Re: [Openstack] IMPORTANT: Openstack List Migration (Please read)

[Adam Young]

Yes, but subscribing for that gets a page with

The requested URL /mailman/subscribe/openstack was not found on this server.


On 07/25/2013 08:52 AM, Damion Parry wrote:

Hello,

I happened to stumble across:

http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack

HTH,
Damion.

On 25 Jul 2013, at 13:50, Sylvain Bauza sylvain.ba...@bull.net 
mailto:sylvain.ba...@bull.net wrote:



Hi,
Nope, I was talking about the openst...@lists.openstack.org ML, which 
I can't find on mailman. The link you gave me is about 
openstack-dev@, not openstack@.


If Paul Hummel (or other) could tell us what to do to subscribe to 
the fresh new openst...@lists.openstack.org, it would be great :-)


-Sylvain


Le 25/07/2013 14:13, Paul Michali a écrit :
From the main page, you click on the list name and it takes you to a 
link on how to subscribe/unsubscribe...


http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev


PCM (Paul Michali)

MAIL p...@cisco.com mailto:p...@cisco.com
IRC   pcm_  (irc.freenode.net http://irc.freenode.net/)
TW   @pmichali

On Jul 25, 2013, at 3:06 AM, Sylvain Bauza sylvain.ba...@bull.net 
mailto:sylvain.ba...@bull.net wrote:



Hi Paul,
Apologies if I missed any related info, but how to subscribe to the 
new lists.openstack.org http://lists.openstack.org/ list ?

I can't find my way thru mailman [1]

Thanks,
-Sylvain

[1] : http://lists.openstack.org/cgi-bin/mailman/listinfo

Le 24/07/2013 18:19, Paul Hummer a écrit :

Openstackers-

  You've probably seen talk of migrating this list from Launchpad 
to lists.openstack.org http://lists.openstack.org/.  It's 
happening.  This will affect you, and if you don't read through 
this, you could find yourself wondering where everyone went when 
you send emails to this list.


Here's the timeline:

100UTC Friday - The Launchpad group ~openstack will be put in 
invite-only, so no new users will be able to sign up. At this 
point, I'll get a Launchpad Admin to provide all the data from the 
mailing list, and migrate it to lists.openstack.org 
http://lists.openstack.org/
100UTC Saturday - The mailing list migration will be complete, and 
all users will be migrated over to lists.openstack.org 
http://lists.openstack.org/. From then on, 
openstack@lists.launchpad.net 
mailto:openstack@lists.launchpad.net will be a dead list, and 
openst...@lists.openstack.org 
mailto:openst...@lists.openstack.org will be the actual list. If 
you continue to send emails to the Launchpad list, this will be 
you: http://i.imgur.com/MQUmmqo.gif


If you have any questions, ask away.

Cheers,
Paul


___
Mailing list:https://launchpad.net/~openstack
Post to :openstack@lists.launchpad.net
Unsubscribe :https://launchpad.net/~openstack
More help   :https://help.launchpad.net/ListHelp


___
Mailing list: https://launchpad.net/~openstack 
https://launchpad.net/%7Eopenstack
Post to : openstack@lists.launchpad.net 
mailto:openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack 
https://launchpad.net/%7Eopenstack

More help   : https://help.launchpad.net/ListHelp




___
Mailing list: https://launchpad.net/~openstack 
https://launchpad.net/%7Eopenstack
Post to : openstack@lists.launchpad.net 
mailto:openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack 
https://launchpad.net/%7Eopenstack

More help   : https://help.launchpad.net/ListHelp




___
Mailing list: https://launchpad.net/~openstack
Post to : openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help   : https://help.launchpad.net/ListHelp


___
Mailing list: https://launchpad.net/~openstack
Post to : openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help   : https://help.launchpad.net/ListHelp

Re: [Openstack] glance: Invalid Openstack Identity Credentials

[Adam Young]

On 07/24/2013 10:45 AM, Salvatore Orlando wrote:
Hav you tried checking the credentials that glance uses for validating 
tokens with keystone?


They are defined in glance's conf files in the section:

[keystone_authtoken]
signing_dir = /var/cache/glance/api


make sure that the directory
/var/cache/glance/api
exists and has the certificates in it.  A good test is to remove the 
certifcates and hit the server again, as they are fetched on demand.  If 
there are no certificates there after another try, either glance can't 
talk to Keystone or keystone is not handing out the certificates.



auth_uri = http://127.0.0.1:5000/
auth_host = 127.0.0.1
auth_port = 35357
auth_protocol = http
admin_tenant_name = service
admin_user = glance
admin_password = password

Salvatore


On 18 July 2013 22:16, Matt Davis mattd5...@gmail.com 
mailto:mattd5...@gmail.com wrote:


Hello all,

I'm working on a deployment script to install and configure my
OpenStack services and I'm getting a strange result with glance. 
It's surely a bug with my script messing up a config file line,

but I can't interpret the glance and keystone logs to track the
issue down.  Here's the use case:

1)  Install keystone following the directions in the Grizzly
installation guide for Ubuntu 12.04.
2)  Install glance following the directions in the Grizzly
installation guide for Ubuntu 12.04.
3)  Run glance image-list to see if I can get an empty list.

My result:

=
glance --os-username=admin --os-password=secrete --os-tenant-name
demo --os-auth-url=http://localhost:5000/v2.0 image-list

Request returned failure status.
Invalid OpenStack Identity credentials.
=

The glance API log is as follows:

=
2013-07-18 11:18:24.301 6306 DEBUG
glance.api.middleware.version_negotiation [-] Determining version
of request: GET //v1/images/detail Accept:  process_request

/usr/lib/python2.7/dist-packages/glance/api/middleware/version_negotiation.py:46
2013-07-18 11:18:24.302 6306 DEBUG
glance.api.middleware.version_negotiation [-] Using url versioning
process_request

/usr/lib/python2.7/dist-packages/glance/api/middleware/version_negotiation.py:59
2013-07-18 11:18:24.302 6306 DEBUG
glance.api.middleware.version_negotiation [-] Matched version: v1
process_request

/usr/lib/python2.7/dist-packages/glance/api/middleware/version_negotiation.py:71
2013-07-18 11:18:24.302 6306 DEBUG
glance.api.middleware.version_negotiation [-] new uri
/v1/images/detail process_request

/usr/lib/python2.7/dist-packages/glance/api/middleware/version_negotiation.py:72
=

No entries are added to the glance registry log. If I tweak the
password to make the credentials invalid, I get this:

=
glance --os-username=admin --os-password=wrong_pw --os-tenant-name
demo --os-auth-url=http://localhost:5000/v2.0 image-list
Unable to communicate with identity service: {error: {message:
Invalid user / password, code: 401, title: Not
Authorized}}. (HTTP 401)
=

So keystone is definitely looking up my credentials and responding
differently when they match.

Any ideas as to where should I be looking for the issue?

Thanks for your time!

-Matt

___
Mailing list: https://launchpad.net/~openstack
https://launchpad.net/%7Eopenstack
Post to : openstack@lists.launchpad.net
mailto:openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
https://launchpad.net/%7Eopenstack
More help   : https://help.launchpad.net/ListHelp




___
Mailing list: https://launchpad.net/~openstack
Post to : openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help   : https://help.launchpad.net/ListHelp


___
Mailing list: https://launchpad.net/~openstack
Post to : openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help   : https://help.launchpad.net/ListHelp

Re: [Openstack] glance: Invalid Openstack Identity Credentials

[Adam Young]

I wrote this up as a general answer. Hope it helps.

https://adam.younglogic.com/2013/07/troubleshooting-pki-middleware/

On 07/24/2013 11:44 AM, Adam Young wrote:

On 07/24/2013 10:45 AM, Salvatore Orlando wrote:
Hav you tried checking the credentials that glance uses for 
validating tokens with keystone?


They are defined in glance's conf files in the section:

[keystone_authtoken]
signing_dir = /var/cache/glance/api


make sure that the directory
/var/cache/glance/api
exists and has the certificates in it.  A good test is to remove the 
certifcates and hit the server again, as they are fetched on demand.  
If there are no certificates there after another try, either glance 
can't talk to Keystone or keystone is not handing out the certificates.



auth_uri = http://127.0.0.1:5000/
auth_host = 127.0.0.1
auth_port = 35357
auth_protocol = http
admin_tenant_name = service
admin_user = glance
admin_password = password

Salvatore


On 18 July 2013 22:16, Matt Davis mattd5...@gmail.com 
mailto:mattd5...@gmail.com wrote:


Hello all,

I'm working on a deployment script to install and configure my
OpenStack services and I'm getting a strange result with glance. 
It's surely a bug with my script messing up a config file line,

but I can't interpret the glance and keystone logs to track the
issue down.  Here's the use case:

1)  Install keystone following the directions in the Grizzly
installation guide for Ubuntu 12.04.
2)  Install glance following the directions in the Grizzly
installation guide for Ubuntu 12.04.
3)  Run glance image-list to see if I can get an empty list.

My result:

=
glance --os-username=admin --os-password=secrete --os-tenant-name
demo --os-auth-url=http://localhost:5000/v2.0 image-list

Request returned failure status.
Invalid OpenStack Identity credentials.
=

The glance API log is as follows:

=
2013-07-18 11:18:24.301 6306 DEBUG
glance.api.middleware.version_negotiation [-] Determining version
of request: GET //v1/images/detail Accept:  process_request

/usr/lib/python2.7/dist-packages/glance/api/middleware/version_negotiation.py:46
2013-07-18 11:18:24.302 6306 DEBUG
glance.api.middleware.version_negotiation [-] Using url
versioning process_request

/usr/lib/python2.7/dist-packages/glance/api/middleware/version_negotiation.py:59
2013-07-18 11:18:24.302 6306 DEBUG
glance.api.middleware.version_negotiation [-] Matched version: v1
process_request

/usr/lib/python2.7/dist-packages/glance/api/middleware/version_negotiation.py:71
2013-07-18 11:18:24.302 6306 DEBUG
glance.api.middleware.version_negotiation [-] new uri
/v1/images/detail process_request

/usr/lib/python2.7/dist-packages/glance/api/middleware/version_negotiation.py:72
=

No entries are added to the glance registry log.  If I tweak the
password to make the credentials invalid, I get this:

=
glance --os-username=admin --os-password=wrong_pw
--os-tenant-name demo --os-auth-url=http://localhost:5000/v2.0
image-list
Unable to communicate with identity service: {error:
{message: Invalid user / password, code: 401, title: Not
Authorized}}. (HTTP 401)
=

So keystone is definitely looking up my credentials and
responding differently when they match.

Any ideas as to where should I be looking for the issue?

Thanks for your time!

-Matt

___
Mailing list: https://launchpad.net/~openstack
https://launchpad.net/%7Eopenstack
Post to : openstack@lists.launchpad.net
mailto:openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
https://launchpad.net/%7Eopenstack
More help   : https://help.launchpad.net/ListHelp




___
Mailing list:https://launchpad.net/~openstack
Post to :openstack@lists.launchpad.net
Unsubscribe :https://launchpad.net/~openstack
More help   :https://help.launchpad.net/ListHelp




___
Mailing list: https://launchpad.net/~openstack
Post to : openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help   : https://help.launchpad.net/ListHelp


___
Mailing list: https://launchpad.net/~openstack
Post to : openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help   : https://help.launchpad.net/ListHelp

Re: [Openstack] Keystone client auth plugins

[Adam Young]

On 07/18/2013 12:33 AM, Alessio Ababilov wrote:


Hi, Chmouel!

I have seen your commit https://review.openstack.org/#/c/36427/2 
introducing auth plugins to keystone client.


I have developed a common API client library that already has auth 
plugin mechanism found in novaclient. The library can be used in 
keystone, nova, and glance clients, and now it is accepted to marconi 
client ( 
https://github.com/stackforge/python-marconiclient/tree/master/marconiclient/common/apiclient).


The library has several important features:

* reissue authentication request for expired tokens;
* pluggable authentication;
* rich exceptions hierarchy;
* utils for building CLI tools;
* share one token between sessions to different servers (nova, glance, 
keystone, etc)


The library is ready to use in keystone client.

Could you take a look on it, please?

Alessio Ababilov
Senior Software Engineer
Grid Dynamics



___
Mailing list: https://launchpad.net/~openstack
Post to : openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help   : https://help.launchpad.net/ListHelp
Would it be possible to move that code to Keystone Client?  We'd love to 
use it, but the Keystone team is working on Auth, and to have the auth 
mechanisms spit out of our project will put a real burden on getting 
things working and fixed.
___
Mailing list: https://launchpad.net/~openstack
Post to : openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help   : https://help.launchpad.net/ListHelp

Re: [Openstack] can one user in multiple tenants?

[Adam Young]

The CLI keystone user-role-list should be returning that, so long as you
don't filter by tenant.

From an API perspective, you would call

/users/{user_id}/roles

http://docs.openstack.org/developer/keystone/api_curl_examples.html#get-users-user-id-roles


On 07/18/2013 04:04 AM, Peter Cheung wrote:
 I understand now, the tenant is keystone user-get is the default
 tenant ID. User can have many roles in different tenant.
 But we don't have a command to list out all roles among all tenant for
 a specific user.

 take a look this screen:
 http://peter.kingofcoders.com/?p=779



 
 Date: Thu, 18 Jul 2013 00:15:52 -0400
 From: ayo...@redhat.com
 To: openstack@lists.launchpad.net
 Subject: Re: [Openstack] can one user in multiple tenants?

 On 07/18/2013 12:12 AM, Peter Cheung wrote:

 Hi all
 1) can one user in multiple tenants? I think yes, but when i
 keystone user-get, i can see only one tenant field.

 User has a role assignemnt. The default role is Member, and they can
 have this role in multiple tenants. You are seeing the default tenant
 field.

 2) how can i assign another tenant to a specific user? which
 command can do that?

 keystone user-role-add



 Thanks
 from Peter


 ___
 Mailing list: https://launchpad.net/~openstack 
 https://launchpad.net/%7Eopenstack
 Post to : openstack@lists.launchpad.net 
 mailto:openstack@lists.launchpad.net
 Unsubscribe : https://launchpad.net/~openstack 
 https://launchpad.net/%7Eopenstack
 More help   : https://help.launchpad.net/ListHelp



 ___ Mailing list:
 https://launchpad.net/~openstack Post to :
 openstack@lists.launchpad.net Unsubscribe :
 https://launchpad.net/~openstack More help :
 https://help.launchpad.net/ListHelp

___
Mailing list: https://launchpad.net/~openstack
Post to : openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help   : https://help.launchpad.net/ListHelp

Re: [Openstack] can one user in multiple tenants?

[Adam Young]

On 07/18/2013 12:12 AM, Peter Cheung wrote:

Hi all
   1) can one user in multiple tenants? I think yes, but when i 
keystone user-get, i can see only one tenant field.
User has a role assignemnt.  The default role is Member, and they can 
have this role in multiple tenants.  You are seeing the default tenant 
field.


   2) how can i assign another tenant to a specific user? which 
command can do that?

keystone user-role-add




Thanks
from Peter


___
Mailing list: https://launchpad.net/~openstack
Post to : openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help   : https://help.launchpad.net/ListHelp


___
Mailing list: https://launchpad.net/~openstack
Post to : openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help   : https://help.launchpad.net/ListHelp

Re: [Openstack] [keystone] How to validate token without admin privileges

[Adam Young]

We are moving to an RBAC system for enforcing access to the APIs.  So, 
where as in the past we enforced is admin when checking a token, in 
the future, you can specify your own policy rule.


PKI based Tokens  can be verified without talking to Keystone. See the 
auth_token middleware and cms.py files in python-keystoneclient to see 
how that is done.



On 06/20/2013 04:36 PM, Janus Godard wrote:

Thanks Ravi and Haitao.

The only workaround I found is to create a new token from the one I
want to validate with:

curl -X POST -d '{ auth:{ token:{ id:non-admin-token },
tenantName:testproject }}' -H Content-Type:application/json -H
Accept: application/json http://localhost:5000/v2.0/tokens | python
-mjson.tool

But since it keeps creating tokens it could spam the db if there were
a lot of requests and it requires knowing the tenant name if one wants
to get the roles in the response.

On Thu, Jun 20, 2013 at 4:05 PM, Haitao Jiang jianghai...@gmail.com wrote:

Janus

I think you can use curl and Keystone API to validate your token:

curl -s -H X-Auth-Token: your token http://keystone:5000/v2.0 |
python -mjson.tool

I think you can also validate the token against a tenant by using belongsTo.

Maybe there are better ways.

Best

Haitao

On Thu, Jun 20, 2013 at 12:36 PM, Janus Godard jgv...@gmail.com wrote:

Hi,

I'm new to OpenStack. I'm looking at deploying two 3rd party services along
OpenStack and would like to use Keystone for they authentication mechanism.
Service A will authenticate and get a token from keystone and use it for
REST requests to service B. Those two services don't use WSGI, just the REST
API. Is there a way for service B to validate the token with keystone
without having an admin role or the admin token?

Sorry for the noob question. The only thing I found in the doc is the GET
method that requires admin permissions:
http://docs.openstack.org/api/openstack-identity-service/2.0/content/GET_validateToken_v2.0_tokens__tokenId__Token_Operations.html
And from what I read in the compute admin docs the OpenStack services seem
to rely on admin credentials or token.

Regards,

Janus



___
Mailing list: https://launchpad.net/~openstack
Post to : openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help   : https://help.launchpad.net/ListHelp


___
Mailing list: https://launchpad.net/~openstack
Post to : openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help   : https://help.launchpad.net/ListHelp



___
Mailing list: https://launchpad.net/~openstack
Post to : openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help   : https://help.launchpad.net/ListHelp

Re: [Openstack] Keystone, pki tokens and memcache

[Adam Young]

On 06/17/2013 12:27 AM, Sam Morrison wrote:

I'm currently looking into Grizzly and have been having some issues getting PKI 
tokens to work.

If I have memcache as the token backend keystone issues uuid based tokens, if I 
have sql as the backend then it issues PKI tokens.

Does this mean you can't use memcache backend if you want to use PKI tokens?

Cheers,
Sam


___
Mailing list: https://launchpad.net/~openstack
Post to : openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help   : https://help.launchpad.net/ListHelp
You are making additional configuration changes beyond the Backend. The 
config options for PKI vs UUID is defined in keystone/common/config.py



'token_format', group='signing', default=PKI

The Backend is in the same place:

'driver', group='token', default='keystone.token.backends.sql.Token'


So to set UUID tokens, in the config file,
[signing]
token_format=UUID

or explicitly

[signing]
token_format=PKI


___
Mailing list: https://launchpad.net/~openstack
Post to : openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help   : https://help.launchpad.net/ListHelp

Re: [Openstack] [Keystone] Splitting the Identity Backend

[Adam Young]

OK, I think it makes sense.  If we keep roles and role assignments in 
the same place, we don't have the ability to do more complex 
assignments.  So the four backends would then be:



Domains
Identity (Users, groups)
Assignments (could also be called mapping)
Projects (Includes roles)

Assuming that an existing user has a SQL Identity backend, it would work 
like this.


Domains would be SQL only. The other pieces would be primarily SQL.  An 
LDAP backend will get a variable name from paste.  For each domain, the 
user can specify that any of the other pieces is supported by a specific 
LDAP backend.  Otherwise, it will default to SQL.


If an existing user is doing writable LDAP and  wishes to contine, all 
they will gain is the SQL datastore with the domain data in it.


This allows us to plug pam/sssd in as well.  Those will be Identity only.





On 05/21/2013 06:18 AM, David Chadwick wrote:

Hi Adam

I would propose splitting the backend into two conceptually distinct 
types of attributes, and then each of these high level types can be 
arbitrary split into different databases depending upon their sources 
of authority and who administers them. Your proposal would be just one 
specialisation of this more general model.


The high level distinction I would make is between (read only) 
identity attributes and (writable) authorisation attributes. The 
latter are the ones used by the OpenStack services for making access 
control decisions, whilst the former are never used or seen by the 
OpenStack services, but are used by organisations to identify and 
group users into different sets. So HR databases and LDAP servers 
typically store these identity attributes.


An attribute mapping function is needed to map between the former and 
the latter.


We can then organise the user login function as follows:

1. A user logs in and is identified and authenticated, and a set of 
identity attributes are assigned to him by the authentication 
function. This could be from a read only LDAP service, or by a 
federated IDP. It should be pluggable and installation dependent. It 
could even  be done by the user presenting an X.509 certificate and 
the information extracted from it. This part of Keystone should be 
highly flexible and adaptable to suit different deployment models.


2. The attribute mapping function maps from his identity attributes to 
his authz attributes. This can be a null mapping function if needed 
e.g. if the read only backend LDAP happens to store the users 
OpenStack projects and roles. But in most cases it will not be null. 
The mappings are set up by the Keystone administrator.


3. The users authz attributes are stored in his Keystone entry, which 
must be a writeable database owned by Keystone. Each time the user 
logins, his authz attributes will be updated to match his current 
identity attributes. So if an organisation promotes an employee, and 
changes his LDAP attributes, this could have the effect of 
automatically escalating his rights in Openstack. Conversely, if an 
employee is demoted, his rights in OpenStack could be automatically 
downgraded. It would all depend upon what the mapping rules were ie. 
whether they were fixed to a user's login ID (in which case his authz 
attributes would not change) or whether they depended upon his roles 
in his organisation (in which case they would automatically change).


4. The token is created based on his authz attributes as now, and 
everything continues as now.


So taking the current mix of identity attributes that you identify 
below, they would be split as follows


Domains, Roles, and Projects would be stored in Keystone's writeable 
database (as they are authz attributes)
Groups and User Names (and Passwords) would be stored in the read only 
identity databases.

Role assignments would be done by the attribute mapping function.

If you want to split Domains into their own separate Keystone 
database, this fine, it does not effect the overall model. So, your 
proposal fits into this high level model, but this high level model 
provides much more flexibility to implementers and will allow for 
future expansion


regards

David

On 20/05/2013 17:46, Adam Young wrote:

Currently, the Identity backend  has Domains, Users , Groups, Roles,
Role Assignments and Projects.  I've proposed splitting it into 3
distinct pieces.  Domain, Identity, and Projects.

Here is the rationale:

Somewhere between a third and a half of the OpenStack deployments are
using LDAP.  However, the mapping from LDAP to Identity does not work.
LDAP is almost always a read only  datasource.   While Keystone *can*
manage these, it should also be possible to treat the users and groups
piece as externally managed.

In addition, several organizations have multiple LDAP servers. Not a
huge number of servers,  but more than one is a very common scenario due
to a merger.  Each of these should map to a domain. Thus, domain
management has to be extracted out of the LDAP

Re: [Openstack] AuthN/AuthZ

[Adam Young]

On 05/16/2013 11:29 AM, Aaron Knister wrote:
Thanks Adam. I was able to get that far after a *lot* of headache. 
AD's typical schema doesn't map to what OpenStack is expecting, 
particularly as far as the domain_id attribute is concerned.


Sorry about that.  I am not too fond of our Domain_id thing either, and 
working to rectify:





When running Keystone under Apache HTTPD how does one use horizon?


No change.  You can report ports other that 5000/35357 for Keystone's 
service catalog  if you want to have Keystone serve on 443.  Or, you can 
have apache listen on the usual keystone ports. You will want Keystone 
on a separate machine from Horizon.





On Wed, May 15, 2013 at 3:57 PM, Adam Young ayo...@redhat.com 
mailto:ayo...@redhat.com wrote:


Run Keystone in Apache HTPD, use Kerberos and the LDAP backend to
talk to AD.



On 05/14/2013 06:11 PM, Aaron Knister wrote:

*bump*

Here's the tl;dr version:

- How have other folks handled integration of OpenStack with
existing authN/authZ infrastructures? I'm particularly interested
in the automatic mapping of existing LDAP groups to roles/tenants
within openstack.
- Are there plans to add support for the auth plugins to the
*client modules and CLI tools going forward? I'd be interested in
contributing this if it's on the roadmap and hasn't been done yet.
- Are there plans to add support for auth plugins/external au th
to Horizon? As above, I'm interested in implementing this if
there's interest.
- I see vague references in the documentation/*client code to
using certificates for authentication (without the need for httpd
external authentication) which would also eliminate the
credentials-in-environment-
variables issue. Is using PKI for authentication going to be
supported? If so what's the status?

Am I perhaps posting this to the wrong list? I didn't get any
replies from my original post.

Thanks!

-Aaron



On Tue, May 7, 2013 at 1:52 PM, Aaron Knister
aaron.knis...@gmail.com mailto:aaron.knis...@gmail.com wrote:

Hi Everyone,

I'm looking for feedback and input about what other sites are
doing for authentication and authorization with OpenStack.

First, some background:

I'm currently evaluating OpenStack (Grizzly), specifically
working on integration with Active Directory. I'm unable to
modify the schema to allow groupOfNames as a SUP of
organizationalRole so I've implemented a workaround using
openldap and several of its overlays backends to sit in front
of AD. That all works just fine, however I really would like
to be able to map AD groups to roles/tenants. I suspect I'll
end up writing some code to do this-- shouldn't be too hard.

Also on the subject of Active Directory, it's a show stopper
for me to put un-encrypted AD credentials in environment
variables to then pass to the various openstack CLI progs. My
ideal workaround would be to use Kerberos authentication
which I actually have working. I setup keystone to run under
apache based on this documentation with some tweaks here and
there:

http://docs.openstack.org/developer/keystone/external-auth.html

I created an openstack client auth plugin (based on the VOMS
auth plugin) using requests_kerberos and this works well with
the nova client, however none of the other client tools,
including horizon, seem to support authentication plugins or
the external authentication concept in general.

So, here are my questions:

- How have other folks handled integration of OpenStack with
existing authN/authZ infrastructures? I'm particularly
interested in the automatic mapping of existing LDAP groups
to roles/tenants within openstack.
- Are there plans to add support for the auth plugins to the
*client modules and CLI tools going forward? I'd be
interested in contributing this if it's on the roadmap and
hasn't been done yet.
- Are there plans to add support for auth plugins/external au
th to Horizon? As above, I'm interested in implementing this
if there's interest.
- I see vague references in the documentation/*client code to
using certificates for authentication (without the need for
httpd external authentication) which would also eliminate the
credentials-in-environment-variables issue. Is using PKI for
authentication going to be supported? If so what's the status?

Thanks in advance!

-Aaron




___
Mailing list:https://launchpad.net/~openstack  
https://launchpad.net/%7Eopenstack
Post to :openstack@lists.launchpad.net  
mailto:openstack@lists.launchpad.net
Unsubscribe :https

[Openstack] [Keystone] Splitting the Identity Backend

[Adam Young]

Currently, the Identity backend  has Domains, Users , Groups, Roles, 
Role Assignments and Projects.  I've proposed splitting it into 3 
distinct pieces.  Domain, Identity, and Projects.


Here is the rationale:

Somewhere between a third and a half of the OpenStack deployments are 
using LDAP.  However, the mapping from LDAP to Identity does not work. 
LDAP is almost always a read only  datasource.   While Keystone *can* 
manage these, it should also be possible to treat the users and groups 
piece as externally managed.


In addition, several organizations have multiple LDAP servers. Not a 
huge number of servers,  but more than one is a very common scenario due 
to a merger.  Each of these should map to a domain. Thus, domain 
management has to be extracted out of the LDAP backend.


Identity would contain users and groups.  Projects would contain 
Projects, Roles, and Role Assignments.  Domains would contain only domains.


For people happily deploying SQL, nothing should change.  A single 
Database instance can still serve all three backends.  It should only 
mean removing some foreign key constraints.


For people that are deploying the current LDAP code and are happy with 
the layout, we will continue to support the LDAP Project backend.



Say an organization has two LDAP servers, and also maintains a public 
facing cloud backed by SQL.  Each of the two LDAP servers would have 
configurations that correspond to the current layout, although limited 
only to the user and group subtrees.  The domain registry  would live in 
the SQL backend.  It would have two entries for the LDAP servers, and 
these would be immutable.  Dynamic domain allocation and deletion would 
work only for the domains backed by SQL.




The main blueprint for this is:
https://blueprints.launchpad.net/keystone/+spec/split-identity
with supporting blueprints for pieces that can be completed 
interdependently.


Comments welcome.

___
Mailing list: https://launchpad.net/~openstack
Post to : openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help   : https://help.launchpad.net/ListHelp

Re: [Openstack] [Grizzly] NoneType object unsubscriptable while setting up keystone

[Adam Young]

Look in the bug database, I think there is already an entry for this.  
user-list works in general, so it has to be something in your 
environment that is triggering it.  If I remember correctly, you are 
likely using the Admin token.  What are the openstack variables in your 
environment?



On 05/14/2013 08:10 AM, Daniel wrote:

Greetings,

I am currently trying to install Grizzly on a single node running 
Red Hat Enterprise Linux Server release 6.4, using RedHat's RDO 
repository 
(http://repos.fedorapeople.org/repos/openstack/openstack-grizzly/epel-6/). 
The related keystone RPM is openstack-keystone-2013.1-1.el6.noarch.


I have followed the instructions from the official documentation 
(http://docs.openstack.org/grizzly/openstack-compute/install/yum/content/install-keystone.html), 
without error up to the keystone-manage db_sync (included).


After that point, keystone commands return the following error : 
'NoneType' object is unsubscriptable. It would appear that the 
commands work at least in part, since I can see a user directly in the 
MySQL database after running a keystone user-create command, but I 
still can't list them :


# keystone user-list
'NoneType' object is unsubscriptable

The only changes I've made to the keystone.conf file apart from the 
log configuration are the connection and admin_token parameters. The 
mysql connection works correctly from the command line, and it would 
seem it works for the keystone utility as well since the database is 
populated.


I've also found nothing remarkable in the keystone log file.

As a side note, trying to install a full Openstack environment with 
the packstack utility failed with the same error.


Where should I look to get more info on that error?

Thanks in advance,

Daniel.



___
Mailing list: https://launchpad.net/~openstack
Post to : openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help   : https://help.launchpad.net/ListHelp



___
Mailing list: https://launchpad.net/~openstack
Post to : openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help   : https://help.launchpad.net/ListHelp

Re: [Openstack] AuthN/AuthZ

[Adam Young]

Run Keystone in Apache HTPD, use Kerberos and the LDAP backend to talk 
to AD.



On 05/14/2013 06:11 PM, Aaron Knister wrote:

*bump*

Here's the tl;dr version:

- How have other folks handled integration of OpenStack with existing 
authN/authZ infrastructures? I'm particularly interested in the 
automatic mapping of existing LDAP groups to roles/tenants within 
openstack.
- Are there plans to add support for the auth plugins to the *client 
modules and CLI tools going forward? I'd be interested in contributing 
this if it's on the roadmap and hasn't been done yet.
- Are there plans to add support for auth plugins/external au th to 
Horizon? As above, I'm interested in implementing this if there's 
interest.
- I see vague references in the documentation/*client code to using 
certificates for authentication (without the need for httpd external 
authentication) which would also eliminate the 
credentials-in-environment-
variables issue. Is using PKI for authentication going to be 
supported? If so what's the status?


Am I perhaps posting this to the wrong list? I didn't get any replies 
from my original post.


Thanks!

-Aaron



On Tue, May 7, 2013 at 1:52 PM, Aaron Knister aaron.knis...@gmail.com 
mailto:aaron.knis...@gmail.com wrote:


Hi Everyone,

I'm looking for feedback and input about what other sites are
doing for authentication and authorization with OpenStack.

First, some background:

I'm currently evaluating OpenStack (Grizzly), specifically working
on integration with Active Directory. I'm unable to modify the
schema to allow groupOfNames as a SUP of organizationalRole so
I've implemented a workaround using openldap and several of its
overlays backends to sit in front of AD. That all works just fine,
however I really would like to be able to map AD groups to
roles/tenants. I suspect I'll end up writing some code to do
this-- shouldn't be too hard.

Also on the subject of Active Directory, it's a show stopper for
me to put un-encrypted AD credentials in environment variables to
then pass to the various openstack CLI progs. My ideal workaround
would be to use Kerberos authentication which I actually have
working. I setup keystone to run under apache based on this
documentation with some tweaks here and there:

http://docs.openstack.org/developer/keystone/external-auth.html

I created an openstack client auth plugin (based on the VOMS auth
plugin) using requests_kerberos and this works well with the nova
client, however none of the other client tools, including horizon,
seem to support authentication plugins or the external
authentication concept in general.

So, here are my questions:

- How have other folks handled integration of OpenStack with
existing authN/authZ infrastructures? I'm particularly interested
in the automatic mapping of existing LDAP groups to roles/tenants
within openstack.
- Are there plans to add support for the auth plugins to the
*client modules and CLI tools going forward? I'd be interested in
contributing this if it's on the roadmap and hasn't been done yet.
- Are there plans to add support for auth plugins/external au th
to Horizon? As above, I'm interested in implementing this if
there's interest.
- I see vague references in the documentation/*client code to
using certificates for authentication (without the need for httpd
external authentication) which would also eliminate the
credentials-in-environment-variables issue. Is using PKI for
authentication going to be supported? If so what's the status?

Thanks in advance!

-Aaron




___
Mailing list: https://launchpad.net/~openstack
Post to : openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help   : https://help.launchpad.net/ListHelp


___
Mailing list: https://launchpad.net/~openstack
Post to : openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help   : https://help.launchpad.net/ListHelp

Re: [Openstack] keystone

[Adam Young]

Looks like you have typos in x.sh


On 05/14/2013 08:43 AM, Mahzad Zahedi wrote:

I have followed basic install guide openstack on ubuntu  (grizzy) so
for configuration keystone first,

I have created openrc File and added below lines into it:

export OS_TENANT_NAME=admin
export OS_USERNAME=admin
export OS_PASSWORD=password
export OS_AUTH_URL=http://localhost:5000/v2.0/;
export SERVICE_ENDPOINT=http://localhost:35357/v2.0;
export SERVICE_TOKEN=password

and then  again I have created a x.sh file for script that is
mentioned inside of install doc

#!/bin/bash
# Modify these variables as needed
ADMIN_PASSWORD=${ADMIN_PASSWORD:-password}


NOW , when running ./x.sh i have belo errors:

Invalid OpenStack Identity credentials.
./bash_script.sh: line 36: 2: command not found
Invalid OpenStack Identity credentials.
./bash_script.sh: line 38: 2: command not found
Invalid OpenStack Identity credentials.
Invalid OpenStack Identity credentials.
Invalid OpenStack Identity credentials.
usage: keystone user-create --name user-name [--tenant-id tenant-id]
 [--pass pass] [--email email]
 [--enabled true|false]
keystone user-create: error: argument --tenant-id: expected one argument
./bash_script.sh: line 45: 2: command not found
Invalid OpenStack Identity credentials.
./bash_script.sh: line 48: --tenant-id: command not found
Invalid OpenStack Identity credentials.
./bash_script.sh: line 51: password: command not found
Invalid OpenStack Identity credentials.
./bash_script.sh: line 54: --tenant-id: command not found
Invalid OpenStack Identity credentials.
Invalid OpenStack Identity credentials.
./bash_script.sh: line 58: 2: command not found
usage: keystone user-role-add --user user --role role [--tenant tenant]
keystone user-role-add: error: argument --user/--user-id/--user_id:
expected one argument
usage: keystone user-role-add --user user --role role [--tenant tenant]
keystone user-role-add: error: argument --tenant/--tenant-id: expected
one argument
usage: keystone user-role-add --user user --role role [--tenant tenant]
keystone user-role-add: error: argument --tenant/--tenant-id: expected
one argument
usage: keystone user-role-add --user user --role role [--tenant tenant]
keystone user-role-add: error: argument --tenant/--tenant-id: expected
one argument
./bash_script.sh: line 63: --role-id: command not found
usage: keystone user-role-add --user user --role role [--tenant tenant]
keystone user-role-add: error: argument --tenant/--tenant-id: expected
one argument
usage: keystone user-role-add --user user --role role [--tenant tenant]
keystone user-role-add: error: argument --tenant/--tenant-id: expected
one argument
Invalid OpenStack Identity credentials.
Invalid OpenStack Identity credentials.
Invalid OpenStack Identity credentials.
Invalid OpenStack Identity credentials.
./bash_script.sh: line 72: --description: command not found
usage: keystone service-create --name name --type type
[--description service-description]
keystone service-create: error: argument --description: expected one argument
./bash_script.sh: line 74: OpenStack EC2 service: command not found
Invalid OpenStack Identity credentials.
usage: keystone endpoint-create [--region endpoint-region] --service-id
 service-id [--publicurl public-url]
 [--adminurl admin-url]
 [--internalurl internal-url]
keystone endpoint-create: error: argument --service-id/--service_id:
expected one argument
./bash_script.sh: line 77: --publicurl: command not found
./bash_script.sh: line 79: --internalurl: command not found
usage: keystone endpoint-create [--region endpoint-region] --service-id
 service-id [--publicurl public-url]
 [--adminurl admin-url]
 [--internalurl internal-url]
keystone endpoint-create: error: argument --service-id/--service_id:
expected one argument
./bash_script.sh: line 81: --publicurl: command not found
./bash_script.sh: line 83: --internalurl: command not found
usage: keystone endpoint-create [--region endpoint-region] --service-id
 service-id [--publicurl public-url]
 [--adminurl admin-url]
 [--internalurl internal-url]
keystone endpoint-create: error: argument --service-id/--service_id:
expected one argument
./bash_script.sh: line 85: --publicurl: command not found
usage: keystone endpoint-create [--region endpoint-region] --service-id
 service-id [--publicurl public-url]
 [--adminurl admin-url]
 [--internalurl internal-url]
keystone endpoint-create: error: argument --service-id/--service_id:
expected one argument
./bash_script.sh: line 88: WARNING:: command not found
usage: 

Re: [Openstack] Heat PTL candidacy

[Adam Young]

On 04/23/2013 10:15 AM, Steven Hardy wrote:

Repost to correctly include openstack-dev on Cc

On Tue, Apr 23, 2013 at 02:45:31PM +0100, Steven Hardy wrote:

Hi!

I'd like to propose myself as a candidate for the Heat PTL role, ref
Thierry's nominations email [1]

I've been professionally involved with software engineering for around 13
years, working in a variety of industries, from embedded/kernel
development to big-enterprise customer-facing consulting.

Having been involved with the Heat project from very near the start, I've
been part of the strong core team who are making this project grow from a
good idea into something people can actually use (and are using!).

I have a deep understanding of our current code-base, and a clear view of
our future roadmap (and the challenges we face!), so I believe I am in a
good position to step into the role Steve Dake was unfortunately unable to
continue with, and do what is required to enable the Heat project to
deliver another successful release for Havana.

Having attended the summit last week, I have to say I'm even more driven
and enthusiastic about the project, so much great feedback and ideas from
our users and potential contributors.  I look forward to developing more
features our users want, and encouraging much wider community participation
in the project over the next few months.

Thanks!

Steve Hardy


[1] http://lists.openstack.org/pipermail/openstack-dev/2013-April/007724.html
+1.  I've worked with Steve Hardy on getting  the Heat/Keystone 
Delegation requirements clear.  His professionalism and deep 
understanding are fantastic.


___
Mailing list: https://launchpad.net/~openstack
Post to : openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help   : https://help.launchpad.net/ListHelp

Re: [Openstack] New site for questions http://ask.openstack.org

[Adam Young]

Is there a way I can get notified for any new Questions specific to 
Keystone?  I'm a core dev on Keystone, and can probably answer some of 
the more esoteric stuff.


___
Mailing list: https://launchpad.net/~openstack
Post to : openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help   : https://help.launchpad.net/ListHelp

Re: [Openstack] [Keystone]Question: Assignment of default role

[Adam Young]

Yes, this is new.  We are removing the direct associtation between users 
and projects (Project members) and replacing it with a Role (_member_)


The _ is there to ensure it does not conflict with existing roles.

The two different ways of associating users to projects was causing 
problems.  With RBAC, we can now enforce policy about project membership 
that we could not do before.






On 02/21/2013 09:39 PM, Leo Toyoda wrote:

Hi, everyone

I'm using the master branch devstack.
I hava a question about assignment of default role (Keystone).

When I create a user to specify the tenant, '_member_' is assigned to the roles.
$ keystone user-create --name test --tenant-id e61..7f6 --pass test --email 
t...@example.com
+--+---+
| Property |  Value|
+--+---+
|  email   | te...@example.com |
| enabled  |   True|
|id| af1..8d2  |
|   name   |   test|
| tenantId | e61..7f6  |
+--+---+
$ keystone user-role-list --user test --tenant e61..7f6
+--+--+--+---+
|id|   name   | user_id  | tenant_id |
+--+--+--+---+
| 9fe..bab | _member_ | af1..8d2 | e61..7f6  |
+--+--+--+---+

Then, assign the Member role to the user.
Hitting assigned two roles of 'Member' and '_member_'.
$ keystone user-role-add --user af1..8d2 --role 57d..d1f --tenant e61..7f6
$ keystone user-role-list --user af1..8d2 --tenant e61..7f6
+--+--+--+---+
|id|   name   | user_id  | tenant_id |
+--+--+--+---+
| 57d..d1f |  Member  | af1..8d2 | e61..7f6  |
| 9fe..bab | _member_  | af1..8d2 | e61..7f6  |
+--+--+--+---+

When I create a user without specifying a tenant, I assign 'Member' role.
In this case, Only one role is assigned.
$ keystone user-create --name test2 --pass test --email te...@example.com
+--+---+
| Property |  Value|
+--+---+
|  email   | te...@example.com |
| enabled  |  True |
|id|c22..a6d   |
|   name   |  test2|
| tenantId |   |
+--+---+
$ keystone user-role-add --user c22..a6d --role 57d..d1f  --tenant e61..7f6
$ keystone user-role-list --user c22..a6d --tenant e61..7f6
+--+--+--+---+
|id|   name   | user_id  | tenant_id |
+--+--+--+---+
| 57d..d1f |  Member  | c22..a6d | e61..7f6  |
+--+--+--+---+

Is it expected behavior that two rolls are assigned?

Thanks
Leo Toyoda


___
Mailing list: https://launchpad.net/~openstack
Post to : openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help   : https://help.launchpad.net/ListHelp



___
Mailing list: https://launchpad.net/~openstack
Post to : openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help   : https://help.launchpad.net/ListHelp

Re: [Openstack] [Swift][Keystone] Authentication problems with Swift and Keystone by Grizzly release

[Adam Young]

On 02/14/2013 09:38 AM, Heiko Krämer wrote:

Heyho Guys,

i'm testing Swift and Keystone (Grizzly).

!NOTE!
I'm posting only the importent stuff (output, responses, configs)

I've upgraded and migrate the database, the migration are working not
correct (kyestone-manage db_sync) because in the role table will create
a new column but with NULL values and this will break the auth (first
issue).

The next command of keystone they you will need is
keystone-manage pki_setup = done without errors but you will need to
change the rights of the generated files.



#
## Output / Log ###

My request to keystone are correct if i try to get a token with curl. I
get a token with all endpoints and other stuff.

 token: {
 expires: 2013-02-15T14:29:59Z,
 id:
MIIL-wYJKoZIhvcNAQcCoIIL8DCCC+wCAQExCTAHBgUrDgMCGjCCCtgGCSqGSIb3DQEHAaCCCskEggrFeyJhY2Nlc3MiOiB7InRva2VuIjogeyJpc3N1ZWRfYXQiOiAiMjAxMy0wMi0xNFQxNDoyOTo1OS44NDI0MjQiLCAiZXhwaXJlcyI6ICIyMDEzLTAyLTE1VDE0OjI5OjU5WiIsICJpZCI6ICJwbGFjZWhvbGRlciIsICJ0ZW5hbnQiOiB7ImVuYWJsZWQiOiB0cnVlLCAiaWQiOiAiNTY5NzdiYjVhMDU1NDc2MWJmMGViOWQ2Y2E3NzBkNzUiLCAibmFtZSI6ICJ0ZXN0aW5nIn19LCAic2VydmljZUNhdGFsb2ciOiBbeyJlbmRwb2ludHMiOiBbeyJhZG1pblVSTCI6ICJodHRwOi8vMTAuMC4wLjE6ODc3NC92Mi81Njk3N2JiNWEwNTU0NzYxYmYwZWI5ZDZjYTc3MGQ3NSIsICJyZWdpb24iOiAidGVzdGluZyIsICJpbnRlcm5hbFVSTCI6ICJodHRwOi8vMTAuMC4wLjE6ODc3NC92Mi81Njk3N2JiNWEwNTU0NzYxYmYwZWI5ZDZjYTc3MGQ3NSIsICJpZCI6ICJiOGQ3YTQzMWZjY2M0MWY2YTYzMzFjZTY3NjBlYjI1ZSIsICJwdWJsaWNVUkwiOiAiaHR0cDovLzg4LjE5OC42LjE1Mjo4Nzc0L3YyLzU2OTc3YmI1YTA1NTQ3NjFiZjBlYjlkNmNhNzcwZDc1In1dLCAiZW5kcG9pbnRzX2xpbmtzIjogW10sICJ0eXBlIjogImNvbXB1dGUiLCAibmFtZSI6ICJub3ZhIn0sIHsiZW5kcG9pbnRzIjogW3siYWRtaW5VUkwiOiAiaHR0cDovLzEwLjAuMC4xOjk2OTYiLCAicmVnaW9uIjogInRlc3RpbmciLCAiaW50ZXJuYWxVUkwiOiAiaHR0cDovLzEwLjAuMC4xOjk2OTYiLCAiaWQiOiAiM2ZjNTcxNzUyMDA3NDY3OWI3MTlkM2VmNTlmZGViYzMiLCAicHVibGljVVJMIjogImh0dHA6Ly8xMC4wLjAuMTo5Njk2In1dLCAiZW5kcG9pbnRzX2xpbmtzIjogW10sICJ0eXBlIjogIm5ldHdvcmsiLCAibmFtZSI6ICJxdWFudHVtIn0sIHsiZW5kcG9pbnRzIjogW3siYWRtaW5VUkwiOiAiaHR0cDovLzEwLjAuMC4xOjkyOTIvdjIiLCAicmVnaW9uIjogInRlc3RpbmciLCAiaW50ZXJuYWxVUkwiOiAiaHR0cDovLzEwLjAuMC4xOjkyOTIvdjIiLCAiaWQiOiAiMWZlZTllNDQ1NjNjNDcwYzhkNjFmNjE5NDNjYmIxM2YiLCAicHVibGljVVJMIjogImh0dHA6Ly84OC4xOTguNi4xNTI6OTI5Mi92MiJ9XSwgImVuZHBvaW50c19saW5rcyI6IFtdLCAidHlwZSI6ICJpbWFnZSIsICJuYW1lIjogImdsYW5jZSJ9LCB7ImVuZHBvaW50cyI6IFt7ImFkbWluVVJMIjogImh0dHA6Ly8xMC4wLjAuMTo4Nzc2L3YxLzU2OTc3YmI1YTA1NTQ3NjFiZjBlYjlkNmNhNzcwZDc1IiwgInJlZ2lvbiI6ICJ0ZXN0aW5nIiwgImludGVybmFsVVJMIjogImh0dHA6Ly8xMC4wLjAuMTo4Nzc2L3YxLzU2OTc3YmI1YTA1NTQ3NjFiZjBlYjlkNmNhNzcwZDc1IiwgImlkIjogIjFmMjVlMDUwMjdmMTRmNGI5MDFmMWFmNjJiZTZhMzAwIiwgInB1YmxpY1VSTCI6ICJodHRwOi8vODguMTk4LjYuMTUyOjg3NzYvdjEvNTY5NzdiYjVhMDU1NDc2MWJmMGViOWQ2Y2E3NzBkNzUifV0sICJlbmRwb2ludHNfbGlua3MiOiBbXSwgInR5cGUiOiAidm9sdW1lIiwgIm5hbWUiOiAiY2luZGVyIn0sIHsiZW5kcG9pbnRzIjogW3siYWRtaW5VUkwiOiAiaHR0cDovLzEwLjAuMC4xOjg3NzMvc2VydmljZXMvQWRtaW4iLCAicmVnaW9uIjogInRlc3RpbmciLCAiaW50ZXJuYWxVUkwiOiAiaHR0cDovLzEwLjAuMC4xOjg3NzMvc2VydmljZXMvQ2xvdWQiLCAiaWQiOiAiMWIyZTViZjkzNTI2NGI2ODljZmZkZWViMTk1ZDRjMWQiLCAicHVibGljVVJMIjogImh0dHA6Ly84OC4xOTguNi4xNTI6ODc3My9zZXJ2aWNlcy9DbG91ZCJ9XSwgImVuZHBvaW50c19saW5rcyI6IFtdLCAidHlwZSI6ICJlYzIiLCAibmFtZSI6ICJlYzIifSwgeyJlbmRwb2ludHMiOiBbeyJhZG1pblVSTCI6ICJodHRwOi8vMTAuMC4wLjE6ODA4MC92MSIsICJyZWdpb24iOiAidGVzdGluZyIsICJpbnRlcm5hbFVSTCI6ICJodHRwOi8vMTAuMC4wLjE6ODA4MC92MS9BVVRIXzU2OTc3YmI1YTA1NTQ3NjFiZjBlYjlkNmNhNzcwZDc1IiwgImlkIjogIjI3YTEyYTBkMGI2ODQ2YjJhMDQzNjMwZmJlYzUwNmJhIiwgInB1YmxpY1VSTCI6ICJodHRwOi8vODguMTk4LjYuMTUyOjgwODAvdjEvQVVUSF81Njk3N2JiNWEwNTU0NzYxYmYwZWI5ZDZjYTc3MGQ3NSJ9XSwgImVuZHBvaW50c19saW5rcyI6IFtdLCAidHlwZSI6ICJvYmplY3Qtc3RvcmUiLCAibmFtZSI6ICJzd2lmdCJ9LCB7ImVuZHBvaW50cyI6IFt7ImFkbWluVVJMIjogImh0dHA6Ly8xMC4wLjAuMTozNTM1Ny92Mi4wIiwgInJlZ2lvbiI6ICJ0ZXN0aW5nIiwgImludGVybmFsVVJMIjogImh0dHA6Ly8xMC4wLjAuMTo1MDAwL3YyLjAiLCAiaWQiOiAiMDI2NWNmOTUyZDRmNGZhYWEyZjdlZGIzNGZlMGQxYTUiLCAicHVibGljVVJMIjogImh0dHA6Ly84OC4xOTguNi4xNTI6NTAwMC92Mi4wIn1dLCAiZW5kcG9pbnRzX2xpbmtzIjogW10sICJ0eXBlIjogImlkZW50aXR5IiwgIm5hbWUiOiAia2V5c3RvbmUifV0sICJ1c2VyIjogeyJ1c2VybmFtZSI6ICJkbGVpZGlzY2giLCAicm9sZXNfbGlua3MiOiBbXSwgImlkIjogIjRjZDRhNzRlMTVlMTQ4MmY5ZmExNmY1MjRhZmQ4ZWJlIiwgInJvbGVzIjogW3sibmFtZSI6ICJhZG1pbiJ9LCB7Im5hbWUiOiAiS2V5c3RvbmVTZXJ2aWNlQWRtaW4ifSwgeyJuYW1lIjogIktleXN0b25lQWRtaW4ifV0sICJuYW1lIjogImRsZWlkaXNjaCJ9LCAibWV0YWRhdGEiOiB7ImlzX2FkbWluIjogMCwgInJvbGVzIjogWyI0NzA3YzJmNDg3ODg0MmM1ODUzMWJkN2U4MGU0ZDkzMCIsICI4ZjRmNGNhNmJmZGM0NWUwOTdjMTc1YmViNzUwNjU0ZCIsICI0Y2Y5OWU0ZGQ1YTg0NjZiOTlmZTRmZTIyNTAxYjg5NyJdfX19MYH-MIH8AgEBMFwwVzELMAkGA1UEBhMCVVMxDjAMBgNVBAgTBVVuc2V0MQ4wDAYDVQQHEwVVbnNldDEOMAwGA1UEChMFVW5zZXQxGDAWBgNVBAMTD3d3dy5leGFtcGxlLmNvbQIBATAHBgUrDgMCGjANBgkqhkiG9w0BAQEFAASBgD0cne0M65sCpOWFFSBqmA9rm14ecxkLtI9+fYJapMFIY3URuFxp8dWD2YPNeR7Jxw0lBcGLX418nG15G559pAqtk7-vKVV+X4tvJYRuHOt33fw37-b4hsX3ZEbdeif24j4eQEJKqDe2r7cLy8Iox2rCMjC2yKfZwjhIZdmNf7ZS,

 issued_at: 2013-02-14T14:29:59.842424,
 tenant: {
 

Re: [Openstack] keystone delegate Athentication

[Adam Young]

Actually, this isn't trusts, if I understand it correctly, but rather 
the REMOTE_USER patch that went in earlier.


THe short version is that you run keystone in Apache, and set up strong 
authentication in Apache.  REMOTE_USER is from the wsgi (Python CGI) 
contract.  It is the variable set by Apache and sent to Keystone saying 
the username of the authenticated user.


Will that work for you?


On 02/06/2013 09:58 AM, Dolph Mathews wrote:
Adam Young is working on introducing delegation in grizzly: 
https://blueprints.launchpad.net/keystone/+spec/trusts


I'm sure he'd appreciate some help if you'd like to contribute!


-Dolph


On Wed, Feb 6, 2013 at 8:54 AM, Mballo Cherif 
cherif.mba...@gemalto.com mailto:cherif.mba...@gemalto.com wrote:


Hi everybody !

I am wondering if it's possible to delegate keystone
Authentication to an Authentication against a  server (I have one
Strong Authentication server) or an Identity Provider?

If I make modification on keystoneclient code it may be possible?

Any ideas? Please help me!

Thanks !

Sherif!


___
Mailing list: https://launchpad.net/~openstack
https://launchpad.net/%7Eopenstack
Post to : openstack@lists.launchpad.net
mailto:openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
https://launchpad.net/%7Eopenstack
More help   : https://help.launchpad.net/ListHelp




___
Mailing list: https://launchpad.net/~openstack
Post to : openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help   : https://help.launchpad.net/ListHelp


___
Mailing list: https://launchpad.net/~openstack
Post to : openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help   : https://help.launchpad.net/ListHelp

Re: [Openstack] [OpenStack] Keystone did not start - DevStack Installation

[Adam Young]

On 02/05/2013 08:00 AM, Antonio Tirri wrote:

Hi all,
actually i'm trying to install OpenStack through DevStack script. 
Unfortunately the installation is not successful because the keystone 
service doesn't start.


This is the log of the script:

2013-02-05 13:19:05 + SCREEN_NAME=stack
2013-02-05 13:19:05 + SCREENRC=/opt/stack/devstack/stack-screenrc
2013-02-05 13:19:05 + [[ ! -e /opt/stack/devstack/stack-screenrc ]]
2013-02-05 13:19:05 + grep key /opt/stack/devstack/stack-screenrc
2013-02-05 13:19:05 ++ echo -ne '\015'
2013-02-05 13:19:05 + NL=$'\r'
2013-02-05 13:19:05 + echo 'screen -t key bash'
2013-02-05 13:19:05 + echo 'stuff cd /opt/stack/keystone  
/opt/stack/keystone/bin/keystone-all --config-file 
/etc/keystone/keystone.conf --log-config /etc/keystone/logging.conf -d 
--debug

'
2013-02-05 13:19:05 + screen -S stack -X screen -t key
2013-02-05 13:19:05 + sleep 1.5
2013-02-05 13:19:06 + [[ -n '' ]]
2013-02-05 13:19:06 + screen -S stack -p key -X stuff 'cd 
/opt/stack/keystone  /opt/stack/keystone/bin/keystone-all 
--config-file /etc/keystone/keystone.conf --log-config 
/etc/keystone/logging.conf -d --debug || touch 
/opt/stack/status/stack/key.failure

'
2013-02-05 13:19:06 + echo 'Waiting for keystone to start...'
2013-02-05 13:19:06 Waiting for keystone to start...
2013-02-05 13:19:06 + timeout 60 sh -c 'while ! http_proxy= curl -s 
http://163.162.24.167:5000/v2.0/ /dev/null; do sleep 1; done'
]0;stack@openstack-controller: 
~/devstackstack@openstack-controller:~/devstack$ 2013-02-05 13:20:06 
+ echo 'keystone did not start'

2013-02-05 13:20:06 keystone did not start
2013-02-05 13:20:06 + exit 1
2013-02-05 13:20:06 + clean
2013-02-05 13:20:06 + local r=1
2013-02-05 13:20:06 ++ jobs -p
2013-02-05 13:20:06 + kill
2013-02-05 13:20:06 + exit 1

How this problem can be solved?

Antonio


___
Mailing list: https://launchpad.net/~openstack
Post to : openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help   : https://help.launchpad.net/ListHelp
screen -S stack -p key -X stuff 'cd /opt/stack/keystone  
/opt/stack/keystone/bin/keystone-all --config-file 
/etc/keystone/keystone.conf --log-config /etc/keystone/logging.conf -d 
--debug || touch /opt/stack/status/stack/key.failure



Is the command that starts keystone.  From the above, it not clear why 
it is failing.  You should be able to run it interactively with:


cd /opt/stack/keystone

/opt/stack/keystone/bin/keystone-all --config-file 
/etc/keystone/keystone.conf --log-config /etc/keystone/logging.conf -d 
--debug


And get more output.  If it swallows all the output, look in 
/etc/keystone/logging.conf to see what it is set at.  It might be 
sending it to a log file, such as /var/log/keystone






___
Mailing list: https://launchpad.net/~openstack
Post to : openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help   : https://help.launchpad.net/ListHelp

Re: [Openstack] [OpenStack] Keystone did not start - DevStack Installation

[Adam Young]

You probably created
/opt/stack/keystone/keystone.log

as root at one point.  Either delete it, or chown it to the stack user.

On 02/05/2013 12:05 PM, Antonio Tirri wrote:

Hi Adam,
thanks for your answer.

First of all, the full log of my script is here
www.forumaltavilla.it/joomla/Documenti/log_devstack.txt 
http://www.forumaltavilla.it/joomla/Documenti/log_devstack.txt


It seems that there are some problems in managing user permissions. 
Even if I included the stack user in /etc/sudoers adding the following 
line


stack ALL=(ALL) NOPASSWD: ALL

Moreover, i can't execute the script as root because, by default, it 
switch to the stack user.


however, the output of the command
/opt/stack/keystone/bin/keystone-all --config-file 
/etc/keystone/keystone.conf --log-config /etc/keystone/logging.conf -d 
--debug


 is

stack@openstack-controller:~/keystone$ 
/opt/stack/keystone/bin/keystone-all --config-file 
/etc/keystone/keystone.conf --log-config /etc/keystone/logging.conf -d 
--debug

Traceback (most recent call last):
  File /opt/stack/keystone/bin/keystone-all, line 82, in module
config.setup_logging(CONF)
  File /opt/stack/keystone/keystone/config.py, line 41, in setup_logging
logging.config.fileConfig(conf.log_config)
  File /usr/lib/python2.7/logging/config.py, line 78, in fileConfig
handlers = _install_handlers(cp, formatters)
  File /usr/lib/python2.7/logging/config.py, line 156, in 
_install_handlers

h = klass(*args)
  File /usr/lib/python2.7/logging/__init__.py, line 897, in __init__
StreamHandler.__init__(self, self._open())
  File /usr/lib/python2.7/logging/__init__.py, line 916, in _open
stream = open(self.baseFilename, self.mode)
IOError: [Errno 13] Permission denied: '/opt/stack/keystone/keystone.log'

while if i launch that command with sudo, it seems that it runs.

Thank you,
Antonio

On 5 February 2013 17:04, Adam Young ayo...@redhat.com 
mailto:ayo...@redhat.com wrote:


On 02/05/2013 08:00 AM, Antonio Tirri wrote:

Hi all,
actually i'm trying to install OpenStack through DevStack script.
Unfortunately the installation is not successful because the
keystone service doesn't start.

This is the log of the script:

2013-02-05 13:19:05 + SCREEN_NAME=stack
2013-02-05 13:19:05 + SCREENRC=/opt/stack/devstack/stack-screenrc
2013-02-05 13:19:05 + [[ ! -e /opt/stack/devstack/stack-screenrc ]]
2013-02-05 13:19:05 + grep key /opt/stack/devstack/stack-screenrc
2013-02-05 13:19:05 ++ echo -ne '\015'
2013-02-05 13:19:05 + NL=$'\r'
2013-02-05 13:19:05 + echo 'screen -t key bash'
2013-02-05 13:19:05 + echo 'stuff cd /opt/stack/keystone 
/opt/stack/keystone/bin/keystone-all --config-file
/etc/keystone/keystone.conf --log-config
/etc/keystone/logging.conf -d --debug
'
2013-02-05 13:19:05 + screen -S stack -X screen -t key
2013-02-05 13:19:05 + sleep 1.5
2013-02-05 13:19:06 + [[ -n '' ]]
2013-02-05 13:19:06 + screen -S stack -p key -X stuff 'cd
/opt/stack/keystone  /opt/stack/keystone/bin/keystone-all
--config-file /etc/keystone/keystone.conf --log-config
/etc/keystone/logging.conf -d --debug || touch
/opt/stack/status/stack/key.failure
'
2013-02-05 13:19:06 + echo 'Waiting for keystone to start...'
2013-02-05 13:19:06 Waiting for keystone to start...
2013-02-05 13:19:06 + timeout 60 sh -c 'while ! http_proxy= curl
-s http://163.162.24.167:5000/v2.0/ /dev/null; do sleep 1; done'
]0;stack@openstack-controller: ~/devstack
stack@openstack-controller:~/devstack$ 2013-02-05 13:20:06 + echo
'keystone did not start'
2013-02-05 13:20:06 keystone did not start
2013-02-05 13:20:06 + exit 1
2013-02-05 13:20:06 + clean
2013-02-05 13:20:06 + local r=1
2013-02-05 13:20:06 ++ jobs -p
2013-02-05 13:20:06 + kill
2013-02-05 13:20:06 + exit 1

How this problem can be solved?

Antonio


___
Mailing list:https://launchpad.net/~openstack  
https://launchpad.net/%7Eopenstack
Post to :openstack@lists.launchpad.net  
mailto:openstack@lists.launchpad.net
Unsubscribe :https://launchpad.net/~openstack  
https://launchpad.net/%7Eopenstack
More help   :https://help.launchpad.net/ListHelp

screen -S stack -p key -X stuff 'cd /opt/stack/keystone 
/opt/stack/keystone/bin/keystone-all --config-file
/etc/keystone/keystone.conf --log-config
/etc/keystone/logging.conf -d --debug || touch
/opt/stack/status/stack/key.failure


Is the command that starts keystone.  From the above, it not clear
why it is failing.  You should be able to run it interactively with:

cd /opt/stack/keystone


/opt/stack/keystone/bin/keystone-all --config-file
/etc/keystone/keystone.conf --log-config
/etc/keystone/logging.conf -d --debug

And get more output.  If it swallows all the output, look in
/etc/keystone/logging.conf to see what it is set

Re: [Openstack] [keystone] Why are we returing such a big payload in validate token?

[Adam Young]

On 01/31/2013 07:44 PM, Ali, Haneef wrote:


Hi,

As of now  v3  validateToken response has tokens, service catalog, 
users, project , roles and  domains.  (i.e)  Except for groups we are 
returning everything.  We also discussed about the possibility of 100s 
of endpoints.  ValidateToken is supposed to be a high frequency call . 
  This is




Validate token should not going  be a high frequency call.  The 
information is encapsulated inside the signed token for just that reason.


I would agree with the sentiment, however, that we are cramming a lot of 
info into the token.  TOkens should be scoped much, much more finely: by 
default one service or endpoint, and one tenant.


The only thing that should require the full service catalog is the 
initial request of an unsigned token, and that should merely go back to 
the client.


going to be a huge performance impact . What is the use case  for such 
a big payload  when compared with v2?


If a service needs catalog , then the service can always ask for the 
catalog.


Thanks

Haneef



___
Mailing list: https://launchpad.net/~openstack
Post to : openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help   : https://help.launchpad.net/ListHelp


___
Mailing list: https://launchpad.net/~openstack
Post to : openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help   : https://help.launchpad.net/ListHelp

Re: [Openstack] [keystone] Why are we returing such a big payload in validate token?

[Adam Young]

On 01/31/2013 10:57 PM, Vishvananda Ishaya wrote:
On Jan 31, 2013, at 6:37 PM, Ali, Haneef haneef@hp.com 
mailto:haneef@hp.com wrote:


Isn’t  signed token an optional feature?  If so validateToken is 
going to be a high frequency call.  Also  “Service Catalog” is a 
constant, the services can  cache it.  It doesn’t need to be part of 
validateToken.


Service catalog is not a constant. That said the only time it is used 
is when a service needs to proxy a call to another service using the 
same token. If we had a reasonable way to make requests on behalf of 
other users we don't really need it as the service could just keep its 
own catalog and make requests on behalf of the requesting user.


I'm working on it.  It is called trusts and there is a WIP posted here:

https://review.openstack.org/#/c/20289/

Blueprint is here:

https://blueprints.launchpad.net/keystone/+spec/trusts



Vish


Thanks
Haneef
*From:*openstack-bounces+haneef.ali=hp@lists.launchpad.net 
mailto:openstack-bounces+haneef.ali=hp@lists.launchpad.net 
[mailto:openstack-bounces+haneef.ali=hp@lists.launchpad.net 
mailto:bounces+haneef.ali=hp@lists.launchpad.net]*On Behalf 
Of*Adam Young

*Sent:*Thursday, January 31, 2013 6:25 PM
*To:*openstack@lists.launchpad.net mailto:openstack@lists.launchpad.net
*Subject:*Re: [Openstack] [keystone] Why are we returing such a big 
payload in validate token?

On 01/31/2013 07:44 PM, Ali, Haneef wrote:

Hi,
As of now  v3  validateToken response has “tokens, service
catalog, users, project , roles and  domains.  (i.e)  Except for
groups we are returning everything.  We also discussed about the
possibility of 100s of endpoints.  ValidateToken is supposed to
be a high frequency call .This is


Validate token should not going  be a high frequency call.  The 
information is encapsulated inside the signed token for just that reason.


I would agree with the sentiment, however, that we are cramming a lot 
of info into the token.  TOkens should be scoped much, much more 
finely: by default one service or endpoint, and one tenant.


The only thing that should require the full service catalog is the 
initial request of an unsigned token, and that should merely go back 
to the client.



going to be a huge performance impact . What is the use case  for 
such a big payload  when compared with v2?
If a service needs catalog , then the service can always ask for the 
catalog.

Thanks
Haneef



___
Mailing list:https://launchpad.net/~openstack  
https://launchpad.net/%7Eopenstack
Post to :openstack@lists.launchpad.net  
mailto:openstack@lists.launchpad.net
Unsubscribe :https://launchpad.net/~openstack  
https://launchpad.net/%7Eopenstack
More help   :https://help.launchpad.net/ListHelp
___
Mailing list: https://launchpad.net/~openstack 
https://launchpad.net/%7Eopenstack
Post to : openstack@lists.launchpad.net 
mailto:openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack 
https://launchpad.net/%7Eopenstack

More help   : https://help.launchpad.net/ListHelp




___
Mailing list: https://launchpad.net/~openstack
Post to : openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help   : https://help.launchpad.net/ListHelp

Re: [Openstack] Poll: H release cycle naming

[Adam Young]

On 01/24/2013 10:13 AM, Thierry Carrez wrote:

It's that time of the year again...

As is the tradition, we'd like the help of the community to help select
the code name of the next release cycle of OpenStack.

The Technical Committee narrowed the list of valid candidates to 4
names, and we'd like you to pick the one you prefer.

So what will it be ? Hood, Havana, Harbor or Hatfield ?

Please head to:
https://launchpad.net/~openstack/+poll/h-release-naming

to let us know what you prefer !
Poll ends Tuesday, January 29, 20:00 UTC.

Note that you need to be a member of the ~openstack group in Launchpad
to be able to vote, but all people on this list already are.



I think we have overlooked the most obvious answer:

Hillsboro:  http://en.wikipedia.org/wiki/Hillsboro,_Oregon

This is the Portland tech hub.

Most of the Portland people at the conference probably work in Hillsboro.


I'm not trying to ramrod it through as the solution, but it should at 
least be one of the options.

Why was it ruled out?

___
Mailing list: https://launchpad.net/~openstack
Post to : openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help   : https://help.launchpad.net/ListHelp

Re: [Openstack] Glance image upload Keystone error

[Adam Young]

On 01/23/2013 06:34 AM, Trinath Somanchi wrote:

Hi Stackers-

I have installed glance and Keystone and configured them.


Not sure how you installed, but you need to make sure the PKI 
provisioning is done.  You can do it by hand with the keystone_manage 
command.  Make sure you run it as the user that Keystone is going to run 
as, as it creates the certificates and Keystone (ajnd only Keystone) 
needs to be able to access those.




But When I upload a test image with glance, I got this error in 
keystone logs


(sqlalchemy.engine.base.Engine): 2013-01-23 17:04:57,904 INFO 
('106298a47e5a4d129c7b8571e188c51e', 1)
(keystone.common.cms): 2013-01-23 17:04:57,990 ERROR Signing error: 
Error opening signer certificate /etc/keystone/ssl/certs/signing_cert.pem
140702974211744:error:02001002:system library:fopen:No such file or 
directory:bss_file.c:398:fopen('/etc/keystone/ssl/certs/signing_cert.pem','r')
140702974211744:error:20074002:BIO routines:FILE_CTRL:system 
lib:bss_file.c:400:

unable to load certificate

(root): 2013-01-23 17:04:57,991 ERROR Command 'openssl' returned 
non-zero exit status 3

Traceback (most recent call last):
  File 
/usr/local/lib/python2.7/dist-packages/keystone-2013.1-py2.7.egg/keystone/common/wsgi.py, 
line 215, in __call__

result = method(context, **params)
  File 
/usr/local/lib/python2.7/dist-packages/keystone-2013.1-py2.7.egg/keystone/token/controllers.py, 
line 118, in authenticate

config.CONF.signing.keyfile)
  File 
/usr/local/lib/python2.7/dist-packages/keystone-2013.1-py2.7.egg/keystone/common/cms.py, 
line 140, in cms_sign_token
output = cms_sign_text(text, signing_cert_file_name, 
signing_key_file_name)
  File 
/usr/local/lib/python2.7/dist-packages/keystone-2013.1-py2.7.egg/keystone/common/cms.py, 
line 135, in cms_sign_text

raise subprocess.CalledProcessError(retcode, openssl)
CalledProcessError: Command 'openssl' returned non-zero exit status 3

Kindly help me resolve the issue

--
Regards,
--
Trinath Somanchi,
+91 9866 235 130


___
Mailing list: https://launchpad.net/~openstack
Post to : openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help   : https://help.launchpad.net/ListHelp


___
Mailing list: https://launchpad.net/~openstack
Post to : openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help   : https://help.launchpad.net/ListHelp

Re: [Openstack] keystone + LDAP username only with numbers

[Adam Young]

On 01/18/2013 08:18 AM, Marcelo Mariano Miziara wrote:

Hello to everyone. First of all sorry for my bad english.

Second, i'm implementing openstack here in my company, and we pretend 
to use it with ldap integration. I detected a problem when the 
username is only numbers (in our case we use our ID number to log in):


PLease enter it as a bug.  It looks like the HTML to Python parsing is 
breaking down.




  TypeError at /nova/

sequence item 1: expected string or Unicode, int found
Request Method: GET
Request URL: 	100.10.10.51/horizon/nova/ 
http://100.10.10.51/horizon/nova/

Django Version: 1.4.1
Exception Type: TypeError
Exception Value:
sequence item 1: expected string or Unicode, int found
Exception Location: 
/usr/lib/python2.7/dist-packages/novaclient/client.py in authenticate, 
line 316

Python Executable:  /usr/bin/python
Python Version: 2.7.3
Python Path:
['/usr/share/openstack-dashboard/openstack_dashboard/wsgi/../..',  
'/usr/lib/python2.7',  '/usr/lib/python2.7/plat-linux2',  
'/usr/lib/python2.7/lib-tk',  '/usr/lib/python2.7/lib-old',  
'/usr/lib/python2.7/lib-dynload',  '/usr/local/lib/python2.7/dist-packages',  
'/usr/lib/python2.7/dist-packages',  '/usr/share/openstack-dashboard/',  
'/usr/share/openstack-dashboard/openstack_dashboard']
Server time:Qui, 17 Jan 2013 12:37:11 +


Then I created another user with letters in the user name and this 
error doesn't appear...but then I got another type of error that I'll 
discuss later...someone experienced this error, or am I doing 
something wrong?


Thanks in advance,
Marcelo M. Miziara
Serviço Federal de Processamento de Dados - SERPRO
CDEBW/CDTEC/SUPCD
55 (41) 3593 8277
marcelo.mizi...@serpro.gov.br 
http://mailto:marcelo.mizi...@serpro.gov.br

-


Esta mensagem do SERVIÇO FEDERAL DE PROCESSAMENTO DE DADOS (SERPRO), 
empresa pública federal regida pelo disposto na Lei Federal nº 5.615, 
é enviada exclusivamente a seu destinatário e pode conter informações 
confidenciais, protegidas por sigilo profissional. Sua utilização 
desautorizada é ilegal e sujeita o infrator às penas da lei. Se você a 
recebeu indevidamente, queira, por gentileza, reenviá-la ao emitente, 
esclarecendo o equívoco.


This message from SERVIÇO FEDERAL DE PROCESSAMENTO DE DADOS (SERPRO) 
-- a government company established under Brazilian law (5.615/70) -- 
is directed exclusively to its addressee and may contain confidential 
data, protected under professional secrecy rules. Its unauthorized use 
is illegal and may subject the transgressor to the law's penalties. If 
you're not the addressee, please send it back, elucidating the failure.



___
Mailing list: https://launchpad.net/~openstack
Post to : openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help   : https://help.launchpad.net/ListHelp


___
Mailing list: https://launchpad.net/~openstack
Post to : openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help   : https://help.launchpad.net/ListHelp

Re: [Openstack] Logging Keystone x Remote Syslog

[Adam Young]

On 01/11/2013 07:31 AM, Alex Vitola wrote:

It's possible send to logs to remote server?

Logging is using the standard Python logging module:

In keystone/common/logging:

import logging
import logging.config


You should be able to configure this to use SysLog:

http://docs.python.org/2/library/logging.handlers.html#logging.handlers.SysLogHandler

Or an HTTP logger (Not necessarily recommended without reviewing the 
security implications)


http://docs.python.org/2/library/logging.handlers.html#logging.handlers.HTTPHandler

Using AMQP might make sense IAW this post.


http://notes.variogr.am/post/143623387/broadcasting-your-logs-with-rabbitmq-and-python


Currently it is configured to send to the local file


I believe it is in the file below


/etc/keystone/logging.conf

[logger_root]
level=DEBUG

handlers=file

[handler_production]
class=handlers.SysLogHandler
level=ERROR
formatter=normal_with_name

args=(('localhost', handlers.SYSLOG_UDP_PORT), handlers.SysLogHandler.LOG_USER)

[handler_file]
class=FileHandler
level=DEBUG
formatter=normal_with_name
args=('/var/log/keystone/keystone.log', 'a')


att


Alex Vitola

___
Mailing list: https://launchpad.net/~openstack
Post to : openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help   : https://help.launchpad.net/ListHelp



___
Mailing list: https://launchpad.net/~openstack
Post to : openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help   : https://help.launchpad.net/ListHelp

Re: [Openstack] [keystone] IBM DB2 configuration

[Adam Young]

What I think we need is a simple way to run our current body of unit 
tests, to include the sql Migration tests, against a Live database, 
kindof the same way as I have et up for the live LDAP test.


The steps:

create a file under keystone/tests  that doesn't trigger the nameing 
scheme that matches for unit tests.  Since I use _ldap_livetest.py  for 
LDAP,  I would recommend _db_livetests.py.


That should then import test_backend_sql and test_sql upgrade. They 
would pull in a custom config file that is .gitignored but that has the 
DB connection info for DB2 etc.  We could post sample ones for 
smokestack etc to pull in for integration testing.


A user then could run against those test  with ./run_tests.sh -x 
_db_livetests






On 12/20/2012 11:55 AM, Dolph Mathews wrote:

(raising to the mailing list)

Which DB2 driver are you using? I was referring to: 
http://code.google.com/p/ibm-db/wiki/README


... which shows an example connection string for sqlalchemy as:

 db2 = 
sqlalchemy.create_engine('ibm_db_sa://db2inst1:sec...@host.name.com:5/pydev 
http://db2inst1:sec...@host.name.com:5/pydev')


-Dolph


On Thu, Dec 20, 2012 at 4:05 AM, Kevin-Yang 
benbenzhufore...@gmail.com mailto:benbenzhufore...@gmail.com wrote:


Dolph,

Really appreciated for your response.

My VM configuration is:

OS -
Red Hat Enterprise Linux Server release 6.3 (Santiago)

DB2 -
Informational tokens are DB2 v9.7.0.0, s090521,
LINUXAMD6497, and Fix
Pack 0
ibm_db -

http://pypi.python.org/packages/source/i/ibm_db/ibm_db-2.0.0.tar.gz#md5=709c576c0ec2379ca15049f5c861beb1
ibm_db_sa -

When i changed from ibmdb - ibm_db_sa, I came with a
different error - Could not determine dialect for 'ibm_db_sa'.

##
Traceback (most recent call last):
  File /usr/local/bin/keystone-manage, line 5, in module
pkg_resources.run_script('keystone==2012.2', 'keystone-manage')
  File build/bdist.linux-x86_64/egg/pkg_resources.py, line 499,
in run_script
  File build/bdist.linux-x86_64/egg/pkg_resources.py, line 1239,
in run_script
  File

/usr/local/lib/python2.7/site-packages/keystone-2012.2-py2.7.egg/EGG-INFO/scripts/keystone-manage,
line 28, in module
cli.main(argv=sys.argv, config_files=config_files)
  File

/usr/local/lib/python2.7/site-packages/keystone-2012.2-py2.7.egg/keystone/cli.py,
line 164, in main
return run(cmd, (args[:1] + args[2:]))
  File

/usr/local/lib/python2.7/site-packages/keystone-2012.2-py2.7.egg/keystone/cli.py,
line 147, in run
return CMDS[cmd](argv=args).run()
  File

/usr/local/lib/python2.7/site-packages/keystone-2012.2-py2.7.egg/keystone/cli.py,
line 35, in run
return self.main()
  File

/usr/local/lib/python2.7/site-packages/keystone-2012.2-py2.7.egg/keystone/cli.py,
line 56, in main
driver.db_sync()
  File

/usr/local/lib/python2.7/site-packages/keystone-2012.2-py2.7.egg/keystone/identity/backends/sql.py,
line 136, in db_sync
migration.db_sync()
  File

/usr/local/lib/python2.7/site-packages/keystone-2012.2-py2.7.egg/keystone/common/sql/migration.py,
line 49, in db_sync
current_version = db_version()
  File

/usr/local/lib/python2.7/site-packages/keystone-2012.2-py2.7.egg/keystone/common/sql/migration.py,
line 61, in db_version
return versioning_api.db_version(CONF.sql.connection, repo_path)
  File string, line 2, in db_version
  File

/usr/local/lib/python2.7/site-packages/migrate/versioning/util/__init__.py,
line 155, in with_engine
engine = construct_engine(url, **kw)
  File

/usr/local/lib/python2.7/site-packages/migrate/versioning/util/__init__.py,
line 140, in construct_engine
return create_engine(engine, **kwargs)
  File
build/bdist.linux-x86_64/egg/sqlalchemy/engine/__init__.py, line
338, in create_engine
  File
build/bdist.linux-x86_64/egg/sqlalchemy/engine/strategies.py,
line 50, in create
  File build/bdist.linux-x86_64/egg/sqlalchemy/engine/url.py,
line 123, in get_dialect

sqlalchemy.exc.ArgumentError: Could not determine dialect for
'ibm_db_sa'.

##

--
You received this bug notification because you are a bug assignee.
https://bugs.launchpad.net/bugs/987121

Title:
  strict constraint for database table creation

Status in OpenStack Identity (Keystone):
  Fix Released

Bug description:
  OpenStack claims that any type of database supporting SQLAlchemy
can be taken as the database for OpenStack use.
  In some databases, if a column is defined as UNIQUE, it must be
specified NOT NULL at the same time, e.g. IBM DB2, which is
SQLAlchemy supporting. I am 

Re: [Openstack] LDAP + Keystone,, Error after authentication..

[Adam Young]

On 12/11/2012 04:15 AM, yasith tharindu wrote:

Hi Team;


I was trying to configure ldap + keystone but it seems not working.  I 
feel like authentication is successful but horizon return me python 
error. Im unable to trace as its does not give any detail.  Following 
I have attached the error, ldap dump, keystone config. I would really 
appreciate if you can note me down any configuration error.





My nova version is::   2012.2 (2012.2-LOCALBRANCH:LOCALREVISION)

If its wrong password it returns, Invalid user name or password.

That sounds right


When type correct credentials but user not in the any of Group it 
return You are not authorized for any projects.


Yes

When type correct credentials and the user is a member of a group (eg: 
cn=demo,ou=Groups,dc=example,dc=com), It returns following error.
It looks like some poor error handling in Horizon, to start.  The Key 
error means token.tenant['name'] is not defined in the object. Which 
probably means that it doesn't have a real token or something.  I'm 
guessing that token.tenant is None at this point.



Does it work from the Keystone CLI?  Isolate your problem, is it 
Keystone, or is it Horizon.








### The error 

KeyError at /auth/login/
'name'
Request Method:POST
Request URL:https://192.168.25.240/auth/login/
Django Version:1.4.1
Exception Type:KeyError
Exception Value:
'name'
Exception 
Location:/usr/lib/python2.7/dist-packages/openstack_auth/user.py in 
create_user_from_token, line 25

Python Executable:/usr/bin/python
Python Version:2.7.3
Python Path:
['/usr/share/openstack-dashboard/openstack_dashboard/wsgi/../..',
 '/usr/share/openstack-dashboard/openstack_dashboard',
 '/usr/lib/python2.7',
 '/usr/lib/python2.7/plat-linux2',
 '/usr/lib/python2.7/lib-tk',
 '/usr/lib/python2.7/lib-old',
 '/usr/lib/python2.7/lib-dynload',
 '/usr/local/lib/python2.7/dist-packages',
 '/usr/lib/python2.7/dist-packages',
 '/usr/lib/pymodules/python2.7',
 '/usr/share/openstack-dashboard/']


Environment:


Request Method: POST
Request URL: https://192.168.25.240/auth/login/

Django Version: 1.4.1
Python Version: 2.7.3
Installed Applications:
('openstack_dashboard',
 'django.contrib.contenttypes',
 'django.contrib.auth',
 'django.contrib.sessions',
 'django.contrib.messages',
 'django.contrib.staticfiles',
 'django.contrib.humanize',
 'compressor',
 'horizon',
 'horizon.dashboards.nova',
 'horizon.dashboards.syspanel',
 'horizon.dashboards.settings',
 'openstack_auth')
Installed Middleware:
('django.middleware.common.CommonMiddleware',
 'django.middleware.csrf.CsrfViewMiddleware',
 'django.contrib.sessions.middleware.SessionMiddleware',
 'django.contrib.auth.middleware.AuthenticationMiddleware',
 'django.contrib.messages.middleware.MessageMiddleware',
 'horizon.middleware.HorizonMiddleware',
 'django.middleware.doc.XViewMiddleware',
 'django.middleware.locale.LocaleMiddleware')


Traceback:
File /usr/lib/python2.7/dist-packages/django/core/handlers/base.py 
in get_response
  111. response = callback(request, 
*callback_args, **callback_kwargs)
File 
/usr/lib/python2.7/dist-packages/django/views/decorators/debug.py in 
sensitive_post_parameters_wrapper

  69. return view(request, *args, **kwargs)
File /usr/lib/python2.7/dist-packages/django/utils/decorators.py in 
_wrapped_view

  91. response = view_func(request, *args, **kwargs)
File 
/usr/lib/python2.7/dist-packages/django/views/decorators/cache.py in 
_wrapped_view_func

  89. response = view_func(request, *args, **kwargs)
File /usr/lib/python2.7/dist-packages/openstack_auth/views.py in login
  50.extra_context=extra_context)
File 
/usr/lib/python2.7/dist-packages/django/views/decorators/debug.py in 
sensitive_post_parameters_wrapper

  69. return view(request, *args, **kwargs)
File /usr/lib/python2.7/dist-packages/django/utils/decorators.py in 
_wrapped_view

  91. response = view_func(request, *args, **kwargs)
File 
/usr/lib/python2.7/dist-packages/django/views/decorators/cache.py in 
_wrapped_view_func

  89. response = view_func(request, *args, **kwargs)
File /usr/lib/python2.7/dist-packages/django/contrib/auth/views.py 
in login

  36. if form.is_valid():
File /usr/lib/python2.7/dist-packages/django/forms/forms.py in is_valid
  124. return self.is_bound and not bool(self.errors)
File /usr/lib/python2.7/dist-packages/django/forms/forms.py in 
_get_errors

  115. self.full_clean()
File /usr/lib/python2.7/dist-packages/django/forms/forms.py in 
full_clean

  271. self._clean_form()
File /usr/lib/python2.7/dist-packages/django/forms/forms.py in 
_clean_form

  299. self.cleaned_data = self.clean()
File 
/usr/lib/python2.7/dist-packages/django/views/decorators/debug.py in 
sensitive_variables_wrapper

  34. return func(*args, **kwargs)
File 

Re: [Openstack] S3 Token

[Adam Young]

On 12/11/2012 01:40 AM, Chmouel Boudjnah wrote:
On Mon, Dec 10, 2012 at 4:17 AM, Adam Young ayo...@redhat.com 
mailto:ayo...@redhat.com wrote:


As a Keystone core developer, I have to say that I don't see it as
a huge burden to keep it in place.  We want to maintain API
backward compatability, and removing it would break that. We
should deprecate it and get people to sign off on a complete
removal before taking it out of keystone.


Thanks for the feedback guy, if that's not much of troubles to keep it 
in keystone we can leave it there.


Cheers,
Chmouel.
That being said,  it probably could use better unit test coverage. Feel 
free to contribute code fragments toward that.


http://admiyo.fedorapeople.org/openstack/covhtml/keystone_contrib_ec2_core.html
___
Mailing list: https://launchpad.net/~openstack
Post to : openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help   : https://help.launchpad.net/ListHelp

Re: [Openstack] S3 Token

[Adam Young]

On 12/11/2012 11:11 AM, Adam Young wrote:

On 12/11/2012 01:40 AM, Chmouel Boudjnah wrote:
On Mon, Dec 10, 2012 at 4:17 AM, Adam Young ayo...@redhat.com 
mailto:ayo...@redhat.com wrote:


As a Keystone core developer, I have to say that I don't see it
as a huge burden to keep it in place.  We want to maintain API
backward compatability, and removing it would break that.  We
should deprecate it and get people to sign off on a complete
removal before taking it out of keystone.


Thanks for the feedback guy, if that's not much of troubles to keep 
it in keystone we can leave it there.


Cheers,
Chmouel.
That being said,  it probably could use better unit test coverage. 
Feel free to contribute code fragments toward that.


http://admiyo.fedorapeople.org/openstack/covhtml/keystone_contrib_ec2_core.html

Make that:


http://admiyo.fedorapeople.org/openstack/covhtml/keystone_contrib_s3_core.html
___
Mailing list: https://launchpad.net/~openstack
Post to : openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help   : https://help.launchpad.net/ListHelp

Re: [Openstack] S3 Token

[Adam Young]

On 12/08/2012 08:22 AM, Chmouel Boudjnah wrote:

Hi,

I'm working on removing the swift+keystone middleware from keystone, 
we have moved it already as keystoneauth since last OpenStack release 
into the main swift repository.


One thing that left in keystone is the s3_token middleware. Since in 
OpenStack/Swift we are not supporting third party API this could not 
be moved there.


The options :

1) Keep s3token in keystone


As a Keystone core developer, I have to say that I don't see it as a 
huge burden to keep it in place.  We want to maintain API backward 
compatability, and removing it would break that.  We should deprecate it 
and get people to sign off on a complete removal before taking it out of 
keystone.




2) Remove s3token from keystone and try to convince the swift3 
maintainer to integrate it.


3) Try to figure out if there is actually people using this and if not 
just nuke it.


4) move s3token to its own repo on github somewhere.

i personally would vote for number three, I don't  think much people 
using this (i.e: swift+keystone+s3) or at least I didn't hear many 
feedback about the middleware.


Chmouel.



___
Mailing list: https://launchpad.net/~openstack
Post to : openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help   : https://help.launchpad.net/ListHelp


___
Mailing list: https://launchpad.net/~openstack
Post to : openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help   : https://help.launchpad.net/ListHelp

Re: [Openstack] [devstack] keystone failed to get-token

[Adam Young]

On 12/03/2012 05:57 AM, benzwt benzwt wrote:

I gitted the devstack with version 6540d8910194bb523601ffdd06cdf4c2126e3fd0

I ran it but it returned
glance: error: argument --os-auth-token: expected one argument

after tracing the code I found that
it was due to
line 1662 in stack.sh

as the keystone failed to get-token, the value of --os-auth-token is empty

You have to find out why Keystone failed.I usually do something like:

. openrc
keystone token-get

And look at the log messages from the Keystone. If you look in the 
screens  (run screen -x) , Keystone is usually screen 3 (ctrl-a 3). 
ctrl-d to detach afterwards.





can somebody helps me ?


Best regards,
reynolds

___
Mailing list: https://launchpad.net/~openstack
Post to : openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help   : https://help.launchpad.net/ListHelp



___
Mailing list: https://launchpad.net/~openstack
Post to : openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help   : https://help.launchpad.net/ListHelp

[Openstack] [Keystone] LDAP Backend for Catalog

[Adam Young]

Right now, only the Identity submodule has an LDAP backend.  This is 
user, tenants, and roles.  Is there any requirement for the Catalog to 
have an LDAP back end?  Endpoints and Services do not necessarily map 
directly to the LDAP view of machines, but could probably be made to 
fit.  I will start investigating the feasibility if there is any demand 
for it.


___
Mailing list: https://launchpad.net/~openstack
Post to : openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help   : https://help.launchpad.net/ListHelp

Re: [Openstack] Configuring keystone with ldap

[Adam Young]

On 11/29/2012 11:47 PM, yasith tharindu wrote:



I was trying to enable enable keystone with ldap. but always return me 
with a  this error. *Error: *Invalid user name or password. and no 
log trace can be found.


All I can say is it looks correct enough, but you obviosuly have a 
problem in your LDAP to Keystone configuration.  Authentication to LDAP 
is done using a simple bind, based on what you have for the 
user_tree_dn.  Make sure you can do that same bind from a command line 
LDAP tool.




my keystone config as following


[ldap]
url = ldap://ldap.example.org http://ldap.example.org
tree_dn = dc=ldap,dc=example,dc=org
user_tree_dn = ou=user,dc=ldap,dc=example,dc=org
tenant_tree_dn = ou=group,dc=ldap,dc=example,dc=org
user = uid=ldapuser,ou=user,dc=ldap,dc=example,dc=org
password = password
suffix = dc=ldap,dc=example,dc=org
user_name_attribute = uid


[identity]
driver = keystone.identity.backends.ldap.Identity




I have few questions.

what am i missing here.
what is the purpose of role_tree_dn config does that necessarily needed.
can we enable logs.
there are many groups under tenant_tree_dn do I have to setup which 
group to look at.

Is there a sample ldap ldif file and keystone config to loook at?

Thanks


--
Thanks..
Regards...

Blog: http://www.yasith.info
Twitter : http://twitter.com/yasithnd
LinkedIn : http://www.linkedin.com/in/yasithnd
GPG Key ID : *57CEE66E*





___
Mailing list: https://launchpad.net/~openstack
Post to : openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help   : https://help.launchpad.net/ListHelp


___
Mailing list: https://launchpad.net/~openstack
Post to : openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help   : https://help.launchpad.net/ListHelp

Re: [Openstack] [openstack-dev] Fwd: [keystone] Tokens representing authorization to projects/tenants in the Keystone V3 API

[Adam Young]

On 11/10/2012 10:58 AM, David Chadwick wrote:
I agree with the vast majority of what Jorge says below. The idea I 
would like to bounce around is that of the unscoped token.


What does it mean conceptually? What is its purpose? Why do we need 
it? Why should a user be given an unscoped token to exchange at a 
later time for a scoped token?


My view is as follows:
i) a user is authenticated and identified, and from this, keystone can 
see that the user has access to a number of different tenants and 
services. Keystone creates an unscoped token to encapsulate this. Note 
that the unscoped token is scoped to the services/tenants available to 
this user, and consequently it is different for each identified user. 
Thus it does have some scope i.e. it cannot be swapped for access to 
any service by any tenant.
ii) the user must choose which service/tenant he wishes to activate. 
This is in line with the principle of least privileges.
iii) the user informs keystone which service(s) and tenant(s) he 
wishes to access and Keystone swaps the unscoped token for one that is 
scoped to the choice of the user.


The issue then becomes, what is the allowable scope of a scoped token? 
Jorge below believes it should cover multiple 
services/endpoints/tenants. So one must then ask, what is the 
difference between the most widely scoped scoped-token and the 
unscoped token? Surely they will have the same scope won't they? In 
which case there is no need for both concepts.


let's compare with Kerberos:  In my view an unscoped token is 
comparaable with a ticket granting ticket:  it cannot be used with any 
service other than the KDC, and it can only be used to get service 
tickets. A service ticket can only be used with a specific service.  If 
that service gets compromised, any tickets it has are useless for access 
to other resources.



If an unscoped token can be used against a wide array of services, we 
have just provided a path for an elevation of privileges attack. If I 
know that a service consumes tokens which can be used on a wide number 
of other services, I can target my attacks against that service in order 
to get access everywhere.


If we are going to provide this functionality, it should be turned off 
by default.




Comments please

regards

David

On 23/10/2012 06:25, Jorge Williams wrote:

Here's my view:

On making the default token a configuration option:  Like the idea.
  Disabling the option by default.  That's fine too.

On scoping a token to a specific endpoint:  That's fine, though I
believe that that's in the API today.  Currently, the way that we scope
tokens to endpoints is by validating against the service catalog. I'm
not sure if the default middleware checks for this yet, but the Repose
middleware does.  If you try to use a token in an endpoint that's not in
the service catalog the request fails -- well, if the check is turned 
on.


Obviously, I'd like the idea of scoping a single token to multiple
tenants / endpoints.

I don't like the idea of calling tokens sloppy tokens -- it's
confusing.   All you have to say is that a token has a scope -- and the
scope of the token is the set of resources that the token can provide
access to.  You can limit the scope of a token to a tenant, to a
endpoint, to a set of endpoints or tenants etc -- what limits you place
on the scope of an individual token should be up to the operator.

Keep in mind that as we start digging into delegation and fine grained
authorization (after Grizzly, I'm sure), we'll end up with tokens that
have a scope of a subset of resources in a single or multiple tenants.
  So calling them sloppy now is just confusing.  Simply stating that a
token has a scope (as I've defined above) should suffice.  This is part
of the reason why I've never liked the term unscoped token, because an
unscoped token does have a scope. It just so happens that the scope of
that token is the resource that provides a list of available tenants.

-jOrGe W.

On Oct 22, 2012, at 9:57 PM, Adam Young wrote:


Are you guys +1 ing the original Idea, my suggestion to make it
optional, the fact that I think we should call these sloppy tokens?

On 10/22/2012 03:40 PM, Jorge Williams wrote:

+1 here too.

At the end of the day, we'd like the identity API to be flexible
enough to allow the token to be scoped in a manner that the deployer
sees fit.  What the keystone implementation does by default is a
different matter -- and disabling multiple tenant  scope by default
would be fine by me.

-jOrGe W.


On Oct 21, 2012, at 11:10 AM, Joe Savak wrote:


+1. ;)

So the issue is that the v2 API contract allows a token to be scoped
to multiple tenants. For v3, I'd like to have the same flexibility.
I don't see security issues, as if a token were to be sniffed you
can change the password of the account using it and use those creds
to scope tokens to any tenant you wish.

Scope should always be kept as limited as possible. Personally, I
don't feel like limiting the tenant

Re: [Openstack] [keystone] Domain Name Spaces

[Adam Young]

On 10/30/2012 06:43 AM, David Chadwick wrote:

On 27/10/2012 00:17, Henry Nash wrote:

So to pick up on a couple of the areas of contention:

a) Roles.  I agree that role names must stay globally unique. One way
of thinking about this is that it is not actually keystone that is
creating the role name space it is the other services (Nova etc.) by
specifying roles in their policy files.  Until those services support
domain specific segmentation, then role names stay global.


I addressed this issue in my Federation design doc (in Appendix 2). 
Here is the text to save you having to look it up (note that an 
attribute is simply a generalisation of role and is needed in the 
broader authz context. Roles are too limiting.)


Attributes may be globally defined, e.g. visa attributes, or locally 
defined e.g. member of club X. Globally defined attributes are often 
specified in international standards and may be used in several 
different domains and federations. Their syntax and semantics are 
fixed, regardless of which Attribute Authority (AA) issues them. Local 
attributes are defined by their issuing attribute authority and 
usually are only valid in the domain or federation in which the AA is 
a member. For locally identifiable attributes the attribute authority 
(issuer) must be globally identifiable (in the federation). The 
attribute then becomes globally identifiable through hierarchical 
naming (AA.attribute).


Whilst in a non-federated world the service provider (e.g. Swift) can 
unilaterally define the roles it wants, in a federated world the 
attributes have to be mutually agreed between the issuer (AA) and the 
consumer (e.g. Swift).


To address this issue I proposed a role mapping (attribute mapping) 
service that is run by Keystone, and it maps between the 
role/attribute required by the service, and the actual attribute 
issued by the AA. For example, say Swift requires the role of Admin to 
be assigned to addministrators, whereas company X, the attribute 
authority, assigns the LDAP attribute title=OpenStack Cloud 
Administrator to its admin staff. Keystone will use its attribute 
mapping service to map between these values.




b) Will multi-domains make it more complicated in terms of authorisation
- e.g. will the users have to input a Domain Name into Horizon the whole
time?  The first thing I would say is that if the cloud administrator
has create multiple domains, then the keystone API should indeed require
the domain specification.


Again, in our federated design document we have the concept of a 
realm, which is similar to that of a domain, only in the federated 
case it indicates the place where the user will be authenticated and 
obtain (some of) his authz attributes from. The user can indicate the 
realm/domain name on the command line, but if it is missing, Keystone 
replies with a list of domains that it knows about and asks the user 
to choose one from the list.


I think this is the Key point.  Domain/Realm means who accepts 
responsibility for the user.  And that responsibility needs to be 
unambiguous.




 However, that should not mean it should be

laborious for a Horizon user.  In the case where a Cloud Provider has
created domains to encapsulate each of their customers - then if they
want to let those customer use horizon as the UI, then I would think
they want to be able to give each customer a unique URL which will point
to a Horizon that knows which domain to go to.


this is certainly a possibility.

regards

David

  Maybe the url contains

the Domain Name or ID in the path, and Horizon pulls this out of its own
url (assuming that's possible) and hence the user is never given an
option to chose a domain.  A Cloud Admin would use a non domain
qualified url to get to Horizon (basically as it is now) and hence be
able to see the different domains.  Likewise, in the case of where the
Cloud Provider has not chosen to create any individual domains (and is
just running the cloud in the default domain), then the  non domain
qualified url would be used to a Horizon that only showed one, default
domain and hence no choice is required.


Henry

On 26 Oct 2012, at 17:31, heckj wrote:


Bringing conversation for domains in Keystone to the broader mailing
lists.


On Oct 26, 2012, at 5:18 AM, Dolph Mathews dolph.math...@gmail.com
mailto:dolph.math...@gmail.com wrote:

I think this discussion would be great for both mailing lists.

-Dolph


On Fri, Oct 26, 2012 at 5:18 AM, Henry Nash henry.n...@mac.com
mailto:henry.n...@mac.com wrote:

Hi

Not sure where best to have this discussion - here, as a comment
to the v3api doc, or elsewhere - appreciate some guidance and
will transfer this to the right place

At the Summit we started a discussion on whether things like user
name, tenant name etc. should be globally unique or unique within
a domain.  I'd like to widen that discussion to try and a) agree
a direction, b) agree some changes to our current spec. 

Re: [Openstack] [keystone] Domain Name Spaces

[Adam Young]

On 10/26/2012 07:17 PM, Henry Nash wrote:

So to pick up on a couple of the areas of contention:

a) Roles.  I agree that role names must stay globally unique.  One way 
of thinking about this is that it is not actually keystone that is 
creating the role name space it is the other services (Nova etc.) by 
specifying roles in their policy files.  Until those services support 
domain specific segmentation, then role names stay global.


b) Will multi-domains make it more complicated in terms of 
authorisation - e.g. will the users have to input a Domain Name into 
Horizon the whole time?  The first thing I would say is that if the 
cloud administrator has create multiple domains, then the keystone API 
should indeed require the domain specification.  However, that should 
not mean it should be laborious for a Horizon user.  In the case where 
a Cloud Provider has created domains to encapsulate each of their 
customers - then if they want to let those customer use horizon as the 
UI, then I would think they want to be able to give each customer a 
unique URL which will point to a Horizon that knows which domain to 
go to.
Yes, I think that this is the solution.  It will involve HTTPD virtual 
hosts, and horizon can then get an additional config parameter 
keystone_domain as part of the wsgi config.



 Maybe the url contains the Domain Name or ID in the path, and Horizon 
pulls this out of its own url (assuming that's possible) and hence the 
user is never given an option to chose a domain.  A Cloud Admin would 
use a non domain qualified url to get to Horizon (basically as it is 
now) and hence be able to see the different domains.  Likewise, in the 
case of where the Cloud Provider has not chosen to create any 
individual domains (and is just running the cloud in the default 
domain), then the  non domain qualified url would be used to a 
Horizon that only showed one, default domain and hence no choice is 
required.



Henry

On 26 Oct 2012, at 17:31, heckj wrote:

Bringing conversation for domains in Keystone to the broader mailing 
lists.



On Oct 26, 2012, at 5:18 AM, Dolph Mathews dolph.math...@gmail.com 
mailto:dolph.math...@gmail.com wrote:

I think this discussion would be great for both mailing lists.

-Dolph


On Fri, Oct 26, 2012 at 5:18 AM, Henry Nash henry.n...@mac.com 
mailto:henry.n...@mac.com wrote:


Hi

Not sure where best to have this discussion - here, as a
comment to the v3api doc, or elsewhere - appreciate some
guidance and will transfer this to the right place

At the Summit we started a discussion on whether things like
user name, tenant name etc. should be globally unique or unique
within a domain.  I'd like to widen that discussion to try and
a) agree a direction, b) agree some changes to our current spec.
Here's my view as an opening gambit:

- When a Keystone instance is first started, there is only one,
default, Domain.  The Cloud Provider does not need to create any
new domains, all projects can exist in this default domain, as
will the users etc.  There is one, global, name space.  Clients
using the v2 API will work just fine.


+1


Very much what we were thinking for the initial implemenation and 
rollout to make it backwards compatible with the V2 (non-domain) 
core API



- If the Cloud Provider wants to provide their customers with
regions they can administer themselves and be self-contained,
then they create a Domain for each customer.  It should be
possible for users/roles to be scoped to a Domain so that
(effectively) administrative duties can be delegated to some
users in that Domain.  So far so good - all this can be done
with the v3 API.


Not clear on if you're referring to endpoint regions, or just 
describing domain isolation?


I believe you're describing the key use cases behind the domains 
mechanism to begin with - user and project partitioning to allow for 
administration of those to be clearly owned and managed appropriately.




- We still have work to do to make sure items in other OS
projects that reference tenants (e.g. Images) can take a Domain
or Project ID, but we'll get to that soon enough


Everything will continue to work with projects, but once middleware 
starts providing a DOMAIN_ID and DOMAIN_NAME to the underlying 
service, it'll be up to them to take advantage of it. Images per 
domain is an excellent example use case.



- However, Cloud Providers want to start enabling enterprise
customers to run more and more of the workloads in OpenStack
clouds - over and above, the smaller sized companies that are
doing this today.  For this to work, the encapsulation of a
Domain need, I think, to be able to be stricter - and this is
where the name space comes into play.  I think we need to allow
for a Domain to have its own namespace (i.e. users, roles,
projects etc.) as an option.  I see this as a first step to

Re: [Openstack-qa-team] Changes with ids/uuids?

[Adam Young]

On 10/25/2012 12:49 PM, Daryl Walleck wrote:

You hit the nail on the head. I got a bit jumpy and ended up filing a bug to 
Keystone and got that same response, which explains the token. I suppose the 
flavor id change was intentional as well, but I would've expected it to be a 
uuid instead of a very large int.


You now own the bug report that I will point people at when this issue 
comes up in the future.  Hopefully they will search before filing




From: openstack-qa-team-bounces+daryl.walleck=rackspace@lists.launchpad.net 
[openstack-qa-team-bounces+daryl.walleck=rackspace@lists.launchpad.net] on 
behalf of Jay Pipes [jaypi...@gmail.com]
Sent: Thursday, October 25, 2012 11:38 AM
To: openstack-qa-team@lists.launchpad.net; ayo...@redhat.com
Subject: Re: [Openstack-qa-team] Changes with ids/uuids?

On 10/25/2012 01:13 AM, Daryl Walleck wrote:

While spinning up a new devstack tonight I noticed some very odd
behavior. Keystone is suddenly giving me back a 3000+ character auth
token, and the ids for flavors I'm creating are extremely large ints
(uuids I could see, but not this). Does anyone have any insight into if
either of these changes were intentional?

I believe you have run into the change that Keystone recently made that
switched to using PKI by default for token authentication in the services.

Adam, can you verify this is the case, and a remedy for Daryl?

Thanks much!
-jay

--
Mailing list: https://launchpad.net/~openstack-qa-team
Post to : openstack-qa-team@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack-qa-team
More help   : https://help.launchpad.net/ListHelp



--
Mailing list: https://launchpad.net/~openstack-qa-team
Post to : openstack-qa-team@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack-qa-team
More help   : https://help.launchpad.net/ListHelp

Re: [Openstack-qa-team] Changes with ids/uuids?

[Adam Young]

On 10/25/2012 01:41 PM, David Kranz wrote:
Going forward, such changes should really be announced to the dev 
list. There is no reason people need to be

left to trip over them.
Good point.  It was announced that it was coming for a while, and it 
should be a slide in replacement. But we should have specified the date.




 -David

On 10/25/2012 1:13 PM, Adam Young wrote:

On 10/25/2012 12:49 PM, Daryl Walleck wrote:
You hit the nail on the head. I got a bit jumpy and ended up filing 
a bug to Keystone and got that same response, which explains the 
token. I suppose the flavor id change was intentional as well, but I 
would've expected it to be a uuid instead of a very large int.


You now own the bug report that I will point people at when this 
issue comes up in the future.  Hopefully they will search before 
filing




From: 
openstack-qa-team-bounces+daryl.walleck=rackspace@lists.launchpad.net 
[openstack-qa-team-bounces+daryl.walleck=rackspace@lists.launchpad.net] 
on behalf of Jay Pipes [jaypi...@gmail.com]

Sent: Thursday, October 25, 2012 11:38 AM
To: openstack-qa-team@lists.launchpad.net; ayo...@redhat.com
Subject: Re: [Openstack-qa-team] Changes with ids/uuids?

On 10/25/2012 01:13 AM, Daryl Walleck wrote:

While spinning up a new devstack tonight I noticed some very odd
behavior. Keystone is suddenly giving me back a 3000+ character auth
token, and the ids for flavors I'm creating are extremely large ints
(uuids I could see, but not this). Does anyone have any insight 
into if

either of these changes were intentional?

I believe you have run into the change that Keystone recently made that
switched to using PKI by default for token authentication in the 
services.


Adam, can you verify this is the case, and a remedy for Daryl?

Thanks much!
-jay

--
Mailing list: https://launchpad.net/~openstack-qa-team
Post to : openstack-qa-team@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack-qa-team
More help   : https://help.launchpad.net/ListHelp








--
Mailing list: https://launchpad.net/~openstack-qa-team
Post to : openstack-qa-team@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack-qa-team
More help   : https://help.launchpad.net/ListHelp

Re: [Openstack] [SWIFT] Proxies Sizing for 90.000 / 200.000 RPM

[Adam Young]

On 10/24/2012 07:45 PM, heckj wrote:

John brought the concern over auth_token middleware up to me directly -

I don't know of anyone that's driven the keystone middleware to these 
rates and determined where the bottlenecks are other than folks 
deploying swift and driving high performance numbers.


The concern that John detailed to me is how the middleware handles 
memcache connections, which is directly impacted by how you're 
deploying it. From John:


Specifically, I'm concerned with the way auth_token handles memcache 
connections. I'm not sure how well it will work in swift with 
eventlet. If the memcache module being used caches sockets, then 
concurrency in eventlet (different greenthreads) will cause problems. 
Eventlet detects and prevents concurrent access to the same socket 
(for good reason--data from the socket may be delivered to the wrong 
listener).


We should probably disable memcache for PKI tokens



I haven't driven any system this hard to suss out the issues, but 
there's the nut of it - how to keep from cascading that load out to 
validation of authorization tokens. The middleware is assuming that 
eventlet and any needed patching has already been done when it's 
invoked (i.e. no monkeypatching in there), and loads the memcache 
module and uses whatever it has in there directly.


This is all assuming you're using the current standard of UUID based 
tokens. Keystone is also supporting PKI based tokens, which removes 
the need to constantly make the validation call, but at the 
computational cost of unspinning the decryption around the signed 
token. I don't know of any load numbers and analysis with that backing 
set up at this time, and would expect that any initial analysis would 
lead to some clear performance optimizations that may be needed.


The fork is the expensive part, but it should also parallelize fairly 
well.  One reason we chose this approach is that it seems to fit in best 
with how Eventlet works:  a fork means there should be no reason to do a 
real thread, and thus it can use greenlets and processes.  But we 
won't know until we try to scale it.


PKI tokens just went default, so we should find out soon.



- joe


On Oct 24, 2012, at 1:20 PM, Alejandro Comisario 
alejandro.comisa...@mercadolibre.com 
mailto:alejandro.comisa...@mercadolibre.com wrote:

Thanks Josh, and Thanks John.
I know it was an exciting Summit! Congrats to everyone !

John, let me give you extra data and something that i've already 
said, that might me wrong.


First, the request size that will compose the 90.000RPM - 200.000 RPM 
will be from 90% 20K objects, and 10% 150/200K objects.
Second, all the GET requests, are going to be public, configured 
through ACL, so, if the GET requests are public (so, no X-Auth-Token 
is passed) why should i be worried about the keystone middleware ?


Just to clarify, because i really want to understand what my real 
metrics are so i can know where to tune in case i need to.

Thanks !
*
*
*---*
*Alejandrito*


On Wed, Oct 24, 2012 at 3:28 PM, John Dickinson m...@not.mn 
mailto:m...@not.mn wrote:


Sorry for the delay. You've got an interesting problem, and we
were all quite busy last week with the summit.

First, the standard caveat: Your performance is going to be
highly dependent on your particular workload and your particular
hardware deployment. 3500 req/sec in two different deployments
may be very different based on the size of the requests, the
spread of the data requested, and the type of requests. Your
experience may vary, etc, etc.

However, for an attempt to answer your question...

6 proxies for 3500 req/sec doesn't sound unreasonable. It's in
line with other numbers I've seen from people and what I've seen
from other large scale deployments. You are basically looking at
about 600 req/sec/proxy.

My first concern is not the swift workload, but how keystone
handles the authentication of the tokens. A quick glance at the
keystone source seems to indicate that keystone's auth_token
middleware is using a standard memcached module that may not play
well with concurrent connections in eventlet. Specifically,
sockets cannot be reused concurrently by different greenthreads.
You may find that the token validation in the auth_token
middleware fails under any sort of load. This would need to be
verified by your testing or an examination of the memcache module
being used. An alternative would be to look at the way swift
implements it's memcache connections in an eventlet-friendly way
(see swift/common/memcache.py:_get_conns() in the swift codebase).

--John



On Oct 11, 2012, at 4:28 PM, Alejandro Comisario
alejandro.comisa...@mercadolibre.com
mailto:alejandro.comisa...@mercadolibre.com wrote:

 Hi Stackers !
 This is the thing, today we have a 24 datanodes (3 copies, 90TB
usables) each datanode has 2 intel hexacores CPU with 

Re: [Openstack] Fwd: [openstack-dev] [keystone] Tokens representing authorization to projects/tenants in the Keystone V3 API

[Adam Young]

On 10/23/2012 01:25 AM, Jorge Williams wrote:

Here's my view:

On making the default token a configuration option:  Like the idea. 
 Disabling the option by default.  That's fine too.


On scoping a token to a specific endpoint:  That's fine, though I 
believe that that's in the API today.  Currently, the way that we 
scope tokens to endpoints is by validating against the service 
catalog. I'm not sure if the default middleware checks for this yet, 
but the Repose middleware does.  If you try to use a token in an 
endpoint that's not in the service catalog the request fails -- well, 
if the check is turned on.


Obviously, I'd like the idea of scoping a single token to multiple 
tenants / endpoints.


I don't like the idea of calling tokens sloppy tokens -- it's 
confusing.   All you have to say is that a token has a scope -- and 
the scope of the token is the set of resources that the token can 
provide access to.  You can limit the scope of a token to a tenant, to 
a endpoint, to a set of endpoints or tenants etc -- what limits you 
place on the scope of an individual token should be up to the operator.


Keep in mind that as we start digging into delegation and fine grained 
authorization (after Grizzly, I'm sure), we'll end up with tokens that 
have a scope of a subset of resources in a single or multiple tenants. 
 So calling them sloppy now is just confusing.  Simply stating that a 
token has a scope (as I've defined above) should suffice.  This is 
part of the reason why I've never liked the term unscoped token, 
because an unscoped token does have a scope. It just so happens that 
the scope of that token is the resource that provides a list of 
available tenants.
This is a pretty good distinction.  What we were calling Unscoped is, 
to me, the equivalent of a TGT in Kerberos:  a starting point, that has 
not been specified to any resources.  I'd be willing to entertain a 
different name than Unscoped.  Let me throw out Starting Tokens as a 
straw man, and we can beat it up to come up with a better term.


Sloppy was never meant seriously, but more a way to tweak the noses of 
the project members named Joe.





-jOrGe W.

On Oct 22, 2012, at 9:57 PM, Adam Young wrote:

Are you guys +1 ing the original Idea, my suggestion to make it 
optional, the fact that I think we should call these sloppy tokens?


On 10/22/2012 03:40 PM, Jorge Williams wrote:

+1 here too.

At the end of the day, we'd like the identity API to be flexible 
enough to allow the token to be scoped in a manner that the deployer 
sees fit.  What the keystone implementation does by default is a 
different matter -- and disabling multiple tenant  scope by default 
would be fine by me.


-jOrGe W.


On Oct 21, 2012, at 11:10 AM, Joe Savak wrote:


+1. ;)

So the issue is that the v2 API contract allows a token to be 
scoped to multiple tenants. For v3, I'd like to have the same 
flexibility. I don't see security issues, as if a token were to be 
sniffed you can change the password of the account using it and use 
those creds to scope tokens to any tenant you wish.
Scope should always be kept as limited as possible. Personally, I 
don't feel like limiting the tenant list makes much difference.  THe 
more I think about it, the real benefit comes from limiting the  
endpoints.







On Oct 20, 2012, at 21:07, Adam Young ayo...@redhat.com 
mailto:ayo...@redhat.com wrote:



On 10/20/2012 01:50 PM, heckj wrote:
I sent this to the openstack-dev list, and thought I'd double 
post this onto the openstack list at Launchpad for additional 
feedback.


-joe

Begin forwarded message:

*From: *heckj he...@mac.com mailto:he...@mac.com
*Subject: **[openstack-dev] [keystone] Tokens representing 
authorization to projects/tenants in the Keystone V3 API*

*Date: *October 19, 2012 1:51:16 PM PDT
*To: *OpenStack Development Mailing List 
openstack-...@lists.openstack.org 
mailto:openstack-...@lists.openstack.org
*Reply-To: *OpenStack Development Mailing List 
openstack-...@lists.openstack.org 
mailto:openstack-...@lists.openstack.org


The topic of what a token can or can't represent for the 
upcoming V3 Keystone API  came up - and I wanted to share the 
conversation a bit more broadly to get feedback.



A bit of history:

In the V2 API, when you authenticated with just a username and 
password, the token that was provided wasn't entirely clearly 
defined. The reference implementation that Keystone used was to 
create what's been called an 'unscoped' token - which was 
generally limited to only being able to get a list of possible 
tenants/projects and the capability of getting a token specific 
to a user  tenant/project (what's been called a scoped token)


Likewise, the reference implementation of the rest of the 
OpenStack projects all require a tenant information to be 
included within the token as that token was the identity 
refernce inforoamtion - and most OpenStack services were wanting 
to know the tenant associated with the token

Re: [Openstack] Keystone-dev question

[Adam Young]

On 10/22/2012 02:16 PM, Ken Thomas wrote:

Greetings all,

I'm working on a keystone bug (to get my feet wetter) and I have a 
couple of questions.


Could someone please take a look at comment #2 in 
https://bugs.launchpad.net/python-keystoneclient/+bug/1031245 (Get a 
User by Name) and let me know what y'all think?


Thanks,

Ken

___
Mailing list: https://launchpad.net/~openstack
Post to : openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help   : https://help.launchpad.net/ListHelp


 Done!

___
Mailing list: https://launchpad.net/~openstack
Post to : openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help   : https://help.launchpad.net/ListHelp

Re: [Openstack] Fwd: [openstack-dev] [keystone] Tokens representing authorization to projects/tenants in the Keystone V3 API

[Adam Young]

Are you guys +1 ing the original Idea, my suggestion to make it 
optional, the fact that I think we should call these sloppy tokens?


On 10/22/2012 03:40 PM, Jorge Williams wrote:

+1 here too.

At the end of the day, we'd like the identity API to be flexible 
enough to allow the token to be scoped in a manner that the deployer 
sees fit.  What the keystone implementation does by default is a 
different matter -- and disabling multiple tenant  scope by default 
would be fine by me.


-jOrGe W.


On Oct 21, 2012, at 11:10 AM, Joe Savak wrote:


+1. ;)

So the issue is that the v2 API contract allows a token to be scoped 
to multiple tenants. For v3, I'd like to have the same flexibility. I 
don't see security issues, as if a token were to be sniffed you can 
change the password of the account using it and use those creds to 
scope tokens to any tenant you wish.
Scope should always be kept as limited as possible. Personally, I don't 
feel like limiting the tenant list makes much difference.  THe more I 
think about it, the real benefit comes from limiting the endpoints.







On Oct 20, 2012, at 21:07, Adam Young ayo...@redhat.com 
mailto:ayo...@redhat.com wrote:



On 10/20/2012 01:50 PM, heckj wrote:
I sent this to the openstack-dev list, and thought I'd double post 
this onto the openstack list at Launchpad for additional feedback.


-joe

Begin forwarded message:

*From: *heckj he...@mac.com mailto:he...@mac.com
*Subject: **[openstack-dev] [keystone] Tokens representing 
authorization to projects/tenants in the Keystone V3 API*

*Date: *October 19, 2012 1:51:16 PM PDT
*To: *OpenStack Development Mailing List 
openstack-...@lists.openstack.org 
mailto:openstack-...@lists.openstack.org
*Reply-To: *OpenStack Development Mailing List 
openstack-...@lists.openstack.org 
mailto:openstack-...@lists.openstack.org


The topic of what a token can or can't represent for the upcoming 
V3 Keystone API  came up - and I wanted to share the conversation 
a bit more broadly to get feedback.



A bit of history:

In the V2 API, when you authenticated with just a username and 
password, the token that was provided wasn't entirely clearly 
defined. The reference implementation that Keystone used was to 
create what's been called an 'unscoped' token - which was 
generally limited to only being able to get a list of possible 
tenants/projects and the capability of getting a token specific to 
a user  tenant/project (what's been called a scoped token)


Likewise, the reference implementation of the rest of the 
OpenStack projects all require a tenant information to be included 
within the token as that token was the identity refernce 
inforoamtion - and most OpenStack services were wanting to know 
the tenant associated with the token for authorization/ownership 
purposes.


Apparently Rackspace's internal implementation provided a token 
that was immediately valid for all possible tenants to which the 
user was associated, and presumably their internal implementations 
of openstack do whatever work is appropriate to discern and 
provide that information to the various openstack services.


The quandary:

In the V3 API, we started off with, and currently define the token 
as being specifically mandated to a single tenant, with a new 
requirement that if you authorize with just a username and 
password, a default tenant is used. If for some reason you have 
no tenant associated with the userid, the authorization is to be 
refused. If the user is associated with more than one 
tenant/project, it's possible to use the token to get a list of 
other tenants/projects and request a new token specific to one of 
those other tenant/projects, but the implementation is expected to 
respect and provide a default.


I would like to make default tenant a configuration option, and 
have it disabled by default.  Unscoped tokens are a very useful 
construct.  In the case where the user has many roles across a 
multitude of projects, it is possible to create huge tokens.  I 
would prefer unscoped tokens to remain, and to be associated with no 
tenant.  The only operation Keystone should provide with them is the 
ability to enumerate tenants, so something like Horizon can then 
request an appropriately scoped token.


I am also in favor of limiting the scope of a token to an endpoint.  
Even more-so than tenants, scoping a token to an end point increases 
security.  Once a token has been scoped to an endpoint, it can only 
be used on that endpoint.  If an endpoint gets compromised, the 
damage is limited to resources that endpoint already has access to.  
This, in conjunction with pre-auths, could allow a user to perform 
an action with a minimum of risk in a public cloud environment.





A few folks from Rackspace touched on this at the very tail end of 
the V3 API review session on Thursday, bringing up that they had 
an issue with the token being scoped to a single tenant. Since 
this has significant implications to both security

Re: [Openstack] Fwd: [openstack-dev] [keystone] Tokens representing authorization to projects/tenants in the Keystone V3 API

[Adam Young]

On 10/20/2012 01:50 PM, heckj wrote:
I sent this to the openstack-dev list, and thought I'd double post 
this onto the openstack list at Launchpad for additional feedback.


-joe

Begin forwarded message:

*From: *heckj he...@mac.com mailto:he...@mac.com
*Subject: **[openstack-dev] [keystone] Tokens representing 
authorization to projects/tenants in the Keystone V3 API*

*Date: *October 19, 2012 1:51:16 PM PDT
*To: *OpenStack Development Mailing List 
openstack-...@lists.openstack.org 
mailto:openstack-...@lists.openstack.org
*Reply-To: *OpenStack Development Mailing List 
openstack-...@lists.openstack.org 
mailto:openstack-...@lists.openstack.org


The topic of what a token can or can't represent for the upcoming V3 
Keystone API  came up - and I wanted to share the conversation a bit 
more broadly to get feedback.



A bit of history:

In the V2 API, when you authenticated with just a username and 
password, the token that was provided wasn't entirely clearly 
defined. The reference implementation that Keystone used was to 
create what's been called an 'unscoped' token - which was generally 
limited to only being able to get a list of possible tenants/projects 
and the capability of getting a token specific to a user  
tenant/project (what's been called a scoped token)


Likewise, the reference implementation of the rest of the OpenStack 
projects all require a tenant information to be included within the 
token as that token was the identity refernce inforoamtion - and most 
OpenStack services were wanting to know the tenant associated with 
the token for authorization/ownership purposes.


Apparently Rackspace's internal implementation provided a token that 
was immediately valid for all possible tenants to which the user was 
associated, and presumably their internal implementations of 
openstack do whatever work is appropriate to discern and provide that 
information to the various openstack services.


The quandary:

In the V3 API, we started off with, and currently define the token as 
being specifically mandated to a single tenant, with a new 
requirement that if you authorize with just a username and password, 
a default tenant is used. If for some reason you have no tenant 
associated with the userid, the authorization is to be refused. If 
the user is associated with more than one tenant/project, it's 
possible to use the token to get a list of other tenants/projects and 
request a new token specific to one of those other tenant/projects, 
but the implementation is expected to respect and provide a default.


I would like to make default tenant a configuration option, and have 
it disabled by default.  Unscoped tokens are a very useful construct.  
In the case where the user has many roles across a multitude of 
projects, it is possible to create huge tokens.  I would prefer unscoped 
tokens to remain, and to be associated with no tenant.  The only 
operation Keystone should provide with them is the ability to enumerate 
tenants, so something like Horizon can then request an appropriately 
scoped token.


I am also in favor of limiting the scope of a token to an endpoint. Even 
more-so than tenants, scoping a token to an end point increases 
security.  Once a token has been scoped to an endpoint, it can only be 
used on that endpoint.  If an endpoint gets compromised, the damage is 
limited to resources that endpoint already has access to. This, in 
conjunction with pre-auths, could allow a user to perform an action with 
a minimum of risk in a public cloud environment.





A few folks from Rackspace touched on this at the very tail end of 
the V3 API review session on Thursday, bringing up that they had an 
issue with the token being scoped to a single tenant. Since this has 
significant implications to both security and a potential user 
experience flow, I wanted to bring the issue up across the broader 
community for discussion.


The request outstanding:

Rackspace folks are requesting that the token not be limited to a 
single tenant/project, but instead provides a list of potential 
tenants against which the token should be considered valid.
I would like the world to know that we are affectionately calling such 
tokens sloppy tokens and Joe Savak has adopted the nickname of Sloppy 
Joe for championing them.  Allowing it as an option is fine, but I 
would not recommend that this become the norm, or that we enable this 
feature by default.


Brief (maybe shoddy) analysis:

This would potentially imply changes to what gets passed as a part of 
the authentication reference in the context passed using auth_token 
middleware - multiple tenants possible instead of the currently 
expected single value - so using that as information for create() 
style mechanisms would need to provide some alternative means of 
clearly defining what tenant/project should be owner. It  would 
provide anyone compromising that particular token with a broader 
spectrum of impact on a replay style attack. Likewise, 

Re: [Openstack] A simple guide to install OpenStack Folsom

[Adam Young]

On 10/10/2012 05:27 AM, Skible OpenStack wrote:

Le 10/10/2012 11:23, Alan Pevec a écrit :

On Wed, Oct 10, 2012 at 11:10 AM, Skible OpenStack
skible.openst...@gmail.com wrote:
I am counting on our your feedback to enhance my work and contribute 
it to

the OpenStack Eco System.
I wonder about 
https://github.com/mseknibilel/OpenStack-Folsom-Install-guide/tree/master/Scripts

which say:
# Mainly inspired by
https://github.com/openstack/keystone/blob/master/tools/sample_data.sh

Why not submit that as an improvement to Keystone?
I'd like to propose consolidation of all keystone initialization
scripts around (Keyston's sample_data.sh, Devstack's keystone_data.sh,
scripts like yours) and  move to Lorin's YAML config (see
https://lists.launchpad.net/openstack/msg17204.html)
I'm just not sure yet if additional dependency on YAML is worth it.

Cheers,
Alan

Hi Alan,

That's a very good idea. I personally prefer scripting over YAML since 
it is simpler and easier to use.
devstack's script is way fat to me, it adds things i don't need so i 
had put it on  a diet to come out with a much simpler and easier script.


I will see how i can submit my work to keystone people.


As you would submite anything, of course:  Open a bug on launchpad, 
describe the problem, and then submit a patch, with


Bug id

 in the commit message.  We'll see it.


___
Mailing list: https://launchpad.net/~openstack
Post to : openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help   : https://help.launchpad.net/ListHelp



___
Mailing list: https://launchpad.net/~openstack
Post to : openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help   : https://help.launchpad.net/ListHelp

Re: [Openstack] FreeIPA LDAP + Keystone question: How to assign roles to user?

[Adam Young]

Role is grouped in the collection under the Tenant, with the userid in 
the members attribute for that role.




On 09/24/2012 03:18 AM, ?? wrote:


Openstack services need user account with 'admin' role. But I could 
not figure out how FreeIPA propagate 'role' into Keystone.


That's why I'm asking the question in mailing list.


On Sep 24, 2012, at 11:30 AM, spring wrote:


Thanks qiujian!
By using this configuration, can we log in through dashboard? If I 
want to implement that, is there any other configuration I have to do?


2012/9/24 ?? qiuj...@meituan.com mailto:qiuj...@meituan.com

BTW, here is my configuration:

[ldap]
url = ldap://10.64.11.199
tree_dn = cn=accounts,dc=mydomain,dc=com
user_tree_dn = cn=users,cn=accounts,dc=mydomain,dc=com
user_objectclass = person
user_name_attribute = uid
user_id_attribute = uid
tenant_tree_dn = cn=groups,cn=accounts,dc=mydomain,dc=com
tenant_objectclass = posixgroup
tenant_id_attribute = cn
tenant_name_attribute = cn
tenant_member_attribute = member
role_tree_dn = cn=groups,cn=accounts,dc=mydomain,dc=com
role_objectclass = posixgroup
role_id_attribute = cn
role_name_attribute = cn
role_member_attribute = member
user = uid=sudo,cn=sysaccounts,cn=etc,dc=mydomain,dc=com
password = mysudopassword
suffix = cn=mydomain,cn=com


[identity]
driver = keystone.identity.backends.ldap.Identity

It seems that keystone LDAP requires role nodes the children of
tenant nodes. But FreeIPA has a flat structure.

--
??
??? - ?
??:1381129925
??:qiuj...@meituan.com mailto:qiuj...@meituan.com

On Sep 22, 2012, at 12:27 PM, ?? wrote:


Hi,

I was working on using LDAP of FreeIP as backend of Keystone.

User and tenants information can be fetched from LDAP. However,
I could not figure out how to assign roles to users in specific
tenants. I'm wondering whether someone can help?

I noticed that Mr. Adam Young had post a blog about this topic:

http://adam.younglogic.com/2012/09/ldaps-against-a-freeipa-server/

However, it did not show how to import roles in LDAP. I'm
wondering whether there is any progress about this?

Many thanks.

keystone in use was the latest master branch on github on Sep
21, 2012.


Jian Qiu
___
Mailing list: https://launchpad.net/~openstack
https://launchpad.net/%7Eopenstack
Post to : openstack@lists.launchpad.net
mailto:openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
https://launchpad.net/%7Eopenstack
More help   : https://help.launchpad.net/ListHelp



___
Mailing list: https://launchpad.net/~openstack
https://launchpad.net/%7Eopenstack
Post to : openstack@lists.launchpad.net
mailto:openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
https://launchpad.net/%7Eopenstack
More help   : https://help.launchpad.net/ListHelp




--
Huang Shuquan (???)
Software Institute of Nanjing University Nanjing, P.R.China
Mobile: 86 137 7086 4433





___
Mailing list: https://launchpad.net/~openstack
Post to : openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help   : https://help.launchpad.net/ListHelp


___
Mailing list: https://launchpad.net/~openstack
Post to : openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help   : https://help.launchpad.net/ListHelp

Re: [Openstack] Keystone: LDAP identity driver 'list resource' support

[Adam Young]

On 09/10/2012 11:29 AM, boden wrote:

I've been munking with the latest Keystone LDAP identity driver and
based on what I'm seeing the driver does not support the 'list' resource
based methods. For example 'list users', 'list tenants'...

For example, config your keystone.conf up to use an LDAP backend which
contains the supported DIT structure for the driver and then fire up
keystone. Hit keystone with a GET /users or GET /tenants request and
500/501 errors. Switch your identity driver back to the SQL identity
driver and retry -- all is well and you can list users and tenants.

Looking at the code it appears the ldap identity driver does not
implement the list_*() methods (list_users(), list_roles()...)


___
Mailing list: https://launchpad.net/~openstack
Post to : openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help   : https://help.launchpad.net/ListHelp
That is correct.  I thought we already had a ticket for this one, but it 
does not appear to be so.  Please go ahead and open one.


___
Mailing list: https://launchpad.net/~openstack
Post to : openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help   : https://help.launchpad.net/ListHelp

Re: [Openstack] Keystone: LDAP identity driver 'list resource' support

[Adam Young]

On 09/10/2012 02:28 PM, Joseph Heck wrote:

Hey Boden,

It's not scheduled to be fixed in the Folsom release, the linkages to 
milestones and such indicate that.

The original developer that proposed a patch disappeared in that flow, so it 
stagnated. Adam just picked it up and assigned it to himself though to dig 
around on it - so perhaps he can provide more detail there.


In retrospect, the patch is trivial, and it seems to fit a need.  We 
should be able to sneak it in.  I'm trying to test the CLI right now, 
but the unit tests look good.





-joe


On Sep 10, 2012, at 10:31 AM, boden bo...@linux.vnet.ibm.com wrote:

Thanks... Is this defect going to get resolved in the folsom time-frame?
Looks like the target milestone was set to none and the defect has been
inactive for 2.5 months.

On 9/10/2012 12:43 PM, Dolph Mathews wrote:

You thought correct: https://bugs.launchpad.net/keystone/+bug/983304

-Dolph


On Mon, Sep 10, 2012 at 11:32 AM, Adam Young ayo...@redhat.com
mailto:ayo...@redhat.com wrote:

On 09/10/2012 11:29 AM, boden wrote:

I've been munking with the latest Keystone LDAP identity driver and
based on what I'm seeing the driver does not support the 'list'
resource
based methods. For example 'list users', 'list tenants'...

For example, config your keystone.conf up to use an LDAP backend
which
contains the supported DIT structure for the driver and then fire up
keystone. Hit keystone with a GET /users or GET /tenants request and
500/501 errors. Switch your identity driver back to the SQL identity
driver and retry -- all is well and you can list users and tenants.

Looking at the code it appears the ldap identity driver does not
implement the list_*() methods (list_users(), list_roles()...)


_
Mailing list: https://launchpad.net/~__openstack
https://launchpad.net/~openstack
Post to : openstack@lists.launchpad.net
mailto:openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~__openstack
https://launchpad.net/~openstack
More help   : https://help.launchpad.net/__ListHelp
https://help.launchpad.net/ListHelp

That is correct.  I thought we already had a ticket for this one,
but it does not appear to be so.  Please go ahead and open one.

_
Mailing list: https://launchpad.net/~__openstack
https://launchpad.net/~openstack
Post to : openstack@lists.launchpad.net
mailto:openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~__openstack
https://launchpad.net/~openstack
More help   : https://help.launchpad.net/__ListHelp
https://help.launchpad.net/ListHelp




___
Mailing list: https://launchpad.net/~openstack
Post to : openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help   : https://help.launchpad.net/ListHelp



___
Mailing list: https://launchpad.net/~openstack
Post to : openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help   : https://help.launchpad.net/ListHelp


___
Mailing list: https://launchpad.net/~openstack
Post to : openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help   : https://help.launchpad.net/ListHelp



___
Mailing list: https://launchpad.net/~openstack
Post to : openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help   : https://help.launchpad.net/ListHelp

Re: [Openstack] Keystone: LDAP identity driver 'list resource' support

[Adam Young]

On 09/10/2012 03:55 PM, Adam Young wrote:

On 09/10/2012 02:28 PM, Joseph Heck wrote:

Hey Boden,

It's not scheduled to be fixed in the Folsom release, the linkages to 
milestones and such indicate that.


The original developer that proposed a patch disappeared in that 
flow, so it stagnated. Adam just picked it up and assigned it to 
himself though to dig around on it - so perhaps he can provide more 
detail there.


In retrospect, the patch is trivial, and it seems to fit a need. We 
should be able to sneak it in.  I'm trying to test the CLI right now, 
but the unit tests look good.




Please review.

https://review.openstack.org/#/c/12726/



-joe


On Sep 10, 2012, at 10:31 AM, boden bo...@linux.vnet.ibm.com wrote:
Thanks... Is this defect going to get resolved in the folsom 
time-frame?

Looks like the target milestone was set to none and the defect has been
inactive for 2.5 months.

On 9/10/2012 12:43 PM, Dolph Mathews wrote:

You thought correct: https://bugs.launchpad.net/keystone/+bug/983304

-Dolph


On Mon, Sep 10, 2012 at 11:32 AM, Adam Young ayo...@redhat.com
mailto:ayo...@redhat.com wrote:

On 09/10/2012 11:29 AM, boden wrote:

I've been munking with the latest Keystone LDAP identity 
driver and
based on what I'm seeing the driver does not support the 
'list'

resource
based methods. For example 'list users', 'list tenants'...

For example, config your keystone.conf up to use an LDAP 
backend

which
contains the supported DIT structure for the driver and 
then fire up
keystone. Hit keystone with a GET /users or GET /tenants 
request and
500/501 errors. Switch your identity driver back to the SQL 
identity
driver and retry -- all is well and you can list users and 
tenants.


Looking at the code it appears the ldap identity driver 
does not

implement the list_*() methods (list_users(), list_roles()...)


_
Mailing list: https://launchpad.net/~__openstack
https://launchpad.net/~openstack
Post to : openstack@lists.launchpad.net
mailto:openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~__openstack
https://launchpad.net/~openstack
More help   : https://help.launchpad.net/__ListHelp
https://help.launchpad.net/ListHelp

That is correct.  I thought we already had a ticket for this one,
but it does not appear to be so.  Please go ahead and open one.

_
Mailing list: https://launchpad.net/~__openstack
https://launchpad.net/~openstack
Post to : openstack@lists.launchpad.net
mailto:openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~__openstack
https://launchpad.net/~openstack
More help   : https://help.launchpad.net/__ListHelp
https://help.launchpad.net/ListHelp




___
Mailing list: https://launchpad.net/~openstack
Post to : openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help   : https://help.launchpad.net/ListHelp



___
Mailing list: https://launchpad.net/~openstack
Post to : openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help   : https://help.launchpad.net/ListHelp


___
Mailing list: https://launchpad.net/~openstack
Post to : openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help   : https://help.launchpad.net/ListHelp



___
Mailing list: https://launchpad.net/~openstack
Post to : openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help   : https://help.launchpad.net/ListHelp



___
Mailing list: https://launchpad.net/~openstack
Post to : openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help   : https://help.launchpad.net/ListHelp

[Openstack] Cannot submit topic for Summit.

[Adam Young]

I've been through the sequence to submit a topic proposal for the summit 
a handful of times.  I submit, and it says You are not logged in.


And yes, I logged back in afterwards.



___
Mailing list: https://launchpad.net/~openstack
Post to : openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help   : https://help.launchpad.net/ListHelp

Re: [Openstack] [Keystone] LDAP integratiom

[Adam Young]

On 09/06/2012 05:23 PM, Ivan Kolodyazhny wrote:

Hi Everyone,

Keystone uses python-ldap library to communicate with LDAP server. 
There are to points where Keystone communicates with LDAP server: 
keystone.common ldap and keystone.identity.backends.ldap packages. 
According to the current Keystone architecture it is solid application 
w/o extensions or plugins. So it will be useful to add python-ldap 
library to pip-requires file. This dependency is already resolved in 
the test-requires with comment: 'Optional backend: LDAP'.


LDAP support is optional, which is why it is not currently in 
pip-requires,  but I suspect that, as it grows in visibility, it will 
make sense to include it.


It would be helpful to  report things like this as a bug and to provide 
a patch.





Best regards,
Ivan Kolodyazhny


___
Mailing list: https://launchpad.net/~openstack
Post to : openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help   : https://help.launchpad.net/ListHelp


___
Mailing list: https://launchpad.net/~openstack
Post to : openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help   : https://help.launchpad.net/ListHelp

Re: [Openstack] [Keystone] LDAP integratiom

[Adam Young]

On 09/07/2012 10:31 AM, Dolph Mathews wrote:
pip-requires/test-requires is aimed at developers and is broken up 
into two files more-so for documentation/organization purposes.


IMO, including LDAP as a dependency should be solved by real packaging 
(e.g. $ apt-get install keystone keystone-ldap).



True, and now that I think of it, I would agree that a pip-requires 
would not make sense here.


Where it would make sense is in devstack.

And I have a ticket for that already.

https://bugs.launchpad.net/devstack/+bug/1021319

My thinking is that if we add ldap to the supported list, keystone would 
be configured to use LDAP as the identity store.




-Dolph


On Fri, Sep 7, 2012 at 8:30 AM, Adam Young ayo...@redhat.com 
mailto:ayo...@redhat.com wrote:


On 09/06/2012 05:23 PM, Ivan Kolodyazhny wrote:

Hi Everyone,

Keystone uses python-ldap library to communicate with LDAP
server. There are to points where Keystone communicates with LDAP
server: keystone.common ldap and keystone.identity.backends.ldap
packages. According to the current Keystone architecture it is
solid application w/o extensions or plugins. So it will be useful
to add python-ldap library to pip-requires file. This dependency
is already resolved in the test-requires with comment: 'Optional
backend: LDAP'.


LDAP support is optional, which is why it is not currently in
pip-requires,  but I suspect that, as it grows in visibility, it
will make sense to include it.

It would be helpful to  report things like this as a bug and to
provide a patch.




Best regards,
Ivan Kolodyazhny


___
Mailing list:https://launchpad.net/~openstack  
https://launchpad.net/%7Eopenstack
Post to :openstack@lists.launchpad.net  
mailto:openstack@lists.launchpad.net
Unsubscribe :https://launchpad.net/~openstack  
https://launchpad.net/%7Eopenstack
More help   :https://help.launchpad.net/ListHelp



___
Mailing list: https://launchpad.net/~openstack
https://launchpad.net/%7Eopenstack
Post to : openstack@lists.launchpad.net
mailto:openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
https://launchpad.net/%7Eopenstack
More help   : https://help.launchpad.net/ListHelp




___
Mailing list: https://launchpad.net/~openstack
Post to : openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help   : https://help.launchpad.net/ListHelp

Re: [Openstack] [Keystone] Creating tenant failed when using ldap as identity backend: 'attribute type undefined'

[Adam Young]

Interesting.  We have this outstanding bug report 
https://code.launchpad.net/bugs/980085


I would appreciate it if you could add what you found to the bug report.




On 09/06/2012 03:50 AM, Yanping Xie wrote:

Hi, All
I have resolved this problem by add 'enabled' attribute to 
class groupOfNames of ldap schema, thanks all the same.


*attributetype ( 2.5.4.66 NAME 'enabled'*
*DESC 'RFC2256: enabled of a group'*
*EQUALITY booleanMatch*
*SYNTAX 1.3.6.1.4.1.1466.115.121.1.7*
*SINGLE-VALUE )*

objectclass ( 2.5.6.9 NAME 'groupOfNames'
DESC 'RFC2256: a group of names (DNs)'
SUP top STRUCTURAL
MUST ( member $ cn )
MAY ( businessCategory $ seeAlso $ owner $ ou $ o $ 
description $ *enabled *) )


2012/9/5 Yanping Xie irs...@gmail.com mailto:irs...@gmail.com

Hi, all

I am trying to setup keystone to use ldap as backend, but failed
on creating the first tenant.

# keystone tenant-create --name=admin
An unexpected error prevented the server from fulfilling your
request. {'info': 'enabled: attribute type undefined', 'desc':
'Undefined attribute type'} (HTTP 500)


Here is my keystone config about ldap(snippets from keystone.log):
--
ldap.tenant_member_attribute   = member
ldap.tenant_name_attribute = ou
ldap.tenant_objectclass= groupOfNames
ldap.tenant_tree_dn= ou=Group,dc=example,dc=com
ldap.url   = ldap://182.xxx.29.250
ldap.use_dumb_member   = False
ldap.user  = cn=Manager,dc=example,dc=com
ldap.user_id_attribute = cn
ldap.user_name_attribute   = sn
ldap.user_objectclass  = inetOrgPerson
ldap.user_tree_dn  = ou=User,dc=example,dc=com
--

Ldap server migration file to initialize ldap:
--
dn: dc=example,dc=com
objectClass: dcObject
objectClass: organization
dc: example
o: The Example Corporation

dn: ou=Group,dc=example,dc=com
ou: Group
objectClass: top
objectClass: organizationalUnit

dn: ou=User,dc=example,dc=com
ou: User
objectClass: top
objectClass: organizationalUnit

dn: ou=Role,dc=example,dc=com
objectClass: top
objectClass: organizationalUnit
--

Related keytone log is as follows:

---
2012-09-05 18:45:33DEBUG [keystone.common.ldap.core] LDAP
init: url=ldap://182.xxx.29.250
2012-09-05 18:45:33DEBUG [keystone.common.ldap.core] LDAP
bind: dn=cn=Manager,dc=example,dc=com
2012-09-05 18:45:33DEBUG [keystone.common.ldap.core] LDAP add:
dn=cn=7ab0c10b9fc04f89affb66e1650fc694,ou=Group,dc=example,dc=com,
attrs=[('objectClass', ['groupOfNames']), (
'enabled', ['TRUE']), ('ou', ['admin']), ('member',
['cn=dumb,dc=nonexistent'])]
2012-09-05 18:45:33ERROR [root] {'info': 'enabled: attribute
type undefined', 'desc': 'Undefined attribute type'}
Traceback (most recent call last):
  File /usr/lib/python2.6/site-packages/keystone/common/wsgi.py,
line 204, in __call__
result = method(context, **params)
  File
/usr/lib/python2.6/site-packages/keystone/identity/core.py, line
397, in create_tenant
context, tenant_ref['id'], tenant_ref)
  File
/usr/lib/python2.6/site-packages/keystone/common/manager.py,
line 47, in _wrapper
return f(*args, **kw)
  File
/usr/lib/python2.6/site-packages/keystone/identity/backends/ldap/core.py,
line 208, in create_tenant
return self.tenant.create(tenant)
  File
/usr/lib/python2.6/site-packages/keystone/identity/backends/ldap/core.py,
line 492, in create
return super(TenantApi, self).create(data)
  File
/usr/lib/python2.6/site-packages/keystone/common/ldap/core.py,
line 179, in create
conn.add_s(self._id_to_dn(values['id']), attrs)
  File
/usr/lib/python2.6/site-packages/keystone/common/ldap/core.py,
line 310, in add_s
return self.conn.add_s(dn, ldap_attrs)
  File /usr/lib64/python2.6/site-packages/ldap/ldapobject.py,
line 194, in add_s
return self.result(msgid,all=1,timeout=self.timeout)
  File /usr/lib64/python2.6/site-packages/ldap/ldapobject.py,
line 436, in result
res_type,res_data,res_msgid = self.result2(msgid,all,timeout)
  File /usr/lib64/python2.6/site-packages/ldap/ldapobject.py,
line 440, in result2
res_type, res_data, res_msgid, srv_ctrls =

Re: [Openstack] Keystone PKI support

[Adam Young]

On 09/04/2012 09:36 AM, boden wrote:

Hi,

I'm trying to better understand the current status of PKI
(http://wiki.openstack.org/PKI) and delegated authZ from a folsom
perspective. I can see the blueprint targets folsom-rc1, is marked as
implemented (https://blueprints.launchpad.net/keystone/+spec/pki) and
I've browsed some of the related code dropped into master.

However its not clear to me exactly where this PKI support stands as I
haven't found any docs on setting up the services to use it, nor am I
seeing PKI based tokens used when I run with the latest keystone code.

Is it safe to assume PKI will be supported for folsom and we will see
some updated docs in due time? If so will there be any known limitations?

Thx much


___
Mailing list: https://launchpad.net/~openstack
Post to : openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help   : https://help.launchpad.net/ListHelp


The PKI token code is very new.  As such, It has not been enabled by 
default.  There are changes that have gone in to the master branch that 
are not available on Folsom 3 that are necessary to the proper 
functioning of PKI.


I wrote to the Fedora cloud mailing list a quicjk blurb on testing them.

http://www.spinics.net/linux/fedora/fedora-cloud/msg01644.html

I will write up some more detailed steps for general usage.



___
Mailing list: https://launchpad.net/~openstack
Post to : openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help   : https://help.launchpad.net/ListHelp

Re: [Openstack] ldaps support in keystone?

[Adam Young]

On 08/22/2012 09:38 AM, Yanping Xie wrote:

Hi, all

Could I ask if ldaps is supported in keystone? I do know that ldap is 
supported in keystone, but I couldn't find any information about ladps 
support in keystone via google nor openstack doc.

Could anyone give some explicit information about that? Thanks.

Best Regards.

Yanping



___
Mailing list: https://launchpad.net/~openstack
Post to : openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help   : https://help.launchpad.net/ListHelp
LDAPS is not currently supported.  Since this is This is the second time 
I've been asked this today, I am filing a ticket for it:


https://bugs.launchpad.net/keystone/+bug/1040115
___
Mailing list: https://launchpad.net/~openstack
Post to : openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help   : https://help.launchpad.net/ListHelp

Re: [Openstack] Keyring support in openstack

[Adam Young]

On 08/22/2012 07:15 PM, Bhuvaneswaran A wrote:



On Mon, Jul 30, 2012 at 5:48 PM, Adam Young ayo...@redhat.com 
mailto:ayo...@redhat.com wrote:


On 07/30/2012 06:00 PM, Doug Hellmann wrote:



On Mon, Jul 30, 2012 at 5:30 PM, Adam Young ayo...@redhat.com
mailto:ayo...@redhat.com wrote:

On 07/30/2012 05:17 PM, Kevin L. Mitchell wrote:

On Mon, 2012-07-30 at 13:50 -0700, Bhuvaneswaran A wrote:

The wiki mentions the password being saved using
keyring.backend.UncryptedFileKeyring. Does that
mean the password is

saved

in cleartext? Is the file protected in some way
besides filesystem
permissions?

As mentioned in wiki page, the password is stored in
base64 format.

Which means it's stored in cleartext.  That is Not
Good(tm) :)

Can Keyring be used to store a token instead?  That would A)
 be better than password and B)  avoid a Keystone hit.


Don't tokens expire?



Yes, they do, but that is no reason not to put them in the keyring,

With the PKI tokens,  you will be able to query a token's expiry
without going across the wire.


Adam, can you please file a ticket to use keyring to store tokens for 
keystone? I'll work on it.

https://bugs.launchpad.net/keystone/+bug/1040361



--
Regards,
Bhuvaneswaran A
www.livecipher.com http://www.livecipher.com


___
Mailing list: https://launchpad.net/~openstack
Post to : openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help   : https://help.launchpad.net/ListHelp

Re: [Openstack] implementing custom keystone module

[Adam Young]

On 08/21/2012 05:10 PM, pat wrote:

Hello,

I want to implement custom keystone authentication module. I went through the


What are you trying to do?  There is a good chance that one of the other 
modules can be a good example.



documentation and I'm not sure where to start :-\ Please, could you point me
to specific page describing this? Thanks. And one more: please, could you
point me to document which describes relation between keystone and WSGI? And


WSGI is a standard for writing Web applicaions in Python. Keystone 
complies with the WSGI contract.  THus, while Keystone is usually run in 
the Eventlet web container, it can run in Apache HTTPD as well.  Both 
are WSGI containers.




yes, I've never used python :-)

Thanks for help.

  Pat

P.S. I've googled a lot, but keystone is too common world :-(


Google for Openstack Keystone and you will have more success.



Freehosting PIPNI - http://www.pipni.cz/


___
Mailing list: https://launchpad.net/~openstack
Post to : openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help   : https://help.launchpad.net/ListHelp



___
Mailing list: https://launchpad.net/~openstack
Post to : openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help   : https://help.launchpad.net/ListHelp

Re: [Openstack] keystone initialization problem

[Adam Young]

OK, SERVICE_TOKEN is the same as --token


You can follow the steps here:

https://access.redhat.com/knowledge/docs/en-US/Red_Hat_OpenStack_Preview/


Specifically:
https://access.redhat.com/knowledge/docs/en-US/Red_Hat_OpenStack_Preview/1/html/Getting_Started_Guide/ch02.html#id3165390
||  *|export SERVICE_TOKEN=$(openssl rand -hex 10)|*
||  *|export SERVICE_ENDPOINT=http://127.0.0.1:35357/v2.0|*
||  *|echo $SERVICE_TOKEN  /tmp/ks_admin_token|*
||  *|sudo openstack-config --set /etc/keystone/keystone.conf \|*
  *|DEFAULT admin_token $SERVICE_TOKEN|*



and that should be the admin_token value that you have.

If nothing is in the log, it probably means you have not actually hit 
the right server.




On 08/17/2012 05:47 PM, Dolph Mathews wrote:
The admin_token value from keystone.conf is not a real token; it 
exists as a string in memory and has no context, user or actual roles 
associated with it (hence it does not appear in your token table).


As for your actual issue, I don't see anything obviously wrong with 
what's below. Is logging enabled  working, otherwise? Have you tried 
verbose = True and debug = True? Have you tried running that 
command from the compute node itself, rather than over the internet 
IP? What happens when you curl / GET / whatever http://internet_ip of 
the controller node:35357/v2.0 and/or http://127.0.0.1:35357/v2.0 ?


-Dolph

On Fri, Aug 17, 2012 at 3:26 PM, Xin Zhao xz...@bnl.gov 
mailto:xz...@bnl.gov wrote:


Hello,

I newly install keystone on the RHEL6 machine, but it is not
working. The following command fails:

$ keystone --token admin_token string from keystone.conf
--endpoint http://internet_ip of the controller node:35357/v2.0
tenant-create --name openstackDemo --description Default Tenant
--enabled true

Unable to communicate with identity service: (403, 'Forbidden').
(HTTP 400)

There is no relevant log in the keystone.log file.

Here is the instruction I follow:

http://docs.openstack.org/essex/openstack-compute/install/yum/content/setting-up-tenants-users-and-roles.html

This is done on the controller node itself. I can telnet to
internet_ip of the controller node:35357. I can also
log into mysql DB as keystone user, although there is no
admin_token entry in any of the keystone tables.

Any idea what is going wrong here?

Thanks,
Xin


___
Mailing list: https://launchpad.net/~openstack
https://launchpad.net/%7Eopenstack
Post to : openstack@lists.launchpad.net
mailto:openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
https://launchpad.net/%7Eopenstack
More help   : https://help.launchpad.net/ListHelp




___
Mailing list: https://launchpad.net/~openstack
Post to : openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help   : https://help.launchpad.net/ListHelp


___
Mailing list: https://launchpad.net/~openstack
Post to : openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help   : https://help.launchpad.net/ListHelp

Re: [Openstack] The Return of Hyper-V

[Adam Young]

On 08/13/2012 11:26 AM, Peter Pouliot wrote:


Hello Everyone,

I would like to take this moment to make everyone aware of the following:

https://review.openstack.org/#/c/11276/

I would like to thank the following individuals, who have given so 
much to help this project progress to this state.  Without their 
efforts this project would be dead in the water.


Jordan Rinke: Thank you for doing the original work to bring back base 
Essex functionality and   your effort help jump start this community 
and for that I am grateful.  You are one of the original champions of 
Hyper-V.


Alessandro Pilotti (CloudBase Solutions): Thank you for all the 
tremendous amount of code you produced.   We would not have the 
feature set, unit tests or the Folsom integration without the many 
hours you graciously contributed to the project.   I am truly grateful 
for the effort  you produced.   At times I thought this project was 
going to fail.  Without your effort it most certainly would have.


Pedro Navarro Perez:  Thank you reaching out to me at the OpenStack 
summit and being the first hyper-v community member.   Your efforts on 
Volume Attach/Detach and boot from volume are greatly appreciated.  
Thank you for the collaboration with other members to test, 
troubleshoot and advance our efforts.  Your  effort over this weekend 
helping Alessandro to this point was necessary for this submission to 
occur.


Jose Castro Leon:  Jose, thank you for  your assistance testing.  
  Given all that is going on these days at CERN, you still found time 
to help us test Hyper-V.


To Vish, Monty and Stef, thank you for all of your guidance in this 
process.   Hopefully because of your help and wisdom it will be a 
quick and painless approval and integration process.


And last and most importantly:

To Hashir Abdi, my colleague at Microsoft.   I am grateful for you 
believing in this project.  From the early days in the Interop lab, 
you saw the true potential. Thank you for the hours you have spent 
making sure that this project progressed forward.   We have busy days 
ahead.


Once again, thank you everyone for your assistance.

p

Peter J. Pouliot, CISSP

Senior SDET, OpenStack

Microsoft

New England Research  Development Center

One Memorial Drive,Cambridge, MA 02142

ppoul...@microsoft.com mailto:ppoul...@microsoft.com | Tel: +1(857) 
453 6436




___
Mailing list: https://launchpad.net/~openstack
Post to : openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help   : https://help.launchpad.net/ListHelp


Well done, Peter and company.
___
Mailing list: https://launchpad.net/~openstack
Post to : openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help   : https://help.launchpad.net/ListHelp

Re: [Openstack] Keystone: 'PKI Signed Tokens' lack support for revocation

[Adam Young]

On 08/01/2012 09:19 PM, Maru Newby wrote:
I see that support for PKI Signed Tokens has been added to Keystone 
without support for token revocation.  I tried to raise this issue on 
the bug report:


https://bugs.launchpad.net/keystone/+bug/1003962/comments/4

And the review:

https://review.openstack.org/#/c/7754/

I'm curious as to whether anybody shares my concern and if there is a 
specific reason why nobody responded to my question as to why 
revocation is not required for this new token scheme.   Anybody?


I have written up a blueprint for PKI token revocation.  Please provide 
feedback.



https://blueprints.launchpad.net/keystone/+spec/pki-revoke



Thanks,


Maru




___
Mailing list: https://launchpad.net/~openstack
Post to : openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help   : https://help.launchpad.net/ListHelp




___
Mailing list: https://launchpad.net/~openstack
Post to : openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help   : https://help.launchpad.net/ListHelp

Re: [Openstack] Keystone: 'PKI Signed Tokens' lack support for revocation

[Adam Young]

On 08/02/2012 10:54 PM, Nathanael Burton wrote:


Adam,

I haven't yet had a chance to review how the new PKI signed tokens is 
implemented, but what you're describing sounds quite similar to online 
certificate status protocol (OCSP) but for tokens.




Yes, I don't really have new idea here, just reimplementaiton of ideas 
from other projects.



Nate

On Aug 2, 2012 10:24 PM, Adam Young ayo...@redhat.com 
mailto:ayo...@redhat.com wrote:


On 08/01/2012 11:05 PM, Maru Newby wrote:

Hi Adam,

I apologize if my questions were answered before.  I wasn't aware
that what I perceive as a very serious security concern was
openly discussed.  The arguments against revocation support, as
you've described them, seem to be:

 - it's complicated/messy/expensive to implement and/or execute
 - Kerberos doesn't need it, so why would we?

I'm not sure why either of these arguments would justify the
potential security hole that a lack of revocation represents, but
I suppose a 'short enough' token lifespan could minimize that
hole.  But how short a span are you suggesting as being acceptable?

The delay between when a user's access permissions change
(whether roles, password or even account deactivation) and when
the ticket reflects that change is my concern.  The default in
Keystone has been 24h, which is clearly too long.  Something on
the order of 5 minutes would be ideal, but then ticket issuance
could become the bottleneck.  Validity that's much longer could
be a real problem, though.  Maybe not at the cloud administration
level, but for a given project I can imagine someone being fired
and their access being revoked.  How long is an acceptable period
for that ticket to still be valid?  How much damage could be done
by someone who should no longer have access to an account if
their access cannot be revoked, by anyone, at all?



I realize that I had been thinking about the revocation list as
something that needs to be broadcast.  This is certainly not the case.

A much better approach would be for the Keystone server to have a
list of revoked tokens exposed in an URL.  Then, as service like
Glance or Nova can query the Revocation list on a simple
schedule.  The time out would be configurable, of course.

There is a question about what to do if the keystone server cannot
be reached during that interval.  Since the current behavior is
for authentication to fail,  I suppose we would continue doing
that,  but also wait a random amount of time and then requery the
Keystone server.

In the future, I would like to make the set of Keystone servers a
configurable list, and the policy for revocation checking should
be able to vary per server:  some Keystone servers in a federated
approach might not be accessible.  In those cases,  it might be
necessary for one Keystone server to proxy the revocation list for
another server.

Let me know if this scheme makes sense to you.  If so, we can
write it up as an additional blueprint.  It should not be that
hard to implement.




I'm hearing that you, as the implementer of this feature, don't
consider the lack of revocation to be an issue.  What am I
missing?  Is support for revocation so repugnant that the
potential security hole is preferable?  I can see that from a
developer's perspective, but I don't understand why someone
deploying Keystone wouldn't avoid PKI tokens until revocation
support became available.

Thanks,


Maru


On 2012-08-01, at 9:47 PM, Adam Young wrote:


On 08/01/2012 09:19 PM, Maru Newby wrote:

I see that support for PKI Signed Tokens has been added to
Keystone without support for token revocation.  I tried to
raise this issue on the bug report:

https://bugs.launchpad.net/keystone/+bug/1003962/comments/4

And the review:

https://review.openstack.org/#/c/7754/

I'm curious as to whether anybody shares my concern and if
there is a specific reason why nobody responded to my question
as to why revocation is not required for this new token scheme.
  Anybody?


It was discussed back when I wrote the Blueprint.  While it is
possible to do revocations with PKI,  it is expensive and
requires a lot of extra checking.  Revocation is a policy
decision, and the assumption is that people that are going to
use PKI tokens are comfortable with out revocation.  Kerberos
service tickets have the same limitation, and Kerberos has been
in deployment that way for close to 25 years.

Assuming that PKI ticket lifespan is short enough,  revocation
should not be required.  What will be tricky is to balance the
needs of long lived tokens (delayed operations, long running
operations) against the needs for reasonable token timeout.

PKI Token revocation would look like CRLs

Re: [Openstack] Keystone: 'PKI Signed Tokens' lack support for revocation

[Adam Young]

On 08/02/2012 01:56 AM, Joseph Heck wrote:

Hey Maru,

I think you're putting too many words in Adam's mouth here. First, 
Adam didnt assert is wasnt valuable, useful, or nessecary - simply 
that it wasnt in the first cut and not in the list that we agreed was 
critically essential to an initial implementation. As you noted, its a 
complex and somewhat tricky issue to get right.


There's always room for more participation to correct the flaws you 
see in the existing system - the beauty of open source. I would love 
to see continued work on the signing and revocation work to drive in 
these features that mean so much to you.  I'd be happy to open a 
blueprint if you can stand behind it, define what you think it 
required, and commit to the work to implement that revocation mechanism.


Implying negative emotions on Adam's part when he's been one driving 
the implementation and doing the work is simply inappropriate. Please 
consider the blueprint route, definition of a viable solution, and 
work to make it happen instead of name calling and asserting how the 
developers doing the work are screwing up.


Thanks for the support Joe.  I don't think Maru was being too harsh.  So 
long as he doesn't start calling me Sir as that is always an followed 
by you are making a scene.


- joe

On Aug 1, 2012, at 8:05 PM, Maru Newby mne...@internap.com 
mailto:mne...@internap.com wrote:

Hi Adam,

I apologize if my questions were answered before.  I wasn't aware 
that what I perceive as a very serious security concern was openly 
discussed.  The arguments against revocation support, as you've 
described them, seem to be:


 - it's complicated/messy/expensive to implement and/or execute
 - Kerberos doesn't need it, so why would we?

I'm not sure why either of these arguments would justify the 
potential security hole that a lack of revocation represents, but I 
suppose a 'short enough' token lifespan could minimize that hole. 
 But how short a span are you suggesting as being acceptable?


The delay between when a user's access permissions change (whether 
roles, password or even account deactivation) and when the ticket 
reflects that change is my concern.  The default in Keystone has been 
24h, which is clearly too long.  Something on the order of 5 minutes 
would be ideal, but then ticket issuance could become the bottleneck. 
 Validity that's much longer could be a real problem, though.  Maybe 
not at the cloud administration level, but for a given project I can 
imagine someone being fired and their access being revoked.  How long 
is an acceptable period for that ticket to still be valid?  How much 
damage could be done by someone who should no longer have access to 
an account if their access cannot be revoked, by anyone, at all?


I'm hearing that you, as the implementer of this feature, don't 
consider the lack of revocation to be an issue.  What am I missing? 
 Is support for revocation so repugnant that the potential security 
hole is preferable?  I can see that from a developer's perspective, 
but I don't understand why someone deploying Keystone wouldn't avoid 
PKI tokens until revocation support became available.
I think you have valid concerns.  Realistically, I think 5 minutes is 
too short,  and for many operations, 24 hours would be the right 
granularity.  However,  The timespan of the tokens is configurable, and 
the policy of the deploying organization should dictate.


Remember, this is the administrative interface for virtual machines, and 
not the applications running in them.  Removing someone from access to 
creating/rebooting/destroying virtual machines is a much more deliberate 
decision than banning someone from a public forum.  Aside from someone 
getting fired, I am not sure how essential it is that we have rapid 
revocation of tokens.  And firing someone is usually part of the whole 
escort from the building  routine.


So, let me put the onus on you:  make the argument for rapid revocation 
of tokens.





Thanks,


Maru


On 2012-08-01, at 9:47 PM, Adam Young wrote:


On 08/01/2012 09:19 PM, Maru Newby wrote:
I see that support for PKI Signed Tokens has been added to Keystone 
without support for token revocation.  I tried to raise this issue 
on the bug report:


https://bugs.launchpad.net/keystone/+bug/1003962/comments/4

And the review:

https://review.openstack.org/#/c/7754/

I'm curious as to whether anybody shares my concern and if there is 
a specific reason why nobody responded to my question as to why 
revocation is not required for this new token scheme.   Anybody?


It was discussed back when I wrote the Blueprint.  While it is 
possible to do revocations with PKI,  it is expensive and requires a 
lot of extra checking.  Revocation is a policy decision, and the 
assumption is that people that are going to use PKI tokens are 
comfortable with out revocation.  Kerberos service tickets have the 
same limitation, and Kerberos has been in deployment that way for 
close to 25

[Openstack] Fwd: Re: Keystone: 'PKI Signed Tokens' lack support for revocation

[Adam Young]

Origianlly respoded just to Christopher.  Forwarding this on to a the 
main list.


First of all, let me say thanks to everyone participating in the 
discussion. This is the only way we are going to identify all of the 
issues and come up with a decent implementation. I knew this would be a 
touchy subject when we first started designing it, and suspected that it 
would take some form of commit before the discussion hit the majority of 
the community.



On 08/02/2012 02:20 PM, Christopher MacGown wrote:

On Thursday, August 2, 2012 at 6:59 AM, Adam Young wrote:


So, let me put the onus on you:  make the argument for rapid 
revocation of tokens.
If you are deploying OpenStack and providing access to third parties, 
and for whatever reason you terminate a relationship with that third 
party — whether they cancel, you've banned them, you've removed a user 
from a tenant/project — you want that third party to immediately lose 
access to whatever capability they had prior to that termination. 
Leaving non-affiliated users with access to resources is a serious 
security risk that would make OpenStack  unusable in a regulated 
environment.


In those cases, you probably want to continue on with online token 
checking,  regardless of UUID/PKI.  That ability will not go away.  We 
probably do need a configuration option for auth_token that indicates 
whether it should verify with PKI or not,  but my guess is that the real 
policy will be dictated by keystone. Perhaps what we really need is for 
the remote services to query this value from the keystone server.  It 
could do the check when it origianally fetches certificates.  The 
certificates themselves could be shorter lived (say 24 hours) and 
refreshed when they expire.


Automatic Management of the certificates probably should also be 
configurable, with many organizations preferring to use Puppet etc.


I suspect that we are going to want a more nuanced policy/mechanism long 
term,  something along the lines of:


Tenant specific PKI tickets are short lived, say 5 minutes.
Non-tenant specific tickets are used to get tenant specific tickets.
Long running tasks will call back to Keystone to verify ticket validity 
using  UUID tokens.



If we start doing something along the lines of Federation as I've started
https://blueprints.launchpad.net/keystone/+spec/federation
You would also have the option of revoking the signing certificate for a 
whole domain,  which would be an effective way to deny access to a swath 
of people, say on a breach of contract.


In large organziations, there is always going to be some non-zero delay 
between the decision to  revocation authorization and the implementation 
of that decision.  With LDAP replication,  at a minimum you have the 
replication delay.  The question is what that acceptable delay is in a 
given scenario.  It may not be the same even for all use cases even in a 
large organization.







--
Christopher MacGown, CTO
Piston Cloud Computing, Inc.
w: (650) 24-CLOUD
m: (415) 300-0944
http://www.pistoncloud.com




___
Mailing list: https://launchpad.net/~openstack
Post to : openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help   : https://help.launchpad.net/ListHelp

Re: [Openstack] Keystone: 'PKI Signed Tokens' lack support for revocation

[Adam Young]

On 08/01/2012 11:05 PM, Maru Newby wrote:

Hi Adam,

I apologize if my questions were answered before.  I wasn't aware that 
what I perceive as a very serious security concern was openly 
discussed.  The arguments against revocation support, as you've 
described them, seem to be:


 - it's complicated/messy/expensive to implement and/or execute
 - Kerberos doesn't need it, so why would we?

I'm not sure why either of these arguments would justify the potential 
security hole that a lack of revocation represents, but I suppose a 
'short enough' token lifespan could minimize that hole.  But how short 
a span are you suggesting as being acceptable?


The delay between when a user's access permissions change (whether 
roles, password or even account deactivation) and when the ticket 
reflects that change is my concern.  The default in Keystone has been 
24h, which is clearly too long.  Something on the order of 5 minutes 
would be ideal, but then ticket issuance could become the bottleneck. 
 Validity that's much longer could be a real problem, though.  Maybe 
not at the cloud administration level, but for a given project I can 
imagine someone being fired and their access being revoked.  How long 
is an acceptable period for that ticket to still be valid?  How much 
damage could be done by someone who should no longer have access to an 
account if their access cannot be revoked, by anyone, at all?



I realize that I had been thinking about the revocation list as 
something that needs to be broadcast.  This is certainly not the case.


A much better approach would be for the Keystone server to have a list 
of revoked tokens exposed in an URL.  Then, as service like Glance or 
Nova can query the Revocation list on a simple schedule.  The time out 
would be configurable, of course.


There is a question about what to do if the keystone server cannot be 
reached during that interval.  Since the current behavior is for 
authentication to fail,  I suppose we would continue doing that,  but 
also wait a random amount of time and then requery the Keystone server.


In the future, I would like to make the set of Keystone servers a 
configurable list, and the policy for revocation checking should be able 
to vary per server:  some Keystone servers in a federated approach might 
not be accessible.  In those cases,  it might be necessary for one 
Keystone server to proxy the revocation list for another server.


Let me know if this scheme makes sense to you.  If so, we can write it 
up as an additional blueprint.  It should not be that hard to implement.





I'm hearing that you, as the implementer of this feature, don't 
consider the lack of revocation to be an issue.  What am I missing? 
 Is support for revocation so repugnant that the potential security 
hole is preferable?  I can see that from a developer's perspective, 
but I don't understand why someone deploying Keystone wouldn't avoid 
PKI tokens until revocation support became available.


Thanks,


Maru


On 2012-08-01, at 9:47 PM, Adam Young wrote:


On 08/01/2012 09:19 PM, Maru Newby wrote:
I see that support for PKI Signed Tokens has been added to Keystone 
without support for token revocation.  I tried to raise this issue 
on the bug report:


https://bugs.launchpad.net/keystone/+bug/1003962/comments/4

And the review:

https://review.openstack.org/#/c/7754/

I'm curious as to whether anybody shares my concern and if there is 
a specific reason why nobody responded to my question as to why 
revocation is not required for this new token scheme.   Anybody?


It was discussed back when I wrote the Blueprint.  While it is 
possible to do revocations with PKI,  it is expensive and requires a 
lot of extra checking.  Revocation is a policy decision, and the 
assumption is that people that are going to use PKI tokens are 
comfortable with out revocation.  Kerberos service tickets have the 
same limitation, and Kerberos has been in deployment that way for 
close to 25 years.


Assuming that PKI ticket lifespan is short enough,  revocation should 
not be required.  What will be tricky is to balance the needs of long 
lived tokens (delayed operations, long running operations) against 
the needs for reasonable token timeout.


PKI Token revocation would look like CRLs in the Certificate world.  
While they are used, they are clunky.  Each time a token gets 
revoked, a blast message would have to go out to all registered 
parties informing them of the revocation.  Keystone does not yet have 
a message queue interface, so doing that is prohibitive in the first 
implementation.


Note that users can get disabled, and token chaining will no longer 
work:  you won't be able to use a token to get a new token from Keystone.





Thanks,


Maru




___
Mailing list:https://launchpad.net/~openstack
Post to :openstack@lists.launchpad.net
Unsubscribe :https://launchpad.net/~openstack
More help   :https://help.launchpad.net

Re: [Openstack] Keystone: 'PKI Signed Tokens' lack support for revocation

[Adam Young]

On 08/01/2012 09:19 PM, Maru Newby wrote:
I see that support for PKI Signed Tokens has been added to Keystone 
without support for token revocation.  I tried to raise this issue on 
the bug report:


https://bugs.launchpad.net/keystone/+bug/1003962/comments/4

And the review:

https://review.openstack.org/#/c/7754/

I'm curious as to whether anybody shares my concern and if there is a 
specific reason why nobody responded to my question as to why 
revocation is not required for this new token scheme.   Anybody?


It was discussed back when I wrote the Blueprint.  While it is possible 
to do revocations with PKI,  it is expensive and requires a lot of extra 
checking.  Revocation is a policy decision, and the assumption is that 
people that are going to use PKI tokens are comfortable with out 
revocation.  Kerberos service tickets have the same limitation, and 
Kerberos has been in deployment that way for close to 25 years.


Assuming that PKI ticket lifespan is short enough,  revocation should 
not be required.  What will be tricky is to balance the needs of long 
lived tokens (delayed operations, long running operations) against the 
needs for reasonable token timeout.


PKI Token revocation would look like CRLs in the Certificate world.  
While they are used, they are clunky.  Each time a token gets revoked, a 
blast message would have to go out to all registered parties informing 
them of the revocation.  Keystone does not yet have a message queue 
interface, so doing that is prohibitive in the first implementation.


Note that users can get disabled, and token chaining will no longer 
work:  you won't be able to use a token to get a new token from Keystone.





Thanks,


Maru




___
Mailing list: https://launchpad.net/~openstack
Post to : openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help   : https://help.launchpad.net/ListHelp


___
Mailing list: https://launchpad.net/~openstack
Post to : openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help   : https://help.launchpad.net/ListHelp

Re: [Openstack] Hiding complexity of paste config files from operators

[Adam Young]

On 07/30/2012 05:12 AM, Thierry Carrez wrote:

Lorin Hochstein wrote:

I wanted to discuss the usability of the paste config files from an
operator's point of view. The paste config files are opaque to
administrators who are trying to stand an OpenStack cloud for the first
time, since they expose a lot of implementation details about the
middleware. I can follow the instructions in the Install and Deploy
guide, but I have no idea what the options I don't edit are, and if the
documentation has deviated from the implementation, I'm pretty much stuck.
[...]

This was mentioned in the Making configuration easier session on the
DevOps track at the last design summit. You can find the notes at:

http://etherpad.openstack.org/FolsomMakingConfigurationEasier

In particular, it was identified that paste configs were evil, failing
to properly separate service/code configuration from end-user configuration.


Assuming that the *-paste.ini files always need to be there, is there some way 
we could avoid requiring admins to edit these files, and instead make it more 
like editing the .conf files? For example, could the paste.ini files be 
generated from the corresponding .conf file as needed?

I would not assume that *-paste.ini files always need to be there...
Paste is a pain point if we are to support Python 3 one day, so it's
also on the black list of the (still inexistant) OpenStack Python3
advocacy group.

So I'd rather investigate a solution that solves our two problems,
rather than adding a layer on top of the current broken solution... That
said I'm not really a specialist of Paste alternatives.

It seems to me that there is nothing that you can do in Paste that you 
cannot do in straight python.  THe advantage of Paste is hat it is 
viewed as a Config file, not as code and thus is a file that end 
system administrators can use.



A paste file is nothing more than an assignment to a variable name from 
a string that is  done at run time.  For example,   the Keystone config 
file has a paste fragment in it:


[app:public_version_service]
paste.app_factory = keystone.service:public_version_app_factory



This same code could be performed inside the Python code base with 
pretty much the same code interpred as Python.  The issue is that we 
would then want to allow a value such as this to be overridden:


For example, specifying the driver for the token api is done:

[token]
 driver = keystone.token.backends.kvs.Token

Since most of these cases have reasonable defaults,  they should be left 
out of the paste files.  What needs to be available is solid 
documentation of the values that can be overridden this way.  Any keys 
that are not defaulted,  but are not really designed to be overloaded 
should be modified so that they are defaulted, and then the keys removed 
from the paste file.






___
Mailing list: https://launchpad.net/~openstack
Post to : openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help   : https://help.launchpad.net/ListHelp

Re: [Openstack] Keyring support in openstack

[Adam Young]

On 07/30/2012 05:17 PM, Kevin L. Mitchell wrote:

On Mon, 2012-07-30 at 13:50 -0700, Bhuvaneswaran A wrote:

The wiki mentions the password being saved using
keyring.backend.UncryptedFileKeyring. Does that mean the password is

saved

in cleartext? Is the file protected in some way besides filesystem
permissions?

As mentioned in wiki page, the password is stored in base64 format.

Which means it's stored in cleartext.  That is Not Good(tm) :)
Can Keyring be used to store a token instead?  That would A)  be better 
than password and B)  avoid a Keystone hit.



___
Mailing list: https://launchpad.net/~openstack
Post to : openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help   : https://help.launchpad.net/ListHelp

Re: [Openstack] Performing HPCC Benchmark on OpenStack Cloud

[Adam Young]

On 07/30/2012 10:22 AM, Reza Bakhshayeshi wrote:

Hi

I want to run HPCC benchmark on OpenStack cloud, I want you to help me 
to make the results more real.

How can we impute the results to OpenStack and not to my computers?
Do I really need a server farm to perform the test?
And I think I have to run for example HPL on running instances and not 
on the main servers, is this correct?


Please suggest me more rules and conditions.

Best Regards


___
Mailing list: https://launchpad.net/~openstack
Post to : openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help   : https://help.launchpad.net/ListHelp
You need to to an apples-to-apples comparison.  Using the same hardware, 
and a different deployment mechanism, perhaps Rocks.

https://wiki.rocksclusters.org/wiki/index.php/Main_Page

You need a low latency interconnect, like Infiniband in order for the 
results to really mean much more than Yes it runs.
___
Mailing list: https://launchpad.net/~openstack
Post to : openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help   : https://help.launchpad.net/ListHelp

Re: [Openstack] Keyring support in openstack

[Adam Young]

On 07/30/2012 06:00 PM, Doug Hellmann wrote:



On Mon, Jul 30, 2012 at 5:30 PM, Adam Young ayo...@redhat.com 
mailto:ayo...@redhat.com wrote:


On 07/30/2012 05:17 PM, Kevin L. Mitchell wrote:

On Mon, 2012-07-30 at 13:50 -0700, Bhuvaneswaran A wrote:

The wiki mentions the password being saved using
keyring.backend.UncryptedFileKeyring. Does that mean
the password is

saved

in cleartext? Is the file protected in some way
besides filesystem
permissions?

As mentioned in wiki page, the password is stored in
base64 format.

Which means it's stored in cleartext.  That is Not Good(tm) :)

Can Keyring be used to store a token instead?  That would A)  be
better than password and B)  avoid a Keystone hit.


Don't tokens expire?



Yes, they do, but that is no reason not to put them in the keyring,

With the PKI tokens,  you will be able to query a token's expiry without 
going across the wire.






Doug



___
Mailing list: https://launchpad.net/~openstack
Post to : openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help   : https://help.launchpad.net/ListHelp

Re: [Openstack] [keystone] Multi-tenants per user, authentication tokens and global roles

[Adam Young]

On 07/26/2012 08:30 PM, Ryan Lane wrote:

I'm working on upgrading to essex, which means I need to start using
keystone. My use case seems to not fit keystone very well, though...

In my environment, one user can be a member of many projects (some
users are in up to 20-30 projects). Management of projects is done
nearly completely though the web interface, and users may work on
resources in multiple projects at the same time. Our web interface can
show all or a subset of user's project's resources in the same view.

In Nova, using the EC2 API, I could query all resources for a user on
their behalf using an admin user, or I could use their access/secret
key and change the tenant for requesting each project.

From what I can tell in Keystone, when a user authenticates, they get
a token directly linked with a tenant. If I want to do API calls on a
user's behalf in a tenant, I must authenticate them for that tenant.
It seems there's no way for me to make requests on a user's behalf for
multiple projects without authenticating them for every single tenant.
Is this the case? Is there any way for me to handle this? I'd really
like to avoid authenticating a user 30 times on login, then needing to
store all 30 of their tokens.


Not in Essex.  When we discussed the Domains blueprint,  one issue that 
I brought up was nested groups/projects.  That would solve your 
problem.  It is not currently being developed.




I have another issue as well. My environment is meant to be integrated
and more of a private-style cloud. We have a group of administrators
that should be able to manage all instances, networks, etc. In Nova's
auth there were global groups. In Keystone there are no global groups.
Will this ever be added into keystone? It's really annoying to need to
constantly add/remove ourselves from projects to manage them.
Again, this is really a group nesting problem.  I am not sure if the 
domain blueprint would help you out here:

https://review.openstack.org/#/c/8114/
https://blueprints.launchpad.net/keystone/+spec/keystone-domains
http://etherpad.openstack.org/keystone-domains



- Ryan

___
Mailing list: https://launchpad.net/~openstack
Post to : openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help   : https://help.launchpad.net/ListHelp




___
Mailing list: https://launchpad.net/~openstack
Post to : openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help   : https://help.launchpad.net/ListHelp

Re: [Openstack] [Keystone] Quotas: LDAP Help

[Adam Young]

On 07/25/2012 10:19 AM, Ionuț Arțăriși wrote:

On 07/17/2012 11:33 PM, Joseph Heck wrote:
That's the general area I was going to head with the Active Directory 
backend I'm hacking on. Chris Hoge of UOregon presented today (@ 
OSCON) on a local keystone hack that they did to enable LDAP AuthN + 
a fail back to SQL based system for their scientific computing 
cluster - follows a very similar model.


-joe

On Jul 17, 2012, at 2:16 PM, Tim Bell tim.b...@cern.ch wrote:
+1 The corporate LDAP should be read-only for a source of user, 
roles and

attributes. Updating the corporate LDAP is not an option in many
environments which can significantly benefit from the structured 
directory

information available.

Thus, at minimum, allow a r/o LDAP and local DB store for any openstack
specific information that needs updating.

Tim


-Original Message-
From: openstack-bounces+tim.bell=cern...@lists.launchpad.net
[mailto:openstack-bounces+tim.bell=cern...@lists.launchpad.net] On 
Behalf

Of Ryan Lane
Sent: 17 July 2012 20:43
To: Adam Young
Cc: Joseph Heck; openstack
Subject: Re: [Openstack] [Keystone] Quotas: LDAP Help


I haven't been thinking about quotas, so bear with me here. A few

thoughts:
Certain deployments might not be able to touch the LDAP backend.  
I am

thinking specifically where there is a corporate AD/LDAP server.  I
tried to keep the scheme dependency simple enough that it could be
layered onto a read-only scenario.  If we put quotas into LDAP,  it
might break on those deployments.


Many, many deployments won't be able to. Applications should generally
assume they are read-only in regards to LDAP.


I can see that we don't want to define them in the Nova database, as
Swift might not have access to that, and swift is going to be one of
the primary consumers of Quotas.  I am Assuming Quantum will have 
them

as well.

As you are aware, there is no metadata storage in the LDAP driver,
instead it is generated from the tenant and role information on the
fly.  There is no place to store metadata in groupOfNames which is
the lowest( common
denominator) grouping used for Tenants.  Probably the most correct
thing to do would be to use a seeAlso  that points to where the
quota data is stored.


Let's try not to force things into attributes if possible.

When LDAP is used, is the SQL backend not used at all? Why not 
store quota

info in Keystone's SQL backend, but pull user info from LDAP, when

enabled?

We should only consider storing something in LDAP if it's going to be

reused
by other applications. LDAP has a strict schema for exactly this 
purpose.

If the
quota information isn't directly usable by other applications we 
shouldn't

store it in LDAP.

Many applications with an LDAP backend also have an SQL backend, 
and use
the SQL as primary storage for most things, and as a cache for 
LDAP, if

it's

used. I think this is likely a sane approach here, as well.

- Ryan

___



Hi,

I just wanted to add a bit to this thread. We're currently working on 
a hybrid backend between LDAP and SQL. I have a working version for a 
specific setup in which the user accounts are stored in LDAP, but 
tenants and roles are all stored in SQL together with other openstack 
user accounts such as the nova admin account.


I basically just Frankensteined the two backends together for user 
processing and left everything else to be handled by the SQL backend. 
I'd like to hear other people's opinion on this or alternative 
implementations.


Are tenants completely in the SQL DB?  If so, how to you list tenants 
for a given user?


Do you copy users from LDAP to SQL for anything?




https://gist.github.com/3176390

-Ionuț

___
Mailing list: https://launchpad.net/~openstack
Post to : openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help   : https://help.launchpad.net/ListHelp




___
Mailing list: https://launchpad.net/~openstack
Post to : openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help   : https://help.launchpad.net/ListHelp

Re: [Openstack] 回复： Keystone client could not behave well, call for help

[Adam Young]

On 07/22/2012 09:12 AM, 延生 付 wrote:

reply: 'HTTP/1.1 503 Service Unavailable\r\n'


This seems to be the main problem.  The error message /string indices 
must be integers, not str /seems to be a bug in trying to parse the 
error page.
___
Mailing list: https://launchpad.net/~openstack
Post to : openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help   : https://help.launchpad.net/ListHelp

Re: [Openstack] Identity API v3 - Why allow multi-tenant users?

[Adam Young]

The idea of a Domain is that it is a single administrative entity, such 
as a company.


When a person joins a company,  they get an email adddress.  THat 
address does not change regardless of the position they hold.


Tenants are administrative groupings below that.  It is unfortunate that 
we used the name tenants for this, as it actually contradicts the usual 
meaning of the term.  We will be shortly switching back to using the 
term projects, and I think that is clearer.



It certainly makes sense for a user to belong to one domain, but have 
access to a project controlled in another domain.  Here is a scenario.  
Joe's Sporting Goods and Local Bank are both companies that have a 
presense in a coud provider. Each has their own domain.  
t...@localbank.com  is going to set up a Point of Sale system for Joe.  
So Joe creates a project called joes-point-of-sale and provides access 
to user t...@localbank.com.





On 07/18/2012 02:46 AM, Matt Joyce wrote:
I could see service users and security / operations teams having a 
need to span many domains.


-Matt

On Tue, Jul 17, 2012 at 11:24 PM, Tim Bell tim.b...@cern.ch 
mailto:tim.b...@cern.ch wrote:


I thought that the v3 API supports domains as a group of tenants
which would make the question rather different.

Thus, I guess the question is

A.Should there be users in multiple tenants in a single domain ?

B.Should there be users in multiple domains ?

There are clear use cases for A (such as researchers working on
multiple projects sharing project quotas)

For B, it is less clear as if I am a domain administrator, I do
not want to be told that I cannot allocate user X since another
domain has already taken it. On the other hand, there is a clear
architectural benefit from having the concept of identity (and
authentication) split off from roles and projects.

Tim

*From:*openstack-bounces+tim.bell=cern...@lists.launchpad.net
mailto:cern...@lists.launchpad.net
[mailto:openstack-bounces+tim.bell
mailto:openstack-bounces%2Btim.bell=cern...@lists.launchpad.net
mailto:cern...@lists.launchpad.net] *On Behalf Of *John Postlethwait
*Sent:* 18 July 2012 07:42
*To:* Rouault, Jason (Cloud Services)
*Cc:* openstack@lists.launchpad.net
mailto:openstack@lists.launchpad.net


*Subject:* Re: [Openstack] Identity API v3 - Why allow
multi-tenant users?

Forcing a user to remember different usernames and/or passwords
for each project they are a part of, when it is possible they are
part of N projects, really isn't an acceptable option in my opinion.

I believe that regardless of the engineering complexities, the end
users shouldn't have to feel pain in order to make engineering the
solutions and features they interact with easier. Software is for
end users (in their various forms) and as such we need to take
that into account when we make decisions. While no functionality
is lost per se, there is a major end-user impact, and that should
be reason enough to implement it...

John Postlethwait

Nebula, Inc.

206-999-4492 tel:206-999-4492

On Tuesday, July 17, 2012 at 4:15 PM, Rouault, Jason (Cloud
Services) wrote:

One benefit is the user does not need to have multiple sets of
credentials to interact with multiple projects.

Jason

*From:*openstack-bounces+jason.rouault=hp@lists.launchpad.net
mailto:openstack-bounces+jason.rouault=hp@lists.launchpad.net
[mailto:openstack-bounces+jason.rouault=hp@lists.launchpad.net
mailto:hp@lists.launchpad.net] *On Behalf Of *Adam Young
*Sent:* Tuesday, July 17, 2012 11:55 AM
*To:* openstack@lists.launchpad.net
mailto:openstack@lists.launchpad.net
*Subject:* Re: [Openstack] Identity API v3 - Why allow
multi-tenant users?

On 05/29/2012 01:18 PM, Caitlin Bestler wrote:

One of the major complication I see in the API is that
users can be associated with multiple tenants.

What is the benefit of this? What functionality would be
lost if a human user merely had to use a different account
with each tenant?

There are numerous issues with multi-tenant users. For
example, if a user is associated with multiple tenants,
who resets the user's password?



___

Mailing list:https://launchpad.net/~openstack  
https://launchpad.net/%7Eopenstack

Post to :openstack@lists.launchpad.net  
mailto:openstack@lists.launchpad.net

Unsubscribe :https://launchpad.net/~openstack  
https://launchpad.net/%7Eopenstack

More help   :https://help.launchpad.net/ListHelp

Did you ever get an answer?  This has been discussed in depth

Re: [Openstack] Change user password (not admin)

[Adam Young]

On 06/06/2012 07:24 PM, Sam Morrison wrote:

Hi,

There has been a first attempt at this in keystone.

See https://review.openstack.org/#/c/7437/
And bug: https://bugs.launchpad.net/keystone/+bug/996922

It needs more work to make it secure though.


WHat do you think it needs?  Please open a bug report.  We will try to 
incorperate into the next API.


Cheers,
Sam



On Thu, Jun 7, 2012 at 7:13 AM, Kiall Mac Innes ki...@managedit.ie wrote:

On Wed, Jun 6, 2012 at 7:55 PM, Gabriel Hurley gabriel.hur...@nebula.com
wrote:

Feel free to have at it with them again. ;-)


Feel free to add my +1 next time it comes up! Users being unable to change
their own passwords simply seems wrong to me!

Thanks,
Kiall


___
Mailing list: https://launchpad.net/~openstack
Post to : openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help   : https://help.launchpad.net/ListHelp


___
Mailing list: https://launchpad.net/~openstack
Post to : openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help   : https://help.launchpad.net/ListHelp




___
Mailing list: https://launchpad.net/~openstack
Post to : openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help   : https://help.launchpad.net/ListHelp

Re: [Openstack] enforce admin_required with LDAP admin user

[Adam Young]

You need an admin token and to go against port 35357 for those types of 
operations.  A basic user does not have permission to do so.  It has 
nothing to do with LDAP.



On 05/22/2012 11:47 AM, Sharif Islam wrote:

I think my LDAP bind is working by tenant-list and user-list gives me
admin_required error.

Looks like the LDAP admin user does not have any roles. is that the issue?



# keystone discover
Keystone found at http://localhost:5000/v2.0/
 - supports version v2.0 (beta) here http://149.165.159.121:5000/v2.0/
root@i121:~# keystone service-list
++--+--+-+
| id | name | type | description |
++--+--+-+
++--+--+-+
root@i121:~# keystone user-list
No handlers could be found for logger keystoneclient.client
You are not authorized to perform the requested action: admin_required
(HTTP 403)
root@i121:~# keystone tenant-list
No handlers could be found for logger keystoneclient.client
You are not authorized to perform the requested action: admin_required
(HTTP 403)




keystone.common.ldap.core): 2012-05-22 11:36:02,263 DEBUG LDAP init: 
url=ldap://ldap.project.org
(keystone.common.ldap.core): 2012-05-22 11:36:02,263 DEBUG LDAP bind: 
dn=uid=user,ou=People,dc=project,dc=org
(keystone.common.ldap.core): 2012-05-22 11:36:02,271 DEBUG LDAP search: 
dn=ou=ostenants,dc=project,dc=org, scope=1, 
query=((member=uid=admin,ou=People,dc=project,dc=org)(objectClass=groupOfNames))
(root): 2012-05-22 11:36:02,425 DEBUG TOKEN_REF {'id': 
'dfc4b2ecexxxd014x280d91efeecda06', 'expires': datetime.datetime(2012, 5, 23, 
15, 36, 2, 274565), 'user': {'id': 'admin', 'name': 'admin'}, 'tenant': {'id': 
'admin', 'name': 'admin'}, 'metadata': {}}
(eventlet.wsgi.server): 2012-05-22 11:36:02,426 DEBUG 127.0.0.1 - - [22/May/2012 
11:36:02] POST /v2.0/tokens HTTP/1.1 200 1762 0.166139
(keystone.policy.backends.rules): 2012-05-22 11:36:02,439 DEBUG enforce 
admin_required: {'tenant_id': u'admin', 'user_id': u'admin', 'roles': []}



--sharif

___
Mailing list: https://launchpad.net/~openstack
Post to : openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help   : https://help.launchpad.net/ListHelp




___
Mailing list: https://launchpad.net/~openstack
Post to : openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help   : https://help.launchpad.net/ListHelp

Re: [Openstack] debugging a db migration script

[Adam Young]

On 07/16/2012 11:59 PM, Jim Fehlig wrote:

I'm working on a patch that adds a column to the compute_nodes table in
the nova db, but it seems my db migration script fails when calling 'db
sync' in stack.sh.  I tried running the command manually, same failure:

stack@virt71:~ /opt/stack/nova/bin/nova-manage --debug -v db
sync2012-07-16 21:42:52 DEBUG nova.utils [-] backend module
'nova.db.sqlalchemy.migration' from
'/opt/stack/nova/nova/db/sqlalchemy/migration.pyc' from (pid=19230)
__get_backend /opt/stack/nova/nova/utils.py:484
/usr/lib64/python2.6/site-packages/sqlalchemy/pool.py:681:
SADeprecationWarning: The 'listeners' argument to Pool (and
create_engine()) is deprecated.  Use event.listen().
   Pool.__init__(self, creator, **kw)
/usr/lib64/python2.6/site-packages/sqlalchemy/pool.py:159:
SADeprecationWarning: Pool.add_listener is deprecated.  Use event.listen()
   self.add_listener(l)
Command failed, please check log for more info

I can't find anything useful in any log (/var/log/*, /opt/stack/log/*).
I ran the above in strace and saw my migration script was opened and
then shortly thereafter writing of Command failed, please check log for
more info and exit(1) :).

The patch also adds a 'hypervisor_type' column to the instances table,
and that migration script succeeds!

Any hints for debugging a db migration script?

Thanks,
Jim


___
Mailing list: https://launchpad.net/~openstack
Post to : openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help   : https://help.launchpad.net/ListHelp


I just went through this with a Keystone change.  What I would suggest is:

1.  Get a blank Database.
2.  Run the DB migration without  your scripts.
3. Get the SQL you want to run to work correctly from that step.
4. Add in a Database appropriate SQL script that has exactly your SQL 
from above.

5. Run the whole migration.

Yes, it is a labor intensive and painful as it sounds.  You want to make 
sure that you have exactly the preconditions that your script expects.  
What I had to do was actually go back and modify earlier DB init code 
due to the SQL alchemy column definition changing.


Note this change:
https://review.openstack.org/#/c/7754/9/keystone/common/sql/migrate_repo/versions/001_add_initial_tables.py
I now have to explicitly create the token table to make sure it is the 
state it would be today.  Since my code had modified the token table, 
had I not done this,  by the end of stage 1 SQL processing, the 
database would have had this table in stage 2 state.


Then I Went and added a SQL script for modifying the table.  Since I was 
altering a a table without dumping the data in it, it was a non-trivial 
change that SQL Alchemy couldn't handl (AFAICT). Instead, I added a SQL 
script:

https://review.openstack.org/#/c/7754/9/keystone/common/sql/migrate_repo/versions/002_mysql_upgrade.sql

Make sure you have a comparable Downgrade script, too.

https://review.openstack.org/#/c/7754/9/keystone/common/sql/migrate_repo/versions/002_mysql_downgrade.sql


For Keystone, we run the upgrade using a stand alone executable 
keystone/bin/keystone-manage.  In nove, it looks like there is 
bin/nova-manage to do the same thing.  I am running using Eclipse and 
PyDev as my development environment, and using the integrated debugger 
to step through the code.  Makes it a lot less painful to debug.




___
Mailing list: https://launchpad.net/~openstack
Post to : openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help   : https://help.launchpad.net/ListHelp

Re: [Openstack] [Keystone] Quotas: LDAP Help

[Adam Young]

On 07/17/2012 11:18 AM, Everett Toews wrote:
On Mon, Jul 16, 2012 at 7:20 PM, Adam Young ayo...@redhat.com 
mailto:ayo...@redhat.com wrote:



Usually a Quota is a limitation on a resource.  I suspect that the
problem here is we have not nailed down the resource objects that
you would then apply a quota to.  If, for example, we were talking
about disk quotas, we could look at the LDAP schema's that are in
place for disks, automount, and so forth.  For network or CPU
quotas, the concepts don't really exist.

My immediate thought is that maybe these things are not really
Keystone quantities to manage.  Nova has the database that deals
with the actual quantities of disk and so forth.  BUt I know that
LDAP is the system of record for Hosts in many systems,  so the
Data from LDAP needs to feed into Nova somehow


I led the session on quotas at the Folsom Summit where the consensus 
was that, because this data was tied to Tenants, it should be stored 
in Keystone. We've also discussed it on the mailing list at 
http://markmail.org/message/vlk6otl2yggjeouc and 
http://markmail.org/message/7agsnjo3n4il56ar (where you'll find links 
to the Summit etherpad, spec, and blueprint).


I searched around a bit for an objectclass that handled generic quotas 
but couldn't find one. I really wouldn't want us to write our own 
objectclass either as it's simply not flexible enough. I don't think 
we want to necessarily nail down the resource objects we want to apply 
a quota to. Each OpenStack project is going to need its own quotas and 
I suspect there are going to be many additions to those quotas over 
the next 2 years so we something that can handle anything.


If we just store some JSON in the backend then that will meet our 
needs nicely. This is how metadata is stored in the SQL backend. I 
simply reused that and it was pretty effective.


Can you post your code to a GIthub repo and send out a link to the
commit so that I could take a look?  It would be much more clear
to discuss with actual code in front of me.

My branch is at https://github.com/everett-toews/keystone/tree/quotas
The SQL implementation is at 
https://github.com/everett-toews/keystone/blob/quotas/keystone/identity/backends/sql.py


Everett


I haven't been thinking about quotas, so bear with me here. A few thoughts:

Certain deployments might not be able to touch the LDAP backend.  I am 
thinking specifically where there is a corporate AD/LDAP server. I tried 
to keep the scheme dependency simple enough that it could be layered 
onto a read-only scenario.  If we put quotas into LDAP,  it might break 
on those deployments.


I'm trying to get an approach to Federation and delegation for 
Keystone.  Imagine where a company has a signing certificate that allows 
it validate the users for only their own tenancy.  In these cases, the 
end user organization then would have the ability to control their own 
quotas.


One reason to do the PKI signed tokens was to minimize the number of 
calls going to Keystone.  This adds yet another one.  The quotas could 
be added to the signed auth token, but it is already huge, I'd hate to 
cram more data in there.


A serialized object block defers a lot of problems, but they will bite 
us later.  For example, there is already a ticket for enabled  which 
does not have the text string normalized.  Doing one for Quotas misses 
validation of both resource names and the units used.  For example, are 
disk quotas in bytes, megabytes, or Gigs?  Are all of those acceptable?  
If so, how do we define which one to use.  I realize you might have 
nailed this down in your code, or at least design, but then the code is 
the contract.


This design seems to address some of those issues.
http://wiki.openstack.org/Boson

I can see that we don't want to define them in the Nova database, as 
Swift might not have access to that, and swift is going to be one of the 
primary consumers of Quotas.  I am Assuming Quantum will have them as well.


As you are aware, there is no metadata storage in the LDAP driver, 
instead it is generated from the tenant and role information on the 
fly.  There is no place to store metadata in groupOfNames which is the 
lowest( common denominator) grouping used for Tenants.  Probably the 
most correct thing to do would be to use a seeAlso  that points to 
where the quota data is stored.










___
Mailing list: https://launchpad.net/~openstack
Post to : openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help   : https://help.launchpad.net/ListHelp

Re: [Openstack] debugging a db migration script

[Adam Young]

On 07/17/2012 11:42 AM, Jim Fehlig wrote:

Hengqing Hu wrote:

There is a test in nova:

You can run run_tests.sh in your nova root like this:
./run_tests.sh -v test_migrations

Thanks for the tip!


To set a breakpoint, you can either run

python -m pdb run_tests.py  

or modify your code and put in :
import pdb; pdb.set_trace()




If there is something wrong in the migration script,
it will show up in the console.

Indeed.  And easy to fix problems once you know the errors :).

Regards,
Jim


On 07/17/2012 11:59 AM, Jim Fehlig wrote:

I'm working on a patch that adds a column to the compute_nodes table in
the nova db, but it seems my db migration script fails when calling 'db
sync' in stack.sh.  I tried running the command manually, same failure:

stack@virt71:~ /opt/stack/nova/bin/nova-manage --debug -v db
sync2012-07-16 21:42:52 DEBUG nova.utils [-] backend module
'nova.db.sqlalchemy.migration' from
'/opt/stack/nova/nova/db/sqlalchemy/migration.pyc' from (pid=19230)
__get_backend /opt/stack/nova/nova/utils.py:484
/usr/lib64/python2.6/site-packages/sqlalchemy/pool.py:681:
SADeprecationWarning: The 'listeners' argument to Pool (and
create_engine()) is deprecated.  Use event.listen().
Pool.__init__(self, creator, **kw)
/usr/lib64/python2.6/site-packages/sqlalchemy/pool.py:159:
SADeprecationWarning: Pool.add_listener is deprecated.  Use
event.listen()
self.add_listener(l)
Command failed, please check log for more info

I can't find anything useful in any log (/var/log/*, /opt/stack/log/*).
I ran the above in strace and saw my migration script was opened and
then shortly thereafter writing of Command failed, please check log for
more info and exit(1) :).

The patch also adds a 'hypervisor_type' column to the instances table,
and that migration script succeeds!

Any hints for debugging a db migration script?

Thanks,
Jim


___
Mailing list: https://launchpad.net/~openstack
Post to : openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help   : https://help.launchpad.net/ListHelp






___
Mailing list: https://launchpad.net/~openstack
Post to : openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help   : https://help.launchpad.net/ListHelp




___
Mailing list: https://launchpad.net/~openstack
Post to : openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help   : https://help.launchpad.net/ListHelp

Re: [Openstack] Identity API v3 - Why allow multi-tenant users?

[Adam Young]

On 05/29/2012 01:18 PM, Caitlin Bestler wrote:


One of the major complication I see in the API is that users can be 
associated with multiple tenants.


What is the benefit of this? What functionality would be lost if a 
human user merely had to use a different account with each tenant?


There are numerous issues with multi-tenant users. For example, if a 
user is associated with multiple tenants, who resets the user's password?




___
Mailing list: https://launchpad.net/~openstack
Post to : openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help   : https://help.launchpad.net/ListHelp

Did you ever get an answer?  This has been discussed in depth.

___
Mailing list: https://launchpad.net/~openstack
Post to : openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help   : https://help.launchpad.net/ListHelp

Re: [Openstack] [Keystone] Quotas: LDAP Help

[Adam Young]

On 07/17/2012 02:42 PM, Ryan Lane wrote:

I haven't been thinking about quotas, so bear with me here. A few thoughts:

Certain deployments might not be able to touch the LDAP backend.  I am
thinking specifically where there is a corporate AD/LDAP server.  I tried to
keep the scheme dependency simple enough that it could be layered onto a
read-only scenario.  If we put quotas into LDAP,  it might break on those
deployments.


Many, many deployments won't be able to. Applications should generally
assume they are read-only in regards to LDAP.


I can see that we don't want to define them in the Nova database, as Swift
might not have access to that, and swift is going to be one of the primary
consumers of Quotas.  I am Assuming Quantum will have them as well.

As you are aware, there is no metadata storage in the LDAP driver, instead
it is generated from the tenant and role information on the fly.  There is
no place to store metadata in groupOfNames which is the lowest( common
denominator) grouping used for Tenants.  Probably the most correct thing to
do would be to use a seeAlso  that points to where the quota data is
stored.


Let's try not to force things into attributes if possible.

When LDAP is used, is the SQL backend not used at all? Why not store
quota info in Keystone's SQL backend, but pull user info from LDAP,
when enabled?

We should only consider storing something in LDAP if it's going to be
reused by other applications. LDAP has a strict schema for exactly
this purpose. If the quota information isn't directly usable by other
applications we shouldn't store it in LDAP.

Many applications with an LDAP backend also have an SQL backend, and
use the SQL as primary storage for most things, and as a cache for
LDAP, if it's used. I think this is likely a sane approach here, as
well.

- Ryan


Yes, it is possible to use LDAP for Identity and SQL for the other 
things, like Tokens and Policy.  Quotas could be done the same way. You 
just have to extract the Quotas calls out of the Identity Provider.  It 
might make sense to go in Policy, or into its own driver.





___
Mailing list: https://launchpad.net/~openstack
Post to : openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help   : https://help.launchpad.net/ListHelp

Re: [Openstack] [INTERNAL ONLY (NDA)] Fwd: Reqs for OpenStack from Intel IT - Redhat/OpenStack discussions

[Adam Young]

On 07/17/2012 02:53 PM, Adam Young wrote:

On 07/17/2012 02:01 PM, Perry Myers wrote:

CONFIDENTIAL/INTERNAL ONLY (NDA)

Please do not forward this spreadsheet outside of this list. Please do
not talk about any of these features externally as Something Intel has
asked for.  We can talk about the features themselves upstream, but the
context of Intel asking for them needs to be kept internal.

I'd like to get input from the team on the contents of this spreadsheet.
  Specifically for each item here, I think we need to know things like:

* already a blueprint or launchpad bug for this?  Link please
* feasibility/complexity of the change (e.g. could be done for Folsom
   Milestone 3, needs to be deferred to 'G', probably not even possible
   in 'G', never going to happen)

Basically this list constitutes what Intel believes needs to be closed
from a feature gap perspective, to make OpenStack ready for the
enterprise.  And we need to be able to go back to them next week with
our thoughts on each of these items.

I don't think that we'd be expected to bear the development load of all
of this, but we'll need to be Intel's advocates here in terms of
upstream engagement.

Respond with thoughts via email on this thread and then once we've
gotten enough information captured, I can synthesize and put into the
spreadsheet so that Mark and I can go back to Intel to provide them with
feedback.

Perry



line 16 jumps out at me:   TLS everywhere.  The thing is, Eventlet 
with SSL doesn't make sense, so what should we do for a default?

One bug here: https://bugs.launchpad.net/python-keystoneclient/+bug/1012591/
I have a Patch in for Keystone HTTPD: https://review.openstack.org/#/c/9735/


line 19 On Federation...I have some ideas WRT Keystone and signing 
certs.  I'll write up my ideas in their own document.


line 20:  Multifactor is already on the bug list.

Make that Blueprint:
https://blueprints.launchpad.net/keystone/+spec/multi-factor-authn


line 21 RBAC seems to be stalled.  I can ping the driver behind it to 
see where we are.

https://blueprints.launchpad.net/keystone/+spec/rbac-keystone
http://etherpad.openstack.org/FolsomRBAC


line 22 Quota Support:  I was just looking into it.  There is a patch 
brewing for the SQL backends, but there is no clear way to map it to 
LDAP.  Not sure I agree that it should be per user:  the discussion at 
the summit started off with per user and then dropped it.

http://etherpad.openstack.org/SwiftQuotas
http://markmail.org/message/7agsnjo3n4il56ar
https://blueprints.launchpad.net/keystone/+spec/store-quota-data



line 14 OpenID  That is a one solution to SSO, but not necessarily a 
good one.










___
Mailing list: https://launchpad.net/~openstack
Post to : openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help   : https://help.launchpad.net/ListHelp

Re: [Openstack] [Keystone] API Question

[Adam Young]

On 07/17/2012 03:47 PM, Matt Joyce wrote:
As a non admin user.  Querying the keystone v2 API is there a way for 
me to get a list of the tenants that I am a member of?  Or is that 
only a v3 thing?


-Matt


 I was just looking into it, and there is no such API yet.  The 
underlying Identity provider call is get_tenants_for_user and there does 
not seem to be a route set up that calls that.


___
Mailing list: https://launchpad.net/~openstack
Post to : openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help   : https://help.launchpad.net/ListHelp

Re: [Openstack] [Keystone] API Question

[Adam Young]

On 07/17/2012 03:55 PM, Matt Joyce wrote:
On Tue, Jul 17, 2012 at 12:55 PM, Adam Young ayo...@redhat.com 
mailto:ayo...@redhat.com wrote:


On 07/17/2012 03:47 PM, Matt Joyce wrote:

As a non admin user.  Querying the keystone v2 API is there a
way for me to get a list of the tenants that I am a member of?
 Or is that only a v3 thing?

-Matt


 I was just looking into it, and there is no such API yet.  The
underlying Identity provider call is get_tenants_for_user and
there does not seem to be a route set up that calls that.



8(   --- sad panda face.

That would have been a very useful call for me right now.  I hope we 
have something by folsom ( albeit s/tenant/project/ig )


-Matt

You can try this one out:

https://github.com/admiyo/keystone/commit/997f9cb76fa908afebf434bef4905add085823ca


___
Mailing list: https://launchpad.net/~openstack
Post to : openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help   : https://help.launchpad.net/ListHelp

Re: [Openstack] [Keystone] API Question

[Adam Young]

On 07/17/2012 04:05 PM, Matt Joyce wrote:

curl -H X-Auth-Token:123456789001234http://localhost:5000/v2.0/tenants
that seems to do the trick for me for now.


Ah, I see that is hooked up to: get_tenants_for_token,  I was looking 
for the wrong API.  That then calls:  tenant_ids = 
self.identity_api.get_tenants_for_user(context, user_ref['id'])


I'm not sure that this is the right semantics for it,  but it looks like 
it does what you want.






On Tue, Jul 17, 2012 at 1:03 PM, Adam Young ayo...@redhat.com 
mailto:ayo...@redhat.com wrote:


On 07/17/2012 03:55 PM, Matt Joyce wrote:

On Tue, Jul 17, 2012 at 12:55 PM, Adam Young ayo...@redhat.com
mailto:ayo...@redhat.com wrote:

On 07/17/2012 03:47 PM, Matt Joyce wrote:

As a non admin user.  Querying the keystone v2 API is
there a way for me to get a list of the tenants that I am
a member of?  Or is that only a v3 thing?

-Matt


 I was just looking into it, and there is no such API yet.
 The underlying Identity provider call is
get_tenants_for_user and there does not seem to be a route
set up that calls that.



8(   --- sad panda face.

That would have been a very useful call for me right now.  I hope
we have something by folsom ( albeit s/tenant/project/ig )

-Matt

You can try this one out:


https://github.com/admiyo/keystone/commit/997f9cb76fa908afebf434bef4905add085823ca






___
Mailing list: https://launchpad.net/~openstack
Post to : openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help   : https://help.launchpad.net/ListHelp

Re: [Openstack] [Keystone] API Question

[Adam Young]

On 07/17/2012 06:06 PM, Matt Joyce wrote:
Anyone by any chance know how to read out the auth_token or raw_token 
that is acquired in keystoneclient when it performs a client.Client() 
Authenticate?


The token is just a UUID,  randomly generated.

In the PKI proposal, it is a base64 encoding of a Signed document in CMS 
format.




I'd love to be able to read that.  And it's totally not documented 
anywhere if it exists.


-Matt

On Tue, Jul 17, 2012 at 2:19 PM, Matt Joyce 
matt.jo...@cloudscaling.com mailto:matt.jo...@cloudscaling.com wrote:


Works for me.  =D


On Tue, Jul 17, 2012 at 1:51 PM, Dolph Mathews
dolph.math...@gmail.com mailto:dolph.math...@gmail.com wrote:

Adam speaks lies ;)

Here's a regular user requesting a list of tenants on port
5000 (notice they only get back 1 tenant):

GET http://localhost:5000/v2.0/tenants
==

X-Auth-Token: a6094f62e38c4fafa57e6edf7bd04961


200 OK
==

Status: 200
Content-Length: 133
Content-Location: http://localhost:5000/v2.0/tenants
Vary: X-Auth-Token
Date: Tue, 17 Jul 2012 20:49:16 GMT
Content-Type: application/json

{
  tenants: [
{
  enabled: true,
  description: null,
  name: my-project,
  id: 2cf2efb1da5c4d5b8c97d8055ff3b5d8
}
  ],
  tenants_links: []
}


Here's an admin API call for all tenants in the system (notice
there is an additional tenant the above user did not have
access to):

GET http://localhost:35357/v2.0/tenants
===

X-Auth-Token: ADMIN


200 OK
==

Status: 200
Content-Length: 236
Content-Location: http://localhost:35357/v2.0/tenants
Vary: X-Auth-Token
Date: Tue, 17 Jul 2012 20:49:22 GMT
Content-Type: application/json

{
  tenants: [
{
  enabled: true,
  description: null,
  name: my-project,
  id: 2cf2efb1da5c4d5b8c97d8055ff3b5d8
},
{
  enabled: true,
  description: null,
  name: project-x,
  id: 1213c2511f364264b1dfea9a56a225e0
}
  ],
  tenants_links: []
}


-Dolph

On Tue, Jul 17, 2012 at 2:55 PM, Matt Joyce
matt.jo...@cloudscaling.com
mailto:matt.jo...@cloudscaling.com wrote:

On Tue, Jul 17, 2012 at 12:55 PM, Adam Young
ayo...@redhat.com mailto:ayo...@redhat.com wrote:

On 07/17/2012 03:47 PM, Matt Joyce wrote:

As a non admin user.  Querying the keystone v2 API
is there a way for me to get a list of the tenants
that I am a member of?  Or is that only a v3 thing?

-Matt


 I was just looking into it, and there is no such API
yet.  The underlying Identity provider call is
get_tenants_for_user and there does not seem to be a
route set up that calls that.



8(   --- sad panda face.

That would have been a very useful call for me right now. 
I hope we have something by folsom ( albeit

s/tenant/project/ig )

-Matt

___
Mailing list: https://launchpad.net/~openstack
https://launchpad.net/%7Eopenstack
Post to : openstack@lists.launchpad.net
mailto:openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
https://launchpad.net/%7Eopenstack
More help   : https://help.launchpad.net/ListHelp







___
Mailing list: https://launchpad.net/~openstack
Post to : openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help   : https://help.launchpad.net/ListHelp

Re: [Openstack] Routing ReST API Calls by URL

[Adam Young]

On 07/13/2012 05:39 PM, Nathanael Burton wrote:


Dan,

Adam Young was advocating for something like this.  I don't know if a 
consensus was ever reached, but I thought it was a good idea.


https://lists.launchpad.net/openstack/msg10864.html

Nate


Dan,

Here's my proposed scheme.

http://wiki.openstack.org/URLs

I have submitted a patch for running Keystone in Apache:
https://review.openstack.org/#/c/9735/

This assumes that you put admin on https://hostname/admin
and so on.

For Nova,  there is a pretty good write up here:

http://www.rackspace.com/blog/enabling-ssl-for-the-openstack-api/


Which pretty much takes the same approach.

Glance needs some work to fit into that scheme, too, as I recall.

The Client pieces need to be flexible enough to call with the suburls.  
For example,  look at this patch:


https://review.openstack.org/#/c/7156/





On Jul 13, 2012 5:31 PM, Dan Sneddon d...@cloudscaling.com 
mailto:d...@cloudscaling.com wrote:


I am attempting to find a workable solution for the following use
case, and would like to get feedback from the community about it.

There are some situations when it is required to put a proxy in
front of multiple API endpoints and route by URL. This allows for
more flexible routing/filtering in load balancers and firewalls,
and makes it possible to differentiate between services in unified
HTTP logs. In the current OpenStack model a typical API endpoint
looks something like this:

http(s)://hostname:port/api
version/account/container/object

In essence, separate services have similar URLs, and are separated
by the port number. It is difficult to use a request-header-aware
proxy to route to a particular endpoint, since there is no clear
differentiation between service URLs if the hostname and port are
the same.

With standard HTTP, this can be handled by using several different
hostnames pointing to the same IP. This is particularly a problem
with SSL certificates, which need to match the hostname.

If the URLs contained a service identifier at the beginning of the
URL, this would allow a proxy to make decisions about where to
route requests based on the beginning of the URL, for example the
URL above would become:

http(s)://hostname:port/service/api
version/account/container/object
e.g.
https://api-host:443/compute/v2.0/...
https://api-host:443/auth/v2.0/...
etc.

It seems that the API services are compatible with this through
the use of the urlmap configuration by including both versions of
the URL:

[composite:osapi_compute]
use = call:nova.api.openstack.urlmap:urlmap_factory
/: oscomputeversions
/v1.1: openstack_compute_api_v2
/v2: openstack_compute_api_v2
/compute/: oscomputeversions
/compute/v1.1: openstack_compute_api_v2
/compute/v2: openstack_compute_api_v2

Is allowing both forms of this URL in all services likely to break
anything down the line? Does this seem like a common enough use
case that it should be considered as an addition to the default
configuration? Also, as services change (such as nova-volume being
replaced by cinder) is there a set of generic service descriptors
defined that can be used to abstract from the particular name of
the service? Some of these are obvious, like network, but it
would be nice to be consistent across versions and instances.

Thank you for your feedback,
--
Dan Sneddon
Senior Engineer, Cloudscaling
d...@cloudscaling.com mailto:d...@cloudscaling.com - @dxs on Twitter
___
Mailing list: https://launchpad.net/~openstack
https://launchpad.net/%7Eopenstack
Post to : openstack@lists.launchpad.net
mailto:openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
https://launchpad.net/%7Eopenstack
More help   : https://help.launchpad.net/ListHelp



___
Mailing list: https://launchpad.net/~openstack
Post to : openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help   : https://help.launchpad.net/ListHelp



___
Mailing list: https://launchpad.net/~openstack
Post to : openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help   : https://help.launchpad.net/ListHelp

Re: [Openstack] UnifiedCLI suggestion

[Adam Young]

On 06/28/2012 11:54 AM, Dean Troyer wrote:

On Mon, Jun 25, 2012 at 5:28 PM, Doug Hellmann
doug.hellm...@dreamhost.com wrote:

On Mon, Jun 25, 2012 at 6:19 PM, Ken Thomas k...@yahoo-inc.com wrote:

[...]

I've already submitted the keystone changes for review
(https://review.openstack.org/#/c/8958/3/keystoneclient/shell.py) and I'd be
happy to make the same change to UnifiedCLI as well.

Thanks, Ken! That sounds like a good change to make. If you add me as a
reviewer on the patch, I'll make sure to look at the changes.

I created a blueprint for this:
https://blueprints.launchpad.net/python-openstackclient/+spec/password-prompt
linking back to the keystone blueprint.  That looks like a good
solution.

Thanks Ken
dt

Probably would be better to have a deliberate command line flag for it, 
so automated scripts don't hang.


Something like --prompt


___
Mailing list: https://launchpad.net/~openstack
Post to : openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help   : https://help.launchpad.net/ListHelp

Re: [Openstack] [Keystone] Quotas: LDAP Help

[Adam Young]

On 07/16/2012 07:31 PM, Everett Toews wrote:

Hi All,

I've got a working implementation of quotas in Keystone. However it's 
only working for the KVS and SQL backends right now and I need it to 
work with LDAP before submitting it for review. I have limited 
experience with LDAP and only from an ops perspective, I've never 
developed any application code against an LDAP backed app, so I'm here 
asking for help.


My original plan was to just piggy back on the metadata code in the 
LDAP backend (like I did with SQL). But, as you can see from 
get_metadata [1] and create_metadata [2], it's not really there. Since 
that's not possible I'll need to build something myself but I'm not 
too sure what's the best way to go about doing that. Based on a bit of 
research, I've come up with a couple of options.


Option 1 - Separate Quota ou

Looking at ldap/core.py, I could create a new QuotaApi class with the 
fields


DEFAULT_OU = 'ou=Quota'
DEFAULT_STRUCTURAL_CLASSES = []
DEFAULT_OBJECTCLASS = '???'
DEFAULT_ID_ATTR = 'cn'
DEFAULT_MEMBER_ATTRIBUTE = 'cn'
options_name = 'quota'
attribute_mapping = {'quota': 'cn'}
model = models.Quota

The idea being that quota information is an ou associated with a 
tenant (somehow). I'm not sure how best to store the quota data itself 
in this case. Could it just be stored as JSON in the cn? I'm not sure 
if that's a good idea or a bad idea but I suspect bad...


That does not sound right.



Option 2 - Metadata Attribute on Tenant

Quotas are just an attribute of a Tenant so why not just add a single 
'quotas' attribute to the Tenant ou. Then the quotas JSON could be 
stored in this attribute. This seems like a simple and 
straight-forward solution but I don't know how to add this attribute 
via an objectclass to Tenant.


How would I add a quotas attribute to the Tenant ou?
How would I reference that attribute?
Is there an existing attribute on Tenant where I could reasonably 
store the quotas JSON instead of adding another one?


Usually a Quota is a limitation on a resource.  I suspect that the 
problem here is we have not nailed down the resource objects that you 
would then apply a quota to.  If, for example, we were talking about 
disk quotas, we could look at the LDAP schema's that are in place for 
disks, automount, and so forth.  For network or CPU quotas, the concepts 
don't really exist.


My immediate thought is that maybe these things are not really Keystone 
quantities to manage.  Nova has the database that deals with the actual 
quantities of disk and so forth.  BUt I know that LDAP is the system of 
record for Hosts in many systems,  so the Data from LDAP needs to feed 
into Nova somehow


Can you post your code to a GIthub repo and send out a link to the 
commit so that I could take a look?  It would be much more clear to 
discuss with actual code in front of me.






Thoughts or feedback on these options? Are there any other options I'm 
missing?


Thanks,
Everett


[1] 
https://github.com/openstack/keystone/blob/master/keystone/identity/backends/ldap/core.py#L140-147
[2] 
https://github.com/openstack/keystone/blob/master/keystone/identity/backends/ldap/core.py#L205-206




___
Mailing list: https://launchpad.net/~openstack
Post to : openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help   : https://help.launchpad.net/ListHelp

[Openstack] Keystone Federation

[Adam Young]

I am contemplating writing up a post-Folsom Blueprint for Keystone 
Federation and /or replication, and would like to solicit input from the 
community.


With Signed tokens,  we can provide the name of the Keystone server that 
signed the token.  With this comes the need to verify that the specified 
Keystone server is a valid server.  The logical way would be to check it 
against the service catalog.  I think the flow should go something like 
this:


when you start up a service like glance it should have a Keystone server 
specified.


When a token comes in with Keystone server that it does not recognize,  
it queries the known Keystone server's service catalog to see if the 
keystone server is a registered endpoint.  This service catalog can get 
cached for some short amount of time to ensure we don't trigger a flurry 
of activity on a series of bogus requests.


When a new Keystone server comes on line,  it gets registered with an 
existing Keystone server.  At this point, it requests its token signing 
certificate.  Once it recieves the signing cert, an  AMQP message then 
goes out to the other Keystone servers announcing the new keystone service.


Retirement of a Keystone server would be done in a similar way.

There are three scenarios I could see:

1)  No one Keystone server would hold a complete user or tenant list.  
Instead,  each would hold a subset of the tenants.  A user might exist 
in multiple Keystone databases if they are enrolled in multiple tenants, 
some of which are in one Keystone, some of which are in another.


2)  The entire user database is synchronized across all of the keystone 
instances.


3)  The Keystone instances use a single shared DBMS and are 
automatically synchronized.  Federation is just for redundancy and scaling.


I don't want to build this just to build it.  I'd like to know if A)  
there is a real need for Keystone Federation and B) If anyone else has 
thought through the problem and encountered issues I have not 
enumerated.  If there is enough interest, I will edit the discussion 
into a blueprint.




___
Mailing list: https://launchpad.net/~openstack
Post to : openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help   : https://help.launchpad.net/ListHelp

Re: [Openstack] Keystone Federation

[Adam Young]

On 07/05/2012 03:12 PM, Matt Joyce wrote:

Don't know if we want it.


So the justifications are:

1.  Redundancy
2.  Scalability
3.  Separation of concerns.

For example,  I could see a Set up where there are two Keystone servers 
with different back ends,  one using the corporate LDAP for in house 
use, one using a MySQL database for partners.


I could see variations where a Keystone instance gets deployed inside a 
corporate firewall,  using a strict auth mechanism like Kerberos or 
Smart Cards,  and those  tokens are used to talk to a remove Openstack 
install.  Again,  just for a subset of users.




But we may want to consider the idea of satellite read only keystone 
servers.


Not sure we can do strict read only, if the satellite serverws are 
responsible for issuing out tokens.




Mind you that may just be solving problems we don't even have yet.

-Matt

On Thu, Jul 5, 2012 at 11:26 AM, Adam Young ayo...@redhat.com 
mailto:ayo...@redhat.com wrote:


I am contemplating writing up a post-Folsom Blueprint for Keystone
Federation and /or replication, and would like to solicit input
from the community.

With Signed tokens,  we can provide the name of the Keystone
server that signed the token.  With this comes the need to verify
that the specified Keystone server is a valid server.  The logical
way would be to check it against the service catalog.  I think the
flow should go something like this:

when you start up a service like glance it should have a Keystone
server specified.

When a token comes in with Keystone server that it does not
recognize,  it queries the known Keystone server's service catalog
to see if the keystone server is a registered endpoint.  This
service catalog can get cached for some short amount of time to
ensure we don't trigger a flurry of activity on a series of bogus
requests.

When a new Keystone server comes on line,  it gets registered with
an existing Keystone server.  At this point, it requests its token
signing certificate.  Once it recieves the signing cert, an  AMQP
message then goes out to the other Keystone servers announcing the
new keystone service.

Retirement of a Keystone server would be done in a similar way.

There are three scenarios I could see:

1)  No one Keystone server would hold a complete user or tenant
list.  Instead,  each would hold a subset of the tenants.  A user
might exist in multiple Keystone databases if they are enrolled in
multiple tenants, some of which are in one Keystone, some of which
are in another.

2)  The entire user database is synchronized across all of the
keystone instances.

3)  The Keystone instances use a single shared DBMS and are
automatically synchronized.  Federation is just for redundancy and
scaling.

I don't want to build this just to build it.  I'd like to know if
A)  there is a real need for Keystone Federation and B) If anyone
else has thought through the problem and encountered issues I have
not enumerated.  If there is enough interest, I will edit the
discussion into a blueprint.



___
Mailing list: https://launchpad.net/~openstack
https://launchpad.net/%7Eopenstack
Post to : openstack@lists.launchpad.net
mailto:openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
https://launchpad.net/%7Eopenstack
More help   : https://help.launchpad.net/ListHelp





___
Mailing list: https://launchpad.net/~openstack
Post to : openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help   : https://help.launchpad.net/ListHelp

[Openstack] PKI Token Generation

[Adam Young]

The discussion during the Keystone meeting today had a couple of key 
points I'd like to address.



The Current token length is 32 characters long.  An example:
 e50d580692d644cfb8bec0246aede2c2

With PKI Signed tokens,  they will be much longer

MIICgAYJKoZIhvcNAQcCoIICcTCCAm0CAQExCTAHBgUrDgMCGjCCAWEGCSqGSIb3\
DQEHAaCCAVIEggFOeyJhY2Nlc3MiOiB7InRva2VuIjogeyJleHBpcmVzIjogIjIw\
MTItMDYtMDJUMTQ6NDc6MzRaIiwgImlkIjogInBsYWNlaG9sZGVyIiwgInRlbmFu\
dCI6IHsiZW5hYmxlZCI6IHRydWUsICJkZXNjcmlwdGlvbiI6IG51bGwsICJuYW1l\
IjogInRlbmFudF9uYW1lMSIsICJpZCI6ICJ0ZW5hbnRfaWQxIn19LCAidXNlciI6\
IHsidXNlcm5hbWUiOiAidXNlcl9uYW1lMSIsICJyb2xlc19saW5rcyI6IFsicm9s\
ZTEiLCJyb2xlMiJdLCAiaWQiOiAidXNlcl9pZDEiLCAicm9sZXMiOiBbeyJuYW1l\
IjogInJvbGUxIn0sIHsibmFtZSI6ICJyb2xlMiJ9XSwgIm5hbWUiOiAidXNlcl9u\
YW1lMSJ9fX0NCjGB9zCB9AIBATBUME8xFTATBgNVBAoTDFJlZCBIYXQsIEluYzER\
MA8GA1UEBxMIV2VzdGZvcmQxFjAUBgNVBAgTDU1hc3NhY2h1c2V0dHMxCzAJBgNV\
BAYTAlVTAgEBMAcGBSsOAwIaMA0GCSqGSIb3DQEBAQUABIGAUcweczLJw0SMQhli\
qVSFTWnPKzCnh9qaAxY+29YKFIGYmsX4x+Eh+3D4-xND0gqpdh-CD-Fe7dwsAP4K\
YHCj4W13Z0EyucgXiIbdY+XBaUInYowNmBqMRzOXMO8UGOjYMEgFvRJApb6sS4PN\
wlctpz0dJe2rTELD28EmckkApeU=

However, nothing in the API comments on the token length.  You cannot 
assume that even under the current scheme they will be 32 characters long.


the code for just the token generation has been split from the 
auth_token changes.  You can see it here:


https://github.com/admiyo/keystone/tree/pki-token-generation

It is not up for code review yet as there are still a few changes required.

___
Mailing list: https://launchpad.net/~openstack
Post to : openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help   : https://help.launchpad.net/ListHelp

Re: [Openstack] OVF vs. bare container formats for qcow2 images

[Adam Young]

On 04/01/2012 11:15 AM, Lorin Hochstein wrote:



On Mar 29, 2012, at 12:40 PM, Daniel P. Berrange wrote:


On Wed, Mar 28, 2012 at 04:41:28PM -0400, Lorin Hochstein wrote:

All:

Given that I have a qcow2 image from somewhere (e.g., downloaded
it from a uec-images.ubuntu.com http://uec-images.ubuntu.com, 
created one from a raw image using

qemu-img) that i want to add to glance:

1. How can I tell whether it's an ovf or bare container format?


You are mixing up terminology here. Disk image formats are things like
raw, qcow2, vmdk, etc.

OVF refers to the format of a metadata file provided alongside the
disk image, which describes various requirements for running the
image.

The two are not tied together at all, merely complementary to
each other.



Thanks, that clears things up. I was confused by this language, which 
sounded to me like the metadata was embedded in the disk image file:


http://glance.openstack.org/formats.html

The container format refers to whether the virtual machine image is 
in a file format that also contains metadata about the actual virtual 
machine.


In addition, the docs have examples like this, which clearly aren't 
meaningful:

http://glance.openstack.org/glance.html#important-information-about-uploading-images


Just to add to the confusion  the OVF can contain both the metadata file 
and the disk image file in a single archived file.


An OVF package consists of several files, placed in one directory. A 
one-file alternative is the OVA package, which is a TAR file with the 
OVF directory inside.


http://en.wikipedia.org/wiki/Open_Virtualization_Format#Technical_description


I think that what you are reading above refers to the single file 
alternative.



$ glance add name=My Image is_public=true \
  container_format=ovf disk_format=raw  /tmp/images/myimage.iso

I'll propose a change to the docs for that.




Whenever I add a qcow2 image to glance, I always choose ovf,
even though it's probably bare, because I saw an example
somewhere, and it just works, so I keep doing it. But I don't
know how to inspect a binary file to determine what its container
is (if file image.qcow2 says it's a QEMU QCOW2 Image (v2), does
that mean it's bare?). In particular, why does the user need to
specify this information?


If you simply have a single  someimage.qcow2 file, then you simply
have a disk image. Thus there is no OVF metadata involved at all.

eg, this is the (qcow2) disk image:

http://uec-images.ubuntu.com/precise/current/precise-server-cloudimg-amd64-disk1.img

While this is an OVF metadata file that optionally accompanies the 
disk image


http://uec-images.ubuntu.com/precise/current/precise-server-cloudimg-amd64.ovf



Gotcha.


It's not clear to me how you would specify the OVF metadata file when 
adding an image file to glance.



Take care,

Lorin
--
Lorin Hochstein
Lead Architect - Cloud Services
Nimbis Services, Inc.
www.nimbisservices.com https://www.nimbisservices.com/




___
Mailing list: https://launchpad.net/~openstack
Post to : openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help   : https://help.launchpad.net/ListHelp



___
Mailing list: https://launchpad.net/~openstack
Post to : openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help   : https://help.launchpad.net/ListHelp

Re: [Openstack] [Devstack]Keystone authentication problem when installing

[Adam Young]

Can you post your localrc file?  YOu can blank out the passwords.

Also,  what distribution?


On 06/27/2012 09:30 PM, Ke Wu wrote:

Hi,

I can't find a mailing list of devstack so I choose to ask here, hope 
this doesn't spam you guys.


I was trying to build Devstack on my VM (Ubuntu 12.04 server) to start 
a new environment for Horizon development.


Everything went well until it hit the point to start Keystone service, 
the error msg was:


Expecting authentication method via
either a service token, --token or env[SERVICE_TOKEN],
  or credentials, --os_username or env[OS_USERNAME].
+ NOVA_USER_ID=
++ get_field 1
++ read data
++ grep ' service '
++ keystone tenant-list
Expecting authentication method via
either a service token, --token or env[SERVICE_TOKEN],
  or credentials, --os_username or env[OS_USERNAME].
+ NOVA_TENANT_ID=
++ keystone ec2-credentials-create --user --tenant_id
usage: keystone ec2-credentials-create [--user_id user-id]
   [--tenant_id tenant-id]
keystone ec2-credentials-create: error: argument --user_id: expected 
one argument

+ CREDS=
++ failed
++ local r=2
++ set +o xtrace

Anybody has an idea why this happened?

Thanks!

-Ke Wu


___
Mailing list: https://launchpad.net/~openstack
Post to : openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help   : https://help.launchpad.net/ListHelp



___
Mailing list: https://launchpad.net/~openstack
Post to : openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help   : https://help.launchpad.net/ListHelp

Re: [Openstack] [keystone] Keystone on port 5000 - proposing change default port to 8770

[Adam Young]

That is for admin, 5000 is for normal usage.

Personally, I'd like to see all of the custom ports go away and we use 
an URL scheme as proposed:


http://wiki.openstack.org/URLs

On 06/20/2012 08:56 PM, Mellquist, Peter wrote:

What happened to 35357?

In general, new port #s should be applied through IANA and when approved then 
made public.

Peter.

-Original Message-
From: openstack-bounces+peter.mellquist=hp@lists.launchpad.net 
[mailto:openstack-bounces+peter.mellquist=hp@lists.launchpad.net] On Behalf 
Of Joseph Heck
Sent: Wednesday, June 20, 2012 4:16 PM
To: openstack@lists.launchpad.net (openstack@lists.launchpad.net)
Subject: [Openstack] [keystone] Keystone on port 5000 - proposing change 
default port to 8770

At the risk of a terrible public tar and feathering...

I've learned that port 5000 (which Keystone is using for it's default 
public-token-auth stuff) is commonly blocked by many firewalls, as it's been 
registered as a Microsoft uPnP port.

I thought I'd go ahead and propose changing the default to 8770. I picked this 
number because it's close to the Nova ports in common use (8773, 8774, 8775, 
and 8776).

And yes, I'll submit updates to all REST docs, XML docs, devstack, and the code.

So... how many people do I need to worry about murdering me for this next 
design summit?

-joe

___
Mailing list: https://launchpad.net/~openstack
Post to : openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help   : https://help.launchpad.net/ListHelp

___
Mailing list: https://launchpad.net/~openstack
Post to : openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help   : https://help.launchpad.net/ListHelp




___
Mailing list: https://launchpad.net/~openstack
Post to : openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help   : https://help.launchpad.net/ListHelp

Re: [Openstack] [keystone] v3 API draft (update and questions to the community)

[Adam Young]

On 06/12/2012 04:24 AM, Gabriel Hurley wrote:

Mark,

Apparently you must have missed my lightning talk at the Essex summit... ;-) 
(http://gabrielhurley.github.com/slides/openstack/apis_like_orms/index.html)

Filtering, pagination, and many other API features are *critical* for a rich 
dashboard experience. If you want to talk specifics, the entire Horizon team 
would be happy to have a long chat with you.
Yes and no.  The reality is that it is a  trade off. Server side, you 
pay by doing a network round trip, and having to determine ahead of time 
the mechanisms for sorting, caching, paging, etc.


The real problem is that the parsing of the results can blow out the 
stack space in the browser.




That said, we have also considered the case you propose where you effectively request 
everything and handle it on the client-side... however, I see that as a tremendously lazy 
solution. On the service-provider end you have access to powerful database methods that can do 
these operations in fractions of the time the client-side can (especially with good indexes, etc.). 
And if you've ever worked in mobile applications you'll know that minimizing data across the wire 
is crucial. The only argument I've heard in favor of that is basically it's easier for us not 
to add API features.


At the expense of loading your Database.  Serverside paging and 
filtering both require one of two things:  caching or additional 
Database queries, and both increase your server footprint.  For small 
datasets, or for limited queries,  this is not a problem,  but for 
scalability you want to limit the work you do on the server.


For Keystone using the LDAP backend,  caching and pagination are 
extremely expensive, and not something I would like to support.  an LDAP 
query is not guaranteed to come back in any particular order, so you 
can't just do the SQL trick of executing the query at offset + window 
size.  You have to do the equivalent of a Cursor,  and this places 
serious load on the LDAP server,  the Keystone server, and possibly 
impacts other apps dependand on LDAP.




To speak on the specific feature of pagination, the problem of 'corruption' by 
simultaneous writers is no excuse for not implementing it. You think Google, Facebook, 
Flickr, etc. etc. etc. don't have this problem? If you consume their feeds you'll notice 
you can fetch offset-based pagination with ease. You'd never expect to see a navigation 
element at the bottom of Google search results that said take me to results 
starting with the letter m.


There is a major difference.  We are working with data that has to be 
ACID.  Google, Facebook and flickr do not.  Before you migrate a VM,  
you need to know if the host meets the criteria for the VM. If it 
changes between when you check and when you reserve the space for the 
VM,  you have just over committed.  Get it right eventually does not 
work for management apps.




None of this is a case of someone might use it. The Horizon team has been 
loudly asking for these features for 8+ months now. And not just from Keystone but from 
all the projects. I have a list a mile long of API features we need to really deliver a 
compelling experience. I was just adding some items to it today, in fact.

The rest of your points I have no strong feelings on and generally agree, but 
when it comes to API features... I feel *very* strongly.


Note that I am not saying don't do pagination as I agree, it is 
essential for good user experience.  What I am stating is that we need 
to be smart about the techniques and technologies we choose, as there is 
always an upside and a downside.




All the best,

 - Gabriel



-Original Message-
From: openstack-bounces+gabriel.hurley=nebula@lists.launchpad.net
[mailto:openstack-
bounces+gabriel.hurley=nebula@lists.launchpad.net] On Behalf Of
Mark Nottingham
Sent: Monday, June 11, 2012 10:27 PM
To: Joseph Heck
Cc: openstack@lists.launchpad.net (openstack@lists.launchpad.net)
Subject: Re: [Openstack] [keystone] v3 API draft (update and questions to
the community)

On 11/06/2012, at 6:58 AM, Joseph Heck wrote:


First - what's the current thought of support for PATCH vs PUT in updating

REST resources? Are there any issues with clients being able to use a PATCH
verb? It's not something I'm super familiar with, so I'm looking for feedback
from the community here. Ideally, I'd like to support the semantics of the
PATCH HTTP verb, and possibly just assert no support for the PUT verb to be
clear about intended functionality. Is that going to throw anyone for a loop?

I answered a question about PATCH before; don't want to repeat myself, but
it should be workable. Happy to chat more about it if you have specific
questions.


Second - filtering/searching for resources. The draft includes a section

labelled Query By Name, which is probably mis-labelled, as it's intended to
cover the general idea of passing in query parameters to general listing
resource endpoints to 

[Openstack] noVNC and EPEL

[Adam Young]

I have a working noVNC RPM for both F17 and EPEL.

Well...I think it is working...everything is set as best as I can tell 
to what it should be.  However, I have not been able to get a VNC 
console on a VM from the Web UI.  I have been able to do so using 
noVNC,  so we have a partial solution.  I've been advised that 
misconfiguration of the compute nodes is often at fault for noVNC not 
working:


sleepsonthefloor ayoung: it is very common for people to misconfigure 
flags on the compute hosts
sleepsonthefloor FLAGS.vncserver_proxyclient_address and 
FLAGS.novncproxy_base_url


My packages are at:
http://admiyo.fedorapeople.org/noVNC/

Paidrig pixelbeat Brady has tweaked them and gotten them blessed into 
the Fedora and EPEL system.


With the RPM installed, the steps to get novnc_server (not the Nova 
proxy) working are:


1.  Generate a key. I put this in /etc/nova:
 openssl req -new -x509 -days 365 -nodes -out self.pem -keyout self.pem

2.  Figure out the port for the vnc server you want.  This will depend 
on the VM.  In general, the first VM you spin up will have 9000,  the 
next 9001.  You can  brute force the search using


qemu-syst 21809  qemu   13u IPv4 178192 0t0
TCP localhost:vnc-server (LISTEN)
qemu-syst 26373  qemu   11u IPv43446722 0t0
TCP localhost:5901 (LISTEN)


Note that the first line lists the port by service name (vnc-server) out 
of /etc/services  (technically the NSSwitch services database, but we 
all probably have that set to files.)


I ensured I could connect to the server using the  tiger-vnc package and 
vncviewer.



3.  Run the novnc server.  In the upstream, this is launch.sh.  For 
Fedora we've given it the slightly more descriptive name novnc_server.


cd /usr/share/novnc
novnc_server --cert /etc/nova/self.pem --vnc localhost:5901


4.  Get the self signed cert into your browser by pointing at the server 
using https://hostname:6080.  This will kick you into the invalid 
certificate  dialog.  Accept the Cert and it will forward you to 
noVNC.  No password is required:  click connect and you should be 
viewing the appropriate VM.




I have not been able to get the Horizon Dashboard to noVNC integration 
working.  I suspect that the correct command line should be something like:


 nova-novncproxy  --flagfile=/etc/nova/nova.conf 
--web=/usr/share/novnc/ --cert=/etc/nova/self.pem 
--log-file=/var/log/nova/novnc.log


But no connections go through.  Nothing shows up in the log (and I have 
confirmed that is not due to permissions).  Nothing shows up on the 
command line, either except the startup information:


[root@ayoung-stack2 novnc]# nova-novncproxy 
--flagfile=/etc/nova/nova.conf   --web=/usr/share/novnc/ 
--cert=/etc/nova/self.pem --log-file=/var/log/nova/novnc.log

WebSocket server settings:
  - Listen on 0.0.0.0:6080
  - Flash security policy server
  - Web server. Web root: /usr/share/novnc
  - SSL/TLS support
  - proxying from 0.0.0.0:6080 to ignore:ignore


For Fedora,  we cannot ship the binary Flash blob.  I've been working 
under the assumtion that the Nova noVNC proxy uses the browsers 
websocket support




___
Mailing list: https://launchpad.net/~openstack
Post to : openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help   : https://help.launchpad.net/ListHelp

Re: [Openstack] Signed Tokens

[Adam Young]

On 06/01/2012 05:56 PM, Adam Young wrote:
The signed tokens work has been updated.  I think this is the final 
architecture.


https://github.com/admiyo/keystone/commits/signed-tokens-5

Not all of the unit tests run. Some of the Memcache tests are suspect, 
and I wonder if we even need memcache support for tokens in the middle 
ware.  I think we don't.


Also,  the Diablo tokens are not supported.  I think we can safely 
deprecate them for Folsom.


___
Mailing list: https://launchpad.net/~openstack
Post to : openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help   : https://help.launchpad.net/ListHelp



Responses to Guang Yee's comments on Git hub:

keystone/config.py
line 156
gyee:  Maybe token_signing instead of signing? Signing still sound 
too generic:
ayoung:This is a generic signing cert,  although it is only used for 
tokens,  it could be used for something else as well.  I think signing 
is appropriate


keystone/middleware/auth_token.p
line 146:
gyee:May want to do os.umask() to protect the signing dir.
ayoung: agreed.

line 597:
gyee: You are assuming openssl is available. May want to do a sanity 
check first.
ayoung:  the Packages will 'Require' Openssl, and we will put it into 
the package list for Devstack as well.


gyee: May want to introduce some timeout logic to force process 
termination in case it hangs or did not finish on time.
ayoung:  We are not consuming entropy  with the signing or verification 
process, so hanging is likely not an issue.  I don't think Eventlet 
makes that kind of code easy to write,  either.  If we see signs of 
hanging, then we will deal with it.



keystone/service.py
line 505:
gyee: certfile.close
ayoung: yes




___
Mailing list: https://launchpad.net/~openstack
Post to : openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help   : https://help.launchpad.net/ListHelp

Re: [Openstack] Websocket support long term

[Adam Young]

On 06/04/2012 09:55 AM, Jay Pipes wrote:

On 05/30/2012 09:28 PM, Adam Young wrote:

The recent discussion about node.js made me rethink the state of
Websocket support for Apache and Openstack. A quick recap:

1) neither mod_wsgi nor mod_proxy support Web sockets.
2) There is a Websocket Module for Apache, but using it requires an
additional apache module.
3) There is websocket support in Eventlet.
4) The argument for node.js is the same for Eventlet: rapid dispatch to
support a large number of connections
5) noVNC currently uses websockify, and uses a simplistic web server to
proxy over VNC traffic.

The more I think about it, the more I think that the simplest, and most
correct path forward is to use the websocket Apache module, and to write
an additional module that will hook it up to Eventlet. Eventlet can
listen on a local Port (127.0.0.1 only) and Apache will map that to a
suburl. I'll code name it mod_websocket_proxy for now.


snip

Adam, other than the NoVNC piece in Nova and the Horizon project in 
general, where do you see the need for Websockets in OpenStack? I 
could easily be mistaken (happens a lot!), but I see Websockets as a 
great tool for client-side and UI interaction, and not so much useful 
in the eventlet servers that we use for so many OpenStack services 
(nova-api, swift-proxy, glance-api, glance-registry, keystone-api, 
etc). Could you elaborate how you see Websockets (and your proposed 
mod_websocket_proxy) being useful to OpenStack services outside of 
horizon and noVNC?


Jay,

This is predominantly for Horizon.  For other communication,  I think 
AMQP suffices,  but we might want to revisit that assumption in the future.


I think that demand for Websockets is what is driving the push toward 
Node.js.  It is a natural complement to an event driven webserver.


While I think the quetion of noVNC itself justifies investigating 
Websocket approaches,  I can see the need for Websocket style 
development where:


1. We need to traverse firewalls
2. We need the application to predominantly post data to the browser

Thus far we would otherwise choose AMQP for notifications, but it 
doesn't seem to be the right solution for these cases.  So, what are 
these cases?


Log streaming seems to be the first case:  a long running task 
generating a lot of events,  and a user wants to track what is happening 
as quickly as they occur.  This covers a lot of use cases.











Thanks!
-jay


___
Mailing list: https://launchpad.net/~openstack
Post to : openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help   : https://help.launchpad.net/ListHelp

[Openstack] Need testing of devstack change on different platforms.

[Adam Young]

A couple changes in the larger Linux world will affect devstack.  In 
F17,  we've already seen a change in the response format of ifconfig 
which breaks devstack.  Upon closer inspection, it appears ifconfig 
itself is deprecated, and the correct solution is to use the ip command 
instead.


https://review.openstack.org/#/c/8018/

I've tested this on F17  and the output is the same on F16.  Getting 
this change in will help future proof devstack,  but I'd like a little 
bit more testing,  especially if people are running devstack on 
platforms other than those that are officially sanctioned and supported.


___
Mailing list: https://launchpad.net/~openstack
Post to : openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help   : https://help.launchpad.net/ListHelp