Hi all,

Keystone recently took a big step in implementing the default roles work that's been a hot topic over the past year, and a big piece in making RBAC more robust across OpenStack. We merged a patch that ensures the roles described in the specification exist. This was formally a cross-project specification, but rescoped to target keystone directly in hopes of making it a future community goal.

If you've noticed issues with various CI infrastructure, it could be due to the fact a couple new roles are being populated by keystone's bootstrap command. For example, if your testing infrastructure creates a role named 'Member' or 'member', you could see HTTP 409s since keystone is now creating that role by default. You can safely remove code that ensures that role exists, since keystone will now handle that for you. These types of changes have been working their way into infrastructure and deployment projects this week. If you're seeing something that isn't an HTTP 409 and suspect it is related to these changes, come find us in #openstack-keystone. We'll be around to answer questions about the changes in keystone and can assist in straightening things out.

https://etherpad.openstack.org/p/policy-queens-ptg Queens PTG Policy Session
https://etherpad.openstack.org/p/queens-PTG-keystone-policy-roadmap Queens PTG Roadmap Outline
https://etherpad.openstack.org/p/rbac-and-policy-rocky-ptg Rocky PTG Policy Session
https://etherpad.openstack.org/p/baremetal-vm-rocky-ptg Rocky PTG Identity Integration Track
https://etherpad.openstack.org/p/YVR-rocky-default-roles Rocky Forum Default Roles Forum Session
https://review.openstack.org/#/c/572243/
http://specs.openstack.org/openstack/keystone-specs/specs/keystone/rocky/define-default-roles.html
https://review.openstack.org/#/c/523973/
http://lists.openstack.org/pipermail/openstack-dev/2018-May/130208.html
https://review.openstack.org/#/q/(status:open+OR+status:merged)+branch:master+topic:fix-member

__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
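
The HTTP 409 described in the message above, as an added example that is not part of the original e-mail or of keystone: a CI setup step that creates the role unconditionally, next to one that treats an already-existing role as success. `FakeRoleAPI`, `Conflict`, `legacy_setup`, `find_role` and `ensure_role` are hypothetical names, the in-memory API is a constructed stand-in for a roles endpoint, and the case-insensitive name collision is an assumption taken from the 'Member'/'member' remark.

```python
class Conflict(Exception):
    """Stands in for the HTTP 409 the roles API returns on a duplicate name."""


class FakeRoleAPI:
    """Constructed in-memory stand-in for a roles endpoint; not keystone code.

    Assumption: names collide case-insensitively ('Member' vs 'member').
    """

    def __init__(self, bootstrapped=()):
        self._roles = {n.lower(): n for n in bootstrapped}

    def list_roles(self):
        return sorted(self._roles.values())

    def create_role(self, name):
        if name.lower() in self._roles:
            raise Conflict(f"409 Conflict: role {name!r} already exists")
        self._roles[name.lower()] = name
        return name


def legacy_setup(api, name):
    """Pre-change CI pattern: unconditional create, now fails with a 409."""
    return api.create_role(name)


def find_role(api, name):
    return next((r for r in api.list_roles() if r.lower() == name.lower()), None)


def ensure_role(api, name):
    """Return (stored_name, created); an existing role is success, not an error."""
    existing = find_role(api, name)
    if existing is not None:
        return existing, False
    try:
        return api.create_role(name), True
    except Conflict:
        # Another job (or bootstrap) created it between the list and the create.
        existing = find_role(api, name)
        if existing is None:
            raise  # a 409 we cannot explain should still fail the job
        return existing, False


if __name__ == "__main__":
    for label, api in (("before", FakeRoleAPI()), ("after", FakeRoleAPI(["member"]))):
        print(label, ensure_role(api, "Member"))
```

A setup step written like `ensure_role` behaves the same against deployments with and without the bootstrapped role, which helps while a CI system still targets both.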