The document summarizes updates to the OpenStack Identity (Keystone) project. In the Rocky release, improvements include default roles, unified limits API stabilization, and improved multi-factor authentication. Looking ahead, the Stein release will focus on default roles across services, oslo.limit adoption, and improved federated identity. The document also provides information on how to contribute and lists related sessions.
2. What is OpenStack Identity?
What was accomplished in Queens?
What are we achieving in Rocky?
Looking ahead to Stein
How you can contribute
Related sessions & talks
3. What is OpenStack Identity?
a shared service for authentication and authorization
supplies identity information to end users and services
broker between OpenStack and other identity services
8. What was accomplished in Queens?
application credentials
system scope & system role assignments
oslo.policy improvements
unified limits & flat enforcement
project tags
v2.0 API removal
15. What are we achieving in Rocky?
default roles
unified limits API stabilization
strict hierarchical enforcement model
application credential capability lists
improved multi-factor authentication
21. Looking ahead to Stein
default roles across services
oslo.limit adoption
federated identity improvements
25. How you can contribute
office hours on Tuesdays
weekly reports every Friday
27. How you can contribute
consistent default roles
oslo.limit integration
30. Forum sessions
Default Roles on Monday @ 11:35
Project Onboarding on Monday @ 5:10
Edge Architecture on Tuesday @ 11:00
Feedback Session on Tuesday @ 5:30
Unified Limits on Thursday @ 3:30
31. Related talks
A Unified Approach to Role Based Access Control on Monday @ 3:10
Integrating Keystone with Centralized Authentication on Tuesday @ 9:50
Kubernetes and OpenStack Policy Management on Tuesday @ 1:50
Application Credentials in Keystone on Wednesday @ 5:30
Centralized Policy Enforcement on Thursday @ 11:00
Editor's Notes
Monday, May 21 @ 3:35-3:55 pm
Harry
Users can create application credentials, which their apps can use, together with a secret string, to authenticate to keystone.
Allows users to delegate a subset of their role assignments on a project to an application credential, granting the same or restricted authorization to said project.
Soon users will also be able to specify which endpoints for a given role an application credential will be able to access
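The delegation rule in the notes above, as an added example that is not from the slides or from Keystone's code base: a simplified in-memory model in which a credential may carry only a subset of its owner's roles on one project, together with the `application_credential` request body sent to `POST /v3/auth/tokens`. `USER_ROLES`, `APP_CREDS`, the function names and the sample user and project are assumptions made for illustration.

```python
# Simplified model of application-credential delegation; not Keystone's implementation.
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta, timezone

# Constructed sample data: role assignments keyed by (user, project).
USER_ROLES = {("alice", "proj-a"): {"admin", "member", "reader"}}
APP_CREDS = {}  # credential id -> stored record (the secret is kept only as a hash)


def create_app_credential(user, project, roles=None, ttl_hours=None):
    """Create a credential carrying the user's roles on the project, or a subset."""
    owned = USER_ROLES.get((user, project), set())
    requested = set(roles) if roles is not None else set(owned)
    if not requested or not requested <= owned:
        raise PermissionError("roles must be a non-empty subset of the user's assignments")
    # The secret is random and high-entropy, so this model stores a plain SHA-256 of it.
    cred_id, secret = secrets.token_hex(16), secrets.token_urlsafe(32)
    expires = datetime.now(timezone.utc) + timedelta(hours=ttl_hours) if ttl_hours is not None else None
    APP_CREDS[cred_id] = {
        "user": user, "project": project, "roles": requested, "expires_at": expires,
        "secret_hash": hashlib.sha256(secret.encode()).hexdigest(),
    }
    return cred_id, secret  # the only time the clear-text secret is available


def auth_request_body(cred_id, secret):
    """Body for POST /v3/auth/tokens; the project comes from the credential, so no scope."""
    return {"auth": {"identity": {
        "methods": ["application_credential"],
        "application_credential": {"id": cred_id, "secret": secret},
    }}}


def authenticate(body):
    """Return (project, effective roles) for a valid request, else raise PermissionError."""
    sent = body["auth"]["identity"]["application_credential"]
    cred = APP_CREDS.get(sent["id"])
    digest = hashlib.sha256(sent["secret"].encode()).hexdigest()
    if cred is None or not hmac.compare_digest(digest, cred["secret_hash"]):
        raise PermissionError("invalid application credential")
    if cred["expires_at"] and cred["expires_at"] <= datetime.now(timezone.utc):
        raise PermissionError("application credential expired")
    # Choice made by this model: roles the owner has since lost stop counting.
    live = USER_ROLES.get((cred["user"], cred["project"]), set())
    return cred["project"], cred["roles"] & live
```
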
Harry
We have added the concept of system and system role assignments
System scope provides a new auth target
The goal is to enhance services’ ability to protect APIs that cover system-wide actions e.g. live-migration of instances or endpoint mgmt
Harry
In preparation for system scope adoption across services and general policy improvements we had to expand the functionality of oslo.policy
Oslo.policy now understands system scope and
Oslo.policy now has a process for deprecating policies in a consistent manner
Harry
Landed unified limits with a flat enforcement model -- marked as experimental
Provide a consistent experience across the system to provide limits (ignoring project hierarchy (for now))
Presently you can model whatever hierarchy you want with lots of api requests (complicated)
Strict hierarchical limits coming
Harry
Projects can now be tagged within keystone using simple strings
This makes projects more categorizable and filterable (easier to find)
Kristi’s example about semester-based instances being easily searched/cleaned up
Harry
Deprecated ~4 years ago. It’s finally gone
Harry
Adding default roles (auditor, member, admin) to several services
Let’s make the policy experience better out-of-the-box w/ testing
Hoping to increase adoption across services during Stein
Pushing for community goal in T-Release for OpenStack wide default roles
Harry
Oslo.limit library was created
We are aiming to mark the unified limits as stable in Rocky
Next step is reaching out to services to integrate oslo.limit into their respective workflows
Harry
Federated Identity Improvements
Continued work with shadow users
Native SAML support
k2k federated performance
Harry
Related talks:
Default Roles on Monday @ 11:35 (Forum session)
Project Onboarding on Monday @ 5:10 (Forum session)
Edge Architecture on Tuesday @ 11:00 (Forum)
Feedback Session on Tuesday @ 5:30 (Forum session)
Unified Limits on Thursday @ 3:30 (Forum session)
Harry
Related talks:
A Unified Approach to Role Based Access Control on Monday @ 3:10 (Container Infrastructure)
Kubernetes and OpenStack Policy Management on Tuesday @ 1:50 (Private & Hybrid Cloud)
Enabling Cloud Native Applications With Application Credentials in Keystone on Wednesday @ 5:30 (Public Cloud)
(leave 10 minutes)
That takes care of our project update
We have time for comments, questions, and concerns
Please use the mic in the center of the room, or we can repeat your question