Re: [Openstack] keystone middleware

2013-02-19 Thread pat
Hi,

I expect a single external user store which is read-only (RO) for keystone. Commonly the
user store is LDAP. As I wrote, the key thing here is the generated token.

 Pat

On Tue, 19 Feb 2013 10:44:59 +, David Chadwick wrote
> Hi Pat
> 
> do you expect the one central user store to be replicated, say in 
> Keystone, or not replicated?
> 
> The approach we have taken is to assume that the user stores (we 
> support multiple distributed ones) are external to Keystone, and 
> will be managed by external administrators. When a user accesses 
> OpenStack, a transient entry is created in Keystone's user database 
> for the duration of the SSO token, and is then automatically removed 
> afterwards. This does not affect role based access controls, but 
> will affect ACLs that currently use user IDs to identify the user, 
> since these will change for different login sessions. The solution 
> is for the ACL to use a persistent identity attribute of the user 
> which comes from the user store, rather than to use the transient 
> Keystone user ID
> 
> regards
> 
> David
> 
> On 18/02/2013 16:16, pat wrote:
> > Hi David,
> >
> > Well, it might be useful. I forgot to add that I expect one (central) user
> > store.
> >
> > Thanks
> >
> >   Pat
> >
> > On Mon, 18 Feb 2013 16:11:05 +, David Chadwick wrote
> >> Hi Pat
> >>
> >> sounds like you need our federation software which was designed
> >> specifically for this use case. We currently support SAML as the SSO
> >> protocol, and have just added Keystone to Keystone SSO. I have also
> >> written a blueprint to show how OAuthv2 and OpenConnect can be used
> >> by writing custom plugin modules. So if you have your own
> >> proprietary SSO protocol you can write plugin modules for this
> >>
> >> Kristy can let you Pat have an alpha version for testing if he wants
> >> it.
> >>
> >> regards
> >>
> >> David
> >>
> >> On 18/02/2013 15:59, pat wrote:
> >>> Hello,
> >>>
> >>> Sorry to disturb, but I have some questions regarding keystone middleware.
> >>>
> >>> Some introduction to the problem: I need to integrate OpenStack into our
> >>> existing infrastructure, where all systems are integrated on the REST and
> >>> Web level using an SSO-like system (a token string with specific
> >>> information is generated). The required behavior is to allow users to log
> >>> in once in the existing infrastructure and access OpenStack components
> >>> without an additional log-in.
> >>>
> >>> I assume this is possible by implementing custom keystone drivers for
> >>> identity and token. Is that correct?
> >>> Should I also implement a new policy and/or catalog driver?
> >>>
> >>> If this is possible, I expect the keystone token is the token generated by
> >>> my middleware driver(s) and such a token is used by all other OpenStack
> >>> parts. Is that correct?
> >>> Does this affect the way OpenStack internally validates the token? Now,
> >>> when validating a token, the admin token has to be passed to the
> >>> validation request too. I expect not.
> >>>
> >>> Is it possible to chain more keystone authentication drivers? E.g. first
> >>> check my custom one and if this one fails then check the SQL one.
> >>>
> >>> I've searched the internet to find some example of keystone middleware,
> >>> but I didn't succeed :-\ Is there an example or step by step documentation
> >>> (something for an ... :-))? I've read the "Middleware Architecture"
> >>> documentation and my questions are based on this.
> >>>
> >>> Thanks a lot for your help.
> >>>
> >>>Pat
> >>>
> >>>
> >>> 
> >>> Freehosting PIPNI - http://www.pipni.cz/
> >>>
> >>>
> >>> ___
> >>> Mailing list: https://launchpad.net/~openstack
> >>> Post to : openstack@lists.launchpad.net
> >>> Unsubscribe : https://launchpad.net/~openstack
> >>> More help   : https://help.launchpad.net/ListHelp
> >>>





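The ACL point in David Chadwick's reply above, as an added illustration (this is not the federation software he describes, nor Keystone code): a transient user record is created per SSO session and discarded afterwards, so an ACL keyed on the transient Keystone user id stops matching after a re-login, while an ACL keyed on a persistent attribute carried in every assertion from the external user store keeps working. The store, the assertion format and the `eppn` attribute name are assumptions constructed for the example.

```python
"""Transient per-session user entries and ACLs keyed on a persistent attribute.

Added illustration, not the federation software from the thread. The store,
the assertion layout and the "eppn" attribute name are assumptions.
"""
import uuid


class TransientUserStore(object):
    """User records that exist only for the lifetime of one SSO token."""

    def __init__(self):
        self._by_token = {}  # sso token -> transient user record

    def login(self, assertion):
        """Create a transient entry from a (constructed) SSO assertion."""
        token = uuid.uuid4().hex
        record = {
            "id": uuid.uuid4().hex,          # fresh transient keystone user id per login
            "eppn": assertion["eppn"],       # persistent attribute from the external store
            "roles": list(assertion["roles"]),
        }
        self._by_token[token] = record
        return token, record

    def logout(self, token):
        """Remove the transient entry when the SSO token is released."""
        self._by_token.pop(token, None)

    def lookup(self, token):
        return self._by_token.get(token)


def acl_allows_by_user_id(acl, record):
    """Fragile: the ACL lists transient user ids, so a re-login no longer matches."""
    return record["id"] in acl


def acl_allows_by_attribute(acl, record):
    """Robust: the ACL lists the persistent attribute present in every assertion."""
    return record["eppn"] in acl


def demo():
    """Log the same person in twice and compare both ACL styles across sessions."""
    store = TransientUserStore()
    assertion = {"eppn": "pat@example.org", "roles": ["member"]}  # constructed
    tok1, first = store.login(assertion)
    acl_ids = {first["id"]}              # ACL written against the first session's id
    acl_attr = {"pat@example.org"}       # ACL written against the persistent attribute
    store.logout(tok1)
    tok2, second = store.login(assertion)  # same person, new transient id
    return {
        "same_eppn": first["eppn"] == second["eppn"],
        "same_id": first["id"] == second["id"],
        "id_acl_after_relogin": acl_allows_by_user_id(acl_ids, second),
        "attr_acl_after_relogin": acl_allows_by_attribute(acl_attr, second),
        "session_gone": store.lookup(tok1) is None,
    }
```

Running `demo()` shows the id-keyed ACL denying the second session of the same user while the attribute-keyed ACL still allows it; the same reasoning applies to any policy that persists a transient identifier.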


Re: [Openstack] keystone middleware

2013-02-19 Thread pat
Hello,

Comments inline.

On Mon, 18 Feb 2013 19:56:00 -0600, Dolph Mathews wrote
> On Mon, Feb 18, 2013 at 9:59 AM, pat  wrote:
>Hello,
>
> Sorry to disturb, but I have some questions regarding keystone middleware.
>
> Some introduction to the problem: I need to integrate OpenStack into our existing
> infrastructure, where all systems are integrated on the REST and Web level using
> an SSO-like system (a token string with specific information is generated).
> The required behavior is to allow users to log in once in the existing
> infrastructure and access OpenStack components without an additional log-in.
>
>
> I assume this is something completely proprietary then?

Well, it's inspired by common SSO, with some changes/simplifications.

> 
> I assume this is possible by implementing custom keystone drivers for identity
> and token. Is that correct?
> Should I also implement a new policy and/or catalog driver?
>
>
> If you're looking at folsom, you should only need to implement identity, 
> nothing more. You could even extend one of the existing drivers (e.g. SQL) and 
> only implement certain methods.

Well, both. So for folsom, I need to implement (change the existing) identity 
driver only. So this means that the identity driver is responsible for generating the 
token? And the token driver only checks an existing token for its lifetime?

>
> In grizzly, we're also introducing pluggable authentication drivers that 
> do nothing more than authenticate users, which is probably more in line with 
> what you're looking for. Your driver could simply authenticate with your 
> existing system, and then create/update a user in keystone's SQL backend, 
> for example. We're providing password authentication out of the box at 
> the API level [1], but you could even implement your own authentication at 
> the API level (you'll need corresponding client-side support as well).

Sounds good to me, but is a custom folsom driver compatible with grizzly? I 
hope so :-)

>
> [1]: 
> https://github.com/openstack/identity-api/blob/master/openstack-identity-api/src/markdown/identity-api-v3.md#the-password-authentication-method
> 
> If this is possible, I expect the keystone token is the token generated by my
> middleware driver(s) and such a token is used by all other OpenStack parts. Is
> that correct?
>
>
> You actually won't need to write any middleware. Rather, keystone is 
> designed to abstract existing, external authentication systems from 
> OpenStack's internal approach to auth (tokens). By writing a driver in 
> keystone, you're just redefining that abstraction.

Well, I probably didn't get the naming :-\ So the driver is enough, 
and the driver has to be specified in keystone.conf in the [identity] section. Just 
checking if I've finally got it.

> Does this affect the way OpenStack internally validates the token? Now, when
> validating a token, the admin token has to be passed to the validation request
> too. I expect not.
>
>
> Your expectations are correct.
> 
> Is it possible to chain more keystone authentication drivers? E.g. first
> check my custom one and if this one fails then check the SQL one.
>
>
> We don't have that today (even with pluggable authentication). This is 
> something I'd like to see implemented... I think it'd be trivial to 
> extend our keystone.conf definitions for authentication method drivers to 
> simply be a prioritized list that keystone could query in order, until a 
> driver authenticates successfully (e.g. keystone's built-in password 
> driver first, then your own driver).

That's a nice-to-have feature for me.

> 
> I've searched the internet to find some example of keystone middleware, but I
> didn't succeed :-\ Is there an example or step by step documentation
> (something for an ... :-))? I've read the "Middleware Architecture"
> documentation and my questions are based on this.
>
>
> That's the best documentation I'm aware of for the middleware 
> architecture, other than reading the source code of 
> keystoneclient.middleware.auth_token itself.

OK.

Thanks a lot for your help.

Pat

> 
> Thanks a lot for your help.
>
> Pat
 



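Dolph's suggested prioritized list of authentication drivers, written out as an added illustration (it is not Keystone's code; the `[auth] methods` config key, the driver interface and the two stand-in drivers are assumptions constructed for the example): the configured order is parsed from a keystone.conf-style fragment, each driver is queried in turn, and the first one that authenticates wins. The caller gets back which drivers were tried so the decision can be logged, and an unknown method name is rejected at configuration time rather than silently skipped. The password driver's sha256 table stands in for the real backend's password hashing.

```python
"""Prioritised chain of authentication drivers (added illustration, not Keystone code).

The [auth] methods key, the driver interface and both drivers are assumptions.
"""
import configparser
import hashlib
import hmac


class AuthFailed(Exception):
    """Raised when no driver in the chain accepts the credential."""


class PasswordDriver(object):
    """Stand-in for a built-in password driver (constructed user table)."""
    name = "password"

    def __init__(self, users):
        self._users = users  # username -> hex sha256 of password (constructed)

    def authenticate(self, username, credential):
        stored = self._users.get(username)
        if stored is None:
            return None
        digest = hashlib.sha256(credential.encode("utf-8")).hexdigest()
        if hmac.compare_digest(stored, digest):  # constant-time comparison
            return {"user": username, "via": self.name}
        return None


class ExternalSsoDriver(object):
    """Stand-in for a site-specific driver that checks tokens from an existing SSO system."""
    name = "external_sso"

    def __init__(self, sessions):
        self._sessions = sessions  # sso token -> username (constructed)

    def authenticate(self, username, credential):
        if self._sessions.get(credential) == username:
            return {"user": username, "via": self.name}
        return None


# Constructed keystone.conf-style fragment; the key name is an assumption.
SAMPLE_CONF = """
[auth]
methods = password,external_sso
"""


def default_registry():
    """Constructed registry of available drivers keyed by the name used in the config."""
    return {
        "password": PasswordDriver({"alice": hashlib.sha256(b"wonderland").hexdigest()}),
        "external_sso": ExternalSsoDriver({"sso-token-abc": "pat"}),
    }


def build_chain(conf_text, registry):
    """Order the drivers as listed in [auth] methods; an unknown name is a config error."""
    cp = configparser.ConfigParser()
    cp.read_string(conf_text)
    names = [n.strip() for n in cp.get("auth", "methods").split(",") if n.strip()]
    missing = [n for n in names if n not in registry]
    if missing:
        raise ValueError("unknown auth methods: %s" % ", ".join(missing))
    return [registry[n] for n in names]


def chained_authenticate(drivers, username, credential):
    """Query drivers in priority order; the first that authenticates wins.

    Returns (identity, names_tried) so the caller can log which backend answered.
    """
    tried = []
    for driver in drivers:
        tried.append(driver.name)
        identity = driver.authenticate(username, credential)
        if identity is not None:
            return identity, tried
    raise AuthFailed("no driver accepted credentials for %r (tried %s)"
                     % (username, ", ".join(tried)))
```

Because every driver sees the same credential, a chain like this widens the set of backends a guessed password is tried against; keeping the list short and logging `names_tried` on both success and failure gives the operator the visibility needed to spot that.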


Re: [Openstack] keystone middleware

2013-02-18 Thread pat
Hi David,

Well, it might be useful. I forgot to add that I expect one (central) user 
store.

Thanks

 Pat

On Mon, 18 Feb 2013 16:11:05 +, David Chadwick wrote
> Hi Pat
> 
> sounds like you need our federation software which was designed 
> specifically for this use case. We currently support SAML as the SSO 
> protocol, and have just added Keystone to Keystone SSO. I have also 
> written a blueprint to show how OAuthv2 and OpenConnect can be used 
> by writing custom plugin modules. So if you have your own 
> proprietary SSO protocol you can write plugin modules for this
> 
> Kristy can let you Pat have an alpha version for testing if he wants 
> it.
> 
> regards
> 
> David
> 
> On 18/02/2013 15:59, pat wrote:
> > Hello,
> >
> > Sorry to disturb, but I have some questions regarding keystone middleware.
> >
> > Some introduction to the problem: I need to integrate OpenStack into our existing
> > infrastructure, where all systems are integrated on the REST and Web level using
> > an SSO-like system (a token string with specific information is generated).
> > The required behavior is to allow users to log in once in the existing
> > infrastructure and access OpenStack components without an additional log-in.
> >
> > I assume this is possible by implementing custom keystone drivers for
> > identity and token. Is that correct?
> > Should I also implement a new policy and/or catalog driver?
> >
> > If this is possible, I expect the keystone token is the token generated by my
> > middleware driver(s) and such a token is used by all other OpenStack parts. Is
> > that correct?
> > Does this affect the way OpenStack internally validates the token? Now, when
> > validating a token, the admin token has to be passed to the validation request
> > too. I expect not.
> >
> > Is it possible to chain more keystone authentication drivers? E.g. first
> > check my custom one and if this one fails then check the SQL one.
> >
> > I've searched the internet to find some example of keystone middleware, but I
> > didn't succeed :-\ Is there an example or step by step documentation
> > (something for an ... :-))? I've read the "Middleware Architecture"
> > documentation and my questions are based on this.
> >
> > Thanks a lot for your help.
> >
> >   Pat
> >
> >
> >
> >
> >







[Openstack] keystone middleware

2013-02-18 Thread pat
Hello,

Sorry to disturb, but I have some questions regarding keystone middleware.

Some introduction to the problem: I need to integrate OpenStack into our existing
infrastructure, where all systems are integrated on the REST and Web level using
an SSO-like system (a token string with specific information is generated).
The required behavior is to allow users to log in once in the existing
infrastructure and access OpenStack components without an additional log-in.

I assume this is possible by implementing custom keystone drivers for identity
and token. Is that correct?
Should I also implement a new policy and/or catalog driver?

If this is possible, I expect the keystone token is the token generated by my
middleware driver(s) and such a token is used by all other OpenStack parts. Is
that correct?
Does this affect the way OpenStack internally validates the token? Now, when
validating a token, the admin token has to be passed to the validation request
too. I expect not.

Is it possible to chain more keystone authentication drivers? E.g. first
check my custom one and if this one fails then check the SQL one.

I've searched the internet to find some example of keystone middleware, but I
didn't succeed :-\ Is there an example or step by step documentation
(something for an ... :-))? I've read the "Middleware Architecture" documentation
and my questions are based on this.

Thanks a lot for your help.

 Pat







Re: [Openstack] keystone question

2013-02-10 Thread pat
Hi,

Thanks a lot.

Pat

On Fri, 8 Feb 2013 08:52:13 -0500, Tong Li wrote
> The X-Auth-Token header in your request to validate the user token is not 
> the same thing. You have to log in as admin to get a token and hold on to that 
> token; when a user request comes in with his token, you can hand it over to 
> keystone for validation. Here, I think, is how the request will look:
>
>  request: curl -s -X GET http://localhost:35357/tokens/tokenToBeValidated -H 
> "X-Auth-Token: "adminAccessToken""
>
> adminAccessToken should be a token you (as admin) get using the same API 
> and the admin userid and password, or other means (certificates possibly, if that 
> is how it was designed), to get an access token just like any other user against 
> keystone.
>
> Hope that helps.
>
> Tong Li
> Emerging Technologies & Standards
> 
> "pat" ---02/08/2013 07:31:25 AM---Hi, Thanks for the reply.
>
> From: "pat" 
> To: Tong Li/Raleigh/IBM@IBMUS, 
> Cc: openstack@lists.launchpad.net, 
> openstack-bounces+litong01=us.ibm@lists.launchpad.net
> Date: 02/08/2013 07:31 AM
> Subject: Re: [Openstack] keystone question
>

>
> Hi,
>
> Thanks for the reply.
>
> I've been digging and I've found a way to get a token using the API:
> curl -s -X POST http://localhost:35357/tokens -d '{"auth": 
> {"passwordCredentials": {"username":"XXX", "password":"XXX"}, 
> "tenantName":"XXX"}}' -H "Content-type: application/json"
>
> This request returns a JSON response, that's fine for me.
>
> But how do I validate the token? I'm following the API:
> http://docs.openstack.org/api/openstack-identity-service/2.0/content/GET_validateToken_v2.0_tokens__tokenId__Admin_API_Service_Developer_Operations-d1e1356.html
>
> and the request: curl -s -X GET http://localhost:35357/tokens/XXXYYYXXX -H 
> "X-Auth-Token: "XXXYYYXXX""
> returns 401 (unauthorized).
>
> What am I doing wrong?
>
> Thanks for help
>
> 
> On Wed, 6 Feb 2013 11:46:28 -0500, Tong Li wrote
> > keystone provides APIs for authentication; I would think you only need to 
> > develop some code in your app to call the API and parse the response, then 
> > the following requests will have to be verified using the token. If your app is 
> > already a wsgi app, you will just need to use the keystone middleware in your 
> > pipeline. If it is another type of application, you will just need to 
> > develop some code which deals with keystone authentication http 
> > request/response and figure out a way to verify the token.
> >
> > Thanks.
> >
> > Tong Li
> > Emerging Technologies & Standards
> >
> > 
> >
> > "pat" ---02/06/2013 10:35:26 AM---Hi all, I have a question about keystone. 
> > I have an application (Jee web one) which I
> >
> > From: "pat" 
> > To: openstack@lists.launchpad.net, 
> > Date: 02/06/2013 10:35 AM
> > Subject: [Openstack] keystone question
> > Sent by: openstack-bounces+litong01=us.ibm@lists.launchpad.net
> > 

> >
> > Hi all,
> >
> > I have a question about keystone. I have an application (Jee web one) which 
> > I want to authenticate against keystone. What do I have to do?
> >
> > Thanks
> >
> > Pat
> >
> >
> >
>

 



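The two-step exchange Tong Li describes above (obtain an admin token, then validate a user's token with the admin token in X-Auth-Token) as an added example; it is not Keystone's or python-keystoneclient's code. The HTTP transport is injectable so the block runs offline against the constructed `FakeKeystone` below, which models the v2.0 admin endpoint's behaviour only as far as the thread describes it: a POST to `/tokens` with passwordCredentials issues a token, a GET on `/tokens/<id>` succeeds only when X-Auth-Token carries an admin token, and otherwise answers 401 (the mistake in the thread, where the user's own token was sent). The user table, token ids and response shapes are assumptions.

```python
"""Keystone v2.0 admin-token validation flow (added illustration, not Keystone code).

transport(method, url, headers, body) -> (status, payload) is injectable; the
FakeKeystone below is a constructed stand-in so the example runs offline.
"""
import json


def get_token(transport, base_url, username, password, tenant_name):
    """POST /tokens with passwordCredentials; returns the issued token id."""
    body = json.dumps({"auth": {"passwordCredentials": {"username": username,
                                                        "password": password},
                                "tenantName": tenant_name}})
    status, payload = transport("POST", base_url + "/tokens",
                                {"Content-type": "application/json"}, body)
    if status != 200:
        raise RuntimeError("authentication failed: HTTP %d" % status)
    return json.loads(payload)["access"]["token"]["id"]


def validate_token(transport, base_url, admin_token, user_token):
    """GET /tokens/<user_token> with the admin token in X-Auth-Token.

    Returns the decoded token document, or None on 401/404. Sending the user
    token itself in X-Auth-Token yields 401 because the caller is not admin.
    """
    status, payload = transport("GET", "%s/tokens/%s" % (base_url, user_token),
                                {"X-Auth-Token": admin_token}, None)
    return json.loads(payload) if status == 200 else None


class FakeKeystone(object):
    """Constructed stand-in for the admin endpoint on port 35357."""

    def __init__(self):
        # constructed users: name -> (password, tenant, is_admin)
        self.users = {"admin": ("adminpass", "admin", True),
                      "pat": ("patpass", "demo", False)}
        self.tokens = {}
        self.counter = 0

    def __call__(self, method, url, headers, body):
        path = url.split("://", 1)[1].split("/", 1)[1]  # strip scheme and host
        if method == "POST" and path == "tokens":
            return self._issue(json.loads(body))
        if method == "GET" and path.startswith("tokens/"):
            return self._validate(path[len("tokens/"):], headers)
        return 404, ""

    def _issue(self, doc):
        creds = doc["auth"]["passwordCredentials"]
        rec = self.users.get(creds["username"])
        if rec is None or rec[0] != creds["password"] or rec[1] != doc["auth"].get("tenantName"):
            return 401, ""
        self.counter += 1
        tid = "tok%03d" % self.counter
        self.tokens[tid] = {"user": creds["username"], "tenant": rec[1], "admin": rec[2]}
        return 200, json.dumps({"access": {"token": {"id": tid, "tenant": {"name": rec[1]}},
                                           "user": {"name": creds["username"]}}})

    def _validate(self, tid, headers):
        caller = self.tokens.get(headers.get("X-Auth-Token"))
        if caller is None or not caller["admin"]:
            return 401, ""  # X-Auth-Token was not an admin token
        target = self.tokens.get(tid)
        if target is None:
            return 404, ""
        return 200, json.dumps({"access": {"token": {"id": tid, "tenant": {"name": target["tenant"]}},
                                           "user": {"name": target["user"]}}})


def demo():
    """Run the flow once, including the 401 case from the thread."""
    ks = FakeKeystone()
    base = "http://localhost:35357"
    admin_tok = get_token(ks, base, "admin", "adminpass", "admin")
    user_tok = get_token(ks, base, "pat", "patpass", "demo")
    return {
        "valid": validate_token(ks, base, admin_tok, user_tok),
        "self_check": validate_token(ks, base, user_tok, user_tok),  # 401 -> None
        "unknown": validate_token(ks, base, admin_tok, "nosuch"),    # 404 -> None
    }
```

Against a real deployment the transport would perform the request with urllib or requests; the admin token should be obtained once, kept in memory and re-fetched on 401, never embedded in per-request client code.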


Re: [Openstack] keystone question

2013-02-08 Thread pat
Hi,

Thanks for the reply.

I've been digging and I've found a way to get a token using the API:
curl -s -X POST http://localhost:35357/tokens -d '{"auth": 
{"passwordCredentials": {"username":"XXX", "password":"XXX"}, 
"tenantName":"XXX"}}' -H "Content-type: application/json"

This request returns a JSON response, that's fine for me.

But how do I validate the token? I'm following the API:
http://docs.openstack.org/api/openstack-identity-service/2.0/content/GET_validateToken_v2.0_tokens__tokenId__Admin_API_Service_Developer_Operations-d1e1356.html

and the request: curl -s -X GET http://localhost:35357/tokens/XXXYYYXXX -H 
"X-Auth-Token: "XXXYYYXXX""
returns 401 (unauthorized).

What am I doing wrong?

Thanks for help

On Wed, 6 Feb 2013 11:46:28 -0500, Tong Li wrote
> keystone provides APIs for authentication; I would think you only need to 
> develop some code in your app to call the API and parse the response, then 
> the following requests will have to be verified using the token. If your app is 
> already a wsgi app, you will just need to use the keystone middleware in your 
> pipeline. If it is another type of application, you will just need to 
> develop some code which deals with keystone authentication http 
> request/response and figure out a way to verify the token.
>
> Thanks.
>
> Tong Li
> Emerging Technologies & Standards
>
> 
>
> "pat" ---02/06/2013 10:35:26 AM---Hi all, I have a question about keystone. I 
> have an application (Jee web one) which I
>
> From: "pat" 
> To: openstack@lists.launchpad.net, 
> Date: 02/06/2013 10:35 AM
> Subject: [Openstack] keystone question
> Sent by: openstack-bounces+litong01=us.ibm@lists.launchpad.net
>

>
> Hi all,
>
> I have a question about keystone. I have an application (Jee web one) which I
> want to authenticate against keystone. What do I have to do?
>
> Thanks
>
> Pat
>
>
>

 





[Openstack] keystone question

2013-02-06 Thread pat
Hi all,

I have a question about keystone. I have an application (Jee web one) which I
want to authenticate against keystone. What do I have to do?

Thanks

 Pat






Re: [Openstack] keystone questions

2012-08-29 Thread pat
Hi Dolph,

Well, I don't have such a use case (this just came to my mind), but yes, it's
with data redundancy, etc. I think about synchronization at the Keystone level ...
the failover is the problem. As I wrote, I'm curious whether this is possible.

Thanks for your answer.

 Pat

On Wed, 29 Aug 2012 04:59:25 -0500, Dolph Mathews wrote
 > You're looking to provide data redundancy across keystone instances with
varying backend implementations... what's your use case? How would you
orchestrate the synchronization and failover, if any? What's the purpose of
each backend in such a deployment? 
 >
 > -Dolph
 >
 > On Wed, Aug 29, 2012 at 3:50 AM, pat  wrote:
 >  Hi Joe,
 >
 > OK, this is clear to me, but I'm thinking more about this scenario: each keystone
 > has its own storage and the keystones are interconnected and replicate the
 > information on the keystone layer - so for example one keystone can be connected
 > to LDAP, another to a DB or KVS, etc.
 >
 > Thanks a lot for your answers and patience :-) Your answers are helpful to 
 > me.
 >
 > Pat
 >
 > On Tue, 28 Aug 2012 08:55:16 -0700, Joseph Heck wrote
 >
 > > On Aug 28, 2012, at 12:41 AM, pat  wrote:
 > > > Thanks for Q1. About Q2, I'm thinking more about keystone instances where each
 > > > has its own storage and the keystones are interconnected and their data are
 > > > replicated. The DB, in your suggestion, looks like a single point of
 > > > failure to me.
 > >
 > > Hi Pat,
 > >
 > > Yes - it definitely could be. If you're setting up keystone in an HA
 > > configuration, then I'd expect that you actually have a mysql
 > > cluster backing the database that could allow a single instance of
 > > mysql to fail and maintain services. Keystone, like Nova, Glance,
 > > etc is stashing its state somewhere - the WSGI processes that run
 > > keystone have moved that to MySQL, so MySQL is the place where you
 > > need to watch and care for.
 > >
 > > Many implementations of OpenStack that I've seen have shared the
 > > MySQL instance between keystone, nova, and glance, and quite
 > > successfully.
 > >
 > > If you were using LDAP entirely for the backend instead of the SQL
 > > backed mechanisms, then you'd need a replicated/failover cluster for
 > > LDAP as well.
 > >
 > > -joe
 > >
 > > > On Mon, 27 Aug 2012 09:46:41 -0700, Joseph Heck wrote
 > > >> Hi Pat,
 > > >>
 > > >> On Aug 27, 2012, at 8:09 AM, pat  wrote:
 > > >>> I have two questions regarding OpenStack Keystone:
 > > >>>
 > > >>> Q1) The Folsom release supports domains. The domain can contain more
 > > >>> tenants and a tenant cannot be shared between domains. Is this right? I
 > > >>> think so, but want to be sure.
 > > >>
 > > >> I'm afraid it doesn't. We didn't make sufficient progress with the
 > > >> V3 API (which is what incorporates domains) to include that with the
 > > >> Folsom release. We expect this to be available with the grizzly release.
 > > >>
 > > >>> Q2) Is it possible to have a “cluster” of the Keystones to avoid
 > > >>> Keystone being a bottleneck? If so, could you point me to a “tutorial”?
 > > >>> Or did I miss something important?
 > > >>
 > > >> If by "cluster" you mean multiple instances to handle requests, then
 > > >> absolutely - yes. For this particular response, I'll assume you're
 > > >> using a SQL backend for Keystone. Generally you maintain a single
 > > >> "database" - wether that's an HA cluster or a single instance, and
 > > >> any number of Keystone service instances can point to and use that.
 > > >>
 > > >
 > > >
 > > >
 > > >
 > >
 >
 >
 >







Re: [Openstack] keystone questions

2012-08-29 Thread pat
Hi Joe,

OK, this is clear to me, but I'm thinking more about this scenario: each keystone
has its own storage and the keystones are interconnected and replicate the
information on the keystone layer - so for example one keystone can be connected
to LDAP, another to a DB or KVS, etc.

Thanks a lot for your answers and patience :-) Your answers are helpful to me.

 Pat

On Tue, 28 Aug 2012 08:55:16 -0700, Joseph Heck wrote
> On Aug 28, 2012, at 12:41 AM, pat  wrote:
> > Thanks for Q1. About Q2, I'm thinking more about keystone instances where each has
> > its own storage and the keystones are interconnected and their data are
> > replicated. The DB, in your suggestion, looks like a single point of failure
> > to me.
> 
> Hi Pat,
> 
> Yes - it definitely could be. If you're setting up keystone in an HA 
> configuration, then I'd expect that you actually have a mysql 
> cluster backing the database that could allow a single instance of 
> mysql to fail and maintain services. Keystone, like Nova, Glance,
> etc is stashing its state somewhere - the WSGI processes that run 
> keystone have moved that to MySQL, so MySQL is the place where you 
> need to watch and care for.
> 
> Many implementations of OpenStack that I've seen have shared the 
> MySQL instance between keystone, nova, and glance, and quite 
> successfully.
> 
> If you were using LDAP entirely for the backend instead of the SQL 
> backed mechanisms, then you'd need a replicated/failover cluster for 
> LDAP as well.
> 
> -joe
> 
> > On Mon, 27 Aug 2012 09:46:41 -0700, Joseph Heck wrote
> >> Hi Pat,
> >> 
> >> On Aug 27, 2012, at 8:09 AM, pat  wrote:
> >>> I have two questions regarding OpenStack Keystone:
> >>> 
> >>> Q1) The Folsom release supports domains. The domain can contain more 
> >>> tenants and a tenant cannot be shared between domains. Is this right? I
> >>> think so, but want to be sure.
> >> 
> >> I'm afraid it doesn't. We didn't make sufficient progress with the 
> >> V3 API (which is what incorporates domains) to include that with the 
> >> Folsom release. We expect this to be available with the grizzly release.
> >> 
> >>> Q2) Is it possible to have a “cluster” of the Keystones to avoid Keystone
> >>> being a bottleneck? If so, could you point me to a “tutorial”? Or did I miss
> >>> something important?
> >> 
> >> If by "cluster" you mean multiple instances to handle requests, then 
> >> absolutely - yes. For this particular response, I'll assume you're 
> >> using a SQL backend for Keystone. Generally you maintain a single 
> >> "database" - wether that's an HA cluster or a single instance, and 
> >> any number of Keystone service instances can point to and use that.
> >> 
> > 
> > 
> > 
> > 
> > 
> 
> 







Re: [Openstack] keystone questions

2012-08-28 Thread pat
Hi Joe,

Thanks for Q1. About Q2, I'm thinking more about keystone instances where each has
its own storage and the keystones are interconnected and their data are
replicated. The DB, in your suggestion, looks like a single point of failure to 
me.

Thanks for your time

 Pat

On Mon, 27 Aug 2012 09:46:41 -0700, Joseph Heck wrote
> Hi Pat,
> 
> On Aug 27, 2012, at 8:09 AM, pat  wrote:
> > I have two questions regarding OpenStack Keystone:
> > 
> > Q1) The Folsom release supports domains. The domain can contain more tenants
> > and a tenant cannot be shared between domains. Is this right? I think so, but
> > want to be sure.
> 
> I'm afraid it doesn't. We didn't make sufficient progress with the 
> V3 API (which is what incorporates domains) to include that with the 
> Folsom release. We expect this to be available with the grizzly release.
> 
> > Q2) Is it possible to have a “cluster” of the Keystones to avoid Keystone 
> > being a bottleneck? If so, could you point me to a “tutorial”? Or did I miss
> > something important?
> 
> If by "cluster" you mean multiple instances to handle requests, then 
> absolutely - yes. For this particular response, I'll assume you're 
> using a SQL backend for Keystone. Generally you maintain a single 
> "database" - wether that's an HA cluster or a single instance, and 
> any number of Keystone service instances can point to and use that.
> 







[Openstack] keystone questions

2012-08-27 Thread pat
Hello,

I have two questions regarding OpenStack Keystone:

Q1) The Folsom release supports domains. The domain can contain more tenants
and a tenant cannot be shared between domains. Is this right? I think so, but
want to be sure.

Q2) Is it possible to have a “cluster” of the Keystones to avoid Keystone being
a bottleneck? If so, could you point me to a “tutorial”? Or did I miss
something important?

Thanks a lot

 Pat






Re: [Openstack] implementing custom keystone module

2012-08-22 Thread pat
On Tue, 21 Aug 2012 17:38:54 -0400, Adam Young wrote
> On 08/21/2012 05:10 PM, pat wrote:
> > Hello,
> >
> > I want to implement a custom keystone authentication module. I went through 
> > the
> 
> What are you trying to do?  There is a good chance that one of the 
> other modules can be a good example.

Well, probably a multi-LDAP module, so probably start with the current LDAP one.

> 
> > documentation and I'm not sure where to start :-\ Please, could you point me
> > to a specific page describing this? Thanks. And one more: please, could you
> > point me to a document which describes the relation between keystone and WSGI? And
> 
> WSGI is a standard for writing Web applications in Python. Keystone 
> complies with the WSGI contract.  Thus, while Keystone is usually 
> run in the Eventlet web container, it can run in Apache HTTPD as 
> well.  Both are WSGI containers.

Thanks for the explanation.

> 
> > yes, I've never used python :-)
> >
> > Thanks for help.
> >
> >   Pat
> >
> > P.S. I've googled a lot, but keystone is too common a word :-(
> 
> Google for "Openstack Keystone" and you will have more success.

Thanks

 Pat








[Openstack] implementing custom keystone module

2012-08-21 Thread pat
Hello,

I want to implement a custom keystone authentication module. I went through the
documentation and I'm not sure where to start :-\ Please, could you point me
to a specific page describing this? Thanks. And one more: please, could you
point me to a document which describes the relation between keystone and WSGI? And
yes, I've never used python :-)

Thanks for help.

 Pat

P.S. I've googled a lot, but keystone is too common a word :-(






Re: [Openstack] multiple LDAPs in OpenStack

2012-08-21 Thread pat
Yes, you are right, but I want to collect information first ;-)

Thanks to all

 Pat

 On Mon, 20 Aug 2012 18:07:45 -0500, Dolph Mathews wrote
 > While there's no implementation of this in keystone today, I'm sure you
 > could write your own LDAP driver in keystone, heavily leveraging the existing
 > LDAP driver.
 >
 > -Dolph
 >
 > On Mon, Aug 20, 2012 at 4:19 PM, Ryan Lane  wrote:
 >  
 > On Mon, Aug 20, 2012 at 1:52 PM, pat  wrote:
 > > Hello,
 > >
 > > I'm new to this list and OpenStack at all. I want to ask a question: I
 > > want to ask if it's possible to use one LDAP per tenant. I've searched the
 > > web, but didn't find the answer.
 > >
 > >
 >
 > In keystone this is not currently possible.
 >
 > - Ryan
 >







[Openstack] multiple LDAPs in OpenStack

2012-08-20 Thread pat
Hello,

I'm new to this list and OpenStack at all. I want to ask a question: I want to
ask if it's possible to use one LDAP per tenant. I've searched the web, but
didn't find the answer.

Thanks

 Pat



