Keystone scoring for 2017.08

Updated scores for existing capabilities.
identity-v3-validate-token but it is admin only.

Change-Id: I111aecf36eae125126cb27bfc4c69bd1dbd2fa9a
Luz Cazares 2017-04-13 22:23:47 +00:00
parent a3042f8b56
commit b757001456
4 changed files with 34 additions and 19 deletions


@ -46,6 +46,7 @@
"compute-servers-metadata-update",
"compute-volume-attach",
"identity-v3-api-discovery",
"identity-v3-list-projects",
"identity-v3-tokens-create",
"images-v2-index",
"images-v2-update",
@ -71,7 +72,6 @@
"volumes-v2-upload"
],
"advisory": [
"identity-v3-list-projects",
"networks-l3-router",
"networks-l3-CRUD",
"networks-list-api-versions",
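
Review bot: Removing "identity-v3-list-projects" from the "advisory" list here, with the matching addition in the previous hunk, conflicts with the capability CSV changed later in this same commit, where the new identity-v3-list-projects row still carries the status "advisory". Decide which status is intended and make the two files agree. The commit message should also mention the move, since it currently describes only updated scores.
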
@ -3155,18 +3155,17 @@
}
},
"keystone" : {
"guidance": "Designation is outlined per API grouping. Identity (user and group) management APIs will not be designated. API access (with exception of auth) may be prohibited by policy (resulting in HTTP 403). Designated APIs include both v2.0 and v3 versions where applicable.",
"guidance": "Designation is outlined per API grouping. Identity (user and group) management APIs will not be designated. API access (with exception of auth) may be prohibited by policy (resulting in HTTP 403). Designated APIs include v3 version where applicable.",
"comment": "Specific Drivers/Plugins and Identity management code are not designated as many deployments have custom drivers and/or read-only, federated, or externally managed Identity information.",
"sections": {
"assignment API": {"description": "APIs for managing roles and assignment of roles to user(s)/group(s) for a given scope", "designated": true, "comment": "Some functionality for v2.0 is provided via the 'admin_crud' extension"},
"auth (v2.0) API": {"description": "'/v2.0/tokens' APIs used for v2.0 authentication and token validation/revocation/signing certificates (when PKI tokens are in use)", "designated": true, "comment": "This includes the catalog data provided as part of the token body."},
"assignment API": {"description": "APIs for managing roles and assignment of roles to user(s)/group(s) for a given scope", "designated": true, "comment": "Some functionality is provided via the 'user_crud' extension"},
"auth (v3) API": {"description": "'/v3/auth' APIs used for v3 authentication and token validation/revocation", "designated": true, "comment": "This includes the catalog data provided as part of the token body and '/v3/auth/catalog'."},
"catalog API": {"description": "APIs for managing services, endpoints, and regions", "designated": false, "comment": "Catalog API is not designated due to the support of template catalog driver which cannot be updated via REST calls. The catalog in the token is considered part of the AUTH APIs."},
"credential API": {"description": "APIs for managing user credentials", "designated": false, "comment": "none provided"},
"drivers": {"description": "specific implementations for the keystone API backends (e.g. SQL, LDAP, etc)", "designated": false, "comment": "none provided"},
"ec2 API": {"description": "APIs for managing and utilizing ec2-style credentials", "designated": false, "comment": "May be required for some OpenStack features in non-keystone services"},
"federation API": {"description": "APIs for managing and consuming federated identity", "designated": false, "comment": "none provided"},
"identity API": {"description": "APIs for managing user(s) and group(s) in a read/write identity store", "designated": false, "comment": "Some functionality for v2.0 is provided via the 'admin_crud' and 'user_crud' extensions"},
"identity API": {"description": "APIs for managing user(s) and group(s) in a read/write identity store", "designated": false, "comment": "Some functionality is provided via 'user_crud' extensions"},
"notifications": {"description": "CADF notifications for events (authentication, creation of resources, etc)", "designated": false, "comment": "Highly recommended and may be required for some features of OpenStack"},
"policy API": {"description": "APIs for managing centralized policy.json distribution for OpenStack services", "designated": false, "comment": "none provided"},
"trust API": {"description": "APIs for managing delegation (via trusts) of roles from one user/group to another user/group", "designated": true, "comment": "none provided"},
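
Review bot: The rewritten "assignment API" comment swaps 'admin_crud' for 'user_crud' instead of only dropping the v2.0 wording, and the old "identity API" comment tied both extensions to v2.0. If those extensions exist only for v2.0, drop the sentence from both comments now that v2.0 is out of the guidance; if not, explain why the extension name changed. Minor wording: "include v3 version" reads better as "include the v3 version", and "via 'user_crud' extensions" names a single extension.
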
@ -3253,7 +3252,15 @@
}
},
"advisory" : {},
"deprecated" : {},
"deprecated" : {
"keystone" : {
"guidance": "Designation is outlined per API grouping.",
"comment": "Removing section related to auth V2.0 since it is deprecated.",
"sections": {
"auth (v2.0) API": {"description": "'/v2.0/tokens' APIs used for v2.0 authentication and token validation/revocation/signing certificates (when PKI tokens are in use)", "designated": true, "comment": "This includes the catalog data provided as part of the token body."}
}
}
},
"removed" : {},
"informational" : {
"heat": {
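
Review bot: The "comment" value in the new "deprecated" keystone block, "Removing section related to auth V2.0 since it is deprecated.", describes this commit rather than the section, and it will read oddly once merged. Suggest stating the status instead, for example that the v2.0 auth API is deprecated, and confirm that "designated": true is still intended for an entry that now sits under "deprecated".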


@ -1,13 +1,7 @@
Capability,Program,Status,Method,Endpoint,Test available?,interop relevant?,PTL Comments,From Defcore Discussion,Scorer Comments,
identity-v3-tokens-create,platform/compute/object,required,POST,/v3/auth/tokens,1,yes,The returned token value is in the X-Auth-Token header,stay?,tempest.api.identity.v3.test_tokens{test_create_token},
identity-v3-api-discovery,platform/compute,advisory,,,3,yes,,make required,"tempest.api.identity.v3.test_api_discovery{test_api_version_resources, test_api_media_types, test_api_version_statuses}",
,,,,,,,,,,
identity-v2-list-versions,,,GET,/,1,yes,,soon to be deprecated,,
identity-v2-show-version,,,GET,/v2.0,1,yes,,soon to be deprecated,,
identity-v2-token-generation,,,POST,/v2.0/tokens,1,yes,,soon to be deprecated,,
identity-v2-tenants,,,GET,/v2.0/tenants,1,yes,,"is this an admin call? if so, not a candidate",,
identity-v2-list-extensions,,,GET,/v2.0/extensions,,,,soon to be deprecated,,
identity-v2-show-extension,,,GET,/v2.0/extensions/{alias},,,,soon to be deprecated,,
identity-v3-tokens-create,platform/compute/object,required,POST,/v3/auth/tokens,1,yes,The returned token value is in the X-Auth-Token header,,tempest.api.identity.v3.test_tokens{test_create_token}, This TC refers to API https://developer.openstack.org/api-ref/identity/v3/#password-authentication-with-unscoped-authorization. Should we add other test cases to tempest in order to validate API for: password-authentication-with-scoped-authorization and password-authentication-with-explicit-unscoped-authorization?,
identity-v3-api-discovery,platform/compute,required,,,3,yes,,make required,"tempest.api.identity.v3.test_api_discovery{test_api_version_resources, test_api_media_types, test_api_version_statuses}",
identity-v3-list-projects,platform/compute,advisory,GET,/v3/users/{user_id}/projects,1,yes,,,,
,,,,,,,,,,
identity-v3-create-ec2-credentials,,,POST,/v3/credentials,1,yes,,Should we make ec2 compatibility required? unclear,,
identity-v3-list-ec2-credentials,,,GET,/v3/credentials,1,yes,,Should we make ec2 compatibility required? unclear,,
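
Review bot: The new identity-v3-tokens-create row appends its question after the Scorer Comments value as an extra unquoted field, so the row has one more field than the header; this matches the rendering error reported for line 2 of this file. Fold the text into the Scorer Comments field inside double quotes, or move the open question about scoped and explicit-unscoped password authentication tests to the review discussion, since it is a question to reviewers rather than scoring data.
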
@ -18,7 +12,6 @@ identity-v3-catalog,(make sure it works on all supported releases),,,,,,returned
identity-v3-password-update,,,POST,/v3/users/{user_id}/password,1,yes,,"
Untestable without changing user's password, security risk. Also password policies are very particular to different companies, making a test that would pass on all is near impossible.",tempest.api.identity.v3.test_users{test_update_own_password},
,,,,,,,,,,
identity-v3-list-projects,platform/compute,,GET,/v3/users/{user_id}/projects,0,yes,,,no test available for this feature,
identity-v3-list-groups,platform/compute,,GET,/v3/users/{user_id}/groups,0,yes,,,no test available for this feature,
identity-v3-get-project,platform/compute,,GET,/v3/projects/{project_id},0,yes,,,admin required,
identity-v3-list-roles,platform/compute,,GET,/v3/roles,0,no,,,admin required,
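
Review bot: The identity-v3-list-projects row dropped here recorded 0 under "Test available?" with "no test available for this feature", while its replacement near the top of the file records 1 and leaves Scorer Comments empty. Name the Tempest test that now covers GET /v3/users/{user_id}/projects in that row, as the other scored rows do, or keep the value at 0.
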
@ -26,7 +19,14 @@ identity-v3-get-role,platform/compute,,GET,/v3/roles/{role_id},,no,,,admin requi
identity-v3-list-domains,platform/compute,,GET,/v3/domains,,no,,,admin required,
identity-v3-get-domain,platform/compute,,GET,/v3/domains/{domain_id},,no,,,admin required,
,,,,,,,,,,
identity-v3-validate-token,platform/compute,,GET,/v3/auth/tokens,,yes,Token to be validated is passed in the X-Subject-Token header,,,"This sounds backwards to me, need to check with steve, shouldn't it be POST for validating and GET for getting a token??"
identity-v3-validate-token,platform/compute,,GET,/v3/auth/tokens,,yes,Token to be validated is passed in the X-Subject-Token header,,,"This sounds backwards to me, need to check with steve, shouldn't it be POST for validating and GET for getting a token?"
identity-v3-revoke-token,platform/compute,,DELETE,/v3/auth/tokens,1,yes,Token to be revoked is passed in the X-Subject-Token header,keystone.keystone.tests.unit.test_revoke{test_revoke_by_user},,
identity-v3-get-catalog,platform/compute/object,,GET,/v3/auth/catalog,0,yes,,,"couldn't find a test specific for this, there are some tests related in keystone.tests.unit.test_v3_auth.py",
identity-v3-get-auth-projects,platform/compute,,GET,/v3/auth/projects,0,yes,,,"equivalent as far as I can tell to identity-v3-list-projects. couldn't find a test specific for this, there are some tests related in keystone.tests.unit.test_v3_auth.py",
,,,,,,,,,,
identity-v2-list-versions,,,GET,/,1,yes,,,Deprecated,
identity-v2-show-version,,,GET,/v2.0,1,yes,,,Deprecated,
identity-v2-token-generation,,,POST,/v2.0/tokens,1,yes,,,Deprecated,
identity-v2-tenants,,,GET,/v2.0/tenants,1,yes,,,Deprecated,
identity-v2-list-extensions,,,GET,/v2.0/extensions,,,,,Deprecated,
identity-v2-show-extension,,,GET,/v2.0/extensions/{alias},,,,,Deprecated,
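
Review bot: The identity-v3-validate-token row changes only "??" to "?" and leaves the GET-versus-POST question open, with "Test available?" still blank, even though this commit's scoring notes settle that a user can validate its own token and that no non-admin Tempest test exists yet. Record that outcome in the row and drop or answer the question. In the re-added identity-v2 rows, identity-v2-tenants loses its earlier note asking whether it is an admin call; keep that note next to "Deprecated" if it is still unresolved.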

Can't render this file because it has a wrong number of fields in line 2.


@ -284,10 +284,11 @@ Notes:
Identity
--------
identity-v3-api-discovery: [1,0,1] [1,1,1] [1,1,0] [1,1,1] [1] [85]*
identity-v3-api-discovery: [1,0,1] [1,1,1] [1,1,1] [1,1,1] [1] [94]*
identity-v3-catalog: [1,0,1] [1,1,1] [1,1,0] [1,1,1] [1] [85]*
identity-v3-list-projects: [1,1,1] [1,1,1] [1,1,0] [0,1,0] [1] [74]*
identity-v3-list-groups: [1,1,1] [1,1,1] [1,1,0] [0,1,0] [1] [74]*
identity-v3-validate-token: [1,1,1] [1,1,1] [1,1,0] [0,1,0] [1] [74]*
Notes:
* identity-v3-catalog is returned when the api for
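
Review bot: identity-v3-api-discovery moves from [85] to [94] through a single value flipping in the third group ([1,1,0] to [1,1,1]), but the Notes give no reason for the change. Add a note entry saying what changed for that criterion, so the new score can be checked against the evidence.
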
@ -311,6 +312,12 @@ Notes:
to be done on the backend system. It probably needs further study to see
if it's really interoperable, but it seems unlikely at this point (I also
don't see it being supported by many external tools, etc).
* identity-v3-validate-token A given user can validate its own token. An
admin user is able to validate any token. This is enought for capability to
be considered non admin.
At the time of scoring, there is no non-admin test case in Tempest. Patch
https://review.openstack.org/#/c/467493 will add the test case but due to
timing, capability won't be added in this cycle - not until TC is available.
Object Store
------------
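
Review bot: In the new identity-v3-validate-token note, "enought" should be "enough", and "TC" stands for "test case" without being spelled out, which is easy to misread in this context. Spell it out, and say plainly that the capability is scored here but won't be added in this cycle, so the [74] in the scoring table is not mistaken for a proposal to include it now.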


@ -101,10 +101,11 @@ volumes-v3-metadata,1,0,1,1,1,1,1,1,0,1,1,0,1,77*
volumes-v3-reserve,1,0,1,1,1,1,1,1,0,1,1,0,1,77*
volumes-v3-readonly,1,0,1,1,1,1,1,1,0,1,1,0,1,77*
volumes-v3-upload,1,0,1,1,1,1,1,1,0,1,1,0,1,77*
identity-v3-api-discovery,1,0,1,1,1,1,1,1,0,1,1,1,1,85*
identity-v3-api-discovery,1,0,1,1,1,1,1,1,1,1,1,1,1,94*
identity-v3-catalog,1,0,1,1,1,1,1,1,0,1,1,1,1,85*
identity-v3-list-projects,1,1,1,1,1,1,1,1,0,0,1,0,1,74*
identity-v3-list-groups,1,1,1,1,1,1,1,1,0,0,1,0,1,74*
identity-v3-validate-token,1,1,1,1,1,1,1,1,0,0,1,0,1,74*
objectstore-object-copy,1,1,1,1,1,1,1,1,1,1,1,1,1,100*
objectstore-object-create,1,1,1,1,1,1,1,1,1,1,1,1,1,100*
objectstore-object-delete,1,1,1,1,1,1,1,1,1,1,1,1,1,100*

Can't render this file because it has a wrong number of fields in line 25.