (what we did in nova since the first release)




Meanwhile, here are some updates on Keystone:

E2 shipped:

- we shipped a D5 compatibility front-end

- 45 bugs fixed

- endpoint updates (global endpoints always returned, adminURL restricted to admin users)

- much documentation added (keystone.openstack.org and http://docs.openstack.org/trunk/openstack-identity/admin/content/)

Trunk

- portable-identifiers have made it into trunk (didn't make it in time into E2).



Regards and Happy Holidays,


Ziad

Keystone PTL