Sorry to send this out again, but I wrote too soon. I was missing one driver entry in keystone.conf. Here are my working settings:
File keystone.conf: [catalog] # dynamic, sql-based backend (supports API/CLI-based management commands) #driver = keystone.catalog.backends.sql.Catalog driver = keystone.contrib.endpoint_filter.backends.catalog_sql.EndpointFilterCatalog # static, file-based backend (does *NOT* support any management commands) # driver = keystone.catalog.backends.templated.TemplatedCatalog template_file = default_catalog.templates [endpoint_filter] # extension for creating associations between project and endpoints in order to # provide a tailored catalog for project-scoped token requests. driver = keystone.contrib.endpoint_filter.backends.sql.EndpointFilter return_all_endpoints_if_no_filter = False File keystone-paste.ini: [filter:endpoint_filter_extension] paste.filter_factory = keystone.contrib.endpoint_filter.routers:EndpointFilterExtension.factory and [pipeline:api_v3] pipeline = access_log sizelimit url_normalize token_auth admin_token_auth xml_body json_body ec2_extension s3_extension oauth1_extension endpoint_filter_extension service_v3 Updated Installation instructions: To enable the endpoint filter extension: 1. Add the new filter driver to the catalog section to "keystone.conf". Example: [catalog] driver = keystone.contrib.endpoint_filter.backends.catalog_sql.EndpointFilterCatalog 2. Add the new [endpoint_filter] section to ``keystone.conf``. Example: [endpoint_filter] # extension for creating associations between project and endpoints in order to # provide a tailored catalog for project-scoped token requests. driver = keystone.contrib.endpoint_filter.backends.sql.EndpointFilter # return_all_endpoints_if_no_filter = True optional: uncomment and set ``return_all_endpoints_if_no_filter`` 3. Add the ``endpoint_filter_extension`` filter to the ``api_v3`` pipeline in ``keystone-paste.ini``. Example: [filter:endpoint_filter_extension] paste.filter_factory = keystone.contrib.endpoint_filter.routers:EndpointFilterExtension.factory [pipeline:api_v3] pipeline = access_log sizelimit url_normalize token_auth admin_token_auth xml_body json_body ec2_extension s3_extension endpoint_filter_extension service_v3 4. Create the endpoint filter extension tables if using the provided sql backend. Example:: ./bin/keystone-manage db_sync --extension endpoint_filter 5. Once you have done the changes restart the keystone-server to apply the changes. > -----Original Message----- > From: Miller, Mark M (EB SW Cloud - R&D - Corvallis) > Sent: Tuesday, October 08, 2013 1:51 PM > To: OpenStack Development Mailing List > Subject: Re: [openstack-dev] Keystone OS-EP-FILTER descrepancy > > Slightly adjusted instructions after testing: > > To enable the endpoint filter extension: > > 1. Add the new [endpoin_ filter] section ton ``keystone.conf``. > example: > > [endpoint_filter] > # extension for creating associations between project and endpoints in order > to # provide a tailored catalog for project-scoped token requests. > driver = keystone.contrib.endpoint_filter.backends.sql.EndpointFilter > # return_all_endpoints_if_no_filter = True > > optional: change ``return_all_endpoints_if_no_filter`` the > ``[endpoint_filter]`` section > > 2. Add the ``endpoint_filter_extension`` filter to the ``api_v3`` pipeline in > ``keystone-paste.ini``. > example: > > [filter:endpoint_filter_extension] > paste.filter_factory = > keystone.contrib.endpoint_filter.routers:EndpointFilterExtension.factory > > [pipeline:api_v3] > pipeline = access_log sizelimit url_normalize token_auth admin_token_auth > xml_body json_body ec2_extension s3_extension > endpoint_filter_extension service_v3 > > 3. Create the endpoint filter extension tables if using the provided sql > backend. example:: > ./bin/keystone-manage db_sync --extension endpoint_filter > > 4. Once you have done the changes restart the keystone-server to apply the > changes. > > > -----Original Message----- > > From: Miller, Mark M (EB SW Cloud - R&D - Corvallis) > > Sent: Tuesday, October 08, 2013 1:30 PM > > To: OpenStack Development Mailing List > > Subject: Re: [openstack-dev] Keystone OS-EP-FILTER descrepancy > > > > Here is the response from Fabio: > > > > Mark, > > Please have a look at the configuration.rst in the > > contrib/endpoint-filter folder. > > I pasted here for your convenience: > > > > ================================== > > Enabling Endpoint Filter Extension > > ==================================To enable the endpoint filter > > extension: > > 1. add the endpoint filter extension catalog driver to the ``[catalog]`` > section > > in ``keystone.conf``. example:: > > > > [catalog] > > driver = > > keystone.contrib.endpoint_filter.backends.catalog_sql.EndpointFilterCa > > talog 2. add the ``endpoint_filter_extension`` filter to the > > ``api_v3`` pipeline in > > ``keystone-paste.ini``. example:: > > > > [pipeline:api_v3] > > pipeline = access_log sizelimit url_normalize token_auth > > admin_token_auth xml_body json_body ec2_extension s3_extension > > endpoint_filter_extension service_v3 3. create the endpoint filter > > extension tables if using the provided sql backend. example:: > > ./bin/keystone-manage db_sync --extension endpoint_filter 4. optional: > > change ``return_all_endpoints_if_no_filter`` the ``[endpoint_filter]`` > section > > in ``keystone.conf`` to return an empty catalog if no associations are > made. > > example:: > > [endpoint_filter] > > return_all_endpoints_if_no_filter = False > > > > > > Steps 1-3 are mandatory. Once you have done the changes restart the > > keystone-server to apply the changes. > > > > The /v3/auth/tokens?nocatalog is to remove the catalog from the token > > creation. > > It is different from the filtering because it won't return any > > endpoint in the service catalog. The endpoint filter will return only > > the ones that you have associated with a particular project. > > Please bear in mind that this works only with scoped token (meaning > > where you pass a project id). > > > > > > > > > > > > > > > -----Original Message----- > > > From: Miller, Mark M (EB SW Cloud - R&D - Corvallis) > > > Sent: Tuesday, October 08, 2013 1:21 PM > > > To: OpenStack Development Mailing List > > > Subject: [openstack-dev] Keystone OS-EP-FILTER descrepancy > > > > > > Hello, > > > > > > I am attempting to test the Havana v3 OS-EP-FILTER extension with > > > the latest RC1 bits and I get a 404 error response. > > > > > > The documentation actually shows 2 different URIs for this API: > > > > > > - GET /OS-EP-FILTER/projects/{project_id}/endpoints and > > > http://identity:35357/v3/OS-FILTER/projects/{project_id}/endpoints > > > > > > I have tried both "OS-EP-FILTER" and "OS-FILTER" with the same result. > > > Does anyone have information as to what I am missing? > > > > > > Regards, > > > > > > Mark Miller > > > > > > ------------- > > > > > > From the online documentation: > > > > > > List Associations for Project: GET /OS-EP- > > > FILTER/projects/{project_id}/endpoints > > > > > > Returns all the endpoints that are currently associated with a > > > specific > > project. > > > > > > Response: > > > Status: 200 OK > > > { > > > "endpoints": > > > [ > > > { > > > "id": "--endpoint-id--", > > > "interface": "public", > > > "url": "http://identity:35357/", > > > "region": "north", > > > "links": { > > > "self": > > > "http://identity:35357/v3/endpoints/--endpoint-id--" > > > }, > > > "service_id": "--service-id--" > > > }, > > > { > > > "id": "--endpoint-id--", > > > "interface": "internal", > > > "region": "south", > > > "url": "http://identity:35357/", > > > "links": { > > > "self": > > > "http://identity:35357/v3/endpoints/--endpoint-id--" > > > }, > > > "service_id": "--service-id--" > > > } > > > ], > > > "links": { > > > "self": "http://identity:35357/v3/OS- > > > FILTER/projects/{project_id}/endpoints", > > > "previous": null, > > > "next": null > > > } > > > } > > > > > > > > > _______________________________________________ > > > OpenStack-dev mailing list > > > OpenStack-dev@lists.openstack.org > > > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev > > > > _______________________________________________ > > OpenStack-dev mailing list > > OpenStack-dev@lists.openstack.org > > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev > > _______________________________________________ > OpenStack-dev mailing list > OpenStack-dev@lists.openstack.org > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev _______________________________________________ OpenStack-dev mailing list OpenStack-dev@lists.openstack.org http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev