4 minute read

Originally posted on https://developer.ibm.com/opentech/2015/11/20/keystone-design-summit-outcome-and-goals-for-mitaka/

Better late than never! I took some time off after the summit, but here's my blog about the Keystone Design Summit outcome and goals for Mitaka. Both Boris Bobrov and Dolph Mathews have already written fantastic recaps, and I strongly recommend you take a look at those too. This blog is meant to summarize the action items from the various design sessions, and should hopefully act as release notes in 6 months! It is by no means complete, but it's certainly close!

To summarize the outcome in one sentence

We’ll be continuing the trend from our previous releases, focusing on performance, scalability, stability and adding just a few new features that are essential to both public and private clouds.

Keystone Server

Roles & Policy

Return names when listing role assignments NEW API

Implied roles NEW APIs

Domain Scoped Roles NEW APIs

Define Admin Project in config file


Create shadow accounts for any user that has been created or authenticated (via local SQL, LDAP or federation)

  • Greatly improve the story for federated users, we will be able to assign roles directly and trace their actions more easily for billing and auditing
  • Specification: https://review.openstack.org/#/c/240595/

New specs that have APIs!


Continue to make Fernet tokens the go-to token format for Keystone

  • DevStack and Tempest support is still being worked on, needs to be completed before Keystone can make it the default format
  • Improve documentation, lots of unofficial docs via blog posts are causing misconceptions
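Since the post itself says unofficial write-ups are causing misconceptions, here is the minimal keystone.conf fragment for switching a deployment to Fernet tokens. This is an added example, not configuration from the post or from the Keystone project docs; the option names are the real ones, the path is the conventional default.

```ini
# keystone.conf (added example): issue Fernet tokens instead of UUID or PKI.
[token]
# Short provider name; older releases used the full class path
# keystone.token.providers.fernet.Provider instead.
provider = fernet

[fernet_tokens]
# The key repository must exist before Keystone starts, be owned by the
# keystone user and be readable only by it. `keystone-manage fernet_setup
# --keystone-user keystone --keystone-group keystone` creates it that way.
key_repository = /etc/keystone/fernet-keys/
# Keys retained across rotation (primary + staged + older secondaries).
# Every Keystone node must hold the same repository contents, otherwise a
# token issued on one node fails validation on another.
max_active_keys = 3
```

Rotate with `keystone-manage fernet_rotate` on one node and copy the repository to the others; because a Fernet token is validated by decrypting it with these keys, anyone who can read the repository can mint tokens, so treat it like a private key directory.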


Retrieve the service catalog with an unauthenticated call

  • Part of a larger cross-project effort, we will be looking to return a well defined service catalog on a new API
  • This will allow for a better service-discovery story for OpenStack as a whole
  • Implementation and API has yet to be finalized

Fixing broken things


  • Pagination for projects, roles and domains is possible now that they are only stored in SQL
  • Pagination for users and groups in LDAP? We can add support for it, but YMMV

Custom TTL on tokens for long-running operations

  • Make keystone_authtoken configurable with a custom TTL; token validation would then honour that value instead of the token's own expires_at
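To make the trade-off concrete, here is an added example (not Keystone or keystonemiddleware code) of how a service-side TTL override would interact with a token's expires_at. The option name, the token shape and the sample token are constructed for illustration; the one thing worth taking from it is that extending a token's life must not bypass revocation, which is checked on the token's audit_ids.

```python
"""Added illustration: service-side TTL override for long-running operations."""
from datetime import datetime, timedelta, timezone

# Constructed sample token, shaped loosely like a Keystone v3 token body.
SAMPLE_TOKEN = {
    "issued_at": "2015-11-20T10:00:00.000000Z",
    "expires_at": "2015-11-20T11:00:00.000000Z",
    "audit_ids": ["abc"],
    "user": {"name": "alice"},
}


def parse_ts(ts):
    """Parse the UTC timestamp format Keystone uses in token bodies."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def token_is_valid(token, now, custom_ttl=None, revoked_audit_ids=frozenset()):
    """Return True if the token should be accepted at `now`.

    custom_ttl (seconds) stands in for the hypothetical keystone_authtoken
    override described in the post: when set, the token's own expires_at is
    ignored and issued_at + custom_ttl is used instead.  When unset,
    expires_at is authoritative.  Revocation is checked either way, so a
    longer TTL never resurrects a token that has been explicitly revoked.
    """
    if any(aid in revoked_audit_ids for aid in token.get("audit_ids", [])):
        return False
    issued = parse_ts(token["issued_at"])
    if custom_ttl is None:
        return now < parse_ts(token["expires_at"])
    return now < issued + timedelta(seconds=custom_ttl)


if __name__ == "__main__":
    two_hours_later = parse_ts("2015-11-20T12:00:00.000000Z")
    print("plain:", token_is_valid(SAMPLE_TOKEN, two_hours_later))
    print("4h override:", token_is_valid(SAMPLE_TOKEN, two_hours_later, custom_ttl=4 * 3600))
```

The override only makes sense on the service that performs the long-running operation, and it widens the window in which a leaked token is useful; pair it with revocation checks rather than treating it as a general lifetime setting.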

REST interface for domain config NEW API

No more extensions - ever.

  • The old routers and SQL backends will be deprecated in M and be removed in O
  • Paste files will need to be updated to point to the new resources before O is released


Each of these items will follow the standard deprecation policy that the TC has now publicized.

v2.0 of the Identity API Deprecate in M, remove in O or greater

  • We will maintain some v2.0 authentication calls, such as: POST /v2.0/tokens and GET /v2.0/tenants

PKI token format Deprecate in M, remove in O

  • Contains a major security bug
  • If PKI format is specified, the resultant token will be a UUID token

LDAP write support Deprecate in M, remove in O

  • Rarely do OpenStack deployers want to write to LDAP, and more rarely do LDAP administrators want to allow this sort of operation


Eventlet Deprecated in K, to be removed in M

  • May live to see another release, need confirmation from mailing list

LDAP as a resource backend, to store projects, domains and roles Deprecated in K, to be removed in M

Keystone Libraries

keystoneauth

We need to support federation protocols like SAML and Kerberos

  • Since support for these pulls in additional libraries, they will be ‘optional’
  • Install these optional plugins with: pip install keystoneauth[kerberos] or pip install keystoneauth[saml]
  • The python-keystoneauth-saml repo will be removed (there were no releases of it)
  • The python-keystoneclient-kerberos repo will become inactive and eventually removed (there were 3 minor releases)
  • Improve the documentation: show how to write federation plugins, and also explain k2k (Keystone-to-Keystone federation) flows

keystonemiddleware

  • Adapt keystonemiddleware to use keystoneauth
  • Tokenless auth support
  • Deprecate certain auth_token configuration values

keystoneclient

  • Only the CRUD calls should be added to or modified
  • Authentication plugins should go into keystoneauth, and CLI should go into openstackclient
  • Modify other python-*clients to use keystoneauth
  • Deprecate auth plugins and session code (remove these in O)
  • Potentially remove CLI and mark keystoneclient as 2.0 (need to check deprecation policy for clients)
  • Potentially remove middleware and mark keystoneclient as 3.0 (need to check deprecation policy for clients)