OpenStack Keystone plans for the Grizzly release

I posted this information to the OpenStack-dev mailing list, but thought it would be worthwhile as a blog post as well.

Here is an overview of what’s looking to happen in Keystone over the Grizzly release cycle.

From the summit, we had the state of the project slides, which might be of interest:

Since then, we’ve been working on fleshing out more details around those initial discussions, and we’ve been correlating who’s working on what to get an overview of what’s coming up for Keystone. If you’re into reading raw notes, take a look at

For those looking for more of a tl;dr:

grizzly-1 plans:
* merging in V3 API work – “tech preview”

* move auth_token middleware to keystoneclient repo

* AD LDAP extensions

* enabling policy & RBAC access for V3 API

grizzly-2 plans:
* pre-authenticated token

* pluggable authentication handlers

* consolidated policy documentation/recommendations

* PKI future work
– starting into delegation, signing of tokens
– annotations on signing for authorization

grizzly-3 plans:
* delegation

* multifactor authN

Much of the work and desires around delegation has yet to be fully defined and nailed down, and relies on a lot of additions to make PKI-based tokens a stable, solid, default mechanism. I’m sure there will be some redirection once we get a few weeks down the road and see what’s happening with the V3 API rollout and PKI token extensions to support delegation, pre-auth, and so forth.

Published by heckj
