OpenStack Keystone plans for the Grizzly release

I posted this information to the OpenStack-dev mailing list, but thought it would be worthwhile as a blog post as well.

Here is an overview of what’s expected to happen in Keystone over the Grizzly release cycle.

From the summit, we had the state of the project slides, which might be of interest: http://www.slideshare.net/ccjoe/oct-2012-state-of-project-keystone

Since then, we’ve been working on fleshing out more details around those initial discussions, and we’ve been correlating who’s working on what to get an overview of what’s coming up for Keystone. If you’re into reading raw notes, take a look at https://etherpad.openstack.org/keystone-grizzly-plans.

For those looking for more of a tl;dr:

grizzly-1 plans:
* merging in V3 API work – “tech preview”
https://blueprints.launchpad.net/keystone/+spec/implement-v3-core-api

* move auth_token middleware to keystoneclient repo
https://blueprints.launchpad.net/keystone/+spec/authtoken-to-keystoneclient-repo

* AD LDAP extensions
https://blueprints.launchpad.net/keystone/+spec/ad-ldap-identity-backend

* enabling policy & RBAC access for V3 API
https://blueprints.launchpad.net/keystone/+spec/rbac-keystone-api

grizzly-2 plans:
* pre-authenticated token
https://blueprints.launchpad.net/keystone/+spec/pre-auth

* pluggable authentication handlers
https://blueprints.launchpad.net/keystone/+spec/pluggable-identity-authentication-handlers

* consolidated policy documentation/recommendations
https://blueprints.launchpad.net/keystone/+spec/document-deployment-suggestions-policy

* PKI future work
https://blueprints.launchpad.net/keystone/+spec/delegation
– starting into delegation, signing of tokens
– annotations on signing for authorization

grizzly-3 plans:
* delegation
https://blueprints.launchpad.net/keystone/+spec/delegation

* multifactor authN
https://blueprints.launchpad.net/keystone/+spec/multi-factor-authn

Much of the work and desires around delegation have yet to be fully defined and nailed down, and they rely on a lot of additions to make PKI-based tokens a stable, solid, default mechanism. I’m sure there will be some redirection once we get a few weeks down the road and see what’s happening with the V3 API rollout and PKI token extensions to support delegation, pre-auth, and so forth.
