Identity Program Specifications

Project Documentation:

• Specification Template

keystone

2024.2 approved specs:

• OpenAPI Schemas

2024.1 approved specs:

• Domain Manager Persona for domain-scoped self-service administration
• Keystone identity mapping to support project definition as a JSON
• Add schema version and support for the domain attribute in mapping rules

2023.1 approved specs:

• Default Service Role
• Support OAuth 2.0 Mutual-TLS

Backlog:

• Backlog Instructions
• Alembic Migrations
• Decouple Auth from API Version
• Materialized path - materialize-project-hierarchy
• model-timestamps
• Native SAML in keystone
• Improved OpenID Connect Support
• Unified model for assignments, OAuth and trusts

Ongoing:

• Devstack Plugin for Keystone
• Policy Goals and Roadmap
• Unified Limits

Ideas:

• Idea Log

keystoneauth

keystoneauth approved specs for the Newton release:

• None

keystoneclient

keystoneclient approved specs for the Newton release:

• None

keystonemiddleware

keystonemiddleware approved specs for the 2023.1 release:

• External OAuth2.0 Authorization Server Support

Implemented Identity Program Specifications

keystone

Yoga approved specs:

• Default Manager Role
• OAuth2.0 Client Credentials Grant Flow Support

Ussuri approved specs:

Ussuri Roadmap

• Expiring Group Memberships Through Mapping Rules
• Extend user API to support federated attributes

Train approved specs:

Train Roadmap

• Add Fine Grained Restrictions to Application Credentials
• Explicit Domain IDs
• Immutable Resources
• Resource options for all resource types

Stein approved specs:

Stein Roadmap

• Domain Level Unified Limit Support
• Add JSON Web Tokens as a Non-persistent Token Provider
• MFA Auth Receipt

Rocky approved specs:

Rocky Roadmap

• Basic Default Roles
• Object Dependency Lifecycle
• Strict Two-Level Limits Enforcement Model

Queens approved specs:

Queens Roadmap

• Application Credentials
• Unified Limits API
• Project Tags
• System Role Assignments

Pike approved specs:

• Add Policy Docs
• Policy in code

Ocata approved specs:

• Allow retrieving an expired token
• Drop Support for Driver Versioning
• PCI-DSS Query Password Expired Users
• PCI-DSS Notifications
• PCI-DSS Password Requirements API
• Per-User Auth Plugin Requirements
• Shadow mapping
• Token Provider Cleanup

Newton implemented specs:

• Support Credential Encryption
• keystone-manage doctor
• LDAP preprocessing
• Migration commands for rolling upgrades
• Security Hardening: PCI-DSS
• Python3.4 Compatibility
• Shadow users (Newton): Unified identity for multiple authentication sources
• Fix tests to run on non-SQLite databases

Mitaka implemented specs:

• Add is_domain to the token for projects acting as a domain
• Bootstrap via CLI
• Allow Retrieval of Default Domain Configuration Options
• Domain Specific Roles
• Direct users mapping using group ids
• Implied Roles - Assign one Role, get many
• Annotate Tokens for the admin project
• Add names to list assignments
• List Assignments for a Project Tree
• Improve List Role Assignments API Performance
• Remove role metadata structures
• Reseller Use Case
• Shadow users: Unified identity for multiple authentication sources
• Support TOTP Authentication
• Project Tree Deletion
• Optionally enforce URL-safe domain and project names

Liberty implemented specs:

• New attributes for SAML Assertion generated by keystone IdP
• Data Driven Assignment Unit Testing
• Make storing of extra SQL attributes optional
• Identity Provider Specific WebSSO
• Tokenless Authorization with X.509 Client SSL Certificate
• List credentials by type
• Stable Keystone Driver Interfaces

Kilo implemented specs:

• IETF ABFAB federation
• CADF Everywhere
• Domain Configuration Storage
• Explicitly Unscoped Tokens
• Direct users mapping for federated authentication
• Scope federation tokens with token authentication method
• IdP ID registration and validation
• Federated Service Providers in Keystone
• Keystone Lightweight Tokens - KLWT
• Enhance Federation mapping algorithms
• OpenID Connect federation
• Split-up Assignments, making the Role-Assignment piece pluggable
• New query params to retrieve the project hierarchy
• Deprecated items that are removed as of the Kilo release
• Replace the concept of extensions
• Rescoping Spec - From Unscoped to Scoped
• Allow Redelegation via Trusts
• Web Single Sign On Portal

Juno implemented specs:

• Audit Support for Keystone Federation
• Retrieve Authentication Scoped Data
• Multi-Attribute Endpoint Grouping
• Endpoint Policy Extension
• Add foreign key to region table in endpoint table
• Filter credentials by user ID
• Standardizing the federation process
• Stand alone service catalog
• Hierarchical Projects
• Use JSON Home for Version/Extension discovery
• API Validation
• Keystone to Keystone federation
• Cross-backend IDs for User and Group Entities
• Non-Persistent Tokens
• Role Assignment Notifications

keystoneauth

• None

keystoneclient

Mitaka implemented specs:

• Deprecate keystone CLI

Liberty implemented specs:

• Deprecations

keystonemiddleware

Xena approved specs:

• secure-rbac - X-Project-Id Pass-through

Kilo implemented specs:

• Adding audit middleware to keystonemiddleware

Juno implemented specs:

• Service Token Composite Authorization
• Split Identity Middleware into a Distinct Package

Indices and tables

• Search Page