While I think we could merge the two together and control access with RBAC now, I expect we'll keep separate ports for the use case that Matt Joyce specifically mentions. I've made a blueprint to implement RBAC into keystone, using Keystone (https://blueprints.launchpad.net/keystone/+spec/rbac-keystone-api), but there will still be a need to bootstrap into the system, which may reside only on the admin port.

The V3 draft API doesn't distinguish between public and private, somewhat intentionally, as that's something I expect to wrap behind RBAC for most access. That said, having an admin-functions-only running on a private port and potentially disabled is clearly something that Matt (and others?) want to keep available, so I expect we will.

-joe

On Jun 21, 2012, at 12:36 PM, Gabriel Hurley wrote:

> The port change is fine with me since we're trampling on an
> already-registered port number.
>
> However, I'd like to ask again about the admin vs. standard ports in the
> Keystone v3 API. There was no mention of the differentiation between the two
> or how they would be used. Especially in a post-RBAC/policy.json world, what
> is an "admin" API call? Does Keystone really need two ports (Matt Joyce
> suggests it does) or could they be one?
>
> - Gabriel
>
>> -----Original Message-----
>> From: openstack-bounces+gabriel.hurley=nebula....@lists.launchpad.net
>> [mailto:openstack-bounces+gabriel.hurley=nebula....@lists.launchpad.net]
>> On Behalf Of Nguyen, Liem Manh
>> Sent: Thursday, June 21, 2012 10:40 AM
>> To: Joseph Heck; Vaze, Mandar
>> Cc: openstack@lists.launchpad.net
>> Subject: Re: [Openstack] [keystone] Keystone on port 5000 - proposing
>> change default port to 8770
>>
>> +1 for an IANA-registered public port. I wonder why we registered the
>> admin port, but not the public port in the first place.
>>
>> Liem
>>
>> -----Original Message-----
>> From: openstack-bounces+liem_m_nguyen=hp....@lists.launchpad.net
>> [mailto:openstack-bounces+liem_m_nguyen=hp....@lists.launchpad.net]
>> On Behalf Of Joseph Heck
>> Sent: Thursday, June 21, 2012 1:28 AM
>> To: Vaze, Mandar
>> Cc: openstack@lists.launchpad.net
>> Subject: Re: [Openstack] [keystone] Keystone on port 5000 - proposing
>> change default port to 8770
>>
>> Honestly the only reason is that I've heard some fairly direct feedback that
>> port 5000 is that MS uPnP port and hence blocked by many corporate
>> entities, so it's just a matter of a PITA and a slight bump in setup for
>> those groups. Thought to honestly register another port with IANA like
>> 35357 and put it in place - wanted to see if anyone screamed first.
>>
>> -joe
>>
>> On Jun 20, 2012, at 8:49 PM, Vaze, Mandar wrote:
>>> "public_port" is configurable via keystone.conf - so if port 5000 is
>>> blocked in specific setup, it is trivial to change it to some other port.
>>>
>>> why make so many changes (REST docs, XML docs, devstack, and the code)
>>> for a parameter that can be easily tweaked ?
>>>
>>> -Mandar
>>>
>>> -----Original Message-----
>>> From: openstack-bounces+mandar.vaze=nttdata....@lists.launchpad.net
>>> [mailto:openstack-bounces+mandar.vaze=nttdata....@lists.launchpad.net]
>>> On Behalf Of Joseph Heck
>>> Sent: Thursday, June 21, 2012 4:46 AM
>>> To: openstack@lists.launchpad.net (openstack@lists.launchpad.net)
>>> Subject: [Openstack] [keystone] Keystone on port 5000 - proposing change
>>> default port to 8770
>>>
>>> At the risk of a terrible public tar and feathering...
>>>
>>> I've learned that port 5000 (which Keystone is using for its default
>>> public-token-auth stuff) is commonly blocked by many firewalls, as it's
>>> been registered as a Microsoft uPnP port.
>>>
>>> I thought I'd go ahead and propose changing the default to 8770. I picked
>>> this number because it's close to the Nova ports in common use (8773, 8774,
>>> 8775, and 8776).
>>>
>>> And yes, I'll submit updates to all REST docs, XML docs, devstack, and the
>>> code.
>>>
>>> So... how many people do I need to worry about murdering me for this
>>> next design summit?
>>>
>>> -joe
>>>
>>> _______________________________________________
>>> Mailing list: https://launchpad.net/~openstack
>>> Post to : openstack@lists.launchpad.net
>>> Unsubscribe : https://launchpad.net/~openstack
>>> More help : https://help.launchpad.net/ListHelp