[Openstack] python-keystoneclient v0.3.0 released
python-keystoneclient v0.3.0 has been released to pypi [1]. Bug fixes [2] since v0.2.5 include two security vulnerabilities [3] [4] related to keystoneclient.middleware.auth_token's handling of signing encryption for memcache. This release also includes support for Identity API v3 [5] auth and identity management through the Python API. Identity API v3 support will be exposed on the CLI through the python-openstackclient project [6]. [1]: https://pypi.python.org/pypi/python-keystoneclient/ [2]: https://bugs.launchpad.net/python-keystoneclient/+milestone/0.3.0 [3]: https://bugs.launchpad.net/bugs/1175367 [4]: https://bugs.launchpad.net/bugs/1175368 [5]: https://github.com/openstack/identity-api/blob/master/openstack-identity-api/src/markdown/identity-api-v3.md [6]: https://launchpad.net/python-openstackclient/ -Dolph ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp
Re: [Openstack] OpenStack API versions and release content
On Tue, Jun 11, 2013 at 4:46 PM, Farhan Patwa farhan.pa...@utsa.edu wrote: Hi all, I am just trying to understand the motivation behind creations API versions and how that ties in to a release content. As per listed documentation ( http://docs.openstack.org/api/openstack-compute/2/content/Versions-d1e1193.html ) New Features and functionality that break API-compatibility necessitate a new version. When new API version are released older versions are marked as deprecated. My questions are: 1.) Is the assumption here that operators may update the release but opt to stay with an older API version to get bug fixes etc.? See #2 below. 2.) Do new versions have to be deployed with a new release? Keystone has V3 version, but I don't see it being available for use in devstack or Grizzly release (based on my assumption that the command 'keystone discover' will display supported API versions) Not necessarily. Keystone grizzly/2013.1 ships with a revised paste configuration which deploys the new Identity API v3 via pipeline:api_v3 [1]. You don't need to deploy this new pipeline at all, and a folsom paste configuration will deploy an Identity API v2 implementation just as it did in folsom. The output of keystone discover operates based on how the service catalog is populated, which doesn't necessarily reflect the configured pipeline or what's provided by the implementation. [1]: https://github.com/openstack/keystone/blob/64738924b87e6fb31d999e25da23f889a2658940/etc/keystone-paste.ini#L78 3.) Do versions have their own release schedule (so Keystone V3 is part of Grizzly code but the implementation is not yet complete or supported??) There's no such thing as Keystone v3, although that's a common misnomer. The Identity API (v2.0 - v3.0 - v3.1) is versioned independently from it's implementation, Keystone (... essex/2012.1 - folsom/2012.2 - grizzly/2013.1 - etc). Several releases of keystone could be made without incrementing the API version. A release of keystone may contain an experimental/unstable/partial and unrecommended/undocumented implementation of a newer API. A release of keystone may even skip an API version if there was reason to do so. So, for example: - diablo supports Identity API v2.0 and was extensible to support a non-OpenStack Identity API (v1.1) - essex supports Identity API v2.0 - folsom supports Identity API v2.0 - grizzly supports Identity API v2.0 and Identity API v3.0 - havana will support Identity API v2.0 and Identity API v3.1 - icehouse will support Identity API v2.0 and at least Identity API v3.1 (if not v3.2) - J*release is not guaranteed to support Identity API v2.0 and will support at least Identity API v3.1 (if not v3.3) (where minor version bumps, e.g. v3.0 - v3.1 are backwards compatible) In reality, if we ship a recommended API implementation, that API version is effectively feature frozen. So, while we could have continued to develop Identity API v3.0 past 2013.1, we documented it in the default configuration (keystone.conf.sample, devstack, etc) and shipped it with grizzly and are now working towards introducing backwards-compatible features under a minor version bump to the API that will ship with havana. I would really appreciate if someone can shed light on this. Thanks for your time, -Farhan Patwa. ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp
Re: [Openstack] python-keystoneclient 0.2.4 available on pypi
Just a small update... the --version flag was broken in 0.2.4 [1], so 0.2.5 has now been released to pypi [2] specifically to fix this issue. [1]: https://launchpad.net/python-keystoneclient/+milestone/0.2.5 [2]: https://pypi.python.org/pypi/python-keystoneclient/ -Dolph On Wed, May 29, 2013 at 12:33 PM, Dolph Mathews dolph.math...@gmail.comwrote: python-keystoneclient 0.2.4 is primarily a security bug fix release [1] and is now available on pypi [2]. A few highlights concerning the auth_token middleware: - Expired PKI tokens are now rejected [3] - PKI token revocations lists are now cached using a configurable expiration (revocation_cache_time) [4] - The signing_dir configuration option now defaults to a secure, temporary directory rather than the user's home directory [5] Additionally, updating a user's password on the CLI can now be done securely [6]. [1]: https://launchpad.net/python-keystoneclient/+milestone/0.2.4 [2]: https://pypi.python.org/pypi/python-keystoneclient [3]: https://bugs.launchpad.net/python-keystoneclient/+bug/1179615 [4]: https://bugs.launchpad.net/python-keystoneclient/+bug/1076083 [5]: https://bugs.launchpad.net/python-keystoneclient/+bug/1181157 [6]: https://bugs.launchpad.net/python-keystoneclient/+bug/938315 -Dolph ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp
[Openstack] python-keystoneclient 0.2.4 available on pypi
python-keystoneclient 0.2.4 is primarily a security bug fix release [1] and is now available on pypi [2]. A few highlights concerning the auth_token middleware: - Expired PKI tokens are now rejected [3] - PKI token revocations lists are now cached using a configurable expiration (revocation_cache_time) [4] - The signing_dir configuration option now defaults to a secure, temporary directory rather than the user's home directory [5] Additionally, updating a user's password on the CLI can now be done securely [6]. [1]: https://launchpad.net/python-keystoneclient/+milestone/0.2.4 [2]: https://pypi.python.org/pypi/python-keystoneclient [3]: https://bugs.launchpad.net/python-keystoneclient/+bug/1179615 [4]: https://bugs.launchpad.net/python-keystoneclient/+bug/1076083 [5]: https://bugs.launchpad.net/python-keystoneclient/+bug/1181157 [6]: https://bugs.launchpad.net/python-keystoneclient/+bug/938315 -Dolph ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp
Re: [Openstack] Keystone 8K header size limit
Apologies, none of these configuration settings were documented in etc/keystone.conf.sample. The last one is the one that controls this behavior. [DEFAULT] # enforced by sizelimit middleware (keystone.middleware:RequestBodySizeLimiter) max_request_body_size = 114688 # limit the sizes of user tenant ID/names max_param_size = 64 # similar to max_param_size, but provides an exception for token values max_token_size = 8192 I also put these docs up for review: https://review.openstack.org/30932 -Dolph On Wed, May 29, 2013 at 1:23 PM, Miller, Mark M (EB SW Cloud - RD - Corvallis) mark.m.mil...@hp.com wrote: Hi Guang, We are running into a problem with PKI tokens being greater than 8K and having Keystone not able to validate them. Do you know of a workaround? Mark ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp
Re: [Openstack] keystone
The SERVICE_TOKEN is not a password; it should either be a valid token that you've generated using credentials + keystone token-get, or the value of keystone.conf's static admin_token option. I'm not familiar with x.sh so I don't know if you should remove SERVICE_* env vars or the OS_* ones, but having both sets is redundant. -Dolph On Tue, May 14, 2013 at 7:43 AM, Mahzad Zahedi ict.mywork2...@gmail.comwrote: I have followed basic install guide openstack on ubuntu (grizzy) so for configuration keystone first, I have created openrc File and added below lines into it: export OS_TENANT_NAME=admin export OS_USERNAME=admin export OS_PASSWORD=password export OS_AUTH_URL=http://localhost:5000/v2.0/; export SERVICE_ENDPOINT=http://localhost:35357/v2.0; export SERVICE_TOKEN=password and then again I have created a x.sh file for script that is mentioned inside of install doc #!/bin/bash # Modify these variables as needed ADMIN_PASSWORD=${ADMIN_PASSWORD:-password} NOW , when running ./x.sh i have belo errors: Invalid OpenStack Identity credentials. ./bash_script.sh: line 36: 2: command not found Invalid OpenStack Identity credentials. ./bash_script.sh: line 38: 2: command not found Invalid OpenStack Identity credentials. Invalid OpenStack Identity credentials. Invalid OpenStack Identity credentials. usage: keystone user-create --name user-name [--tenant-id tenant-id] [--pass pass] [--email email] [--enabled true|false] keystone user-create: error: argument --tenant-id: expected one argument ./bash_script.sh: line 45: 2: command not found Invalid OpenStack Identity credentials. ./bash_script.sh: line 48: --tenant-id: command not found Invalid OpenStack Identity credentials. ./bash_script.sh: line 51: password: command not found Invalid OpenStack Identity credentials. ./bash_script.sh: line 54: --tenant-id: command not found Invalid OpenStack Identity credentials. Invalid OpenStack Identity credentials. ./bash_script.sh: line 58: 2: command not found usage: keystone user-role-add --user user --role role [--tenant tenant] keystone user-role-add: error: argument --user/--user-id/--user_id: expected one argument usage: keystone user-role-add --user user --role role [--tenant tenant] keystone user-role-add: error: argument --tenant/--tenant-id: expected one argument usage: keystone user-role-add --user user --role role [--tenant tenant] keystone user-role-add: error: argument --tenant/--tenant-id: expected one argument usage: keystone user-role-add --user user --role role [--tenant tenant] keystone user-role-add: error: argument --tenant/--tenant-id: expected one argument ./bash_script.sh: line 63: --role-id: command not found usage: keystone user-role-add --user user --role role [--tenant tenant] keystone user-role-add: error: argument --tenant/--tenant-id: expected one argument usage: keystone user-role-add --user user --role role [--tenant tenant] keystone user-role-add: error: argument --tenant/--tenant-id: expected one argument Invalid OpenStack Identity credentials. Invalid OpenStack Identity credentials. Invalid OpenStack Identity credentials. Invalid OpenStack Identity credentials. ./bash_script.sh: line 72: --description: command not found usage: keystone service-create --name name --type type [--description service-description] keystone service-create: error: argument --description: expected one argument ./bash_script.sh: line 74: OpenStack EC2 service: command not found Invalid OpenStack Identity credentials. usage: keystone endpoint-create [--region endpoint-region] --service-id service-id [--publicurl public-url] [--adminurl admin-url] [--internalurl internal-url] keystone endpoint-create: error: argument --service-id/--service_id: expected one argument ./bash_script.sh: line 77: --publicurl: command not found ./bash_script.sh: line 79: --internalurl: command not found usage: keystone endpoint-create [--region endpoint-region] --service-id service-id [--publicurl public-url] [--adminurl admin-url] [--internalurl internal-url] keystone endpoint-create: error: argument --service-id/--service_id: expected one argument ./bash_script.sh: line 81: --publicurl: command not found ./bash_script.sh: line 83: --internalurl: command not found usage: keystone endpoint-create [--region endpoint-region] --service-id service-id [--publicurl public-url] [--adminurl admin-url] [--internalurl internal-url] keystone endpoint-create: error: argument --service-id/--service_id: expected one argument ./bash_script.sh: line 85: --publicurl: command not found
Re: [Openstack] Cinder ERROR: Malformed request url (HTTP 400) again
It looks like cinderclient is authenticating successfully with keystone, and something unexpected is happening at the cinder endpoint. I'd suggest trying to replay cinderclient's request using something like curl to perhaps provide more insight into what's actually going on. # curl http://10.2.232.6:8776/v1/c625d5b2b9e24f72acb2d298682ab002/volumes/detail-H 'x-auth-token:515e478eca244282a1617e43a8881c0b' --verbose You may need a fresh x-auth-token, but the one above is from your copy/paste and may still be valid (if not, use $ keystone token-get) -Dolph On Wed, May 8, 2013 at 5:52 PM, Erick Turnquist jhujh...@adjectivism.orgwrote: List, I'm a new OpenStack user who has become exceptionally frustrated trying to get Cinder running. I initially installed nova-volume, which appeared to work, and then followed the instructions on https://wiki.openstack.org/wiki/MigrateToCinder to migrate. Here is where I am stuck: seemingly every call I make against Cinder's API results in an HTTP 400. Here's an example call: # cinder --debug list connect: (192.168.128.6, 5000) send: 'POST /v2.0/tokens HTTP/1.1\r\nHost: 192.168.128.6:5000\r\nContent-Length: 100\r\ncontent-type: application/json\r\naccept-encoding: gzip, deflate\r\naccept: application/json\r\nuser-agent: python-cinderclient\r\n\r\n' send: '{auth: {tenantName: admin, passwordCredentials: {username: admin, password: admin}}}' reply: 'HTTP/1.1 200 OK\r\n' header: Vary: X-Auth-Token header: Content-Type: application/json header: Content-Length: 2687 header: Date: Wed, 08 May 2013 22:42:27 GMT connect: (10.2.232.6, 8776) send: u'GET /v1/c625d5b2b9e24f72acb2d298682ab002/volumes/detail HTTP/1.1\r\nHost: 10.2.232.6:8776\r\nx-auth-project-id: admin\r\nx-auth-token: 515e478eca244282a1617e43a8881c0b\r\naccept-encoding: gzip, deflate\r\naccept: application/json\r\nuser-agent: python-cinderclient\r\n\r\n' reply: 'HTTP/1.1 400 Bad Request\r\n' header: Content-Length: 65 header: Content-Type: application/json; charset=UTF-8 header: X-Compute-Request-Id: req-7e360dc5-8f54-477f-833c-e0ab0d20aef6 header: Date: Wed, 08 May 2013 22:42:27 GMT DEBUG (shell:473) Malformed request url (HTTP 400) (Request-ID: req-7e360dc5-8f54-477f-833c-e0ab0d20aef6) Traceback (most recent call last): File /usr/lib/python2.6/site-packages/cinderclient/shell.py, line 470, in main OpenStackCinderShell().main(sys.argv[1:]) File /usr/lib/python2.6/site-packages/cinderclient/shell.py, line 421, in main args.func(self.cs, args) File /usr/lib/python2.6/site-packages/cinderclient/v1/shell.py, line 139, in do_list volumes = cs.volumes.list(search_opts=search_opts) File /usr/lib/python2.6/site-packages/cinderclient/v1/volumes.py, line 171, in list volumes) File /usr/lib/python2.6/site-packages/cinderclient/base.py, line 63, in _list resp, body = self.api.client.get(url) File /usr/lib/python2.6/site-packages/cinderclient/client.py, line 138, in get return self._cs_request(url, 'GET', **kwargs) File /usr/lib/python2.6/site-packages/cinderclient/client.py, line 126, in _cs_request **kwargs) File /usr/lib/python2.6/site-packages/cinderclient/client.py, line 109, in request raise exceptions.from_response(resp, body) BadRequest: Malformed request url (HTTP 400) (Request-ID: req-7e360dc5-8f54-477f-833c-e0ab0d20aef6) ERROR: Malformed request url (HTTP 400) (Request-ID: req-7e360dc5-8f54-477f-833c-e0ab0d20aef6) Nothing at all shows up in the Cinder API logs when I make this call, even with the --debug option to cinder-api. After many hours Googling the problem, it would seem that the it's either a malformed endpoint URL or missing auth_strategy, but neither of these are the case: # keystone endpoint-list +--+---+--+-++--+ |id| region | publicurl | internalurl | adminurl | service_id| +--+---+--+-++--+ | 6c2d093802744c0398bbd62dc5fbc070 | RegionOne | http://10.2.232.6:8773/services/Cloud | http://192.168.128.6:8773/services/Cloud| http://192.168.128.6:8773/services/Admin | d4ab7bb8490385bfb5457311b88c | | 8900b9d947d24ec280b67abb8c67b4d1 | RegionOne | http://10.2.232.6:8774/v2/%(tenant_id)s| http://192.168.128.6:8774/v2/%(tenant_id)s | http://192.168.128.6:8774/v2/%(tenant_id)s | bb2a06fefa224e5c898eaeed41295c71 | | 8a7ae87b296f45259060485e37de74f9 | RegionOne | http://10.2.232.6:8776/v1/%(tenant_id)s
Re: [Openstack] glance client not working
You can't bypass authentication with, say, keystone.conf admin_token and get a catalog. A catalog is produced as the result of authentication. Run the client with a set of credentials (user, password, tenant, auth URL) and you'll be able to get a catalog, and glanceclient will probably work as well. -Dolph On Thu, May 2, 2013 at 7:51 AM, Dennis Jacobfeuerborn denni...@conversis.de wrote: On 01.05.2013 20:34, Jay Pipes wrote: On 05/01/2013 02:28 PM, Dennis Jacobfeuerborn wrote: Hi, I'm currently working on setting up OpenStack using Ansible (after giving up on Puppet) and have keystone running and Glance running. The problem I now have is that the client doesn't seem to work: [root@controller1 ~]# glance index ID Name Disk Format Container Format Size --**-- -- -- 'NoneType' object has no attribute 'rfind' [root@controller1 ~]# glance image-list 'NoneType' object has no attribute 'rfind' [root@controller1 ~]# glance image-create --name=cirros-0.3-x86_64 --is-public=true --container-format=bare --disk-format=qcow2 cirros-0.3.0-x86_64-disk.img 'NoneType' object has no attribute 'rfind' Unfortunately I don't get any meaningful error and the api and registry logs don't show anything either despite debug=True. Any ideas how I could find out what the problem is? The problem is likely your image endpoint in the Keystone service catalog. Ineed the endpoint variables in the ansible template weren't substituted due to a typo and after fixing this I no longer get the error and image-list and image-create now work as expected. Thanks! What does `keystone service-catalog` show? There is only a 'catalog' command and that throws an error: [root@controller1 ~]# keystone catalog WARNING: Bypassing authentication using a token endpoint (authentication credentials are being ignored). Configuration error: Client configured to run without a service catalog. Run the client using --os-auth-url or OS_AUTH_URL, instead of --os-endpoint or OS_SERVICE_ENDPOINT, for example. This is strange though because commands like service-list and endpoint-list work without any problem. Any idea what is special about 'catalog' to show this behaviour? Regards, Dennis __**_ Mailing list: https://launchpad.net/~**openstackhttps://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~**openstackhttps://launchpad.net/~openstack More help : https://help.launchpad.net/**ListHelphttps://help.launchpad.net/ListHelp ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp
Re: [Openstack] keystone network endpoint doesnt start
I imagine that you need to start quantum by running *quantum-server* -Dolph On Wed, May 1, 2013 at 10:18 AM, Molnár Mihály László lacik...@gmail.comwrote: hi all! I just installed Grizzly following this: https://github.com/mseknibilel/OpenStack-Grizzly-Install-Guide/blob/OVS_MultiNode/OpenStack_Grizzly_Install_Guide.rst I wanted to create tenant network when I got this error: quantum net-create --tenant-id 1f9305114a554a89b02e5fcc786f8175 net_blabla [Errno 111] Connection refused So I started investigation and as I can see keystone network endpoint doesn't listen anywhere netstat output: http://pastebin.com/p44SjK2R keystone endpoint-list output: http://pastebin.com/a7ZFn8cX As I can see, the network endpoint in keystone database exists but doesnt start up. There is no error in keystone log file, or anywhere. I tried reboot, but for now I'm out of idea. Anybody? Thanks! Rusty ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp
Re: [Openstack] Keystone JSON format access control policy
The JSON approach is rather arbitrary; keystone has an API to manage publish policy blobs of any format (/v3/policies), and the policy engines themselves are completely pluggable. I don't think there's anything preventing a deployment from implementing an XACML based policy solution (if there is a blocker to using XACML, it's certainly a bug). -Dolph On Mon, Apr 29, 2013 at 4:50 AM, Xiangjun Qian xiangjunq...@gmail.comwrote: Hi everyone, I'm currently looking at access control mechanisms of OpenStack and finding that the access control policy is specified using JSON format. I'm wondering why we do not adopt an XML based approach like XACML, is it because of the performance problem, or we just choose JSON as it's simple? Thank you very much for your feedback. Best Regards, -- Xiangjun ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp
Re: [Openstack] Keystone Grizzly install
What happens when you run keystone-all directly? -Dolph On Wed, Apr 24, 2013 at 4:23 PM, Viktor Viking viktor.viking...@gmail.comwrote: Community, I am trying to install Keystone Grizzly following these instructions: http://docs.openstack.org/trunk/openstack-compute/install/yum/content/install-keystone.html When I try to start the service (before db sync), I get the following error message: Starting keytonestartproc: exit status of parent of /usr/bin/keystone-all 1 failed. /var/log/keystone/keystone.log is not giving me any clue wrt what is wrong. Could anyone let me know where to look? Viktor ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp
Re: [Openstack] Keystone Identity based notifications
Yes, we've had a few small conversations about it at the summit (don't have an actual session scheduled on the issue, though, nor any registered blueprints). It would be my preferred approach to resolve bugs like this one, which is one of our longest standing and highest priority issues. https://bugs.launchpad.net/keystone/+bug/967832 I'd be eager to hear broader feedback on the issue. -Dolph On Wed, Apr 17, 2013 at 4:16 AM, boden bo...@linux.vnet.ibm.com wrote: All, From an upper level management stack perspective, has anyone else seen the need for AMQP based notifications from Keystone identity and/or heard of any activity in this space? For example, similar to nova's notification system ( https://wiki.openstack.org/**wiki/SystemUsageDatahttps://wiki.openstack.org/wiki/SystemUsageDatabased on https://wiki.openstack.org/**wiki/NotificationSystemhttps://wiki.openstack.org/wiki/NotificationSystem), but for events such as user/role/project/domain CRUD? I've come across this requirement a few times now, but have not turned up any hits via google-foo. Thanks __**_ Mailing list: https://launchpad.net/~**openstackhttps://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~**openstackhttps://launchpad.net/~openstack More help : https://help.launchpad.net/**ListHelphttps://help.launchpad.net/ListHelp ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp
Re: [Openstack] Keystone Woes
Short answer: yes. There are two types of token_format options available, PKI and UUID. UUID tokens result in increased network chatter as they must be validated remotely, whereas PKI tokens are big, self-signed, and can be validated offline. You can choose which format you'd like by setting keystone.conf [TOKEN] token_format (PKI is the default). On Saturday, April 13, 2013, Daniel Ellison wrote: On 2013-04-13, at 5:24 PM, Dolph Mathews dolph.math...@gmail.comjavascript:; wrote: Hmm, well it looks like you already have debug enabled, which is indicating that the username + password combination is bad (if debug was disabled, you'd get a much more opaque error message). The tenant name you specified would not have been checked yet. If 'admin' appears in your keystone user-list, then the password is definitely wrong. Success! I deleted the admin user and then recreated it using a new, unique password. I removed OS_SERVICE_TOKEN and OS_SERVICE_ENDPOINT from my environment. Then I did 'keystone token-get' and got a proper response! Thanks so much for the suggestion, Dolph. One further question: Is the id part of the received token supposed to be ridiculously long? I got an id that is 836 characters long! The examples in Verifying the Identity Service Installation are the same length as the user_id: 32 characters. I just want to be sure everything is working as it should. Thanks, Daniel -- -Dolph ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp
Re: [Openstack] Keystone Woes
It looks like you're doing everything correctly, except OS_PASSWORD is *NOT* the same thing as the static admin_token in keystone.conf. Passwords are user-specific attributes created using the --pass argument on user-create for example. You may have set it to be the same as keystone.conf's admin_token, but I necessarily wouldn't recommend that. If you don't know what your password was, you probably need to delete your admin user and recreate it with a known password, and then grant it your admin role again. -Dolph On Sat, Apr 13, 2013 at 12:13 PM, Daniel Ellison dan...@syrinx.net wrote: Hi all, I joined this list just now to solve a particular problem, but once I'm past this I hope to be giving back to the community. I have spent the past week trying to get Keystone installed and configured properly. I want to show a running OpenStack to my manager for a proof of concept I want to build, so I'm installing everything on a server which has a public IP. I don't have more servers, so I'm attempting to install everything on one machine. (Yes, I have a good firewall in place on which I have yet to open Keystone's ports. But I have the same issue with or without a firewall.) The server's OS is Ubuntu 12.04. I'm attempting to install the 'grizzly' release. MySQL is there, and I'm using this as a connection string: connection = mysql://keystone:openstack@204.187.138.2/keystone I have my own admin token set. I used the endpoints.sh and keystone_data.sh scripts to set up the database. Yes, I restarted the keystone service. :) I even went through the same process manually to make sure everything was in place. I logged into MySQL and poked around but everything seemed ok. Using the 'keystone' Python client on the server itself I can successfully execute user-list, endpoint-list, user-get, etc. But when I try to get a token with 'keystone token-get' I get: Configuration error: Client configured to run without a service catalog. Run the client using --os-auth-url or OS_AUTH_URL, instead of --os-endpoint or OS_SERVICE_ENDPOINT, for example. My environment contains: export OS_TENANT_NAME=admin export OS_USERNAME=admin export OS_PASSWORD=admin_token export OS_AUTH_URL=http://204.187.138.2:5000/v2.0/; export OS_SERVICE_ENDPOINT=http://204.187.138.2:35357/v2.0; export OS_SERVICE_TOKEN=admin_token When I unset OS_SERVICE_ENDPOINT and OS_SERVICE_TOKEN (because I read somewhere these two are used as a pair) and execute keystone --os-username=admin --os-password=admin_token --os-auth-url= http://204.187.138.2:5000/v2.0 token-get I get this in response: Unable to communicate with identity service: {error: {message: Invalid user / password, code: 401, title: Not Authorized}}. (HTTP 401) I've tried a seemingly infinite combination of usernames, passwords, tenants, etc. and nothing has worked. If someone could point me in the right direction I'd be very grateful. I'll answer any questions needed to get past this point. Thanks in advance, Daniel ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp
Re: [Openstack] [Folfsom][Cinder] cinder list ERROR: Malformed request url (HTTP 400)
There's a backslash in your endpoints and a stray closing paren at the end: http://192.168.122.215:8776/v1/$(tenant_id)s) Keystone supports two formats here so you don't have to try and escape anything. Recreate your endpoints with whichever one of the following you prefer: http://192.168.122.215:8776/v1/$(tenant_id)shttp://192.168.122.215:8776/v1/%5C$(tenant_id)s http://192.168.122.215:8776/v1/%(tenant_id)shttp://192.168.122.215:8776/v1/%5C$(tenant_id)s -Dolph On Fri, Apr 5, 2013 at 7:58 AM, Arindam Choudhury arin...@live.com wrote: [(keystone_user)]$ cinder --debug list connect: (158.109.65.21, 5000) send: 'POST /v2.0/tokens HTTP/1.1\r\nHost: 158.109.65.21:5000\r\nContent-Length: 97\r\ncontent-type: application/json\r\naccept-encoding: gzip, deflate\r\naccept: application/json\r\nuser-agent: python-cinderclient\r\n\r\n{auth: {tenantName: user, passwordCredentials: {username: user, password: user}}}' reply: 'HTTP/1.1 200 OK\r\n' header: Vary: X-Auth-Token header: Content-Type: application/json header: Date: Fri, 05 Apr 2013 11:26:46 GMT header: Transfer-Encoding: chunked connect: (158.109.65.21, 8776) send: u'GET /v1/\\e50f4b99747849bfade38bc8a7734731)/volumes/detail HTTP/1.1\r\nHost: 158.109.65.21:8776\r\nx-auth-project-id: user\r\nx-auth-token: a0712823eddc42b6b73dab6ae0a88097\r\naccept-encoding: gzip, deflate\r\naccept: application/json\r\nuser-agent: python-cinderclient\r\n\r\n' reply: 'HTTP/1.1 400 Bad Request\r\n' header: Content-Length: 65 header: Content-Type: application/json; charset=UTF-8 header: X-Compute-Request-Id: req-3f84bc89-e5a0-47f7-b5b1-b1a9e4293eba header: Date: Fri, 05 Apr 2013 11:26:46 GMT DEBUG (shell:480) Malformed request url (HTTP 400) (Request-ID: req-3f84bc89-e5a0-47f7-b5b1-b1a9e4293eba) Traceback (most recent call last): File /usr/lib/python2.7/site-packages/cinderclient/shell.py, line 477, in main OpenStackCinderShell().main(sys.argv[1:]) File /usr/lib/python2.7/site-packages/cinderclient/shell.py, line 428, in main args.func(self.cs, args) File /usr/lib/python2.7/site-packages/cinderclient/v1/shell.py, line 143, in do_list volumes = cs.volumes.list(search_opts=search_opts) File /usr/lib/python2.7/site-packages/cinderclient/v1/volumes.py, line 184, in list volumes) File /usr/lib/python2.7/site-packages/cinderclient/base.py, line 63, in _list resp, body = self.api.client.get(url) File /usr/lib/python2.7/site-packages/cinderclient/client.py, line 162, in get return self._cs_request(url, 'GET', **kwargs) File /usr/lib/python2.7/site-packages/cinderclient/client.py, line 131, in _cs_request **kwargs) File /usr/lib/python2.7/site-packages/cinderclient/client.py, line 114, in request raise exceptions.from_response(resp, body) BadRequest: Malformed request url (HTTP 400) (Request-ID: req-3f84bc89-e5a0-47f7-b5b1-b1a9e4293eba) ERROR: Malformed request url (HTTP 400) (Request-ID: req-3f84bc89-e5a0-47f7-b5b1-b1a9e4293eba) [(keystone_user)]$ -- From: arin...@live.com To: openstack@lists.launchpad.net Date: Fri, 5 Apr 2013 12:29:20 +0200 Subject: [Openstack] [Folfsom][Cinder] cinder list ERROR: Malformed request url (HTTP 400) Hi, I am trying to install OpenStack Folsom on Fedora 18. So far I have installed: $ openstack-status == Glance services == openstack-glance-api: active openstack-glance-registry:active == Keystone service == openstack-keystone: active == Cinder services == openstack-cinder-api: active openstack-cinder-scheduler: active openstack-cinder-volume: active == Support services == libvirtd: active tgtd: active qpidd:active memcached:inactive (disabled on boot) When I tried to run cinder list, I get this error: [(keystone_user)]$ cinder list ERROR: Malformed request url (HTTP 400) (Request-ID: req-3692a984-8750-47a5-a673-1db9d5fd217a) The instructons I have followed are as follows: # yum install openstack-cinder -y # openstack-db --init --service cinder # openstack-config --set /etc/cinder/cinder.conf DEFAULT auth_strategy keystone # openstack-config --set /etc/cinder/cinder.conf keystone_authtoken admin_tenant_name admin # openstack-config --set /etc/cinder/cinder.conf keystone_authtoken admin_user admin # openstack-config --set /etc/cinder/cinder.conf keystone_authtoken admin_password admin # grep -q /etc/cinder/volumes /etc/tgt/targets.conf || sed -i '1iinclude /etc/cinder/volumes/*' /etc/tgt/targets.conf # service tgtd start # chkconfig tgtd on # truncate --size 20G ~/cinder-volumes # losetup -fv ~/cinder-volumes # vgcreate cinder-volumes /dev/loop0 No physical volume label read from /dev/loop0 Physical volume /dev/loop0 successfully created Volume group cinder-volumes successfully created # vgdisplay
Re: [Openstack] error configuring keystone
An OS_SERVICE_ENDPOINT and/or OS_SERVICE_TOKEN are defined in your environment, and are taking precedence over the credentials you're providing on the command line -- I'm not a fan of this behavior myself :( unset the endpoint token from env, and token-get should behave as expected. -Dolph On Tue, Apr 2, 2013 at 10:24 AM, Arindam Choudhury arin...@live.com wrote: Hi, I am new to OpenStack. I am trying to install OpenStack Folsom on Fedora 18. I am following the online documentation. I am getting this error while configuring keystone: [root@XX ~]# keystone --os-username=admin --os-password=admin --os-auth-url=http://XX:35357/v2.0 token-get WARNING: Bypassing authentication using a token endpoint (authentication credentials are being ignored). Configuration error: Client configured to run without a service catalog. Run the client using --os-auth-url or OS_AUTH_URL, instead of --os-endpoint or OS_SERVICE_ENDPOINT, for example. any help will be highly appreciated. [root@XX ~]# keystone tenant-list +--+-+-+ |id| name| enabled | +--+-+-+ | d9e967e6a5eb424e81831a728a5347ca | admintenant | True | | f0c5c0dc38d8411ab07059c4051d98e4 | service | True | +--+-+-+ [root@XX ~]# keystone user-list +--++-+---+ |id| name | enabled | email | +--++-+---+ | 28284c04ac6f4782b09fb7c662ce5a80 | glance | True | | | 99c6a8b376ca4b6fa9c3e3dad37271d7 | nova | True | | | a8d5cc5b899e4c7f90db6f50d6d46491 | admin | True | | | db3ff8a6cbaa465d8dbee7c7868ae897 | swift | True | | +--++-+---+ [root@XX ~]# keystone role-list +--+---+ |id| name | +--+---+ | 2fd4d8c89f9645eeb43809b219622d97 | admin | +--+---+ [root@XX ~]# keystone user-role-list --user-id=a8d5cc5b899e4c7f90db6f50d6d46491 --tenant-id=d9e967e6a5eb424e81831a728a5347ca +--+---+--+--+ |id| name | user_id |tenant_id | +--+---+--+--+ | 2fd4d8c89f9645eeb43809b219622d97 | admin | a8d5cc5b899e4c7f90db6f50d6d46491 | d9e967e6a5eb424e81831a728a5347ca | +--+---+--+--+ [root@XX ~]# keystone service-list +--+--+--++ |id| name | type | description | +--+--+--++ | 043f8c23d9234618830623375aacfedb | glance |image | Image Service | | 49f4a54da885427d8b0c729030d4dcc9 | nova | compute|Compute Service | | 9cf4dbfce836418c96f6af9e2bcf52ee | swift | object-store | Object Storage Service | | c8c454fe1bb44e87bdfd6a203575ee47 | keystone | identity |Identity Service| | f66987f86728440f85e69f9a019cc362 | volume |volume| Volume Service | +--+--+--++ [root@XX ~]# keystone endpoint-list +--+---+-+-++--+ |id| region | publicurl| internalurl | adminurl |service_id| +--+---+-+-++--+ | 2df0b5bc99e44b1fae152b561b97455e | RegionOne |http://XX:9292 |http://XX:9292| http://XX:9292 | 043f8c23d9234618830623375aacfedb | | 35e6cc4cfc2b4b2d91c268e6a8d6a650 | RegionOne | http://XX:/v1/AUTH_%(tenant_id)s | http://XX:/v1/AUTH_%(tenant_id)s |http://XX:/v1| 9cf4dbfce836418c96f6af9e2bcf52ee | | 3bae160b577a46bd8dc7d6b732e22b36 | RegionOne | http://XX:8774/v2/%(tenant_id)s |http://XX:8774/v2/%(tenant_id)s | http://XX:8774/v2/%(tenant_id)s |
Re: [Openstack] Keystone Too Many Connections Problem
I'm attempting to reproduce this now (haven't been successful with PKI + sqlite on disk), but in the meantime I opened a bug on this issue for tracking: https://bugs.launchpad.net/keystone/+bug/1162845 -Dolph On Fri, Mar 29, 2013 at 1:35 PM, Miller, Mark M (EB SW Cloud - RD - Corvallis) mark.m.mil...@hp.com wrote: Hi, ** ** I have a loop that gets PKI tokens from Keystone (RC2). After about 116 loops I get the following error and have to reset Keystone to continue. Has anyone else run into this? ** ** Thanks, ** ** Mark ** ** (keystone.auth.controllers): 2013-03-29 11:14:01,274 ERROR (OperationalError) (1040, 'Too many connections') None None Traceback (most recent call last): File /usr/local/lib/python2.7/dist-packages/keystone-2013.1.rc2-py2.7.egg/keystone/auth/controllers.py, line 286, in authenticate_for_token self.authenticate(context, auth_info, auth_context) File /usr/local/lib/python2.7/dist-packages/keystone-2013.1.rc2-py2.7.egg/keystone/auth/controllers.py, line 352, in authenticate auth_context) File /usr/local/lib/python2.7/dist-packages/keystone-2013.1.rc2-py2.7.egg/keystone/auth/plugins/password.py, line 108, in authenticate user_info = UserAuthInfo(context, auth_payload) File /usr/local/lib/python2.7/dist-packages/keystone-2013.1.rc2-py2.7.egg/keystone/auth/plugins/password.py, line 36, in __init__ self._validate_and_normalize_auth_data(auth_payload) File /usr/local/lib/python2.7/dist-packages/keystone-2013.1.rc2-py2.7.egg/keystone/auth/plugins/password.py, line 87, in _validate_and_normalize_auth_data domain_ref = self._lookup_domain(user_info['domain']) File /usr/local/lib/python2.7/dist-packages/keystone-2013.1.rc2-py2.7.egg/keystone/auth/plugins/password.py, line 60, in _lookup_domain context=self.context, domain_name=domain_name) File /usr/local/lib/python2.7/dist-packages/keystone-2013.1.rc2-py2.7.egg/keystone/common/manager.py, line 47, in _wrapper return f(*args, **kw) File /usr/local/lib/python2.7/dist-packages/keystone-2013.1.rc2-py2.7.egg/keystone/common/sql/core.py, line 272, in wrapper return method(*args, **kwargs) File /usr/local/lib/python2.7/dist-packages/keystone-2013.1.rc2-py2.7.egg/keystone/identity/backends/sql.py, line 589, in get_domain_by_name ref = session.query(Domain).filter_by(name=domain_name).one() File /usr/local/lib/python2.7/dist-packages/SQLAlchemy-0.7.9-py2.7-linux-x86_64.egg/sqlalchemy/orm/query.py, line 2184, in one ret = list(self) File /usr/local/lib/python2.7/dist-packages/SQLAlchemy-0.7.9-py2.7-linux-x86_64.egg/sqlalchemy/orm/query.py, line 2227, in __iter__ return self._execute_and_instances(context) File /usr/local/lib/python2.7/dist-packages/SQLAlchemy-0.7.9-py2.7-linux-x86_64.egg/sqlalchemy/orm/query.py, line 2240, in _execute_and_instances close_with_result=True) File /usr/local/lib/python2.7/dist-packages/SQLAlchemy-0.7.9-py2.7-linux-x86_64.egg/sqlalchemy/orm/query.py, line 2231, in _connection_from_session **kw) File /usr/local/lib/python2.7/dist-packages/SQLAlchemy-0.7.9-py2.7-linux-x86_64.egg/sqlalchemy/orm/session.py, line 777, in connection close_with_result=close_with_result) File /usr/local/lib/python2.7/dist-packages/SQLAlchemy-0.7.9-py2.7-linux-x86_64.egg/sqlalchemy/orm/session.py, line 783, in _connection_for_bind return engine.contextual_connect(**kwargs) File /usr/local/lib/python2.7/dist-packages/SQLAlchemy-0.7.9-py2.7-linux-x86_64.egg/sqlalchemy/engine/base.py, line 2489, in contextual_connect self.pool.connect(), File /usr/local/lib/python2.7/dist-packages/SQLAlchemy-0.7.9-py2.7-linux-x86_64.egg/sqlalchemy/pool.py, line 236, in connect return _ConnectionFairy(self).checkout() File /usr/local/lib/python2.7/dist-packages/SQLAlchemy-0.7.9-py2.7-linux-x86_64.egg/sqlalchemy/pool.py, line 401, in __init__ rec = self._connection_record = pool._do_get() File /usr/local/lib/python2.7/dist-packages/SQLAlchemy-0.7.9-py2.7-linux-x86_64.egg/sqlalchemy/pool.py, line 746, in _do_get con = self._create_connection() File /usr/local/lib/python2.7/dist-packages/SQLAlchemy-0.7.9-py2.7-linux-x86_64.egg/sqlalchemy/pool.py, line 189, in _create_connection return _ConnectionRecord(self) File /usr/local/lib/python2.7/dist-packages/SQLAlchemy-0.7.9-py2.7-linux-x86_64.egg/sqlalchemy/pool.py, line 282, in __init__ self.connection = self.__connect() File /usr/local/lib/python2.7/dist-packages/SQLAlchemy-0.7.9-py2.7-linux-x86_64.egg/sqlalchemy/pool.py, line 344, in __connect connection = self.__pool._creator() File
Re: [Openstack] Keystone Too Many Connections Problem
I also opened bug 1162857, which produces a slightly different symptom with a different configuration (sqlite), but may share the same underlying cause. -Dolph On Mon, Apr 1, 2013 at 10:26 AM, Dolph Mathews dolph.math...@gmail.comwrote: I'm attempting to reproduce this now (haven't been successful with PKI + sqlite on disk), but in the meantime I opened a bug on this issue for tracking: https://bugs.launchpad.net/keystone/+bug/1162845 -Dolph On Fri, Mar 29, 2013 at 1:35 PM, Miller, Mark M (EB SW Cloud - RD - Corvallis) mark.m.mil...@hp.com wrote: Hi, ** ** I have a loop that gets PKI tokens from Keystone (RC2). After about 116 loops I get the following error and have to reset Keystone to continue. Has anyone else run into this? ** ** Thanks, ** ** Mark ** ** (keystone.auth.controllers): 2013-03-29 11:14:01,274 ERROR (OperationalError) (1040, 'Too many connections') None None Traceback (most recent call last): File /usr/local/lib/python2.7/dist-packages/keystone-2013.1.rc2-py2.7.egg/keystone/auth/controllers.py, line 286, in authenticate_for_token self.authenticate(context, auth_info, auth_context) File /usr/local/lib/python2.7/dist-packages/keystone-2013.1.rc2-py2.7.egg/keystone/auth/controllers.py, line 352, in authenticate auth_context) File /usr/local/lib/python2.7/dist-packages/keystone-2013.1.rc2-py2.7.egg/keystone/auth/plugins/password.py, line 108, in authenticate user_info = UserAuthInfo(context, auth_payload) File /usr/local/lib/python2.7/dist-packages/keystone-2013.1.rc2-py2.7.egg/keystone/auth/plugins/password.py, line 36, in __init__ self._validate_and_normalize_auth_data(auth_payload) File /usr/local/lib/python2.7/dist-packages/keystone-2013.1.rc2-py2.7.egg/keystone/auth/plugins/password.py, line 87, in _validate_and_normalize_auth_data domain_ref = self._lookup_domain(user_info['domain']) File /usr/local/lib/python2.7/dist-packages/keystone-2013.1.rc2-py2.7.egg/keystone/auth/plugins/password.py, line 60, in _lookup_domain context=self.context, domain_name=domain_name) File /usr/local/lib/python2.7/dist-packages/keystone-2013.1.rc2-py2.7.egg/keystone/common/manager.py, line 47, in _wrapper return f(*args, **kw) File /usr/local/lib/python2.7/dist-packages/keystone-2013.1.rc2-py2.7.egg/keystone/common/sql/core.py, line 272, in wrapper return method(*args, **kwargs) File /usr/local/lib/python2.7/dist-packages/keystone-2013.1.rc2-py2.7.egg/keystone/identity/backends/sql.py, line 589, in get_domain_by_name ref = session.query(Domain).filter_by(name=domain_name).one() File /usr/local/lib/python2.7/dist-packages/SQLAlchemy-0.7.9-py2.7-linux-x86_64.egg/sqlalchemy/orm/query.py, line 2184, in one ret = list(self) File /usr/local/lib/python2.7/dist-packages/SQLAlchemy-0.7.9-py2.7-linux-x86_64.egg/sqlalchemy/orm/query.py, line 2227, in __iter__ return self._execute_and_instances(context) File /usr/local/lib/python2.7/dist-packages/SQLAlchemy-0.7.9-py2.7-linux-x86_64.egg/sqlalchemy/orm/query.py, line 2240, in _execute_and_instances close_with_result=True) File /usr/local/lib/python2.7/dist-packages/SQLAlchemy-0.7.9-py2.7-linux-x86_64.egg/sqlalchemy/orm/query.py, line 2231, in _connection_from_session **kw) File /usr/local/lib/python2.7/dist-packages/SQLAlchemy-0.7.9-py2.7-linux-x86_64.egg/sqlalchemy/orm/session.py, line 777, in connection close_with_result=close_with_result) File /usr/local/lib/python2.7/dist-packages/SQLAlchemy-0.7.9-py2.7-linux-x86_64.egg/sqlalchemy/orm/session.py, line 783, in _connection_for_bind return engine.contextual_connect(**kwargs) File /usr/local/lib/python2.7/dist-packages/SQLAlchemy-0.7.9-py2.7-linux-x86_64.egg/sqlalchemy/engine/base.py, line 2489, in contextual_connect self.pool.connect(), File /usr/local/lib/python2.7/dist-packages/SQLAlchemy-0.7.9-py2.7-linux-x86_64.egg/sqlalchemy/pool.py, line 236, in connect return _ConnectionFairy(self).checkout() File /usr/local/lib/python2.7/dist-packages/SQLAlchemy-0.7.9-py2.7-linux-x86_64.egg/sqlalchemy/pool.py, line 401, in __init__ rec = self._connection_record = pool._do_get() File /usr/local/lib/python2.7/dist-packages/SQLAlchemy-0.7.9-py2.7-linux-x86_64.egg/sqlalchemy/pool.py, line 746, in _do_get con = self._create_connection() File /usr/local/lib/python2.7/dist-packages/SQLAlchemy-0.7.9-py2.7-linux-x86_64.egg/sqlalchemy/pool.py, line 189, in _create_connection return _ConnectionRecord(self) File /usr/local/lib/python2.7/dist-packages/SQLAlchemy-0.7.9-py2.7-linux-x86_64.egg/sqlalchemy/pool.py, line 282, in __init__ self.connection = self.__connect
Re: [Openstack] Keystone Too Many Connections Problem
Mark, Which token driver are you using? -Dolph On Mon, Apr 1, 2013 at 10:49 AM, Dolph Mathews dolph.math...@gmail.comwrote: I also opened bug 1162857, which produces a slightly different symptom with a different configuration (sqlite), but may share the same underlying cause. -Dolph On Mon, Apr 1, 2013 at 10:26 AM, Dolph Mathews dolph.math...@gmail.comwrote: I'm attempting to reproduce this now (haven't been successful with PKI + sqlite on disk), but in the meantime I opened a bug on this issue for tracking: https://bugs.launchpad.net/keystone/+bug/1162845 -Dolph On Fri, Mar 29, 2013 at 1:35 PM, Miller, Mark M (EB SW Cloud - RD - Corvallis) mark.m.mil...@hp.com wrote: Hi, ** ** I have a loop that gets PKI tokens from Keystone (RC2). After about 116 loops I get the following error and have to reset Keystone to continue. Has anyone else run into this? ** ** Thanks, ** ** Mark ** ** (keystone.auth.controllers): 2013-03-29 11:14:01,274 ERROR (OperationalError) (1040, 'Too many connections') None None Traceback (most recent call last): File /usr/local/lib/python2.7/dist-packages/keystone-2013.1.rc2-py2.7.egg/keystone/auth/controllers.py, line 286, in authenticate_for_token self.authenticate(context, auth_info, auth_context) File /usr/local/lib/python2.7/dist-packages/keystone-2013.1.rc2-py2.7.egg/keystone/auth/controllers.py, line 352, in authenticate auth_context) File /usr/local/lib/python2.7/dist-packages/keystone-2013.1.rc2-py2.7.egg/keystone/auth/plugins/password.py, line 108, in authenticate user_info = UserAuthInfo(context, auth_payload) File /usr/local/lib/python2.7/dist-packages/keystone-2013.1.rc2-py2.7.egg/keystone/auth/plugins/password.py, line 36, in __init__ self._validate_and_normalize_auth_data(auth_payload) File /usr/local/lib/python2.7/dist-packages/keystone-2013.1.rc2-py2.7.egg/keystone/auth/plugins/password.py, line 87, in _validate_and_normalize_auth_data domain_ref = self._lookup_domain(user_info['domain']) File /usr/local/lib/python2.7/dist-packages/keystone-2013.1.rc2-py2.7.egg/keystone/auth/plugins/password.py, line 60, in _lookup_domain context=self.context, domain_name=domain_name) File /usr/local/lib/python2.7/dist-packages/keystone-2013.1.rc2-py2.7.egg/keystone/common/manager.py, line 47, in _wrapper return f(*args, **kw) File /usr/local/lib/python2.7/dist-packages/keystone-2013.1.rc2-py2.7.egg/keystone/common/sql/core.py, line 272, in wrapper return method(*args, **kwargs) File /usr/local/lib/python2.7/dist-packages/keystone-2013.1.rc2-py2.7.egg/keystone/identity/backends/sql.py, line 589, in get_domain_by_name ref = session.query(Domain).filter_by(name=domain_name).one() File /usr/local/lib/python2.7/dist-packages/SQLAlchemy-0.7.9-py2.7-linux-x86_64.egg/sqlalchemy/orm/query.py, line 2184, in one ret = list(self) File /usr/local/lib/python2.7/dist-packages/SQLAlchemy-0.7.9-py2.7-linux-x86_64.egg/sqlalchemy/orm/query.py, line 2227, in __iter__ return self._execute_and_instances(context) File /usr/local/lib/python2.7/dist-packages/SQLAlchemy-0.7.9-py2.7-linux-x86_64.egg/sqlalchemy/orm/query.py, line 2240, in _execute_and_instances close_with_result=True) File /usr/local/lib/python2.7/dist-packages/SQLAlchemy-0.7.9-py2.7-linux-x86_64.egg/sqlalchemy/orm/query.py, line 2231, in _connection_from_session **kw) File /usr/local/lib/python2.7/dist-packages/SQLAlchemy-0.7.9-py2.7-linux-x86_64.egg/sqlalchemy/orm/session.py, line 777, in connection close_with_result=close_with_result) File /usr/local/lib/python2.7/dist-packages/SQLAlchemy-0.7.9-py2.7-linux-x86_64.egg/sqlalchemy/orm/session.py, line 783, in _connection_for_bind return engine.contextual_connect(**kwargs) File /usr/local/lib/python2.7/dist-packages/SQLAlchemy-0.7.9-py2.7-linux-x86_64.egg/sqlalchemy/engine/base.py, line 2489, in contextual_connect self.pool.connect(), File /usr/local/lib/python2.7/dist-packages/SQLAlchemy-0.7.9-py2.7-linux-x86_64.egg/sqlalchemy/pool.py, line 236, in connect return _ConnectionFairy(self).checkout() File /usr/local/lib/python2.7/dist-packages/SQLAlchemy-0.7.9-py2.7-linux-x86_64.egg/sqlalchemy/pool.py, line 401, in __init__ rec = self._connection_record = pool._do_get() File /usr/local/lib/python2.7/dist-packages/SQLAlchemy-0.7.9-py2.7-linux-x86_64.egg/sqlalchemy/pool.py, line 746, in _do_get con = self._create_connection() File /usr/local/lib/python2.7/dist-packages/SQLAlchemy-0.7.9-py2.7-linux-x86_64.egg/sqlalchemy/pool.py, line 189, in _create_connection return _ConnectionRecord(self) File /usr/local/lib/python2.7/dist
Re: [Openstack] Keystone Too Many Connections Problem
Thanks! I was able to reproduce and I've proposed a fix to both master and grizzly. master- https://review.openstack.org/#/c/25831/ grizzly- https://review.openstack.org/#/c/25833/ If you can verify this patch on your system, that would be really helpful. -Dolph On Mon, Apr 1, 2013 at 1:57 PM, Miller, Mark M (EB SW Cloud - RD - Corvallis) mark.m.mil...@hp.com wrote: Dolph, ** ** [token] driver = keystone.token.backends.sql.Token ** ** # Amount of time a token should remain valid (in seconds) expiration = 86400 ** ** I get the same results for either UUID or PKI tokens. ** ** Mark ** ** *From:* Dolph Mathews [mailto:dolph.math...@gmail.com] *Sent:* Monday, April 01, 2013 11:56 AM *To:* Miller, Mark M (EB SW Cloud - RD - Corvallis) *Cc:* openstack@lists.launchpad.net *Subject:* Re: [Openstack] Keystone Too Many Connections Problem ** ** Mark, ** ** Which token driver are you using? ** ** -Dolph ** ** On Mon, Apr 1, 2013 at 10:49 AM, Dolph Mathews dolph.math...@gmail.com wrote: I also opened bug 1162857, which produces a slightly different symptom with a different configuration (sqlite), but may share the same underlying cause. ** ** -Dolph ** ** On Mon, Apr 1, 2013 at 10:26 AM, Dolph Mathews dolph.math...@gmail.com wrote: I'm attempting to reproduce this now (haven't been successful with PKI + sqlite on disk), but in the meantime I opened a bug on this issue for tracking: ** ** https://bugs.launchpad.net/keystone/+bug/1162845 ** ** -Dolph ** ** On Fri, Mar 29, 2013 at 1:35 PM, Miller, Mark M (EB SW Cloud - RD - Corvallis) mark.m.mil...@hp.com wrote: Hi, I have a loop that gets PKI tokens from Keystone (RC2). After about 116 loops I get the following error and have to reset Keystone to continue. Has anyone else run into this? Thanks, Mark (keystone.auth.controllers): 2013-03-29 11:14:01,274 ERROR (OperationalError) (1040, 'Too many connections') None None Traceback (most recent call last): File /usr/local/lib/python2.7/dist-packages/keystone-2013.1.rc2-py2.7.egg/keystone/auth/controllers.py, line 286, in authenticate_for_token self.authenticate(context, auth_info, auth_context) File /usr/local/lib/python2.7/dist-packages/keystone-2013.1.rc2-py2.7.egg/keystone/auth/controllers.py, line 352, in authenticate auth_context) File /usr/local/lib/python2.7/dist-packages/keystone-2013.1.rc2-py2.7.egg/keystone/auth/plugins/password.py, line 108, in authenticate user_info = UserAuthInfo(context, auth_payload) File /usr/local/lib/python2.7/dist-packages/keystone-2013.1.rc2-py2.7.egg/keystone/auth/plugins/password.py, line 36, in __init__ self._validate_and_normalize_auth_data(auth_payload) File /usr/local/lib/python2.7/dist-packages/keystone-2013.1.rc2-py2.7.egg/keystone/auth/plugins/password.py, line 87, in _validate_and_normalize_auth_data domain_ref = self._lookup_domain(user_info['domain']) File /usr/local/lib/python2.7/dist-packages/keystone-2013.1.rc2-py2.7.egg/keystone/auth/plugins/password.py, line 60, in _lookup_domain context=self.context, domain_name=domain_name) File /usr/local/lib/python2.7/dist-packages/keystone-2013.1.rc2-py2.7.egg/keystone/common/manager.py, line 47, in _wrapper return f(*args, **kw) File /usr/local/lib/python2.7/dist-packages/keystone-2013.1.rc2-py2.7.egg/keystone/common/sql/core.py, line 272, in wrapper return method(*args, **kwargs) File /usr/local/lib/python2.7/dist-packages/keystone-2013.1.rc2-py2.7.egg/keystone/identity/backends/sql.py, line 589, in get_domain_by_name ref = session.query(Domain).filter_by(name=domain_name).one() File /usr/local/lib/python2.7/dist-packages/SQLAlchemy-0.7.9-py2.7-linux-x86_64.egg/sqlalchemy/orm/query.py, line 2184, in one ret = list(self) File /usr/local/lib/python2.7/dist-packages/SQLAlchemy-0.7.9-py2.7-linux-x86_64.egg/sqlalchemy/orm/query.py, line 2227, in __iter__ return self._execute_and_instances(context) File /usr/local/lib/python2.7/dist-packages/SQLAlchemy-0.7.9-py2.7-linux-x86_64.egg/sqlalchemy/orm/query.py, line 2240, in _execute_and_instances close_with_result=True) File /usr/local/lib/python2.7/dist-packages/SQLAlchemy-0.7.9-py2.7-linux-x86_64.egg/sqlalchemy/orm/query.py, line 2231, in _connection_from_session **kw) File /usr/local/lib/python2.7/dist-packages/SQLAlchemy-0.7.9-py2.7-linux-x86_64.egg/sqlalchemy/orm/session.py, line 777, in connection close_with_result=close_with_result) File /usr/local/lib/python2.7/dist-packages/SQLAlchemy-0.7.9-py2.7-linux-x86_64.egg/sqlalchemy/orm/session.py, line 783
Re: [Openstack] Keystone Grizzly RC2 available
It wasn't proposed for backporting nor did jenkins link the bug to the review: Review: https://review.openstack.org/#/c/24965/ Bug: https://bugs.launchpad.net/keystone/+bug/1159987 Commit: https://github.com/openstack/keystone/commit/2f0c46179ea2eb7872167941412bdbd5abca08f0 I tagged the bug as grizzly-backport-potential as it's certainly low impact and desirable. -Dolph On Thu, Mar 28, 2013 at 2:40 PM, Brad Topol bto...@us.ibm.com wrote: Andy, Was there a blueprint for this function? Can I get the review ID? I am very interested in the notion of custom token creation. Thanks, Brad Brad Topol, Ph.D. IBM Distinguished Engineer OpenStack (919) 543-0646 Internet: bto...@us.ibm.com Assistant: Cindy Willman (919) 268-5296 From:Andy Smith andys...@gmail.com To:Thierry Carrez thie...@openstack.org Cc:openstack@lists.launchpad.net openstack@lists.launchpad.net Date:03/28/2013 03:27 PM Subject:Re: [Openstack] Keystone Grizzly RC2 available Sent by:openstack-bounces+btopol=us.ibm@lists.launchpad.net -- The change I made to build tokens from existing data (rather than re-querying it all from the db) didn't go in? Without it extensions are not able to build custom tokens (meaning just about any extension that wants to do something with auth is not possible). On Thu, Mar 28, 2013 at 2:34 AM, Thierry Carrez *thie...@openstack.org*thie...@openstack.org wrote: Hello everyone, Due to the renaming of the trust extension and a response backward compatibility issue, we created a new Grizzly release candidate for OpenStack identity (Keystone). You can find the RC2 tarball and the list of fixed bugs at:* **https://launchpad.net/keystone/grizzly/grizzly-rc2*https://launchpad.net/keystone/grizzly/grizzly-rc2 This is hopefully the last Grizzly release candidate for Keystone. Unless new release-critical regressions are found that warrant another release candidate respin, this RC2 will be formally included in the common OpenStack 2013.1 final release next week. You are therefore strongly encouraged to test and validate this tarball. Alternatively, you can grab the code at:* **https://github.com/openstack/keystone/tree/milestone-proposed*https://github.com/openstack/keystone/tree/milestone-proposed If you find a regression that could be considered release-critical, please file it at *https://bugs.launchpad.net/keystone/+filebug*https://bugs.launchpad.net/keystone/+filebugand tag it *grizzly-rc-potential* to bring it to the release crew's attention. Happy regression hunting, -- Thierry Carrez (ttx) Release Manager, OpenStack ___ Mailing list: *https://launchpad.net/~openstack*https://launchpad.net/~openstack Post to : *openstack@lists.launchpad.net*openstack@lists.launchpad.net Unsubscribe : *https://launchpad.net/~openstack*https://launchpad.net/~openstack More help : *https://help.launchpad.net/ListHelp*https://help.launchpad.net/ListHelp ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp
Re: [Openstack] Project quotas on multi-region
Centralized quotas in keystone: http://summit.openstack.org/cfp/details/83 -Dolph On Wed, Mar 27, 2013 at 6:46 AM, Tom Fifield fifie...@unimelb.edu.auwrote: On 24/03/13 23:36, Tim Bell wrote: The Boson project was looking at this sort of problem (https://wiki.openstack.org/wiki/Boson). There is a session at the summit to review this and other activities since it appears quotas are appearing in many projects and there is a clear need for multi-cell and quota delegation (i.e. domain quota manager gives sub-sections to project quota managers). This sort of function is quite complex to implement and consistency of implementation would be strongly desirable. Indeed. Cells right now supports the centralised quotas that Glaucimar needs, but doesn't deal with situations where certain projects have quotas on certain cells. Tim *From:*openstack-bounces+tim.bell=cern...@lists.launchpad.net [mailto:openstack-bounces+tim.bell=cern...@lists.launchpad.net] *On Behalf Of *Nathanael Burton *Sent:* 24 March 2013 02:31 *To:* Aguiar, Glaucimar (Brazil RD-ECL) *Cc:* OpenStack Development Mailing List; openstack@lists.launchpad.net *Subject:* Re: [Openstack] Project quotas on multi-region On Mar 23, 2013 7:59 PM, Aguiar, Glaucimar (Brazil RD-ECL) glaucimar.agu...@hp.com mailto:glaucimar.agu...@hp.com wrote: Hi, In a deployment scenario where one keystone has several regions registered, how the project quota are managed by, as an example, two nova services in two different regions? I am wondering if is it possible to set quota on the project for all regions or this must to be done on a region by region basis which really means a quota for a project in a region. Thanks in advance, Glaucimar Aguiar ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net mailto:openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp Glaucimar, Currently quotas are maintained within each nova system so there is not a global view/management/enforcement of quotas. I would love to see a discussion of centralizing things from nova like key pairs, AZs, and quotas in keystone. Thanks, Nate ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp
Re: [Openstack] Issues with latests trunk
What is the protocol of your sql connection string in keystone.conf? mysql+mysqldb:// ? If so, try changing it to just mysql:// which I think will match what python-mysql installs. http://docs.sqlalchemy.org/en/rel_0_7/core/engines.html#database-urls -Dolph On Tue, Mar 19, 2013 at 6:17 PM, Tyler North tyl...@pistoncloud.com wrote: Avinash, thank you for your response. The python-mysql adapter was installed on the machine, I just tried updating it but still got the same error On Tue, Mar 12, 2013 at 9:29 PM, Prasad, Avinash avinash.pra...@nttdata.com wrote: Hi, Is the MySQL adapter for python isntalled in your machine. Because the error corresponds to th unavailability of the MySQLdb adapter. Kindly have a look into that. Regards, Avinash -- *From:* openstack-bounces+avinash.prasad=nttdata@lists.launchpad.net[openstack-bounces+avinash.prasad= nttdata@lists.launchpad.net] on behalf of Tyler North [ tyl...@pistoncloud.com] *Sent:* Tuesday, March 12, 2013 6:05 PM *To:* openstack@lists.launchpad.net *Subject:* [Openstack] Issues with latests trunk Hey everyone, I'm trying to run the latest version of devstack-trunk( latest commit on git log is: 87387596631602b5f676eae65823b4f0c5c71e66a). Im running it currently on Ubuntu 12.04 and whenever I run ./stack.sh I get the following error: Unable to communicate with identity service: {error: {message: An unexpected error prevented the server from fulfilling your request. No module named MySQLdb, code: 500, title: Internal Server Error}}. (HTTP 500) + KEYSTONE_SERVICE= + keystone endpoint-create --region RegionOne --service_id --publicurl http://10.1.10.231:5000/v2.0 --adminurl http://10.1.10.231:35357/v2.0--internalurl http://10.1.10.231:5000/v2.0 usage: keystone endpoint-create [--region endpoint-region] --service-id service-id [--publicurl public-url] [--adminurl admin-url] [--internalurl internal-url] keystone endpoint-create: error: argument --service-id/--service_id: expected one argument Any help as to where to look for /solve the problem would be appreciated Thanks Tyler __ Disclaimer:This email and any attachments are sent in strictest confidence for the sole use of the addressee and may contain legally privileged, confidential, and proprietary data. If you are not the intended recipient, please advise the sender by replying promptly to this email and then delete and destroy this email and any attachments without any further use, copying or forwarding ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp
Re: [Openstack] Error while trying to login to Devstack dashboard
Make sure that the certs created by pki_setup are readable by the user running keystone-all -Dolph On Tue, Mar 19, 2013 at 12:19 PM, Abhishek Chanda abhishek.li...@gmail.comwrote: I actually did that and when I ran keystone-all again, I got the same error. The console log in my first mail shows this. Sorry for being vague about this. *abhishek@abhishek-VirtualBox:~$ sudo keystone-manage pki_setup* abhishek@abhishek-VirtualBox:~$ keystone-all /usr/local/lib/python2.7/dist-packages/sqlalchemy/pool.py:703: SADeprecationWarning: The 'listeners' argument to Pool (and create_engine()) is deprecated. Use event.listen(). Pool.__init__(self, creator, **kw) /usr/local/lib/python2.7/dist-packages/sqlalchemy/pool.py:160: SADeprecationWarning: Pool.add_listener is deprecated. Use event.listen() self.add_listener(l) 2013-03-18 13:30:55ERROR [keystone.common.cms] Signing error: Unable to load certificate - ensure you've configured PKI with 'keystone-manage pki_setup' 2013-03-18 13:30:55 WARNING [keystone.common.wsgi] Unable to sign token. Thanks On Tue, Mar 19, 2013 at 4:53 AM, Chmouel Boudjnah chmo...@chmouel.comwrote: On Mon, Mar 18, 2013 at 7:03 PM, Abhishek Chanda abhishek.li...@gmail.com wrote: 2013-03-18 13:30:55ERROR [keystone.common.cms] Signing error: Unable to load certificate - ensure you've configured PKI with 'keystone-manage pki_setup' perhaps by doing this? Chmouel. ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp
Re: [Openstack] Resolved: Grizzly-3 Keystone SSL Connection Refused
Glad you got it resolved, but can you file a bug on pki_setup not generating SSL certs? I don't believe I've seen that issue. https://bugs.launchpad.net/keystone Thanks! -Dolph On Thu, Mar 14, 2013 at 4:58 PM, Miller, Mark M (EB SW Cloud - RD - Corvallis) mark.m.mil...@hp.com wrote: Looks like there’s a bug in pki_setup. It didn’t generate the SSL certs, only the signing certs. Workaround is to make ssl using the signing certs for now. ** ** [ssl] enable = True certfile = /etc/keystone/ssl/certs/signing_cert.pem keyfile = /etc/keystone/ssl/private/signing_key.pem ca_certs = /etc/keystone/ssl/certs/ca.pem cert_required = False ** ** Also, if your keystone process is not running as root, make sure the file permissions for the pem files are set properly. ** ** Guang ** ** ** ** *From:* openstack-bounces+mark.m.miller=hp@lists.launchpad.net[mailto: openstack-bounces+mark.m.miller=hp@lists.launchpad.net] *On Behalf Of *Miller, Mark M (EB SW Cloud - RD - Corvallis) *Sent:* Thursday, March 14, 2013 2:31 PM *To:* openstack@lists.launchpad.net (openstack@lists.launchpad.net) *Subject:* [Openstack] Grizzly-3 Keystone SSL Connection Refused ** ** Hello, ** ** I was able to setup a Grizzly-2 Keystone server with PKI and SSL enabled on an Ubuntu 12.04 server. I updated to Grizzly-3 and am able to enable PKI but not SSL. I get “Connection refused”. Has anyone else run into this problem? Does anyone else have SSL working with Grizzly-3 Keystone? ** ** Regards, ** ** Mark ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp
Re: [Openstack] Endpoint question
**Ideally** you would provide unversioned endpoints for all services, e.g.: http://keystone:35357/ instead of http://keystone:35357/v2.0/ ... and the client would work out what versions are supported and select a preferred version automatically. However, we're not quite there yet. I can't speak for nova and glance at the moment, but there will probably continue to have recommended endpoints for use in the catalog. For Havana, I would recommend /v2.0/ for keystone at this point (at least for the catalog), unless you know the client you're configuring supports properly supports an unversioned endpoint (auth_token) or a v3 endpoint (python-keystoneclient's python API, openstackclient, and auth_token). -Dolph On Thu, Mar 14, 2013 at 5:41 PM, Logan McNaughton lo...@bacoosta.comwrote: I have a question on service endpoints. I've read that Horizon depends quite heavily on them, and a misconfiguration there can really mess things up. My question is, does the endpoint need to be compatible with Horizon? For instance, as of Grizzly, Keystone will support /v2.0 and /v3 Nova will support /v1.1 and /v2 Glance will support /v1 and /v2 Quantum will support a /v2 Can I safely use the latest endpoints (For instance, Keystone /v3), or does Horizon only support certain endpoint versions? Can I have multiple endpoints and create a /v2.0 and /v3? ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp
Re: [Openstack] Keystone - Domain admin role policies?
That's exactly our goal, but I'm not sure that corresponding well-tested policy.json changes will land in time for Grizzly (also not sure if there would be any other supporting changes required). Adding Brant as he specifically was investigating the same possibility in Grizzly. -Dolph On Tue, Mar 12, 2013 at 8:57 AM, Aguiar, Glaucimar (Brazil RD-ECL) glaucimar.agu...@hp.com wrote: Please note that I know one can edit policy.json to define domain-admin role permissions but with the implementation of domains, it seems that domain-admin role permissions should be defined as admin role permissions are. Thanks in advance, Glaucimar Aguiar -Original Message- From: openstack-bounces+glaucimar.aguiar=hp@lists.launchpad.net[mailto: openstack-bounces+glaucimar.aguiar=hp@lists.launchpad.net] On Behalf Of Aguiar, Glaucimar (Brazil RD-ECL) Sent: terça-feira, 12 de março de 2013 10:34 To: openstack@lists.launchpad.net Subject: [Openstack] Keystone - Domain admin role policies? Hi, While studying keystone v3 and domains feature, I realized that current policy.json file has no domain_admin role as I was expecting. I wonder if this role will be defined in Grizzly timeframe or how do you envision domain_admin role enforcement. Thanks in advance! Glaucimar Aguiar ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp
Re: [Openstack] Keystone V3 Policy Resource Question
In designing the API, the goal was to simply store policy.json files (or any future iterations of it) in any format as a blob in a centralized location (keystone) that could be retrieved by remote services. While discussing the design, it spawned a lot of great questions about how to map policies to services (one policy file per service type? what if you want different policies in different regions, different domains, or on different endpoints of the same service?); so, the interface was kept as simple as possible. A name attribute was simply not included because it's not applicable to the current policy.json approach. There are several proposed blueprints that will force us to think about how services (and their endpoints), or at least keystoneclient.middleware.auth_token, are/is aware of their appearance in keystone's service catalog (attributes like service ID, service type, region, endpoint ID, endpoint interface, etc): https://blueprints.launchpad.net/keystone/+spec/endpoint-filtering https://blueprints.launchpad.net/keystone/+spec/service-isolation-and-roles-delegation https://blueprints.launchpad.net/keystone/+spec/token-scoped-endpoint The way centralized policies are consumed by other services will be tied closely into the above conversations questions. I'm certainly not opposed to name policies that can be consumed by services simply by name; I think that's a perfectly simple solution. However, we also need to consider domain-owned policies and the impact of domain-specific namespacing). JSON policies of my own For OpenStack services or non-OpenStack services? -Dolph On Fri, Mar 8, 2013 at 11:49 AM, Miller, Mark M (EB SW Cloud - RD - Corvallis) mark.m.mil...@hp.com wrote: Hello, ** ** I have been testing the new Policy APIs and looking at the policy table in the Keystone database. When I consider the OpenStack services including Keystone, I find that they all use a policy.json file stored on the file system. So my question is how is this new Keystone policy feature envisioned to be used? I was thinking of using it to store JSON policies of my own, but the only way to GET a policy file is via the UUID which means that I have to store it somewhere and keep track of it. Was there a reason a human readable tag like “policyName” was not included in this new feature? ** ** Regards, ** ** Mark Miller ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp
Re: [Openstack] Keystone v3 adoption
The v3 API is largely abstracted from other services (horizon being a major exception) using keystoneclient.middleware.auth_token, which is being revised here [1] and here [2]. Because the clients do not necessarily follow the same release schedule as the services, we've obviously been focused on the API and it's server-side implementation. I expect we'll do a v3-compliant release of keystoneclient around the time of grizzly's release. openstackclient (providing CLI exposure) is in the works as well [3]. [1]: https://review.openstack.org/#/c/23401/ [2]: https://review.openstack.org/#/c/21942/ [3]: https://review.openstack.org/#/q/project:openstack/python-openstackclient+status:open,n,z -Dolph On Thu, Mar 7, 2013 at 5:30 AM, Aguiar, Glaucimar (Brazil RD-ECL) glaucimar.agu...@hp.com wrote: Hello, I would like to know the plans for nova, glance, etc to adopt keystone v3 API. Is there an expectation that this happens in Havana timeframe? I am asking as the it seems the Domains feature is not useful until services are capable of validating a v3 token and move to keystone v3 API. Thanks in advance, Glaucimar Aguiar ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp
Re: [Openstack] Keystone v3 adoption
Yes, exactly. Until keystoneclient.middleware.auth_token is revised, v3 tokens will basically only be useful against keystone. -Dolph On Thu, Mar 7, 2013 at 11:52 AM, Aguiar, Glaucimar (Brazil RD-ECL) glaucimar.agu...@hp.com wrote: Hi Dolph, ** ** Thank you very much for your answer. I really appreciate it. ** ** Are you saying then, that I configure nova (for example) to use v3 middleware, I should be able to call nova with a v3 token and this token will get validated? ** ** Glaucimar Aguiar ** ** ** ** *From:* Dolph Mathews [mailto:dolph.math...@gmail.com] *Sent:* quinta-feira, 7 de março de 2013 11:04 *To:* Aguiar, Glaucimar (Brazil RD-ECL) *Cc:* openstack@lists.launchpad.net *Subject:* Re: [Openstack] Keystone v3 adoption ** ** The v3 API is largely abstracted from other services (horizon being a major exception) using keystoneclient.middleware.auth_token, which is being revised here [1] and here [2]. ** ** Because the clients do not necessarily follow the same release schedule as the services, we've obviously been focused on the API and it's server-side implementation. I expect we'll do a v3-compliant release of keystoneclient around the time of grizzly's release. openstackclient (providing CLI exposure) is in the works as well [3]. [1]: https://review.openstack.org/#/c/23401/ [2]: https://review.openstack.org/#/c/21942/ [3]: https://review.openstack.org/#/q/project:openstack/python-openstackclient+status:open,n,z ** ** -Dolph ** ** On Thu, Mar 7, 2013 at 5:30 AM, Aguiar, Glaucimar (Brazil RD-ECL) glaucimar.agu...@hp.com wrote: Hello, I would like to know the plans for nova, glance, etc to adopt keystone v3 API. Is there an expectation that this happens in Havana timeframe? I am asking as the it seems the Domains feature is not useful until services are capable of validating a v3 token and move to keystone v3 API. Thanks in advance, Glaucimar Aguiar ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp ** ** ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp
Re: [Openstack] Possible keystone/common/controller.py Token Bug
This appears to be a valid bug -- we were concerned with v2-v3 token interop when v3 auth merged, but I thought we had ironed out the kinks (we have several related tests in tests/test_v3_auth.py for this reason). I targeted the bug at RC1 as we need to have this fixed for v3 to be useful in grizzly. -Dolph On Tue, Mar 5, 2013 at 3:18 PM, Christopher Armstrong christopher.armstr...@canonical.com wrote: So I've filed a bug on launchpad[1] about the issue discussed in the thread[2] with this subject (sorry, I subscribed after the message went out, so this message isn't properly threaded). Is it really legit? The discussion stopped abruptly. It seems like a pretty major bug; I can't do much with the API right now because of it (I think). [1] https://bugs.launchpad.net/**keystone/+bug/1145541https://bugs.launchpad.net/keystone/+bug/1145541 [2] https://lists.launchpad.net/**openstack/msg21458.htmlhttps://lists.launchpad.net/openstack/msg21458.html -radix __**_ Mailing list: https://launchpad.net/~**openstackhttps://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~**openstackhttps://launchpad.net/~openstack More help : https://help.launchpad.net/**ListHelphttps://help.launchpad.net/ListHelp ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp
Re: [Openstack] keystone help! keystone stop/waiting
Just opened a bug to track the public_port string vs integer issue, with a fix in review: https://bugs.launchpad.net/bugs/1147842 -Dolph On Tue, Mar 5, 2013 at 3:28 PM, Brad Knowles bknow...@momentumsi.comwrote: On Mar 5, 2013, at 3:21 PM, Miller, Mark M (EB SW Cloud - RD - Corvallis) mark.m.mil...@hp.com wrote: You aren't alone. I am just glad for this email group to ask questions. Me too! Now change the d/ to s/ in the following lines in keystone.conf. # The base endpoint URLs for keystone that are advertised to clients # (NOTE: this does NOT affect how keystone listens for connections) public_endpoint = http://localhost:%(public_port)s/ admin_endpoint = http://localhost:%(admin_port)s/ Yup, that fixed the crash. I guess now I get to contribute this change back to the project. That, and debugging the next issue. ;-) -- Brad Knowles bknow...@momentumsi.com Senior Consultant ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp
Re: [Openstack] Fun with OpenStack Grizzly install...
On Tue, Mar 5, 2013 at 5:28 PM, Brad Knowles bknow...@momentumsi.comwrote: On Mar 5, 2013, at 5:20 PM, Matt Joyce matt.jo...@cloudscaling.com wrote: check in horizon and see if you can follow inside of a stack trace there. you can see if any of the context's from the wsgi queries is seeing a 404. Horizon? That's not a service I've heard of before. I'm basically following the structure at http://docs.openstack.org/trunk/openstack-compute/install/apt/content/ap_installinggrizzlyubuntuprecise.html for initial installation, and I've gotten hung on the glance part at http://docs.openstack.org/trunk/openstack-compute/install/apt/content/osfolubuntu-imageservice.html . these would be queries between glance and other backend APIs. example: you --- query glance glance sees you token... glance --- query - keystone if that query from glance to keystone fails... it will report a 404. BUT that won't necessarily show up in logs as you'd expect since it's a backend query. The query from glance to keystone appears to be okay -- I'm seeing 200 status responses in the keystone.log. related idea: verify that your catalog service is pointing to the right API endpoints on keystone. Catalog service? That's another name that I have not heard of before, at least not in the context of OpenStack. The service catalog refers to a subset of keystone's interface that provides a catalog of services and endpoints to authenticated API users. It's the computed result of your service-list and endpoint-list and it's how those users find all the other OpenStack services, like nova and glance. In your case, all or most of your endpoints are wrong (they all contain /v2/ which I'm not sure is correct for any service?), so `glance index` probably can't find glance at all. I generally refer to keystone's sample_data.sh script for a generally idea of what the endpoints should look like: https://github.com/openstack/keystone/blob/master/tools/sample_data.sh -- Brad Knowles bknow...@momentumsi.com Senior Consultant ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp
Re: [Openstack] Authorization Question
That's correct. Right now, all endpoints registered in keystone are returned to all users, regardless of whether they actually have any sort of authorization on those endpoints. I suspect we'll be having a planning session at the design summit on this topic -- I'd be helpful to better understand your ideal use case in suppressing endpoints from the catalog? In Grizzly, users, groups, projects, and domains have absolutely no relationship with services and endpoints within keystone. That becomes deployment specific when you consider how RBAC is applied service-side with policy.json, etc, but those services are not necessarily aware of how they appear in the service catalog, nor does keystone interpret policy files other than it's own. -Dolph On Mon, Mar 4, 2013 at 2:32 PM, Miller, Mark M (EB SW Cloud - RD - Corvallis) mark.m.mil...@hp.com wrote: Hello, ** ** I have been looking over the Keystone v3 API documentation as well as the database table columns. My question concerns endpoint access restrictions. I don’t see any noticeable way to associate endpoints with domains which means that any user can access any endpoint of any domain. Is this correct? The only database column that might come into play is the region column of the endpoint table. ** ** Regards, ** ** Mark Miller ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp
Re: [Openstack] Help with keystone LDAP backend
Yes, this feature just landed during grizzly-m3. Which docs are you referring to? The variable wasn't included in folsom's etc/keystone.conf.sample, for example. -Dolph On Mon, Mar 4, 2013 at 3:35 PM, Steven Presser spres...@jhu.edu wrote: The answer would appear to be that this flag doesn't do anything in the Folsom release. Apprently this was fixed by: https://bugs.launchpad.net/keystone/+bug/1122181 Unless I'm misreading something. Could we perhaps update the docs to reflect the fact that this isn't available in releases yet? On 03/04/2013 04:08 PM, Steven Presser wrote: This is what came out of my logs. I've bolded what looks relevant to me: LDAP init: url=ldap://typhon.acm.jhu.edu 2013-03-04 16:06:01DEBUG [keystone.common.ldap.core] LDAP bind: dn=cn=admin,ou=OpenStack,dc=acm,dc=jhu,dc=edu 2013-03-04 16:06:01DEBUG [keystone.common.ldap.core] LDAP search: dn=ou=Users,ou=OpenStack,dc=acm,dc=jhu,dc=edu, *scope=1*, query=(objectClass=inetOrgPerson) Unless I'm reading that very wrong, my scope search request is being ignored. Time to dive into the code, I suppose. Steve On 03/04/2013 10:15 AM, Dolph Mathews wrote: I'd suggest enabling debug=True in keystone.conf and comparing the LDAP queries being issued (shown in logs) against what you're expecting. I believe that [ldap] query_scope=sub does in fact expand queries to apply to subtrees, beyond just a single level (as the default value is query_scope=one). -Dolph On Sun, Mar 3, 2013 at 12:05 PM, Steven Presser spres...@jhu.edu wrote: Hey all, I have some questions about using the LDAP backend for keystone. I'm in what seems to be an odd situation. I have an organization-wide DLAP directory that already exists. All of our users will have access to OpenStack, so we want to tie directly into this directory. However, we can't have service accounts mixed in with the regular users, at least not in any way that might result in you being able to log in to a service account. For neatness, the directory admin would prefer that all the OpenStack stuff be off in its own OU (and has allocated us one so we can do that). In that OU, I've set up the recommended schema from http://docs.openstack.org/trunk/openstack-compute/admin/content/configuring-keystone-for-ldap-backend.html(changing it to my domain, obviously). I then aliased all our users in to ou=Users. The relevant part of my keystone.conf currently looks like: [ldap] url = ldap://[host] user = cn=admin,ou=OpenStack,dc=acm,dc=jhu,dc=edu password = [password] suffix = dc=acm,dc=jhu,dc=edu use_dumb_member = False allow_subtree_delete = False query_scope = sub As near as I can tell, this should correspond to this query: $ ldapsearch -x -D cn=admin,ou=OpenStack,dc=acm,dc=jhu,dc=edu -w [password] -b dc=acm,dc=jhu,dc=edu '(objectclass=inetOrgPerson)' -s sub Which returns my aliased users correctly. (that is, it returns dn: uid=[uid],ou=People,dc=acm,dc=jhu,dc=edu for each user). I really can't figure out whats going on here. Logically, this should work, but (obviously) doesn't. Anyone have some advice for me? My suspicion is that query_scope=sub isn't doing what I expect. (Returning search results from within a subtree) Oh, finally, I have DEREF always enabled in ldap.conf. Thanks, Steve ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp
Re: [Openstack] Help with keystone LDAP backend
On that note, I very much like how docs.python.org does it, where not only is the current page's version prominently specified at the top of the page, but it also serves as an easy way to switch to another version of the docs, e.g.: http://docs.python.org/2/tutorial/ -Dolph On Mon, Mar 4, 2013 at 4:40 PM, Steven Presser spres...@jhu.edu wrote: Anne, Yes that would. What I think might be a better revision is putting the version somewhere prominently on the page (say, the upper right hand corner, above prev|up|next). Steve On 03/04/2013 05:26 PM, Anne Gentle wrote: I've been wondering whether we should have docs.openstack.org/master/ to match expectations, would that have helped in your case? Thanks for clarifying. Anne On Mon, Mar 4, 2013 at 4:22 PM, Steven Presser spres...@jhu.edu wrote: Apparently the trunk docs. I could have sworn that wasn't what I bookmarked. In any case, maybe explicitly marking trunk docs as newer-than-latest would help? ( http://docs.openstack.org/trunk/openstack-compute/admin/content/reference-for-ldap-config-options.html) On 03/04/2013 05:09 PM, Dolph Mathews wrote: Yes, this feature just landed during grizzly-m3. Which docs are you referring to? The variable wasn't included in folsom's etc/keystone.conf.sample, for example. -Dolph On Mon, Mar 4, 2013 at 3:35 PM, Steven Presser spres...@jhu.edu wrote: The answer would appear to be that this flag doesn't do anything in the Folsom release. Apprently this was fixed by: https://bugs.launchpad.net/keystone/+bug/1122181 Unless I'm misreading something. Could we perhaps update the docs to reflect the fact that this isn't available in releases yet? On 03/04/2013 04:08 PM, Steven Presser wrote: This is what came out of my logs. I've bolded what looks relevant to me: LDAP init: url=ldap://typhon.acm.jhu.edu 2013-03-04 16:06:01DEBUG [keystone.common.ldap.core] LDAP bind: dn=cn=admin,ou=OpenStack,dc=acm,dc=jhu,dc=edu 2013-03-04 16:06:01DEBUG [keystone.common.ldap.core] LDAP search: dn=ou=Users,ou=OpenStack,dc=acm,dc=jhu,dc=edu, *scope=1*, query=(objectClass=inetOrgPerson) Unless I'm reading that very wrong, my scope search request is being ignored. Time to dive into the code, I suppose. Steve On 03/04/2013 10:15 AM, Dolph Mathews wrote: I'd suggest enabling debug=True in keystone.conf and comparing the LDAP queries being issued (shown in logs) against what you're expecting. I believe that [ldap] query_scope=sub does in fact expand queries to apply to subtrees, beyond just a single level (as the default value is query_scope=one). -Dolph On Sun, Mar 3, 2013 at 12:05 PM, Steven Presser spres...@jhu.eduwrote: Hey all, I have some questions about using the LDAP backend for keystone. I'm in what seems to be an odd situation. I have an organization-wide DLAP directory that already exists. All of our users will have access to OpenStack, so we want to tie directly into this directory. However, we can't have service accounts mixed in with the regular users, at least not in any way that might result in you being able to log in to a service account. For neatness, the directory admin would prefer that all the OpenStack stuff be off in its own OU (and has allocated us one so we can do that). In that OU, I've set up the recommended schema from http://docs.openstack.org/trunk/openstack-compute/admin/content/configuring-keystone-for-ldap-backend.html(changing it to my domain, obviously). I then aliased all our users in to ou=Users. The relevant part of my keystone.conf currently looks like: [ldap] url = ldap://[host] user = cn=admin,ou=OpenStack,dc=acm,dc=jhu,dc=edu password = [password] suffix = dc=acm,dc=jhu,dc=edu use_dumb_member = False allow_subtree_delete = False query_scope = sub As near as I can tell, this should correspond to this query: $ ldapsearch -x -D cn=admin,ou=OpenStack,dc=acm,dc=jhu,dc=edu -w [password] -b dc=acm,dc=jhu,dc=edu '(objectclass=inetOrgPerson)' -s sub Which returns my aliased users correctly. (that is, it returns dn: uid=[uid],ou=People,dc=acm,dc=jhu,dc=edu for each user). I really can't figure out whats going on here. Logically, this should work, but (obviously) doesn't. Anyone have some advice for me? My suspicion is that query_scope=sub isn't doing what I expect. (Returning search results from within a subtree) Oh, finally, I have DEREF always enabled in ldap.conf. Thanks, Steve ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net
Re: [Openstack] Are the Python APIs public or internal?
I believe they should certainly be treated as public API's -- just like any other library. I'd also treat them as stable if they've ever been included in a versioned release. That said, I'm sure it would be easy to find examples of methods attributes within the library that are not intended to be consumed externally, but perhaps either the naming convention or documentation doesn't sufficiently indicate that. In keysoneclient, we're making backwards incompatible changes in a new subpackage (keystoneclient.v3) while maintaing compatibility in the common client code. For example, you should always be able to initialize the client with a tenant_id / tenant_name, even though the client will soon be using project_id / project_name internally to reflect our revised lingo. -Dolph On Thu, Feb 28, 2013 at 11:07 PM, Lorin Hochstein lo...@nimbisservices.comwrote: Here's an issue that came up in the operators doc sprint this week. Let's say I wanted to write some Python scripts using the APIs exposed by the python-*client packages. As a concrete example, let's say I wrote a script that uses the keystone Python API that's exposed in the python-keystoneclient package: https://github.com/lorin/openstack-ansible/blob/master/playbooks/keystone/files/keystone-init.py Are these APIs public or stable in some meaningful way? (i.e., can I count on this script still working across minor release upgrades)? Or should they be treated like internal APIs that could be changed at any time in the future? Or is this not defined at all? Lorin ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp
Re: [Openstack] Are the Python APIs public or internal?
+1; keystoneclient is not deprecated nor has openstackclient been abandoned. The responsibility of implementing a CLI is simply being handed off to openstackclient. Using 'keystone' on the CLI will therefore be deprecated at some point in favor of using 'openstack'. -Dolph On Fri, Mar 1, 2013 at 11:58 AM, Dean Troyer dtro...@gmail.com wrote: On Fri, Mar 1, 2013 at 11:50 AM, Miller, Mark M (EB SW Cloud - RD - Corvallis) mark.m.mil...@hp.com wrote: I have a question about the keystone client. You just mentioned keystoneclient.v3. I was under the impression that the keystone client was going to be deprecated and replaced by the openstackclient. However, when I checked yesterday I noticed that the openstackclient was listed as “abandoned”. Are you saying that an updated version of the keystoneclient will shortly be made available for V3? If so, would you please post the URL for the project? Where is openstackclient marked abandoned? It is still under development, albiet at a slower pace than I'd like. It is meant to be a single CLI for OpenStack that leverages the libraries provided by the individual project clients. So it uses the keystoneclient python libs but not the cli/shell bits. dt -- Dean Troyer dtro...@gmail.com ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp
Re: [Openstack] [Keystone] service unavailable
I'm not aware that keystone is capable of raising a 503 Service Unavailable... are you running through a proxy? If so, I assume there's an issue with it's configuration. -Dolph On Wed, Feb 27, 2013 at 8:27 AM, Tomáš Šoltys tomas.sol...@gmail.comwrote: Hi, Yes, the service is running and listening. I can see it via ps as well as by using netstat Here is my keystone.conf - [DEFAULT] log_file = /var/log/keystone/keystone.log admin_token = 012345SECRET99TOKEN012345 [sql] connection = mysql://keystone:12345678@localhost/keystone [identity] driver = keystone.identity.backends.sql.Identity [catalog] template_file = /etc/keystone/default_catalog.templates driver = keystone.catalog.backends.sql.Catalog [token] driver = keystone.token.backends.sql.Token [policy] [ec2] driver = keystone.contrib.ec2.backends.sql.Ec2 [ssl] [signing] [ldap] [filter:debug] paste.filter_factory = keystone.common.wsgi:Debug.factory [filter:token_auth] paste.filter_factory = keystone.middleware:TokenAuthMiddleware.factory [filter:admin_token_auth] paste.filter_factory = keystone.middleware:AdminTokenAuthMiddleware.factory [filter:xml_body] paste.filter_factory = keystone.middleware:XmlBodyMiddleware.factory [filter:json_body] paste.filter_factory = keystone.middleware:JsonBodyMiddleware.factory [filter:user_crud_extension] paste.filter_factory = keystone.contrib.user_crud:CrudExtension.factory [filter:crud_extension] paste.filter_factory = keystone.contrib.admin_crud:CrudExtension.factory [filter:ec2_extension] paste.filter_factory = keystone.contrib.ec2:Ec2Extension.factory [filter:s3_extension] paste.filter_factory = keystone.contrib.s3:S3Extension.factory [filter:url_normalize] paste.filter_factory = keystone.middleware:NormalizingFilter.factory [filter:stats_monitoring] paste.filter_factory = keystone.contrib.stats:StatsMiddleware.factory [filter:stats_reporting] paste.filter_factory = keystone.contrib.stats:StatsExtension.factory [app:public_service] paste.app_factory = keystone.service:public_app_factory [app:admin_service] paste.app_factory = keystone.service:admin_app_factory [pipeline:public_api] pipeline = stats_monitoring url_normalize token_auth admin_token_auth xml_body json_body debug ec2_extension user_crud_extension public_service [pipeline:admin_api] pipeline = stats_monitoring url_normalize token_auth admin_token_auth xml_body json_body debug stats_reporting ec2_extension s3_extension crud_extension admin_service [app:public_version_service] paste.app_factory = keystone.service:public_version_app_factory [app:admin_version_service] paste.app_factory = keystone.service:admin_version_app_factory [pipeline:public_version_api] pipeline = stats_monitoring url_normalize xml_body public_version_service [pipeline:admin_version_api] pipeline = stats_monitoring url_normalize xml_body admin_version_service [composite:main] use = egg:Paste#urlmap /v2.0 = public_api / = public_version_api [composite:admin] use = egg:Paste#urlmap /v2.0 = admin_api / = admin_version_api - 2013/2/27 Sylvain Bauza sylvain.ba...@digimind.com Could you please paste your keystone.conf ? Also, could you please check keystone service is started ? -Sylvain Le 27/02/2013 15:06, Tomáš Šoltys a écrit : Hi, I am trying to setup keystone myself on CentOS using this step-by-step instructions: http://docs.openstack.org/essex/openstack-compute/install/yum/content/install-keystone.html I have followed the steps above but when I try to create a tenant I get Unable to communicate with identity service: (503, 'Service Unavailable'). (HTTP 400) The command I am using is: keystone --os-token 012345SECRET99TOKEN012345 --endpoint http://127.0.0.1:35357/v2.0 tenant-create --name openstackDefault --description Default tenant The service is running and listening on port 35357. Am I missing something? Thanks, Tomáš Šoltys tomas.sol...@gmail.com http://www.range-software.com (+420) 776-843-663 ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp -- Tomáš Šoltys tomas.sol...@gmail.com http://www.range-software.com (+420) 776-843-663 ___ Mailing list:
Re: [Openstack] keystone-manage db_sync ERROR
Meant to reply on-list. -Dolph On Tue, Feb 26, 2013 at 2:39 PM, Dolph Mathews dolph.math...@gmail.comwrote: Thanks for the feedback; cc'ing Adam Young. I raised a bug to track the issue: https://bugs.launchpad.net/keystone/+bug/1133608 -Dolph On Tue, Feb 26, 2013 at 2:24 PM, Miller, Mark M (EB SW Cloud - RD - Corvallis) mark.m.mil...@hp.com wrote: Hello, I have trying to install Keystone Grizzly-3 and cannot get past the following error. The keystone-manage db_sync command is generating the following error. I have tried deleting and re-creating the MySQL database (connection = mysql://keystonedbadmin:password@15.253.59.37/keystone) but the error remains. Has anyone else run into this problem and found a solution? I noticed the role ID value 9fe2ff9ee4384b1894a90878d3e92bab in file /usr/local/lib/python2.7/dist-packages/keystone-2013.1.g3-py2.7.egg/keystone/config.py. Regards, Mark root@build-HP-Compaq-6005-Pro-SFF-PC:~/keystone-2013.1.g3/keystone-2013.1.g3# keystone-manage db_sync Traceback (most recent call last): File /usr/local/bin/keystone-manage, line 5, in module pkg_resources.run_script('keystone==2013.1.g3', 'keystone-manage') File /usr/lib/python2.7/dist-packages/pkg_resources.py, line 499, in run_script self.require(requires)[0].run_script(script_name, ns) File /usr/lib/python2.7/dist-packages/pkg_resources.py, line 1235, in run_script execfile(script_filename, namespace, namespace) File /usr/local/lib/python2.7/dist-packages/keystone-2013.1.g3-py2.7.egg/EGG-INFO/scripts/keystone-manage, line 28, in module cli.main(argv=sys.argv, config_files=config_files) File /usr/local/lib/python2.7/dist-packages/keystone-2013.1.g3-py2.7.egg/keystone/cli.py, line 172, in main CONF.command.cmd_class.main() File /usr/local/lib/python2.7/dist-packages/keystone-2013.1.g3-py2.7.egg/keystone/cli.py, line 53, in main driver.db_sync() File /usr/local/lib/python2.7/dist-packages/keystone-2013.1.g3-py2.7.egg/keystone/identity/backends/sql.py, line 171, in db_sync migration.db_sync() File /usr/local/lib/python2.7/dist-packages/keystone-2013.1.g3-py2.7.egg/keystone/common/sql/migration.py, line 52, in db_sync return versioning_api.upgrade(CONF.sql.connection, repo_path, version) File /usr/lib/python2.7/dist-packages/migrate/versioning/api.py, line 186, in upgrade return _migrate(url, repository, version, upgrade=True, err=err, **opts) File string, line 2, in _migrate File /usr/lib/python2.7/dist-packages/migrate/versioning/util/__init__.py, line 159, in with_engine return f(*a, **kw) File /usr/lib/python2.7/dist-packages/migrate/versioning/api.py, line 366, in _migrate schema.runchange(ver, change, changeset.step) File /usr/lib/python2.7/dist-packages/migrate/versioning/schema.py, line 91, in runchange change.run(self.engine, step) File /usr/lib/python2.7/dist-packages/migrate/versioning/script/py.py, line 145, in run script_func(engine) File /usr/local/lib/python2.7/dist-packages/keystone-2013.1.g3-py2.7.egg/keystone/common/sql/migrate_repo/versions/017_membership_role.py, line 42, in upgrade 'enabled': 'True'})) File /usr/local/lib/python2.7/dist-packages/SQLAlchemy-0.7.9-py2.7-linux-x86_64.egg/sqlalchemy/engine/base.py, line 1449, in execute params) File /usr/local/lib/python2.7/dist-packages/SQLAlchemy-0.7.9-py2.7-linux-x86_64.egg/sqlalchemy/engine/base.py, line 1584, in _execute_clauseelement compiled_sql, distilled_params File /usr/local/lib/python2.7/dist-packages/SQLAlchemy-0.7.9-py2.7-linux-x86_64.egg/sqlalchemy/engine/base.py, line 1698, in _execute_context context) File /usr/local/lib/python2.7/dist-packages/SQLAlchemy-0.7.9-py2.7-linux-x86_64.egg/sqlalchemy/engine/base.py, line 1691, in _execute_context context) File /usr/local/lib/python2.7/dist-packages/SQLAlchemy-0.7.9-py2.7-linux-x86_64.egg/sqlalchemy/engine/default.py, line 331, in do_execute cursor.execute(statement, parameters) File /usr/lib/python2.7/dist-packages/MySQLdb/cursors.py, line 174, in execute self.errorhandler(self, exc, value) File /usr/lib/python2.7/dist-packages/MySQLdb/connections.py, line 36, in defaulterrorhandler raise errorclass, errorvalue sqlalchemy.exc.IntegrityError: (IntegrityError) (1062, Duplicate entry '9fe2ff9ee4384b1894a90878d3e92bab' for key 'PRIMARY') 'INSERT INTO role (id, name, extra) ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp
Re: [Openstack] Usage of New Keystone Domains with OpenStack
As of Grizzly, the introduction of domains into OpenStack won't have any impact on the rest of the deployment (AFAIK). Rather, the impact is currently isolated to keystone and their use is effectively optional (out of the box, keystone creates a single domain for you to work with -- the 'default' domain). There are a few projects that have expressed interest in consuming domain data, but I'm not aware of anything landing in time for Grizzly. -Dolph On Mon, Feb 25, 2013 at 11:14 AM, Miller, Mark M (EB SW Cloud - RD - Corvallis) mark.m.mil...@hp.com wrote: Hello, We are moving from OpenStack Essex to Grizzly and I am trying to find out how the new domain security collection will be used by the OpenStack services like Nova or Glance. I would greatly appreciate any information or documentation pointers. Regards, Mark Miller ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp
Re: [Openstack] [Keystone] my token generated by curling http://localhost:35357/v2.0/tokens is too long...
+1 However, I'm curious as to what makes it too long, or what's not working. Can you provide an example? -Dolph On Sat, Feb 23, 2013 at 12:33 PM, Anne Gentle a...@openstack.org wrote: I believe this is due to a change in default for grizzly-- token_format defaults to PKI instead of UUID in the [signing] section of the keystone.conf configuration file. http://docs.openstack.org/trunk/openstack-compute/admin/content/certificates-for-pki.html Anne On Sat, Feb 23, 2013 at 12:27 PM, Kun Huang academicgar...@gmail.comwrote: Hi, all My token generated by curling http://localhost:35357/v2.0/tokens is too long... Nearly 4000 chars in this token. I have change the max_token_size in keystone.conf, but it doesn't work. For more, the token is not only long, and also not woring... swift@storage-hk:~$ curl -s -d '{auth: {tenantName: service, passwordCredentials: {username: swift, password:swiftpass}}}' -H 'Content-type: application/json' http://localhost:35357/v2.0/tokens | python -mjson.tool { access: { metadata: { is_admin: 0, roles: [ 9fe2ff9ee4384b1894a90878d3e92bab, acb42117c39945079ecf56bad7f441a1 ] }, serviceCatalog: [ { endpoints: [ { adminURL: http://localhost:8774/v1.1/a20b1ea54bb54614956697b5484c9de1;, id: eeaec0b2f9af4ecbae58225f05f58a13, internalURL: http://localhost:8774/v1.1/a20b1ea54bb54614956697b5484c9de1;, publicURL: http://localhost:8774/v1.1/a20b1ea54bb54614956697b5484c9de1;, region: RegionOne } ], endpoints_links: [], name: nova, type: compute }, { endpoints: [ { adminURL: http://localhost:9292;, id: 7fc9afcca89f44e68875b88e05681dea, internalURL: http://localhost:9292;, publicURL: http://localhost:9292;, region: RegionOne } ], endpoints_links: [], name: glance, type: image }, { endpoints: [ { adminURL: http://localhost:8776/v1/a20b1ea54bb54614956697b5484c9de1;, id: d826fa55273d4ed8bed3b744628629cf, internalURL: http://localhost:8776/v1/a20b1ea54bb54614956697b5484c9de1;, publicURL: http://localhost:8776/v1/a20b1ea54bb54614956697b5484c9de1;, region: RegionOne } ], endpoints_links: [], name: volume, type: volume }, { endpoints: [ { adminURL: http://localhost:8773/services/Admin , id: 83dd85b5af21449ba5d5b9f530602f87, internalURL: http://localhost:8773/services/Cloud;, publicURL: http://localhost:8773/services/Cloud;, region: RegionOne } ], endpoints_links: [], name: ec2, type: ec2 }, { endpoints: [ { adminURL: http://localhost:/v1;, id: 674b345c9a9345978a74ed157f7f646d, internalURL: http://localhost:/v1/AUTH_a20b1ea54bb54614956697b5484c9de1;, publicURL: http://localhost:/v1/AUTH_a20b1ea54bb54614956697b5484c9de1;, region: RegionOne } ], endpoints_links: [], name: swift, type: object-store }, { endpoints: [ { adminURL: http://localhost:35357/v2.0;, id: c7384f41b3b1487b9dda90577f46dda6, internalURL: http://localhost:5000/v2.0;, publicURL: http://localhost:5000/v2.0;, region: RegionOne } ], endpoints_links: [], name: keystone, type: identity } ], token: { expires: 2013-02-24T18:19:09Z, id:
Re: [Openstack] [Keystone][Swift] Problems with admin_user, admin_password, admin_tenant_name
Setting the admin_token config is overriding the admin_user, admin_password, and admin_tenant_name values by specifying a static token. I'd recommend removing it and using the auth credentials you've already provided. -Dolph On Thu, Feb 21, 2013 at 3:10 AM, Kun Huang academicgar...@gmail.com wrote: Following another question: In document: http://docs.openstack.org/developer/keystone/middleware_architecture.html , [filter:tokenauth] paste.filter_factory = keystone.middleware.auth_token:filter_factory auth_host = 127.0.0.1 auth_port = 35357 auth_protocol = http auth_uri = http://127.0.0.1:5000/ admin_token = Super999Sekret888Password777 admin_user = admin admin_password = SuperSekretPassword admin_tenant_name = service ;Uncomment next line and check ip:port to use memcached to cache tokens ;memcache_servers = 127.0.0.1:11211 That admin token is not admin_token = ADMIN in keystone, right? On Thu, Feb 21, 2013 at 4:06 PM, Kun Huang academicgar...@gmail.comwrote: I'm building environment with Swift + Keystone. I have set admin_user, admin_password, admin_tenant_name, but it doesn't work. I followed the document: http://docs.openstack.org/developer/swift/overview_auth.html and chmouel's blog: http://blog.chmouel.com/2011/11/24/swift-and-keystone-middleware-part1/ My swift and keystone run well: [image: Inline image 1] But failed in curl: [image: Inline image 2] I guess the value of admin_user/admin_password/admin_tenant_name doesn't save in db. Which step do I missed? or some problems in my proxy config? Here is my current config. [DEFAULT] bind_port = user = swift [pipeline:main] pipeline = catch_errors healthcheck cache authtoken keystoneauth proxy-server [app:proxy-server] use = egg:swift#proxy account_autocreate = true [filter:keystoneauth] use = egg:swift#keystoneauth operator_roles = admin, swiftoperator [filter:authtoken] # Delaying the auth decision is required to support token-less # usage for anonymous referrers ('.r:*'). paste.filter_factory = keystoneclient.middleware.auth_token:filter_factory auth_host = keystonehost auth_port = 35357 auth_protocol = http auth_uri = http://keystonehost:5000/ admin_tenant_name = service admin_user = swift admin_password = password [filter:cache] use = egg:swift#memcache set log_name = cache [filter:catch_errors] use = egg:swift#catch_errors [filter:healthcheck] use = egg:swift#healthcheck ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp
Re: [Openstack] keystone middleware
On Mon, Feb 18, 2013 at 9:59 AM, pat p...@xvalheru.org wrote: Hello, Sorry to disturb, but I have some questions regarding keystone middleware. Some introduction to problem: I need to integrate OpenStack to our existing infrastructure where all systems are integrated on REST and Web level using SSO-like system (there's generated a token string with specific information). Required behavior is to allow users log-in once in existing infrastructure and without additional log-in access OpenStack components. I assume this is something completely proprietary then? I assume this is possible by implementing custom keystone drivers for identity and token. Is that correct? Should I also implement new policy and/or catalog driver? If you're looking at folsom, you should only need to implement identity, nothing more. You could even extend one of the existing drives (e.g. SQL) and only implement certain methods. In grizzly, we're also introducing pluggable authentication drivers that do nothing more than authenticate users, which is probably more in line with what you're looking for. Your driver could simply authenticate with your existing system, and then create/update a user in keystone's SQL backend, for example. We're providing password authentication out of the box at the API level [1], but you could even implement your own authentication at the API level (you'll need corresponding client-side support as well). [1]: https://github.com/openstack/identity-api/blob/master/openstack-identity-api/src/markdown/identity-api-v3.md#the-password-authentication-method If this is possible I expect the keystone token is the token generated by my middleware driver(s) and such token is used by all other OpenStack parts. Is that correct? You actually won't need to write any middleware. Rather, keystone is designed to abstract existing, external authentication systems from OpenStack's internal approach to auth (tokens). By writing a driver in keystone, you're just redefining that abstraction. Does this affect way how the OpenStack internally validates token? Now when validating token the admin token has to be passed to validation request too. I expect not. Your expectations are correct. Is there possible to chain more keystone authentication drivers? E.g. first check my custom and if this one fails then check SQL one. We don't have that today (even with pluggable authentication). This is something I'd like to see implemented... I think it'd be trivial to extend our keystone.conf definitions for authentication method drivers to simply be a prioritized list that keystone could query in order, until a driver authenticates successfully (e.g. keystone's built-in password driver first, then your own driver). I've searched internet to find some example of keystone middleware, but I didn't succeed :-\ Is there an example or step by step documentation (something for an ... :-))? I've read Middleware Architecture documentation and my questions are based on this. That's the best documentation I'm aware of for the middleware architecture, other than reading the source code of keystoneclient.middleware.auth_token itself. Thanks a lot for your help. Pat Freehosting PIPNI - http://www.pipni.cz/ ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp
Re: [Openstack] keystone / horizon :
On Mon, Feb 11, 2013 at 8:02 AM, Mballo Cherif cherif.mba...@gemalto.comwrote: Hi everybody ! I need help for keystone user/password authentication with horizon. **1) **When I try to authenticate with my credential (login/password) In horizon dashboard, I have this message *Unable to retrieve authorized projet *! please what is that mean? How can I fix this issue. It's hard to say for sure, but my instinct is that you have keystone's public endpoint (port 5000) specified on a config somewhere that's expecting keystone's the administrative API instead (port 35357). Check adminUrl entry of the `identity` endpoint in your keystone service catalog and any corresponding horizon configuration. ** ** **2) **How can I trace the horizon call when a user try to authenticate with the dashbord? ** ** ** ** Thanks you for your Answers ** ** ** ** Sherif! ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp
Re: [Openstack] keystone question - Solved
As for the client-side implementation, keystoneclient supports v3 as a python library, whereas the CLI is being exposed in a different project (by consuming keystoneclient): https://github.com/openstack/python-openstackclient -Dolph On Mon, Feb 11, 2013 at 11:08 AM, Miller, Mark M (EB SW Cloud - RD - Corvallis) mark.m.mil...@hp.com wrote: Guang provided the answer for me with a sample JSON create domain request: { domain:{ name: myDomain } } What through me off were the examples in the identity-api-v3 document. None of the domain JSON examples include the highest level domain element. The same is true for most of the other examples in the document. Mark -Original Message- From: openstack-bounces+mark.m.miller=hp@lists.launchpad.net [ mailto:openstack-bounces+mark.m.miller=hp@lists.launchpad.netopenstack-bounces+mark.m.miller=hp@lists.launchpad.net] On Behalf Of Miller, Mark M (EB SW Cloud - RD - Corvallis) Sent: Thursday, February 07, 2013 1:42 PM To: Adam Young; openstack@lists.launchpad.net Subject: Re: [Openstack] keystone question Hi all, I have spent several days installing Grizzly-2 Keystone with SSL and PKI and think I have been successful. I can see some of the new API resources such as v3/domains, v3/groups, and v3/services, but I don't see these listed as commands in the keystoneclient. Are they simply not implemented yet or was I unsuccessful when I installed Grizzly-2? I also want to know if the above resource APIs are fully functional? Regards, Mark Miller ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp
Re: [Openstack] keystone question - Solved
On Mon, Feb 11, 2013 at 6:25 PM, Miller, Mark M (EB SW Cloud - RD - Corvallis) mark.m.mil...@hp.com wrote: Hello Dolph, ** ** I was able to get the openstackclient installed after combining information from several wiki pages and modifying the install commands to use the current paths. I have a few more clarification questions if you don’t mind: ** ** - keystoneclient currently provides a python client library for both Identity API v2 and v3 - keystoneclient currently provides a command line interface for Identity API v2 -- but will not do so for Identity API v3 **· **So then I will not see the new v3 Keystone commands for groups or domains in the keystoneclient CLI? No, we don't have any plans to expose Identity API v3 features in keystoneclient. - openstackclient is working towards providing a unified CLI for all openstack projects, by consuming their python client libraries **· **So then I will see the new v3 Keystone commands for groups and domains in the openstackclinet CLI? The reason I ask is because after installing the openstackclient I still do not see the new commands. I can get to them from curl or from a REST client, but not from the command line interface. Yes. There are still several major changes in review, and the effort is still ramping up, relatively speaking. The clients do not follow the same release cycle as the services, so we're lagging on client-side support. So, the answer depends on your use case. If you want to write python, consume keystoneclient directly. If you want to use the CLI, use openstackclient, which uses keystoneclient behind the scenes. **· **I think we want both. We use the CLI to setup a base Keystone server environment and we use the client from Horizon. ** ** Regards, ** ** Mark Miller ** ** ** ** *From:* Dolph Mathews [mailto:dolph.math...@gmail.com] *Sent:* Monday, February 11, 2013 1:09 PM *To:* Miller, Mark M (EB SW Cloud - RD - Corvallis) *Subject:* Re: [Openstack] keystone question - Solved ** ** keystoneclient is not being deprecated. I'd also suggest raising your question to the list. ** ** -Dolph ** ** On Mon, Feb 11, 2013 at 3:00 PM, Miller, Mark M (EB SW Cloud - RD - Corvallis) mark.m.mil...@hp.com wrote: Hello Dolph, Thank you for the answer. So it looks like keystoneclient is getting deprecated. So I tried to install openstackclient on an Ubuntu box and am getting the following error. Do you have any suggestions? Regards, Mark sudo python tools/install_venv.py venv already exists... Installing dependencies with pip (this can take a while)... Traceback (most recent call last): File tools/install_venv.py, line 67, in module main(sys.argv) File tools/install_venv.py, line 61, in main install.install_dependencies() File /home/build/keystone-grizzly-2/python-openstackclient-master/tools/install_venv_common.py, line 126, in install_dependencies self.pip_install('pip==1.1') File /home/build/keystone-grizzly-2/python-openstackclient-master/tools/install_venv_common.py, line 116, in pip_install redirect_output=False) File /home/build/keystone-grizzly-2/python-openstackclient-master/tools/install_venv_common.py, line 76, in run_command check_exit_code)[0] File /home/build/keystone-grizzly-2/python-openstackclient-master/tools/install_venv_common.py, line 68, in run_command_with_code proc = subprocess.Popen(cmd, cwd=self.root, stdout=stdout) File /usr/lib/python2.7/subprocess.py, line 679, in __init__ errread, errwrite) File /usr/lib/python2.7/subprocess.py, line 1249, in _execute_child*** * raise child_exception OSError: [Errno 13] Permission denied root@build-HP-Compaq-6005-Pro-SFF-PC :~/keystone-grizzly-2/python-openstackclient-master# *From:* Dolph Mathews [mailto:dolph.math...@gmail.com] *Sent:* Monday, February 11, 2013 12:09 PM *To:* Miller, Mark M (EB SW Cloud - RD - Corvallis) *Subject:* Re: [Openstack] keystone question - Solved - keystoneclient currently provides a python client library for both Identity API v2 and v3 - keystoneclient currently provides a command line interface for Identity API v2 -- but will not do so for Identity API v3 - openstackclient is working towards providing a unified CLI for all openstack projects, by consuming their python client libraries So, the answer depends on your use case. If you want to write python, consume keystoneclient directly. If you want to use the CLI, use openstackclient, which uses keystoneclient behind the scenes. All that said, work on openstackclient only recently ramped up, and a lot of major changes are still
Re: [Openstack] keystone delegate Athentication
Adam Young is working on introducing delegation in grizzly: https://blueprints.launchpad.net/keystone/+spec/trusts I'm sure he'd appreciate some help if you'd like to contribute! -Dolph On Wed, Feb 6, 2013 at 8:54 AM, Mballo Cherif cherif.mba...@gemalto.comwrote: Hi everybody ! I am wondering if it’s possible to delegate keystone Authentication to an Authentication against a server (I have one Strong Authentication server) or an Identity Provider? If I make modification on keystoneclient code it may be possible? Any ideas? Please help me! ** ** ** ** Thanks ! ** ** Sherif! ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp
Re: [Openstack] how to get version information
If you hit keystone's root endpoint you should also get a list of versions in the response -- today that only includes /v2.0/ # curl http://127.0.0.1:5000/ http://127.0.0.1:5000/v2.0/ -Dolph On Mon, Jan 28, 2013 at 3:07 AM, Ajiva Fan aji.zq...@gmail.com wrote: hello everyone, i'm wondering if there is any rest api for componnets' version info. i read the http://api.openstack.org/api-ref.html and find: 1) keystone truly have a rest api for version info: # curl http://127.0.0.1:5000/v2.0/ {version: {status: beta, updated: 2011-11-19T00:00:00Z,... 2) nova says it has, but sadly it does not work for essex # curl -H X-Auth-Token:token-for-admin-tenant http://127.0.0.1:8774/v2 Authentication required # curl -H X-Auth-Token:token-for-admin-tenant http://127.0.0.1:8774/v2.0/ {choices: [{status: CURRENT, so the document may point to folsom, and essex has little difference. there seems no rest api for glance and horizon, and no CLI for nova and horizon while CLI has glance --version and nova-manage version so my question is: 1) is there any rest api for query components' version info in essex and folsom (beside keystone)? 2) if not, will it be implemented in future? thanks for any help. ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp
Re: [Openstack] Glance image upload Keystone error
I've seen this question come up a couple times now; this error handling here needs to be improved with a decent error message. I opened a bug on the issue: https://bugs.launchpad.net/keystone/+bug/1103569 -Dolph On Wed, Jan 23, 2013 at 11:04 AM, Adam Young ayo...@redhat.com wrote: On 01/23/2013 06:34 AM, Trinath Somanchi wrote: Hi Stackers- I have installed glance and Keystone and configured them. Not sure how you installed, but you need to make sure the PKI provisioning is done. You can do it by hand with the keystone_manage command. Make sure you run it as the user that Keystone is going to run as, as it creates the certificates and Keystone (ajnd only Keystone) needs to be able to access those. But When I upload a test image with glance, I got this error in keystone logs (sqlalchemy.engine.base.Engine): 2013-01-23 17:04:57,904 INFO ('106298a47e5a4d129c7b8571e188c51e', 1) (keystone.common.cms): 2013-01-23 17:04:57,990 ERROR Signing error: Error opening signer certificate /etc/keystone/ssl/certs/signing_cert.pem 140702974211744:error:02001002:system library:fopen:No such file or directory:bss_file.c:398:fopen('/etc/keystone/ssl/certs/signing_cert.pem','r') 140702974211744:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:400: unable to load certificate (root): 2013-01-23 17:04:57,991 ERROR Command 'openssl' returned non-zero exit status 3 Traceback (most recent call last): File /usr/local/lib/python2.7/dist-packages/keystone-2013.1-py2.7.egg/keystone/common/wsgi.py, line 215, in __call__ result = method(context, **params) File /usr/local/lib/python2.7/dist-packages/keystone-2013.1-py2.7.egg/keystone/token/controllers.py, line 118, in authenticate config.CONF.signing.keyfile) File /usr/local/lib/python2.7/dist-packages/keystone-2013.1-py2.7.egg/keystone/common/cms.py, line 140, in cms_sign_token output = cms_sign_text(text, signing_cert_file_name, signing_key_file_name) File /usr/local/lib/python2.7/dist-packages/keystone-2013.1-py2.7.egg/keystone/common/cms.py, line 135, in cms_sign_text raise subprocess.CalledProcessError(retcode, openssl) CalledProcessError: Command 'openssl' returned non-zero exit status 3 Kindly help me resolve the issue -- Regards, -- Trinath Somanchi, +91 9866 235 130 ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp
Re: [Openstack] [heat] Grizzly-2 development milestone available for Heat
Grab a copy of the sample configuration file: https://github.com/openstack/keystone/blob/master/etc/keystone.conf.sample On Tuesday, January 15, 2013, Mballo Cherif wrote: Hi everybody, I need help! I was trying to install Openstack Keystone standalone on a Ubuntu 12.04 machine using the source tarball from Github http://docs.openstack.org/developer/keystone/installing.html . keystone was apparently installed correctly, however no keystone.conf file was created in either /etc or /etc/keystone folders. Thus, running anything further was not possible. ** ** Can anyone help/direct me about what should be done? ** ** Thanks you! ** ** Sherif ** ** ** ** *From:* openstack-bounces+cherif.mballo=gemalto@lists.launchpad.netjavascript:_e({}, 'cvml', 'gemalto@lists.launchpad.net');[mailto: openstack-bounces+cherif.mballo javascript:_e({}, 'cvml', 'openstack-bounces%2Bcherif.mballo');=gemalto@lists.launchpad.netjavascript:_e({}, 'cvml', 'gemalto@lists.launchpad.net');] *On Behalf Of *Martinx - ? *Sent:* mardi 15 janvier 2013 13:18 *To:* Steven Hardy *Cc:* openstack@lists.launchpad.net javascript:_e({}, 'cvml', 'openstack@lists.launchpad.net'); *Subject:* Re: [Openstack] [heat] Grizzly-2 development milestone available for Heat ** ** Hi! ** ** I just install Keystone and Glance on my Raring Ringtail controller node... ** ** Should I install Heat now? Or is it better to install it between? ** ** BTW, I'm using this guide to help me: https://github.com/mseknibilel/OpenStack-Folsom-Install-guide/blob/stable/GRE/OpenStack_Folsom_Install_Guide_WebVersion.rst- since it works great for Ubuntu 12.10... ** ** Thanks for the info! ** ** Best, Thiago On 15 January 2013 07:28, Steven Hardy sha...@redhat.comjavascript:_e({}, 'cvml', 'sha...@redhat.com'); wrote: On Mon, Jan 14, 2013 at 01:20:09PM -0200, Martinx - ジェームズ wrote: Hi! Is Grizzly-2 available on Ubuntu Raring Ringtail (13.04) daily builds? Tks! Thiago Since your question is in response to the Heat Grizzly-2 announcement, I should point out that Heat is not packaged for Ubuntu (yet!), so you will have to download the tarball and install from source to evaluate this release. Tarball: https://launchpad.net/heat/grizzly/grizzly-2 Install procedure should be the similar to: http://wiki.openstack.org/Heat/GettingStartedUsingMasterOnUbuntu Assuming you already have a functional openstack installation, you can start at Install Heat from master and skip the git clone (just untar the tarball instead) This should be an interim solution as packaging for Ubuntu is in-progress: https://bugs.launchpad.net/heat/+bug/1083501 Steve ** ** -- -Dolph ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp
Re: [Openstack] [OpenStack][Swift] Fast way of uploading 200GB of 200KB files to Swift
If memcache is being utilized by your keystone middleware, you should see keystone attaching to it on the first incoming request, e.g.: keystoneclient.middleware.auth_token [INFO]: Using Keystone memcache for caching token You may also want to use auth_token from keystoneclient = v0.2.0 if you're not already (instead of from keystone itself). -Dolph On Mon, Jan 14, 2013 at 11:43 AM, Leander Bessa Beernaert leande...@gmail.com wrote: Are you by any chance referring to this topic https://lists.launchpad.net/openstack/msg08639.html regarding the keystone token cache? If so I've already added the configuration line and have not noticed any speedup :/ On Mon, Jan 14, 2013 at 5:19 PM, Leander Bessa Beernaert leande...@gmail.com wrote: I'm using the ubuntu 12.04 packages of the folsom repository by the way. On Mon, Jan 14, 2013 at 5:18 PM, Chuck Thier cth...@gmail.com wrote: On Mon, Jan 14, 2013 at 11:03 AM, Leander Bessa Beernaert leande...@gmail.com wrote: Also, I'm unable to run the swift-bench with keystone. Hrm... That was supposed to be fixed with this bug: https://bugs.launchpad.net/swift/+bug/1011727 My keystone dev instance isn't working at the moment, but I'll see if I can get one of the team to take a look at it. -- Chuck ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp
Re: [Openstack] Error in Horizon or misconfiguration?
The fix was made to keystoneclient, so it does not require backporting. You can use the latest keystoneclient with either diablo, Essex or Folsom. -Dolph On Thursday, January 10, 2013, Matthias Runge wrote: On 01/10/2013 01:33 PM, JuanFra Rodriguez Cardoso wrote: Hi guys! Do you know if this Horizon's bug have been solved? In my fresh installation (2012.2.1 from EPEL), it keeps crashing. However, remaining operations in dashboard work fine! Its' a known error in keystone, which has been fixed IMHO. I'm currently not sure, if the fix has been backported to Folsom. Matthias ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net javascript:; Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp -- -Dolph ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp
Re: [Openstack] Error in Horizon or misconfiguration?
Are you still seeing EndpointNotFound's on the latest version of keystoneclient? Even without a fix, it was simply a condition that didn't need to be logged (especially as an error). -Dolph On Thu, Jan 10, 2013 at 8:07 PM, Sina Sadeghi s...@aptira.com wrote: Guys this is a bug I have been trying to get resolved for _ages_ now and it seems nobody cares about it: https://bugs.launchpad.net/python-keystoneclient/+bug/1036342 -- *Sina Sadeghi* Lead Cloud Engineer *Aptira Pty Ltd* 1800 APTIRA aptira.com http://www.aptira.com Follow @aptira https://twitter.com/#/aptira On 11/01/13 01:33, Ray Sun wrote: Maybe this bugs is related with your Quota Summary. https://bugs.launchpad.net/horizon/+bug/1055929 Just replace 'usage.quota' with 'usage.quotas' in horizon/templates/horizon/common/_quota_summary.html. - Ray Yours faithfully, Kind regards. CIeNET Technologies (Beijing) Co., Ltd Email: qsun01...@cienet.com.cn Office Phone: +86-01081470088-7079 Mobile Phone: +86-13581988291 On Thu, Jan 10, 2013 at 9:09 PM, JuanFra Rodriguez Cardoso juanfra.rodriguez.card...@gmail.com wrote: Thanks for replying quickly! Yes, I knew about this property. By default is 'internalURL', but although it's modified and restarted httpd, errors related to EndpointNotFound continue logging with endpoint_type='adminURL'. On the other hand, in Horizon, the Quota Summary in Project tab, is shown empty. Any idea about that? Thanks a lot! JuanFra 2013/1/10 Diego Parrilla Santamaría diego.parrilla.santama...@gmail.com You can change the endpoint type in Horizon: Modify this file: /etc/openstack-dashboard/local_settings.py and add (or edit) this property: OPENSTACK_ENDPOINT_TYPE=endpoint_type and endpoint_type can be internalURL, publicURL and adminURL, as usual. Cheers Diego -- Diego Parrilla http://www.stackops.com/*CEO* *www.stackops.com | * diego.parri...@stackops.com** | +34 649 94 43 29%2B34%20649%2094%2043%2029| skype:diegoparrilla* * http://www.stackops.com/ * * On Thu, Jan 10, 2013 at 1:33 PM, JuanFra Rodriguez Cardoso juanfra.rodriguez.card...@gmail.com wrote: Hi guys! Do you know if this Horizon's bug have been solved? In my fresh installation (2012.2.1 from EPEL), it keeps crashing. However, remaining operations in dashboard work fine! [Thu Jan 10 13:20:19 2013] [error] Traceback (most recent call last): [Thu Jan 10 13:20:19 2013] [error] File /usr/lib/python2.6/site-packages/keystoneclient/v2_0/client.py, line 135, in _extract_service_catalog [Thu Jan 10 13:20:19 2013] [error] endpoint_type='adminURL') [Thu Jan 10 13:20:19 2013] [error] File /usr/lib/python2.6/site-packages/keystoneclient/service_catalog.py, line 73, in url_for [Thu Jan 10 13:20:19 2013] [error] raise exceptions.EndpointNotFound('Endpoint not found.') [Thu Jan 10 13:20:19 2013] [error] EndpointNotFound: Endpoint not found. [Thu Jan 10 13:20:21 2013] [error] unable to retrieve service catalog with token It could be a great chance for my first contribution to Horizon code? could I assign myself this bug? Thanks, JuanFra. ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp logo.jpg___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp
[Openstack] [keystone] IBM DB2 configuration
(raising to the mailing list) Which DB2 driver are you using? I was referring to: http://code.google.com/p/ibm-db/wiki/README ... which shows an example connection string for sqlalchemy as: db2 = sqlalchemy.create_engine('ibm_db_sa:// db2inst1:sec...@host.name.com:5/pydev') -Dolph On Thu, Dec 20, 2012 at 4:05 AM, Kevin-Yang benbenzhufore...@gmail.comwrote: Dolph, Really appreciated for your response. My VM configuration is: OS - Red Hat Enterprise Linux Server release 6.3 (Santiago) DB2 - Informational tokens are DB2 v9.7.0.0, s090521, LINUXAMD6497, and Fix Pack 0 ibm_db - http://pypi.python.org/packages/source/i/ibm_db/ibm_db-2.0.0.tar.gz#md5=709c576c0ec2379ca15049f5c861beb1 ibm_db_sa - When i changed from ibmdb - ibm_db_sa, I came with a different error - Could not determine dialect for 'ibm_db_sa'. ## Traceback (most recent call last): File /usr/local/bin/keystone-manage, line 5, in module pkg_resources.run_script('keystone==2012.2', 'keystone-manage') File build/bdist.linux-x86_64/egg/pkg_resources.py, line 499, in run_script File build/bdist.linux-x86_64/egg/pkg_resources.py, line 1239, in run_script File /usr/local/lib/python2.7/site-packages/keystone-2012.2-py2.7.egg/EGG-INFO/scripts/keystone-manage, line 28, in module cli.main(argv=sys.argv, config_files=config_files) File /usr/local/lib/python2.7/site-packages/keystone-2012.2-py2.7.egg/keystone/cli.py, line 164, in main return run(cmd, (args[:1] + args[2:])) File /usr/local/lib/python2.7/site-packages/keystone-2012.2-py2.7.egg/keystone/cli.py, line 147, in run return CMDS[cmd](argv=args).run() File /usr/local/lib/python2.7/site-packages/keystone-2012.2-py2.7.egg/keystone/cli.py, line 35, in run return self.main() File /usr/local/lib/python2.7/site-packages/keystone-2012.2-py2.7.egg/keystone/cli.py, line 56, in main driver.db_sync() File /usr/local/lib/python2.7/site-packages/keystone-2012.2-py2.7.egg/keystone/identity/backends/sql.py, line 136, in db_sync migration.db_sync() File /usr/local/lib/python2.7/site-packages/keystone-2012.2-py2.7.egg/keystone/common/sql/migration.py, line 49, in db_sync current_version = db_version() File /usr/local/lib/python2.7/site-packages/keystone-2012.2-py2.7.egg/keystone/common/sql/migration.py, line 61, in db_version return versioning_api.db_version(CONF.sql.connection, repo_path) File string, line 2, in db_version File /usr/local/lib/python2.7/site-packages/migrate/versioning/util/__init__.py, line 155, in with_engine engine = construct_engine(url, **kw) File /usr/local/lib/python2.7/site-packages/migrate/versioning/util/__init__.py, line 140, in construct_engine return create_engine(engine, **kwargs) File build/bdist.linux-x86_64/egg/sqlalchemy/engine/__init__.py, line 338, in create_engine File build/bdist.linux-x86_64/egg/sqlalchemy/engine/strategies.py, line 50, in create File build/bdist.linux-x86_64/egg/sqlalchemy/engine/url.py, line 123, in get_dialect sqlalchemy.exc.ArgumentError: Could not determine dialect for 'ibm_db_sa'. ## -- You received this bug notification because you are a bug assignee. https://bugs.launchpad.net/bugs/987121 Title: strict constraint for database table creation Status in OpenStack Identity (Keystone): Fix Released Bug description: OpenStack claims that any type of database supporting SQLAlchemy can be taken as the database for OpenStack use. In some databases, if a column is defined as UNIQUE, it must be specified NOT NULL at the same time, e.g. IBM DB2, which is SQLAlchemy supporting. I am doing some tests with DB2 now. For the tables TENANT, USER and ROLE, they all have the column NAME, but they don't define this column NOT NULL. For database like MYSQL, it is permitted and keystone-manage db_sync works well. However, for database with strict constrains, like IBM DB2, this is not allowed. Running keystone-manage db_sync will prompt the error, which tells me UNIQUE and NOT NULL must be specified for the column NAME. Suggestion: In the code keystone/identity/backends/sql.py, we have name = sql.Column(sql.String(64), unique=True) If we change it into name = sql.Column(sql.String(64), unique=True, nullable=False), this issue will be solved. To manage notifications about this bug go to: https://bugs.launchpad.net/keystone/+bug/987121/+subscriptions ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp
Re: [Openstack] Can somebody offer some help regarding Keystone interaction with LDAP in Essex?
Make sure you're specifying a tenant (e.g. OS_TENANT_NAME) in order to receive authorization (e.g. the admin role) to perform nova list. You can debug the authn/authz process using keystone token-get (this doc is for folsom, but should work for essex, although the arguments may have changed, check keystone --help): http://docs.openstack.org/trunk/openstack-compute/install/apt/content/verifying-identity-install.html If you're running into issues between your LDAP schema and what keystone Essex expects, it's worth pointing out that keystone became a lot more flexible in terms of LDAP configuration in Folsom. -Dolph On Tue, Dec 18, 2012 at 3:07 PM, Christopher Smith csm...@wolfram.comwrote: Hey everybody, We're trying very hard to build an Openstack cluster here, and I've been running into some trouble with the Keystone LDAP identity backend. I have every expectation that this is just something I have misconfigured, but honestly the documentation seems somewhat lacking for this, so I haven't been able to figure out what is going wrong. Here's the current situation: We have gotten an entire Openstack installation working, using the SQL backends to keystone. We're currently trying to move the identity into LDAP. This has caused a few problems, but the one I'm stuck on at the moment is that the admin user seems not to be associated with the admin role. Nor does keystone seem to be attempting at all to look up role information. The relevant section of keystone.conf looks like: [ldap] url = ldap://ldap.wolfram.com tree_dn = ou=OpenStack,dc=wolfram,dc=com user_tree_dn = ou=Users,ou=OpenStack,dc=wolfram,dc=com role_tree_dn = ou=Roles,ou=OpenStack,dc=example,dc=com tenant_tree_dn = ou=Groups,ou=OpenStack,dc=wolfram,dc=com user = cn=directory,ou=misc,ou=OpenStack,dc=wolfram,dc=com password = redacted (but the bind is successful) suffix = cn=wolfram,cn=com Now, I've captured the traffic between keystone and ldap for when I execute any nova operation, say, nova list. What I get is a set of successful binds as cn=directory, a search request against ou=Users, one against ou=Groups, one for admin's UID in ou=Users, then re-bind as the Admin object -- also successful, so I assume I'm authenticated. Next I have a search by ID for the admin group. This, depending on the operation, might be repeated along with additional lookups for the lists of users and groups against the corresponding OUs. Anyway, all of this looks reasonable to me, expect that it doesn't appear to ever be trying to assign roles, which I'd like for it to do. My LDAP structure looks like this: ou=OpenStack ou=Groups Contains a set of groupOfNames objects with cn=id,ou=name member=DN of member. Our tenants are stored here. ou=misc This is just a place to stick the keystone directory user for the initial bind. ou=Roles Contains a set of organizationalRole objects with ou=name, cn=id, roleOccupant=DN of member ou=Users Contains a set of inetOrgPerson objects with ou=username and cn=id Any ideas what I'm missing? Chris -- Christopher Smith Systems Engineer, Wolfram Research ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp
Re: [Openstack] Create tenant with RESTful api
I'd first suggesting looking for an existing PHP binding (I'm not aware of one). You can also simply try keystone tenant-create and emulate it's request if that's all you need. I's implementation is here: https://github.com/openstack/python-keystoneclient/blob/master/keystoneclient/v2_0/tenants.py Alternatively, that portion of the API is defined here: https://github.com/openstack/identity-api/blob/master/openstack-identity-api/src/docbkx/extensions/OS-KSADM/OS-KSADM-admin.wadl#L135 You could also just make system calls from PHP, e.g. system(keystone tenant-create ...) or use popen() -Dolph On Fri, Dec 14, 2012 at 1:05 PM, Guillermo Alvarado guillermoalvarad...@gmail.com wrote: Because I am using PHP, so I am making the requests with REST. 2012/12/14 Matt Joyce matt.jo...@cloudscaling.com Is there a reason you are not using the keystone client api? On Fri, Dec 14, 2012 at 10:58 AM, Guillermo Alvarado guillermoalvarad...@gmail.com wrote: Hi Everyone, Please, someone can give me information about how to create a tenant with a REST request. I am trying to develop a module to use my legacy billing software, so I need to create tenants, create a vm, terminate it and suspend it. I can achieve the later with the vm but I can not find how to make the request to create a tenant... Thanks in advance, Best regards. ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp
Re: [Openstack] [SWIFT] Upgrade from 1.4.8 to 1.7.4 question
+1; if it doesn't work, it's a bug. -Dolph On Tue, Dec 11, 2012 at 4:32 PM, Matt Joyce matt.jo...@cloudscaling.comwrote: My guess would be that it would work. The keystone API hasn't changed massively between essex and folsom. I have not tested. But I am fairly confident it would work just fine. -Matt On Tue, Dec 11, 2012 at 2:25 PM, Alejandro Comisario alejandro.comisa...@mercadolibre.com wrote: Hi guys, we are planning to upgrade our production cluster from 1.4.8 to 1.7.4 to have the several features of the new version. One of the main doubts before dive into this task is as follow : Is it possible to use SWIFT 1.7.4 with Keystone/ESSEX ? Or is MUST to have Keystone from Folsom release ? Thanks in advance ! * * *Alejandrito* ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp
Re: [Openstack] Problem with keystone on Debian
The arguments for the commands you need vary a bit by release, but for interactive help, use: $ keystone help role-create $ keystone help tenant-create $ keystone help user-create $ keystone help user-role-add In the latest release of keystoneclient, also try: $ keystone help bootstrap ... which shortcuts the process of using the above 4 commands. -Dolph On Thu, Dec 6, 2012 at 12:21 PM, Guilherme Russi luisguilherme...@gmail.com wrote: Hello Guys, I'm trying to install OpenStack on Debian Wheezy, but i'm getting some problems with keystone, when i try to create a user in a tenant using the --tenant-id command, it returns the error: keystone: error: unrecognized arguments: --service-id service-id number. Does anybody knows if it is a version problem, I've tried on ubuntu 12.10 and it worked. Hope someone can help me. Thank you. ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp
Re: [Openstack] [Keystone] LDAP Backend for Catalog
Neither have I. -Dolph On Mon, Dec 3, 2012 at 1:25 PM, heckj he...@mac.com wrote: I haven't heard any demand for it - - joe On Dec 3, 2012, at 11:13 AM, Adam Young ayo...@redhat.com wrote: Right now, only the Identity submodule has an LDAP backend. This is user, tenants, and roles. Is there any requirement for the Catalog to have an LDAP back end? Endpoints and Services do not necessarily map directly to the LDAP view of machines, but could probably be made to fit. I will start investigating the feasibility if there is any demand for it. ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp
Re: [Openstack] [openstack-dev] Fwd: [keystone] Tokens representing authorization to projects/tenants in the Keystone V3 API
I'm just pointing out that the same data used for validating belongsTo on the server-side is included in the response body (assuming a GET and not HEAD). -Dolph On Thu, Nov 15, 2012 at 2:51 PM, Jorge Williams jorge.willi...@rackspace.com wrote: (inline) On Nov 15, 2012, at 2:06 PM, Dolph Mathews wrote: Without belongsTo, you can still validate the tenant scope client-side, so it's a bit redundant. Not sure what you mean. Can you be more specific? However, if you're making a HEAD call to validate the token, you obviously need the server to do that additional validation for you. Right. -Dolph On Thu, Nov 15, 2012 at 8:20 AM, Jorge Williams jorge.willi...@rackspace.com wrote: No, it's optional. Token validation returns what it normally does. The only thing belongs to does is that you fail token validation if the given tenant is not covered by the scope of the token. -jOrGe W. On Nov 14, 2012, at 11:18 PM, Yee, Guang wrote: Is belongsTo mandatory? If not, what will token validation API return? {access: [list of tokens]} ? Guang -Original Message- From: Jorge Williams [mailto:jorge.willi...@rackspace.com] Sent: Wednesday, November 14, 2012 2:47 PM To: OpenStack Development Mailing List Cc: openstack@lists.launchpad.net (openstack@lists.launchpad.net) Subject: Re: [openstack-dev] [Openstack] Fwd: [keystone] Tokens representing authorization to projects/tenants in the Keystone V3 API From an API perspective the changes required are the following: 1. The validate call returns a list of tenants instead of a single tenant. If the tenant id is in the URI of the API, then the validation middleware can assert that the tenant id is in the list of IDs. Not sure if there's any additional changes, but I don't think so. An alternative approach is to use the belongsTo query parameter in the validate call. So if you know the tenantId of the resource, you can issue a validate with ?belongsTo=tenatId and validation if the tenant is not in the list of tenatIds for the token. The belongsTo query parameter is in the validate token call in the API today http://docs.openstack.org/api/openstack-identity-service/2.0/content/GET_val idateToken_v2.0_tokens__tokenId__Admin_API_Service_Developer_Operations-d1e1 356.html And we use it quite a bit in our implementation, when we validate tokens -- that is in the case where a token may have access to multiple tenants. Thoughts? -jOrGe W. On Nov 14, 2012, at 3:53 PM, heckj wrote: If we're going to assert it's supported, we're doing an incredible dis-service to writing a spec to not implement that aspect of the spec, as that kind of set up just leads to incompatibilities and confusion when asserting how the spec should be used to provide interoperability. If we accept this as a spec addition, then we MUST have an implementation that makes it clear how we expect to interoperate with that aspect of the specification, even if it's a configuration option that we don't normally enable. If we don't test and validate it to prove interoperability, then the spec is a worthless digital piece of paper. So under that pretext, I welcome suggestions on how to interpret the spec you're proposing to some concrete implementations that can be verified for interoperability, and that are compatible with the existing and/or upcoming implementations for V3 API. -joe On Nov 14, 2012, at 1:35 PM, Joe Savak joe.sa...@rackspace.com wrote: Hi Joe, If I'm working across multiple tenants, I'd prefer one token that I can securely handle that proves access rights to the tenants I'm working with. Handling multiple tokens increases the complexity of clients needing to provide multi-tenancy access to an authenticated identity. It also adds more calls to keystone. Again, I think that having the keystone reference implementation restrict tokens to 1 tenant is fine. We shouldn't have such arbitrary restrictions in the API contract though. It needs to be extensible and flexible to allow for the all sorts of use cases that are likely to occur. Thanks, joe -Original Message- From: heckj [mailto:he...@mac.com] Sent: Tuesday, November 13, 2012 3:59 PM To: Joe Savak Cc: OpenStack Development Mailing List; openstack@lists.launchpad.net (openstack@lists.launchpad.net) Subject: Re: [Openstack] [openstack-dev] Fwd: [keystone] Tokens representing authorization to projects/tenants in the Keystone V3 API Hey Joe: Currently a user scoped token doesn't include a service catalog - mostly because I think the service catalog generally requires tenant_id's to interpolate into the values to provide it. That doesn't mean we can't put in/include service catalog endpoints where that value doesn't need to be determined. I'm also questioning the value
Re: [Openstack] [openstack-dev] Fwd: [keystone] Tokens representing authorization to projects/tenants in the Keystone V3 API
Without belongsTo, you can still validate the tenant scope client-side, so it's a bit redundant. However, if you're making a HEAD call to validate the token, you obviously need the server to do that additional validation for you. -Dolph On Thu, Nov 15, 2012 at 8:20 AM, Jorge Williams jorge.willi...@rackspace.com wrote: No, it's optional. Token validation returns what it normally does. The only thing belongs to does is that you fail token validation if the given tenant is not covered by the scope of the token. -jOrGe W. On Nov 14, 2012, at 11:18 PM, Yee, Guang wrote: Is belongsTo mandatory? If not, what will token validation API return? {access: [list of tokens]} ? Guang -Original Message- From: Jorge Williams [mailto:jorge.willi...@rackspace.com] Sent: Wednesday, November 14, 2012 2:47 PM To: OpenStack Development Mailing List Cc: openstack@lists.launchpad.net (openstack@lists.launchpad.net) Subject: Re: [openstack-dev] [Openstack] Fwd: [keystone] Tokens representing authorization to projects/tenants in the Keystone V3 API From an API perspective the changes required are the following: 1. The validate call returns a list of tenants instead of a single tenant. If the tenant id is in the URI of the API, then the validation middleware can assert that the tenant id is in the list of IDs. Not sure if there's any additional changes, but I don't think so. An alternative approach is to use the belongsTo query parameter in the validate call. So if you know the tenantId of the resource, you can issue a validate with ?belongsTo=tenatId and validation if the tenant is not in the list of tenatIds for the token. The belongsTo query parameter is in the validate token call in the API today http://docs.openstack.org/api/openstack-identity-service/2.0/content/GET_val idateToken_v2.0_tokens__tokenId__Admin_API_Service_Developer_Operations-d1e1 356.html And we use it quite a bit in our implementation, when we validate tokens -- that is in the case where a token may have access to multiple tenants. Thoughts? -jOrGe W. On Nov 14, 2012, at 3:53 PM, heckj wrote: If we're going to assert it's supported, we're doing an incredible dis-service to writing a spec to not implement that aspect of the spec, as that kind of set up just leads to incompatibilities and confusion when asserting how the spec should be used to provide interoperability. If we accept this as a spec addition, then we MUST have an implementation that makes it clear how we expect to interoperate with that aspect of the specification, even if it's a configuration option that we don't normally enable. If we don't test and validate it to prove interoperability, then the spec is a worthless digital piece of paper. So under that pretext, I welcome suggestions on how to interpret the spec you're proposing to some concrete implementations that can be verified for interoperability, and that are compatible with the existing and/or upcoming implementations for V3 API. -joe On Nov 14, 2012, at 1:35 PM, Joe Savak joe.sa...@rackspace.com wrote: Hi Joe, If I'm working across multiple tenants, I'd prefer one token that I can securely handle that proves access rights to the tenants I'm working with. Handling multiple tokens increases the complexity of clients needing to provide multi-tenancy access to an authenticated identity. It also adds more calls to keystone. Again, I think that having the keystone reference implementation restrict tokens to 1 tenant is fine. We shouldn't have such arbitrary restrictions in the API contract though. It needs to be extensible and flexible to allow for the all sorts of use cases that are likely to occur. Thanks, joe -Original Message- From: heckj [mailto:he...@mac.com] Sent: Tuesday, November 13, 2012 3:59 PM To: Joe Savak Cc: OpenStack Development Mailing List; openstack@lists.launchpad.net (openstack@lists.launchpad.net) Subject: Re: [Openstack] [openstack-dev] Fwd: [keystone] Tokens representing authorization to projects/tenants in the Keystone V3 API Hey Joe: Currently a user scoped token doesn't include a service catalog - mostly because I think the service catalog generally requires tenant_id's to interpolate into the values to provide it. That doesn't mean we can't put in/include service catalog endpoints where that value doesn't need to be determined. I'm also questioning the value of providing a token scoped to all tenants associated with a user - that seems to have the same value as just using a user token. In fact, even if we allow some arbitrary set of tenants to be scoped into a token along with a user, what on earth should be in the service catalog? Endpoints relevant to every possible tenant? This just seems to be a potential explosion of data that is
Re: [Openstack] [Folsom] Horizon not working
We just fixed a similar issue in keystoneclient -- what release is this running against? https://bugs.launchpad.net/python-keystoneclient/+bug/1074784 https://review.openstack.org/#/c/15410/ -Dolph On Thu, Nov 8, 2012 at 5:46 AM, Robert van Leeuwen robert.vanleeu...@spilgames.com wrote: [Fri Nov 02 14:25:28 2012] [error] unable to retrieve service catalog with token [Fri Nov 02 14:25:28 2012] [error] Traceback (most recent call last): [Fri Nov 02 14:25:28 2012] [error] File /usr/lib/python2.7/dist-packages/keystoneclient/v2_0/client.py, line 132, in _extract_service_catalog [Fri Nov 02 14:25:28 2012] [error] endpoint_type='adminURL') [Fri Nov 02 14:25:28 2012] [error] File /usr/lib/python2.7/dist-packages/keystoneclient/service_catalog.py, line 62, in url_for [Fri Nov 02 14:25:28 2012] [error] raise exceptions.EndpointNotFound('Endpoint not found.') [Fri Nov 02 14:25:28 2012] [error] EndpointNotFound: Endpoint not found. Sounds like keystone is not properly setup. Maybe one of the required endpoints is not setup? ( I think you will need at least 4 endpoints to make it work. They are for the following services: identity, image, compute, volume) For debugging you can take a look at the keystone log so you can see the contents of the created tokens. Regards, Robert van Leeuwen ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp
Re: [Openstack] Id collision across multiple data center deployments
The ID's generated by keystone are implemented using random UUID's for exactly this use case. -Dolph On Sat, Nov 3, 2012 at 11:49 PM, Salman A Baset saba...@us.ibm.com wrote: Hello folks, Suppose there is a single BSS managing multiple data centers, each running independent OpenStack OSS. Is there any possibility of OpenStack keystone or other ids to be similar with another deployment? (in particular tenant_id, user_id etc). I don't think this is the case (assuming uuids) but want to confirm with folks. Thanks. Best Regards, Salman A. Baset Research Staff Member, IBM T. J. Watson Research Center Tel: +1-914-784-6248 ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp
Re: [Openstack] Verification of Keystone Installation fails
I was able to reproduce by defining SERVICE_ENDPOINT and SERVICE_TOKEN in my own environment, which appear to be overriding the credentials provided on the CLI -- I don't think that's the intended behavior. If you unset them, you should be able to verify the install. If you skip verifying keystone and something is wrong with it, you'll likely find out pretty quick when another service calls keystone for the first time :) -Dolph On Wed, Oct 31, 2012 at 12:22 PM, Ahmed Al-Mehdi ah...@coraid.com wrote: Hi Dolph, Thank you very much for helping me on this issue. Following is the environment variables related to openstack: root@bodega:~# env | egrep OS_|SERVICE_ SERVICE_ENDPOINT=http://10.176.20.158:35357/v2.0/ SERVICE_TOKEN=012345SECRET99TOKEN012345 root@bodega:~# ifconfig eth0 eth0 Link encap:Ethernet HWaddr 00:1e:67:06:1b:67 inet addr:10.176.20.158 Bcast:10.176.255.255 Mask:255.255.0.0 inet6 addr: fe80::21e:67ff:fe06:1b67/64 Scope:Link UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 RX packets:12760203 errors:0 dropped:0 overruns:0 frame:0 TX packets:203944 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:1000 RX bytes:1044985224 (1.0 GB) TX bytes:22642912 (22.6 MB) Interrupt:16 Memory:b200-b202 root@bodega:~# I am attaching keystone.conf file. Would you happen to know if there is a high level document document on keystone (more than just a user guide, but a architectural/functional doc, but not a API doc). Something similar to http://docs.openstack.org/trunk/openstack-identity/admin/os-identity-starter-guide-trunk.pdf but updated. Does my current issue prohibit me from progressing forward with the next steps in the install document, setting up glance, nova, etc.? Regards, Ahmed. From: Dolph Mathews dolph.math...@gmail.com Date: Wednesday, October 31, 2012 9:44 AM To: Ahmed Al-Mehdi ah...@coraid.com Cc: openstack@lists.launchpad.net openstack@lists.launchpad.net Subject: Re: [Openstack] Verification of Keystone Installation fails The error you're seeing is actually client-side, so there won't be anything in keystone's logs. It indicates that you're not actually authenticating with keystone (and instead bypassing authentication using --token and --endpoint, for example) ... however, that's obviously not the case, as you're explicitly providing --os-username, etc. Unfortunately, I'm not able to reproduce this issue. Can you share your OS_* environment variables? I suspect something there is unexpectedly overriding what you're providing on the CLI... which would be a legitimate bug. Thanks, -Dolph On Wed, Oct 31, 2012 at 2:08 AM, Ahmed Al-Mehdi ah...@coraid.com wrote: Hello, I followed the steps in the OpenStack Install Deploy for Ubuntu manual to install Keystone. However, when I issue the commands in section Verifying the Identity Service Installation ( http://docs.openstack.org/trunk/openstack-compute/install/apt/content/verifying-identity-install.html ), I am getting the following error: # keystone --os-username=admin --os-password=admin --os-auth-url= http://10.176.20.158:35357/v2.0 token-get 'Client' object has no attribute 'service_catalog' I don't see any additional info in keystone.log. Can someone please help me. Thank you, Ahmed. ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp
Re: [Openstack] [OpenStack] Limiting new roles
With regard to keystone, the current policy implementation is entirely binary in that a role may either have total control over keystone or none. The implementation in Grizzly is much more granular. -Dolph On Wed, Oct 31, 2012 at 2:35 PM, Guillermo Alvarado guillermoalvarad...@gmail.com wrote: Hi everyboy, I want to create a new role, named another-admin, so this role only can create tentants and roles but cannnot change quotas or modify images and all other actions that admin role can do. I read about create rules in the policy.json of each service (nova, keystone, glance, swift) but my doubt is: How can I limit the views/templates/urls of Horizon, I mean, I want that the role another-admin can not see templates related to glance and can not see that menu. Thanks in advance, Best Regards. ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp
Re: [Openstack] Verification of Keystone Installation fails
There are basically two rules at work: 1) an existing token takes precedence over username+password credentials. 2) CLI options take precedence over configuration from the environment. In Folsom, these options look like: (existing token) --os-token / OS_SERVICE_TOKEN --os-endpoint / OS_SERVICE_ENDPOINT (credentials) --os-username / OS_USERNAME --os-password / OS_PASSWORD --os-tenant-name / OS_TENANT_NAME --os-auth-url / OS_AUTH_URL (there are also a few other options like region, api version, etc) Rule 1 is universally applied before rule 2, which means the token + endpoint from the environment is taking precedence over username + password from the CLI. IMO, it's a bug that rule 2 isn't applied before rule 1. -Dolph On Wed, Oct 31, 2012 at 3:32 PM, Joshua Harlow harlo...@yahoo-inc.comwrote: I think the overall issue is connected to https://bugs.launchpad.net/keystone/+bug/962600 Right? Seems like that is still happening :-( From: Ahmed Al-Mehdi ah...@coraid.com Date: Wednesday, October 31, 2012 1:15 PM To: Dolph Mathews dolph.math...@gmail.com Cc: Joseph Heck joe.h...@nebula.com, openstack@lists.launchpad.net openstack@lists.launchpad.net Subject: Re: [Openstack] Verification of Keystone Installation fails Hi Dolph, Awesome, that worked. Thank you very much. Just out of curiosity, what was the exact conflict? Between which environment variable and option passed to the CLI? Regards, Ahmed. From: Dolph Mathews dolph.math...@gmail.com Date: Wednesday, October 31, 2012 10:46 AM To: Ahmed Al-Mehdi ah...@coraid.com Cc: openstack@lists.launchpad.net openstack@lists.launchpad.net, Joseph Heck joe.h...@nebula.com Subject: Re: [Openstack] Verification of Keystone Installation fails I was able to reproduce by defining SERVICE_ENDPOINT and SERVICE_TOKEN in my own environment, which appear to be overriding the credentials provided on the CLI -- I don't think that's the intended behavior. If you unset them, you should be able to verify the install. If you skip verifying keystone and something is wrong with it, you'll likely find out pretty quick when another service calls keystone for the first time :) -Dolph On Wed, Oct 31, 2012 at 12:22 PM, Ahmed Al-Mehdi ah...@coraid.com wrote: Hi Dolph, Thank you very much for helping me on this issue. Following is the environment variables related to openstack: root@bodega:~# env | egrep OS_|SERVICE_ SERVICE_ENDPOINT=http://10.176.20.158:35357/v2.0/ SERVICE_TOKEN=012345SECRET99TOKEN012345 root@bodega:~# ifconfig eth0 eth0 Link encap:Ethernet HWaddr 00:1e:67:06:1b:67 inet addr:10.176.20.158 Bcast:10.176.255.255 Mask:255.255.0.0 inet6 addr: fe80::21e:67ff:fe06:1b67/64 Scope:Link UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 RX packets:12760203 errors:0 dropped:0 overruns:0 frame:0 TX packets:203944 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:1000 RX bytes:1044985224 (1.0 GB) TX bytes:22642912 (22.6 MB) Interrupt:16 Memory:b200-b202 root@bodega:~# I am attaching keystone.conf file. Would you happen to know if there is a high level document document on keystone (more than just a user guide, but a architectural/functional doc, but not a API doc). Something similar to http://docs.openstack.org/trunk/openstack-identity/admin/os-identity-starter-guide-trunk.pdf but updated. Does my current issue prohibit me from progressing forward with the next steps in the install document, setting up glance, nova, etc.? Regards, Ahmed. From: Dolph Mathews dolph.math...@gmail.com Date: Wednesday, October 31, 2012 9:44 AM To: Ahmed Al-Mehdi ah...@coraid.com Cc: openstack@lists.launchpad.net openstack@lists.launchpad.net Subject: Re: [Openstack] Verification of Keystone Installation fails The error you're seeing is actually client-side, so there won't be anything in keystone's logs. It indicates that you're not actually authenticating with keystone (and instead bypassing authentication using --token and --endpoint, for example) ... however, that's obviously not the case, as you're explicitly providing --os-username, etc. Unfortunately, I'm not able to reproduce this issue. Can you share your OS_* environment variables? I suspect something there is unexpectedly overriding what you're providing on the CLI... which would be a legitimate bug. Thanks, -Dolph On Wed, Oct 31, 2012 at 2:08 AM, Ahmed Al-Mehdi ah...@coraid.com wrote: Hello, I followed the steps in the OpenStack Install Deploy for Ubuntu manual to install Keystone. However, when I issue the commands in section Verifying the Identity Service Installation ( http://docs.openstack.org/trunk/openstack-compute/install/apt/content/verifying-identity-install.html ), I am getting the following error: # keystone --os-username=admin --os-password=admin --os-auth-url= http://10.176.20.158:35357/v2.0 token
Re: [Openstack] [OpenStack] Limiting new roles
I'm specifically referring to keystone, because you mention ...this role only can create tentants and roles... If you can create tenants and roles in keystone, you also have the power to create new users and grant yourself additional roles in keystone, due to the binary nature of the policy implementation in keystone today (thereby -- and unfortunately -- defeating the rest of your statement: ... but cannnot change quotas or modify images). -Dolph On Wed, Oct 31, 2012 at 5:29 PM, Guillermo Alvarado guillermoalvarad...@gmail.com wrote: I know the implementation is not binay, you can modify the permissions related with nova/glance/swifth of the differents roles. I doubt is if horizon know wich template can view each user... 2012/10/31 Dolph Mathews dolph.math...@gmail.com With regard to keystone, the current policy implementation is entirely binary in that a role may either have total control over keystone or none. The implementation in Grizzly is much more granular. -Dolph On Wed, Oct 31, 2012 at 2:35 PM, Guillermo Alvarado guillermoalvarad...@gmail.com wrote: Hi everyboy, I want to create a new role, named another-admin, so this role only can create tentants and roles but cannnot change quotas or modify images and all other actions that admin role can do. I read about create rules in the policy.json of each service (nova, keystone, glance, swift) but my doubt is: How can I limit the views/templates/urls of Horizon, I mean, I want that the role another-admin can not see templates related to glance and can not see that menu. Thanks in advance, Best Regards. ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp
Re: [Openstack] [keystone] Domain Name Spaces
for Apache, and a simple config value for Eventlet. ** ** Very keen to hear other concerns you may have. ** ** Henry On 27 Oct 2012, at 21:22, Gabriel Hurley wrote: There are various options for how Horizon can handle the UX problems associated with adding additional domains. Making it a part of the URL is one which could be supported, but I’m not inclined to make that the only method. The implementation details can be hashed out when we get there.*** * I am more concerned about the experience for CLI/API users; adding more parameters they have to pass is quite unfriendly. And I have to say that Keystone’s track record for handling “default” options has been quite poor (see “default tenant”). The mixed support for lookups via ID vs. name is also a mess. There needs to be consistency around what is unique and in what scope (which is where this thread started). So far I haven’t heard a concrete answer on that. For example, if tenants uniqueness is scoped to a domain, and lookups via tenant name are possible, and there’s a default domain… well haven’t you just painted yourself into a corner where tenant names in the default domain must be unique while names in any other domain do not? It’s these kinds of issues that need to really be thought through. - Gabriel *From:* openstack-bounces+gabriel.hurley=nebula@lists.launchpad.net [ mailto:openstack-bounces+gabriel.hurley=openstack-bounces+gabriel.hurley= nebula@lists.launchpad.net] *On Behalf Of *Adam Young *Sent:* Friday, October 26, 2012 4:19 PM *To:* Henry Nash *Cc:* OpenStack Development Mailing List; openstack@lists.launchpad.net ( openstack@lists.launchpad.net) *Subject:* Re: [Openstack] [keystone] Domain Name Spaces On 10/26/2012 07:17 PM, Henry Nash wrote: So to pick up on a couple of the areas of contention: a) Roles. I agree that role names must stay globally unique. One way of thinking about this is that it is not actually keystone that is creating the role name space it is the other services (Nova etc.) by specifying roles in their policy files. Until those services support domain specific segmentation, then role names stay global. b) Will multi-domains make it more complicated in terms of authorisation - e.g. will the users have to input a Domain Name into Horizon the whole time? The first thing I would say is that if the cloud administrator has create multiple domains, then the keystone API should indeed require the domain specification. However, that should not mean it should be laborious for a Horizon user. In the case where a Cloud Provider has created domains to encapsulate each of their customers - then if they want to let those customer use horizon as the UI, then I would think they want to be able to give each customer a unique URL which will point to a Horizon that knows which domain to go to. Yes, I think that this is the solution. It will involve HTTPD virtual hosts, and horizon can then get an additional config parameter keystone_domain as part of the wsgi config. Maybe the url contains the Domain Name or ID in the path, and Horizon pulls this out of its own url (assuming that's possible) and hence the user is never given an option to chose a domain. A Cloud Admin would use a non domain qualified url to get to Horizon (basically as it is now) and hence be able to see the different domains. Likewise, in the case of where the Cloud Provider has not chosen to create any individual domains (and is just running the cloud in the default domain), then the non domain qualified url would be used to a Horizon that only showed one, default domain and hence no choice is required. Henry On 26 Oct 2012, at 17:31, heckj wrote: Bringing conversation for domains in Keystone to the broader mailing lists. On Oct 26, 2012, at 5:18 AM, Dolph Mathews dolph.math...@gmail.com wrote: I think this discussion would be great for both mailing lists. -Dolph On Fri, Oct 26, 2012 at 5:18 AM, Henry Nash henry.n...@mac.com wrote:*** * Hi Not sure where best to have this discussion - here, as a comment to the v3api doc, or elsewhere - appreciate some guidance and will transfer this to the right place At the Summit we started a discussion on whether things like user name, tenant name etc. should be globally unique or unique within a domain. I'd like to widen that discussion to try and a) agree a direction, b) agree some changes to our current spec. Here's my view as an opening gambit: - When a Keystone instance is first started, there is only one, default, Domain. The Cloud Provider does not need to create any new domains, all projects can exist in this default domain, as will the users etc
Re: [Openstack] Retrieve Endpoints
It's hard to say without docs, as the openstack.identity.endpoint shown there is just throwing errors for me, and the openstack.endpoint is raising 401. However, the port used for the identity endpoint is typically used for the administrative/management identity endpoint (keystone), and the openstack.endpoint refers to specifically to compute in the hostname (nova). -Dolph On Sun, Oct 28, 2012 at 11:21 PM, Tummala Pradeep pradeep.tumm...@ericsson.com wrote: Hi Joe, I am actually trying to integrate cloudify with Openstack. To accomplish this, I have to configure openstack.groovy file in cloudify. There are two fields here - openstack.endpoint openstack.identity.endpoint. I have an example for cloudify integration with HP Openstack cloud. Hope, it will help you to understand what exactly these two fields (Last 4 lines) require. cloud { // Mandatory. The name of the cloud, as it will appear in the Cloudify UI. name = Openstack configuration { // Mandatory - openstack Diablo cloud driver. className org.cloudifysource.esc.driver.provisioning.openstack.OpenstackCloudDriver // Optional. The template name for the management machines. Defaults to the first template in the templates section below. managementMachineTemplate SMALL_LINUX **// Optional. Indicates whether internal cluster communications should use the machine private IP. Defaults to true. connectToPrivateIp true remoteUsername REPLACE_WITH_THE_SSH_USER_NAME remotePassword REPLACE_WITH_THE_SS_USER_PASSWORD } provider { // optional provider openstack localDirectory tools/cli/plugins/esc/hp/upload remoteDirectory /root/gs-files cloudifyUrl http://s3.amazonaws.com/gigaspaces-cloudify/cloudify/hp/gigaspaces-hp.zip; http://s3.amazonaws.com/gigaspaces-cloudify/cloudify/hp/gigaspaces-hp.zip machineNamePrefix agent dedicatedManagementMachines true managementOnlyFiles ([]) managementGroup management numberOfManagementMachines 1 zones ([agent]) reservedMemoryCapacityPerMachineInMB 1024 } user { user ENTER_USER apiKey ENTER_KEY keyFile ENTER_KEY_FILE } templates ([ SMALL_LINUX : template{ imageId 221 machineMemoryMB 1600 hardwareId 102 //locationId us-east-1 options ([ openstack.securityGroup : test, openstack.keyPair : hp-cloud-demo, // indicates if a floating IP should be assigned to this machine. Defaults to true. openstack.allocate-floating-ip : true ]) } ]) custom ([ *openstack.endpoint : https://az-2.region-a.geo-1.compute.hpcloudsvc.com/; https://az-2.region-a.geo-1.compute.hpcloudsvc.com/,* * openstack.identity.endpoint: https://region-a.geo-1.identity.hpcloudsvc.com:35357/; https://region-a.geo-1.identity.hpcloudsvc.com:35357/,* openstack.tenant : ENTER_TENANT, openstack.wireLog: false ]) } Now, I am trying the integration with OpenStack deployed on my server. Do let me know if you get any idea from the above example. Thanks Pradeep On 10/26/2012 01:36 AM, heckj wrote: Hi Pradeep, I'm not sure what the context is for these values, so it's a little hard to assert a clear answer. For most openstack projects, (all but keystone), there's generally a single API endpoints, and the keystone service catalog is configured on deployment to point to those. The service catalog supports exposing internal and public endpoints. Keystone (quirky thing that it is) has two endpoints - one for general public authorization with a very limited API - in the docs and on the CLI, this is referred to as the auth_url. In a devstack setup, this auth_url is http://localhost:5000/v2.0; http://localhost:5000/v2.0 - your deployment I'd expect to be different. There's also an administrative endpoint for Keystone where a Keystone admin (or associated scripts) can configure services, endpoints, users, etc depending on the keystone deployment configuration. The CLI refers to this as the management_url, and in a devstack setup, it would be http://localhost:35357/v2.0; http://localhost:35357/v2.0 This help? -joe
Re: [Openstack] documentation bug in openstack - redhat install guide (wrong admin_user)
Thanks for the feedback! I opened a bug report to track this issue: https://bugs.launchpad.net/openstack-manuals/+bug/1071921 -Dolph On Fri, Oct 26, 2012 at 4:03 PM, ikke i...@iki.fi wrote: Hi, I just went through setting up keystone and glance to fedora 17 with f18 folsom preview repos for openstack rpms. It seems the instructions have some error: it creates the users here: http://docs.openstack.org/trunk/openstack-compute/install/yum/content/setting-up-tenants-users-and-roles-manually.html and uses them incorrectly here, causing keystone to block access to create-image: http://docs.openstack.org/trunk/openstack-compute/install/yum/content/configure-glance-files.html doc uses admin_user=admin, admin_tenant=service in two of the config files (api+registry), even though it never created admin user for the tenant service in the first doc link where the users get created. After changing the admin_user to glance and also admin_password to glance's password, it starts working. There used to be comment box in the docs, but it doesn't seem to be the case anymore. So I'll whine here instead ;) BR, ikke ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp
Re: [Openstack-qa-team] [openstack-dev] Changes with ids/uuids?
In short, PKI tokens are able to be validated client-side, reducing network chattiness with keystone, etc. Although PKI was implemented in Folsom, it wasn't shipped as the default. Our goal in changing the default now is to flush out any issues as early in the Grizzly cycle as possible. If you're having any issues with PKI tokens, you can A) file bugs as appropriate (please!), and B) switch back to UUID tokens by changing [signing] token_format in keystone.conf from 'PKI' back to 'UUID'. -Dolph On Thu, Oct 25, 2012 at 7:52 AM, David Kranz david.kr...@qrclab.com wrote: On 10/25/2012 1:13 AM, Daryl Walleck wrote: While spinning up a new devstack tonight I noticed some very odd behavior. Keystone is suddenly giving me back a 3000+ character auth token, and the ids for flavors I'm creating are extremely large ints (uuids I could see, but not this). Does anyone have any insight into if either of these changes were intentional? Daryl I think that must be a result of https://review.openstack.org/#/c/14577/which changed the keystone default to use PKI tokens. Could some one from the keystone team explain any implication of this? -David ___ OpenStack-dev mailing list openstack-...@lists.openstack.org http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev -- Mailing list: https://launchpad.net/~openstack-qa-team Post to : openstack-qa-team@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack-qa-team More help : https://help.launchpad.net/ListHelp
Re: [Openstack] ERROR: string indices must be integers, not str
Sorry for the delayed response; I know I've seen this message before. I believe it had something to do with endpoints configured in a manner keystone did not expect. Can you paste the full backtrace from the logs, and if it appears to be related, your keystone endpoint-list? -Dolph On Thu, Oct 18, 2012 at 5:00 AM, Xu, HongnaX hongnax...@intel.com wrote: Hi I am installing openstack on ubuntu 12.10 beta2 with precise-updates/folsom repo , after sync keystone database, then these parameters in ~/.bashrc export SERVICE_TOKEN=admin export OS_TENANT_NAME=admin export OS_USERNAME=admin export OS_PASSWORD=openstack export OS_AUTH_URL=http://10.211.55.17:5000/v2.0/ export SERVICE_ENDPOINT=http://10.211.55.17:35357/v2.0/ when I add keystone users by keystone user-create --name admin --pass openstack --email ad...@foobar.com or keystone user-list, I got string indices must be integers, not str, is there any solution? My settings exactly the same as the wiki http://docs.openstack.org/trunk/openstack-compute/install/apt/content/ap_installingfolsomubuntuprecise.html Best Regards, Hongna ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp
Re: [Openstack] A simple guide to install OpenStack Folsom
I'd like to simplify the scope of sample_data.sh to the absolute bare minimum (service tenant, admin role, admin user, identity service/endpoints, etc), and integrate it into keystone-manage as a 'bootstrap' command: $ keystone-manage bootstrap -Dolph On Wed, Oct 10, 2012 at 12:34 PM, Joshua Harlow harlo...@yahoo-inc.comwrote: You guys should also consider the 'anvil' way of doing this (pure python baby, haha). Which is improved from lorin's and has been working for yahoo! for a while now. https://github.com/yahoo/Openstack-Anvil/blob/master/anvil/components/helpe rs/keystone.py#L25 Please feel free to take the code!! Its only 'real' dependency is the keystone client + yaml parsing... On 10/10/12 2:23 AM, Alan Pevec ape...@gmail.com wrote: On Wed, Oct 10, 2012 at 11:10 AM, Skible OpenStack skible.openst...@gmail.com wrote: I am counting on our your feedback to enhance my work and contribute it to the OpenStack Eco System. I wonder about https://github.com/mseknibilel/OpenStack-Folsom-Install-guide/tree/master/ Scripts which say: # Mainly inspired by https://github.com/openstack/keystone/blob/master/tools/sample_data.sh Why not submit that as an improvement to Keystone? I'd like to propose consolidation of all keystone initialization scripts around (Keyston's sample_data.sh, Devstack's keystone_data.sh, scripts like yours) and move to Lorin's YAML config (see https://lists.launchpad.net/openstack/msg17204.html) I'm just not sure yet if additional dependency on YAML is worth it. Cheers, Alan ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp
Re: [Openstack] A simple guide to install OpenStack Folsom
I played around with the idea this afternoon, and settled on something as simple as this in keystoneclient rather than keystone-manage: $ keystone help bootstrap usage: keystone bootstrap [--user-name user-name] --pass password [--role-name role-name] [--tenant-name tenant-name] Grants a new role to a new user on a new tenant, after creating each. Optional arguments: --user-name user-name The name of the user to be created (default=admin). --pass password The password for the new user. --role-name role-name The name of the role to be created and granted to the user (default=admin). --tenant-name tenant-name The name of the tenant to be created (default=admin). Example usage: $ keystone-manage db_sync $ keystone-all $ keystone --token=ADMIN --endpoint=http://localhost:35357/v2.0/ *bootstrap* --pass=secrete $ keystone --os-username=admin --os-password=secrete --os-tenant-name=admin --os-auth-url=http://localhost:35357/v2.0/ token-get +---+--+ | Property | Value | +---+--+ | expires | 2012-10-11T22:25:02Z | | id| 4ae78bd2cd9049888060d07acddf88d1 | | tenant_id | 8fbba4f7f77e4acb80d746c65f20882b | | user_id | d8e31d9a341243a2bb8d575707a273ea | +---+--+ The same shortcut idea could apply to other extremely common usage patterns on the CLI (e.g. registering a service *and* all of it's endpoints in a single CLI command), thus eliminating most of the complexity of basic setup scripts like sample_data.sh and it's variants. I also put this up for review: https://review.openstack.org/#/c/14314 -Dolph On Wed, Oct 10, 2012 at 1:15 PM, Joshua Harlow harlo...@yahoo-inc.comwrote: That sounds great to me. I can help out in converting this code into that code. It seems like a trivial kind of thing to do, what format would that command take, a yaml file? Something similar to https://github.com/yahoo/Openstack-Anvil/blob/master/conf/templates/keystone/init_what.yaml maybe, idk. From: Dolph Mathews dolph.math...@gmail.com Date: Wednesday, October 10, 2012 11:13 AM To: Joshua Harlow harlo...@yahoo-inc.com Cc: Alan Pevec ape...@gmail.com, Skible OpenStack skible.openst...@gmail.com, openstack@lists.launchpad.net openstack@lists.launchpad.net Subject: Re: [Openstack] A simple guide to install OpenStack Folsom I'd like to simplify the scope of sample_data.sh to the absolute bare minimum (service tenant, admin role, admin user, identity service/endpoints, etc), and integrate it into keystone-manage as a 'bootstrap' command: $ keystone-manage bootstrap -Dolph On Wed, Oct 10, 2012 at 12:34 PM, Joshua Harlow harlo...@yahoo-inc.comwrote: You guys should also consider the 'anvil' way of doing this (pure python baby, haha). Which is improved from lorin's and has been working for yahoo! for a while now. https://github.com/yahoo/Openstack-Anvil/blob/master/anvil/components/helpe rs/keystone.py#L25https://github.com/yahoo/Openstack-Anvil/blob/master/anvil/components/helpers/keystone.py#L25 Please feel free to take the code!! Its only 'real' dependency is the keystone client + yaml parsing... On 10/10/12 2:23 AM, Alan Pevec ape...@gmail.com wrote: On Wed, Oct 10, 2012 at 11:10 AM, Skible OpenStack skible.openst...@gmail.com wrote: I am counting on our your feedback to enhance my work and contribute it to the OpenStack Eco System. I wonder about https://github.com/mseknibilel/OpenStack-Folsom-Install-guide/tree/master/ Scripts which say: # Mainly inspired by https://github.com/openstack/keystone/blob/master/tools/sample_data.sh Why not submit that as an improvement to Keystone? I'd like to propose consolidation of all keystone initialization scripts around (Keyston's sample_data.sh, Devstack's keystone_data.sh, scripts like yours) and move to Lorin's YAML config (see https://lists.launchpad.net/openstack/msg17204.html) I'm just not sure yet if additional dependency on YAML is worth it. Cheers, Alan ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp
Re: [Openstack] No proper displau with Horizon
Hmm... I don't see anything wrong there. Any chance you've overridden AVAILABLE_REGIONS in your horizon configuration? If so, what's the new value? Also, to make sure service_id references are configured correctly, can you paste the raw output of: curl http://x.x.x.x:35357/v2.0/endpoints -H 'x-auth-token: ADMIN' Substitute your own IP for keystone and a valid token. -Dolph On Mon, Oct 8, 2012 at 3:47 AM, Bilel Msekni ski...@hotmail.fr wrote: Thanks for replying Dolph: keystone service-list +--+--+--+--+ |id| name | type | description | +--+--+--+--+ | 020a5c2b03074e89972202f3822fa95f | quantum | network | OpenStack Networking service | | 2b3d91dd9110493a92ea5eb7909d41cf | ec2| ec2|OpenStack EC2 service | | 4ef30c360f4e4e0aaac9d1247dcaafe8 | cinder | volume | OpenStack Volume Service | | 776d3b71749f4711bf1c956ccfeb2728 | glance | image | OpenStack Image Service| | 9733c366161f4f7f8e8484fe702ee840 | keystone | identity | OpenStack Identity | | c6011214a82645fe97b4bbd64608ad9b | nova | compute | OpenStack Compute Service | +--+--+--+--+ keystone endpoint-list +--+---+--+--+--+ |id| region | publicurl | internalurl | adminurl | +--+---+--+--+--+ | 2febceec3f324755b0c9c7fe3ba2d29d | RegionOne | http://x.x.x.x:9696/ | http://x.x.x.x:9696/ | http://x.x.x.x:9696/ | | 649d5e5b5cd8467c89b218b2adc29009 | RegionOne | http://x.x.x.x:8774/v2/$(tenant_id)s | http://x.x.x.x:8774/v2/$(tenant_id)s | http://x.x.x.x:8774/v2/$(tenant_id)s | | 7b25b6283dd4408d8c8f7541b9b9d2f0 | RegionOne | http://x.x.x.x:5000/v2.0 | http://x.x.x.x:5000/v2.0 | http://x.x.x.x:35357/v2.0 | | 9ebfa2784d78425fa08a146aa27e786b | RegionOne | http://x.x.x.x:9292/v2|http://x.x.x.x:9292/v2 |http://x.x.x.x:9292/v2| | f321ae42d39d4d9a9d5e771be459f6ba | RegionOne | http://x.x.x.x:8776/v1/$(tenant_id)s | http://x.x.x.x:8776/v1/$(tenant_id)s | http://x.x.x.x:8776/v1/$(tenant_id)s | | f7ef924364614d91b49a589ca7719ce6 | RegionOne | http://x.x.x.x:8773/services/Cloud | http://x.x.x.x:8773/services/Cloud | http://x.x.x.x:8773/services/Admin | +--+---+--+--+--+ x.x.x.x refers to my Host address :) Le 08/10/2012 10:18, Dolph Mathews a écrit : it seems like it is looking for an endpoint which are all there are you sure? -- it looks like your service catalog is missing the 'identity' service entirely... can you paste the output of the following two commands?: $ keystone service-list $ keystone endpoint-list -Dolph On Mon, Oct 8, 2012 at 2:59 AM, Bilel Msekni ski...@hotmail.fr wrote: Good day everyone, I have installed OpenStack Folsom successfully but i am experiencing a wierd bug in the dashboard: It's not giving me any proper display. This is the error log i got from apache, http://pastebin.com/P44Edku5 it seems like it is looking for an endpoint which are all there and working fine. P.S: I used this script to populate my database === create_endpoint () { case $1 in compute) keystone endpoint-create --region $KEYSTONE_REGION --service-id $2 --publicurl 'http://'$MASTER':8774/v2/$(tenant_id)s' --adminurl 'http://'$MASTER':8774/v2/$(tenant_id)s' --internalurl 'http://'$MASTER':8774/v2/$(tenant_id)s' ;; volume) keystone endpoint-create --region $KEYSTONE_REGION --service-id $2 --publicurl 'http://'$MASTER':8776/v1/$(tenant_id)s' --adminurl 'http://'$MASTER':8776/v1/$(tenant_id)s' --internalurl 'http://'$MASTER':8776/v1/$(tenant_id)s' ;; image) keystone endpoint-create --region $KEYSTONE_REGION --service-id $2 --publicurl 'http://'$MASTER':9292/v2' --adminurl 'http://'$MASTER':9292/v2' --internalurl 'http://'$MASTER':9292/v2' ;; object-store) if [ $SWIFT_MASTER ]; then keystone endpoint-create --region $KEYSTONE_REGION --service-id $2 --publicurl 'http://'$SWIFT_MASTER':8080/v1/AUTH_
Re: [Openstack] Enabling logging in keystone.
The scripted configuration openstack-manuals currently refers to (written by Lorin, CC'd here): https://github.com/nimbis/keystone-init Bugs in openstack-manuals don't really apply there :-/ I can't argue with having a scripted solution -- that's great, no doubt. However, I assume that making the scripted solution first and foremost in the manual leads most users to blindly run the script, bypassing the educational portion of the manual. Beyond that, the docs use the CLI, and the linked script uses the Python API directly, which means it will be difficult for most users to follow them both, side by side. At the very least, I'd like to move this approach to the end of the page; and ideally, the script would be managed by openstack. -Dolph On Tue, Oct 2, 2012 at 7:19 PM, Anne Gentle a...@openstack.org wrote: Comments below. With an I object. :) On Tue, Oct 2, 2012 at 6:50 PM, Dolph Mathews dolph.math...@gmail.comwrote: I find it odd that the document describes two approaches for configuring keystone -- one being a relatively undocumented, scripted approach not managed or distributed by OpenStack. Surely these two approaches will continue to evolve seperately and we'll experience more issues such as this one. Anyone have any objections to removing this scripted configuration section in favor of focusing on the existing manual approach? Sorry, I have to object after watching this page and the scripts evolve over the last 9-12 months. There just has to be a scripted option and I agree it needs to be tested and maintained. I'm fine with having the keystone script be the documented one. For a while though the scripts were populating templated catalogs (files) not populating the database. I think the best fix is to: - ensure scripts have exactly the documented names of tenants, users, etc. - patch the doc to use only the names in the script and manual in the verification step. Doc bug logged here describing the work needing done: https://bugs.launchpad.net/openstack-manuals/+bug/1060536 http://docs.openstack.org/trunk/openstack-compute/install/apt/content/setting-up-tenants-users-and-roles.html -Dolph On Tue, Oct 2, 2012 at 6:42 PM, Ahmed Al-Mehdi ah...@coraid.com wrote: Hi Dolph, I am now getting the same output as the curl command, basically Invalid Tenant. At this point root@ubuntu1:~# keystone --os-username=adminUser --os -password=secretword --os-tenant-name=service --os-auth-url=http://10.0. 2.15:35357/v2.0 token-get No handlers could be found for logger keystoneclient.client Invalid tenant (HTTP 401) Without the os-tenant-name parameter, I seem to get good' response. root@ubuntu1:~# keystone --os-username=adminUser --os -password=secretword --os-auth-url=http://10.0.2.15:35357/v2.0 token-get No handlers could be found for logger keystoneclient.v2_0.client +--+--+ | Property | Value | +--+--+ | expires | 2012-10-03T23:31:17Z | | id | 31078072aae94f5aab5c8e46ff5f6373 | | user_id | 3e674f7f64ba452cb20781b8d5e26b7f | +--+--+ At this point, I feel like I am running into issues with/in the python / PyYAML script (https://github.com/nimbis/keystone-init.git) which must not be populating info into keystone accurately and most probably not equivalent to manual steps mentioned in Deploy and Install OpenStack - Red Hat Ubuntu. I will look into the script. Regards, Ahmed. -- *From:* Dolph Mathews [dolph.math...@gmail.com] *Sent:* Tuesday, October 02, 2012 2:19 PM *To:* Ahmed Al-Mehdi *Cc:* heckj; openstack@lists.launchpad.net *Subject:* Re: [Openstack] Enabling logging in keystone. No worries, that's what a second set of eyes is for! By specifying a token and endpoint, you're bypassing the authentication process that your curl command is performing. You can test authentication with the keystone client using: $ keystone --os-username=adminUser --os-password=secretword --os-tenant-name=adminTenant --os-authurl=http://10.0.2.15:35357/v2.0http://10.0.2.15:35357/v2.0/tokens token-get But as Anne pointed out, you don't have a tenant named adminTenant. You'll also need to make sure you've granted a role to your user on the specified tenant for authorization to succeed. You can remove the tenant name argument from the token-get call to test authentication without authorization (therefore without requiring anything but a valid user in your keystone install). -Dolph On Tuesday, October 2, 2012, Ahmed Al-Mehdi wrote: Hi Dolph, Very sorry about that. With the correct token, calling keystone from the cli is working.However, the curl command is failing. Will this cause an issue down the line as I start to install glance and nova? # keystone --token 012345SECRET99TOKEN012345 --endpoint http://10.0.2.15:35357/v2.0 tenant-list
Re: [Openstack] Question about Keystone RBAC
That will provided by Identity API v3, currently in draft: https://github.com/openstack/identity-api/blob/master/openstack-identity-api/src/markdown/identity-api-v3.md The when is first dependent on: 1) Identity API v3 support in keystone https://review.openstack.org/#/c/12106/ 2) Identity API v3 support in keystoneclient https://review.openstack.org/#/c/12806/ 3) services need to consume the centralized policy info, probably through common middleware 4) adding UI support in horizon An open question: are you looking to modify policy per service or do you need policy granularity per endpoint? -Dolph On Wed, Oct 3, 2012 at 7:29 PM, Shake Chen shake.c...@gmail.com wrote: Hi I also have question about RBAC. when we can setting the roles permission in Horizon? On Thu, Oct 4, 2012 at 2:56 AM, Dolph Mathews dolph.math...@rackspace.com wrote: (replying on list) RBAC policy enforce is already implemented on consuming services and default policies are provided by policy.json files (e.g. https://github.com/openstack/nova/blob/master/etc/nova/policy.json ). We haven't yet implemented a method for services to consume policy blobs from Identity API v3, /v3/policies (which itself is still in development), rather than loading policy.json files. For an example of scoping RBAC per project, see the admin_or_owner rule in nova's policy.json above. As for the efficiency of policy storage, I'm not clear on what your concerns are? -Dolph -- *From:* MS. Faraji [ms.far...@utoronto.ca] *Sent:* Wednesday, October 03, 2012 1:34 PM *To:* Dolph Mathews *Subject:* Question about Keystone RBAC Hi, I sent an email to inquire about RBAC implementation in Keystone before, and you generously shared your information. However, there are a couple of questions that I have in mind. I searched the Internet and documents; however, I did not find useful information about them. I hope you can help me to find it out. 1) Consider the enforce API is implemented, which side should use it? Service or Keystone itself. If Keystone uses this function, how does it know about the action that a user wants to perform on a resource. If service call it as an API, what is the endpoint? How services use authorization in Keystone? 2) Can roles and associated actions be defined in the scope of project or domain? For example demo can do release in project 1 but not in project 2. 3) Is the plain storage of capabilities ( no data structure) efficient? In terms of required storage space and later lookups. Thanks in advance for your help and assistance, I look forward to your response. Moh, ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp -- Shake Chen ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp
Re: [Openstack] Enabling logging in keystone.
No worries, that's what a second set of eyes is for! By specifying a token and endpoint, you're bypassing the authentication process that your curl command is performing. You can test authentication with the keystone client using: $ keystone --os-username=adminUser --os-password=secretword --os-tenant-name=adminTenant --os-authurl=http://10.0.2.15:35357/v2.0http://10.0.2.15:35357/v2.0/tokens token-get But as Anne pointed out, you don't have a tenant named adminTenant. You'll also need to make sure you've granted a role to your user on the specified tenant for authorization to succeed. You can remove the tenant name argument from the token-get call to test authentication without authorization (therefore without requiring anything but a valid user in your keystone install). -Dolph On Tuesday, October 2, 2012, Ahmed Al-Mehdi wrote: Hi Dolph, Very sorry about that. With the correct token, calling keystone from the cli is working.However, the curl command is failing. Will this cause an issue down the line as I start to install glance and nova? # keystone --token 012345SECRET99TOKEN012345 --endpoint http://10.0.2.15:35357/v2.0 tenant-list +--+---+-+ |id| name | enabled | +--+---+-+ | 07a44f9d55694d638f41bc160c14b42e | openstackDemo | True | | 0e4cc20586ae42329db51e0c6f807731 |service| True | +--+---+-+ # curl -d '{auth: {tenantName: adminTenant, passwordCredentials: {username: adminUser, password: secretword}}}' -H Content-type: application/json http://10.0.2.15:35357/v2.0/tokens | python -mjson.tool % Total% Received % Xferd Average Speed TimeTime Time Current Dload Upload Total SpentLeft Speed 100 2310 116 100 115 2771 2747 --:--:-- --:--:-- --:--:-- 3052 { error: { code: 401, message: The request you have made requires authentication., title: Not Authorized } } Regards, Ahmed. -- *From:* Dolph Mathews [dolph.math...@gmail.com javascript:_e({}, 'cvml', 'dolph.math...@gmail.com');] *Sent:* Tuesday, October 02, 2012 12:12 PM *To:* Ahmed Al-Mehdi *Cc:* heckj; openstack@lists.launchpad.net javascript:_e({}, 'cvml', 'openstack@lists.launchpad.net'); *Subject:* Re: [Openstack] Enabling logging in keystone. You're missing a 5 on the admin_token you've specified on the command line. 012345SECRET99TOKEN01234 (your CLI arg) 012345SECRET99TOKEN012345 (keystone.conf) -Dolph On Tue, Oct 2, 2012 at 1:08 PM, Ahmed Al-Mehdi ah...@coraid.com wrote: Hi Joe, I have put the conf file (renamed to ahmed_keystone.conf) into gist. git://gist.github.com/3821846.git Please let me know if you have any issues accessing the file. Thank you very much for helping me out. I have a feeling the issue might be in the python script to populate keystone. When I previously input the data manually, I got keystone configured properly. Regards, Ahmed. From: heckj [he...@mac.com] Sent: Tuesday, October 02, 2012 10:56 AM To: Ahmed Al-Mehdi Cc: openstack@lists.launchpad.net Subject: Re: [Openstack] Enabling logging in keystone. Ahmed - can you put your keystone.conf into a paste or gist and share it with me? I'd be happy to help you debug this. I'm assuming you're running keystone on the system with the IP address 10.0.2.15, correct? -joe On Oct 2, 2012, at 10:45 AM, Ahmed Al-Mehdi ah...@coraid.com wrote: Hi Joe, I noticed I did not put the port number in the URL, now I am getting a more meaningful error: # keystone --token 012345SECRET99TOKEN01234 --endpoint http://10.0.2.15:35357/v2.0 tenant-list No handlers could be found for logger keystoneclient.client Unable to authorize user Regards, Ahmed. From: openstack-bounces+ahmed=coraid@lists.launchpad.net[openstack-bounces+ahmed =coraid@lists.launchpad.net] On Behalf Of Ahmed Al-Mehdi [ ah...@coraid.com] Sent: Tuesday, October 02, 2012 10:30 AM To: heckj Cc: openstack@lists.launchpad.net Subject: Re: [Openstack] Enabling logging in keystone. Hi Joe, Unfortunately before I read your response I re-installed my Ubuntuserver. I repeated the same steps mentioned in the OpenStackdocument Deploy and Install OpenStack- RedHatUbuntu and also used the script mentioned in it ( https://github.com/nimbis/keystone-init/blob/master/keystone-init.py) to populate keystone. I reboot the server prior to running your suggested command and now running into a different issue, which I feel maybe due to not starting some service. Btw, my host OS is Ubuntu 12.04 (32 bit) running inVirtualBox. Currently I am getting
Re: [Openstack] Enabling logging in keystone.
Feel free to file a bug -- I'm reviewing the document right now. http://docs.openstack.org/trunk/openstack-compute/install/apt/content/verifying-identity-install.html As for the invalid tenant message, I'm guessing you don't have any roles granted to adminUser on that tenant. Checkout the user-role-add command: $ keystone help user-role-add You might also try the other tenant returned by tenant-list. -Dolph On Tue, Oct 2, 2012 at 5:48 PM, Ahmed Al-Mehdi ah...@coraid.com wrote: Hi Anne, Thank you for pointing that out. I noticed the adminTenant string in the curl command, and it did bother me a bit, but I did not pursue it due to lack of experience with curl / Rest API / OpenStack but looking, I should have known better. Can this be addressed in the Deploy and Install OpenStack - Red Hat Ubuntu document, as I am sure others might be running into the same issue. Do I need to file a bug against documentation or email someone specifically. After making the change in the curl command, I am now getting a different error message: # keystone --token 012345SECRET99TOKEN012345 --endpoint http://10.0.2.15:35357/v2.0 tenant-list +--+---+-+ | id | name | enabled | +--+---+-+ | 07a44f9d55694d638f41bc160c14b42e | openstackDemo | True | | 0e4cc20586ae42329db51e0c6f807731 | service | True | +--+---+-+ # curl -d '{auth: {tenantName: service, passwordCredentials: {username: adminUser, password: secretword}}}' -H Content-type: application/json http://10.0.2.15:35357/v2.0/tokens | python -mjson.tool % Total% Received % Xferd Average Speed TimeTime Time Current Dload Upload Total SpentLeft Speed 100 191080 100 111346480 --:--:-- --:--:-- --:--:-- 497 { error: { code: 401, message: Invalid tenant, title: Not Authorized } } Thank you, Ahmed. -- *From:* annegen...@justwriteclick.com [annegen...@justwriteclick.com] On Behalf Of Anne Gentle [a...@openstack.org] *Sent:* Tuesday, October 02, 2012 1:26 PM *To:* Ahmed Al-Mehdi *Cc:* Dolph Mathews; openstack@lists.launchpad.net *Subject:* Re: [Openstack] Enabling logging in keystone. Hi Ahmed - I believe you don't have a tenant named adminTenant - possibly try this? curl -d '{auth: {tenantName: service, passwordCredentials: {username: adminUser, password: secretword}}}' -H Content-type: application/json http://10.0.2.15:35357/v2.0/tokens | python -mjson.tool Also, you can run keystone with the --debug parameter to see the curl output like so: keystone --debug --token 012345SECRET99TOKEN012345 --endpoint http://10.0.2.15:35357/v2.0tenant-list Generally, yes, you need to ensure keystone is working correctly before installing glance and nova (they require keystone), so you're correct to keep trying. Anne On Tue, Oct 2, 2012 at 3:09 PM, Ahmed Al-Mehdi ah...@coraid.com wrote: Hi Dolph, Very sorry about that. With the correct token, calling keystone from the cli is working.However, the curl command is failing. Will this cause an issue down the line as I start to install glance and nova? # keystone --token 012345SECRET99TOKEN012345 --endpoint http://10.0.2.15:35357/v2.0 tenant-list +--+---+-+ |id| name | enabled | +--+---+-+ | 07a44f9d55694d638f41bc160c14b42e | openstackDemo | True | | 0e4cc20586ae42329db51e0c6f807731 |service| True | +--+---+-+ # curl -d '{auth: {tenantName: adminTenant, passwordCredentials: {username: adminUser, password: secretword}}}' -H Content-type: application/json http://10.0.2.15:35357/v2.0/tokens | python -mjson.tool % Total% Received % Xferd Average Speed TimeTime Time Current Dload Upload Total SpentLeft Speed 100 2310 116 100 115 2771 2747 --:--:-- --:--:-- --:--:-- 3052 { error: { code: 401, message: The request you have made requires authentication., title: Not Authorized } } Regards, Ahmed. -- *From:* Dolph Mathews [dolph.math...@gmail.com] *Sent:* Tuesday, October 02, 2012 12:12 PM *To:* Ahmed Al-Mehdi *Cc:* heckj; openstack@lists.launchpad.net *Subject:* Re: [Openstack] Enabling logging in keystone. You're missing a 5 on the admin_token you've specified on the command line. 012345SECRET99TOKEN01234 (your CLI arg) 012345SECRET99TOKEN012345 (keystone.conf) -Dolph On Tue, Oct 2, 2012 at 1:08 PM, Ahmed Al-Mehdi ah...@coraid.com wrote: Hi Joe, I have put the conf file
Re: [Openstack] Enabling logging in keystone.
I find it odd that the document describes two approaches for configuring keystone -- one being a relatively undocumented, scripted approach not managed or distributed by OpenStack. Surely these two approaches will continue to evolve seperately and we'll experience more issues such as this one. Anyone have any objections to removing this scripted configuration section in favor of focusing on the existing manual approach? http://docs.openstack.org/trunk/openstack-compute/install/apt/content/setting-up-tenants-users-and-roles.html -Dolph On Tue, Oct 2, 2012 at 6:42 PM, Ahmed Al-Mehdi ah...@coraid.com wrote: Hi Dolph, I am now getting the same output as the curl command, basically Invalid Tenant. At this point root@ubuntu1:~# keystone --os-username=adminUser --os-password=secretword--os-tenant-name=service --os-auth-url=http://10.0. 2.15:35357/v2.0 token-get No handlers could be found for logger keystoneclient.client Invalid tenant (HTTP 401) Without the os-tenant-name parameter, I seem to get good' response. root@ubuntu1:~# keystone --os-username=adminUser --os-password=secretword--os -auth-url=http://10.0.2.15:35357/v2.0 token-get No handlers could be found for logger keystoneclient.v2_0.client +--+--+ | Property | Value | +--+--+ | expires | 2012-10-03T23:31:17Z | | id | 31078072aae94f5aab5c8e46ff5f6373 | | user_id | 3e674f7f64ba452cb20781b8d5e26b7f | +--+--+ At this point, I feel like I am running into issues with/in the python / PyYAML script (https://github.com/nimbis/keystone-init.git) which must not be populating info into keystone accurately and most probably not equivalent to manual steps mentioned in Deploy and Install OpenStack - Red Hat Ubuntu. I will look into the script. Regards, Ahmed. -- *From:* Dolph Mathews [dolph.math...@gmail.com] *Sent:* Tuesday, October 02, 2012 2:19 PM *To:* Ahmed Al-Mehdi *Cc:* heckj; openstack@lists.launchpad.net *Subject:* Re: [Openstack] Enabling logging in keystone. No worries, that's what a second set of eyes is for! By specifying a token and endpoint, you're bypassing the authentication process that your curl command is performing. You can test authentication with the keystone client using: $ keystone --os-username=adminUser --os-password=secretword --os-tenant-name=adminTenant --os-authurl=http://10.0.2.15:35357/v2.0http://10.0.2.15:35357/v2.0/tokens token-get But as Anne pointed out, you don't have a tenant named adminTenant. You'll also need to make sure you've granted a role to your user on the specified tenant for authorization to succeed. You can remove the tenant name argument from the token-get call to test authentication without authorization (therefore without requiring anything but a valid user in your keystone install). -Dolph On Tuesday, October 2, 2012, Ahmed Al-Mehdi wrote: Hi Dolph, Very sorry about that. With the correct token, calling keystone from the cli is working.However, the curl command is failing. Will this cause an issue down the line as I start to install glance and nova? # keystone --token 012345SECRET99TOKEN012345 --endpoint http://10.0.2.15:35357/v2.0 tenant-list +--+---+-+ |id| name | enabled | +--+---+-+ | 07a44f9d55694d638f41bc160c14b42e | openstackDemo | True | | 0e4cc20586ae42329db51e0c6f807731 |service| True | +--+---+-+ # curl -d '{auth: {tenantName: adminTenant, passwordCredentials: {username: adminUser, password: secretword}}}' -H Content-type: application/json http://10.0.2.15:35357/v2.0/tokens | python -mjson.tool % Total% Received % Xferd Average Speed TimeTime Time Current Dload Upload Total SpentLeft Speed 100 2310 116 100 115 2771 2747 --:--:-- --:--:-- --:--:-- 3052 { error: { code: 401, message: The request you have made requires authentication., title: Not Authorized } } Regards, Ahmed. -- *From:* Dolph Mathews [dolph.math...@gmail.comhttps://exg5.exghost.com/owa/UrlBlockedError.aspx ] *Sent:* Tuesday, October 02, 2012 12:12 PM *To:* Ahmed Al-Mehdi *Cc:* heckj; openstack@lists.launchpad.nethttps://exg5.exghost.com/owa/UrlBlockedError.aspx *Subject:* Re: [Openstack] Enabling logging in keystone. You're missing a 5 on the admin_token you've specified on the command line. 012345SECRET99TOKEN01234 (your CLI arg) 012345SECRET99TOKEN012345 (keystone.conf) -Dolph On Tue, Oct 2, 2012 at 1:08 PM, Ahmed Al-Mehdi ah...@coraid.com wrote: Hi Joe, I have put the conf file (renamed
Re: [Openstack] HTTP_X_SERVICE_CATALOG endpoints_links
The environment variables that auth_token sets are documented in the module's docstring: https://github.com/openstack/keystone/blob/master/keystone/middleware/auth_token.py As these variables are the defined interface for any projects consuming authentication services from middleware, it's safe to say they'll be supported be supported by any variations of auth_token, and will either continue to be supported or carefully deprecated. Speaking of, there are currently three headers that were deprecated prior to the release of essex (i.e. they were documented as deprecated in both essex and folsom), and could be reviewed for removal in grizzly (HTTP_X_USER, HTTP_X_ROLE, HTTP_X_TENANT). -Dolph On Mon, Oct 1, 2012 at 2:56 PM, Tong Li liton...@us.ibm.com wrote: After a user gets authenticated, each following request will have a header named HTTP_X_SERVICE_CATALOG which contains service end point links, can any one tell me if it is safe to use the information contained in the header to get the various end points from a filter in the pipeline? Notice this header is set in the keystone, any other implementation of keystone may choose not to include the information in the header, can anyone tell me putting the endpoints in the headers is required by any implementation like keystone for authentication? Thanks. Tong Li Emerging Technologies Standards Building 501/B205 liton...@us.ibm.com ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp
Re: [Openstack] Enabling logging in keystone.
The X-Auth-Token is what you get back from the authentication call you're trying to make -- try removing the header completely. If you're still getting a 401 error back, either your username or password is wrong, your tenant name is wrong, or you haven't granted adminUser any role(s) on adminTenant. -Dolph On Mon, Oct 1, 2012 at 7:30 PM, Ahmed Al-Mehdi ah...@coraid.com wrote: Hi Joe, Actually, the curl command with the X_Auth_Token is my weak attempt to try to find a solution. I am actually issuing the following command (per recommendation from the OpenStack document - Install and Deploy Manual – Red Hat Ubuntu): root@bodega:~# curl -d '{auth: {tenantName: adminTenant, passwordCredentials: {username: adminUser, password: secretword}}}' -H Content-type: application/json -H X_Auth_Token: ahmedadmintoken http://10.176.20.158:35357/v2.0/tokens | python -mjson.tool % Total% Received % Xferd Average Speed TimeTime Time Current Dload Upload Total SpentLeft Speed 100 2310 116 100 115 12927 12816 --:--:-- --:--:-- --:--:-- 14500 { error: { code: 401, message: The request you have made requires authentication., title: Not Authorized } } Regards, Ahmed. From: heckj he...@mac.com Date: Monday, October 1, 2012 5:23 PM To: Ahmed Al-Mehdi ah...@coraid.com Cc: openstack@lists.launchpad.net openstack@lists.launchpad.net Subject: Re: [Openstack] Enabling logging in keystone. Ahmed - The header that's supposed to have the token within it is labelled X-Auth-Token', not X_Auth_Token. Unless you're really comfortable with the protocol, I'd recommend using the keystone CLI from the python-keystoneclient to do your verifying, using it's debugging (which is to show you the curl output that you did below). -joe On Oct 1, 2012, at 5:12 PM, Ahmed Al-Mehdi ah...@coraid.com wrote: Hello, I am trying to verify the installation of keystone. When I try to run some curl commands, I get the following error message: root@bodega:~/ahmed/keystone-init# curl -d '{auth: {tenantName: adminTenant, passwordCredentials: {username: adminUser, password: secretword}}}' -H Content-type: application/json -H X_Auth_Token: ahmedadmintoken http://10.176.20.158:35357/v2.0/tokens | python -mjson.tool % Total% Received % Xferd Average Speed TimeTime Time Current Dload Upload Total SpentLeft Speed 100 2310 116 100 115 15205 15074 --:--:-- --:--:-- --:--:-- 16571 { error: { code: 401, message: The request you have made requires authentication., title: Not Authorized } } I don't see any message in the /var/log/keystone/logging.conf file. I can pass -debug option to keystone to enable debugging, but I am not sure how to do that from curl. Following is content of /etc/keystone/logging.conf file: root@bodega:~# cat /etc/keystone/logging.conf [loggers] keys=root [formatters] keys=normal,normal_with_name,debug [handlers] keys=production,file,devel [logger_root] level=WARNING handlers=file [handler_production] class=handlers.SysLogHandler level=ERROR formatter=normal_with_name args=(('localhost', handlers.SYSLOG_UDP_PORT), handlers.SysLogHandler.LOG_USER) [handler_file] class=FileHandler level=DEBUG formatter=normal_with_name args=('/var/log/keystone/keystone.log', 'a') [handler_devel] class=StreamHandler level=NOTSET formatter=debug args=(sys.stdout,) [formatter_normal] format=%(asctime)s %(levelname)s %(message)s [formatter_normal_with_name] format=(%(name)s): %(asctime)s %(levelname)s %(message)s [formatter_debug] format=(%(name)s): %(asctime)s %(levelname)s %(module)s %(funcName)s %(message)s root@bodega:~# Any help would be greatly appreciated. Regards, Ahmed. ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp
Re: [Openstack] keystone install / user-role-list error
It looks like at least one of your endpoints isn't being parsed correctly. List your endpoints: keystone --token mytoken --endpoint http://192.168.1.11:35357/v2.0 endpoint-list ... and make sure they all appear as expected (at least one public URL is wrong, according to the stack trace). Feel free to paste your endpoint list back on the mailing list if you have any trouble. -Dolph On Sat, Sep 29, 2012 at 12:06 AM, Asher Newcomer asher...@gmail.com wrote: Hi, I'm sure I've made a simple error, but I'm momentarily stuck trying to work through a Folsom install on a fresh Ubuntu 12.04 box. I've stepped through the process for installing the identity service described here: dochttp://docs.openstack.org/trunk/openstack-compute/install/apt/content/ch_installing-openstack-identity-service.html . Everything seemed smooth until the end, when I tried to validate the install with the curl command provided: curl -d '{auth: {tenantName: myTenant, passwordCredentials:{username: adminUser, password: myPassword}}}' -H Content-type: application/json http://192.168.1.11:35357/v2.0/tokens | python -mjson.tool Which gave a error 500: tenant, and a corresponding entry in keystone.log of: (root): 2012-09-28 23:45:50,651 ERROR u'tenant' Traceback (most recent call last): File /usr/lib/python2.7/dist-packages/keystone/common/wsgi.py, line 204, in __call__ result = method(context, **params) File /usr/lib/python2.7/dist-packages/keystone/service.py, line 336, in authenticate metadata=metadata_ref) File /usr/lib/python2.7/dist-packages/keystone/catalog/core.py, line 78, in get_catalog return self.driver.get_catalog(user_id, tenant_id, metadata) File /usr/lib/python2.7/dist-packages/keystone/catalog/backends/sql.py, line 162, in get_catalog catalog[region][srv_type]['publicURL'] = public_url % d KeyError: u'tenant' So I decided to poke around a bit and tried: keystone --token mytoken --endpoint http://192.168.1.11:35357/v2.0user-role-list and get 'Client' object has no attribute 'auth_tenant_id' Any idea what I've done wrong? Thanks in advance. ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp
Re: [Openstack] keystone install / user-role-list error
As you're definitely not the first person to run into this problem, I've opened a bug so that we can improve the error feedback in this scenario: https://bugs.launchpad.net/keystone/+bug/1058494 -Dolph On Sat, Sep 29, 2012 at 1:51 AM, Dolph Mathews dolph.math...@gmail.comwrote: It looks like at least one of your endpoints isn't being parsed correctly. List your endpoints: keystone --token mytoken --endpoint http://192.168.1.11:35357/v2.0 endpoint-list ... and make sure they all appear as expected (at least one public URL is wrong, according to the stack trace). Feel free to paste your endpoint list back on the mailing list if you have any trouble. -Dolph On Sat, Sep 29, 2012 at 12:06 AM, Asher Newcomer asher...@gmail.comwrote: Hi, I'm sure I've made a simple error, but I'm momentarily stuck trying to work through a Folsom install on a fresh Ubuntu 12.04 box. I've stepped through the process for installing the identity service described here: dochttp://docs.openstack.org/trunk/openstack-compute/install/apt/content/ch_installing-openstack-identity-service.html . Everything seemed smooth until the end, when I tried to validate the install with the curl command provided: curl -d '{auth: {tenantName: myTenant, passwordCredentials:{username: adminUser, password: myPassword}}}' -H Content-type: application/json http://192.168.1.11:35357/v2.0/tokens | python -mjson.tool Which gave a error 500: tenant, and a corresponding entry in keystone.log of: (root): 2012-09-28 23:45:50,651 ERROR u'tenant' Traceback (most recent call last): File /usr/lib/python2.7/dist-packages/keystone/common/wsgi.py, line 204, in __call__ result = method(context, **params) File /usr/lib/python2.7/dist-packages/keystone/service.py, line 336, in authenticate metadata=metadata_ref) File /usr/lib/python2.7/dist-packages/keystone/catalog/core.py, line 78, in get_catalog return self.driver.get_catalog(user_id, tenant_id, metadata) File /usr/lib/python2.7/dist-packages/keystone/catalog/backends/sql.py, line 162, in get_catalog catalog[region][srv_type]['publicURL'] = public_url % d KeyError: u'tenant' So I decided to poke around a bit and tried: keystone --token mytoken --endpoint http://192.168.1.11:35357/v2.0user-role-list and get 'Client' object has no attribute 'auth_tenant_id' Any idea what I've done wrong? Thanks in advance. ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp
Re: [Openstack] keystone user-role-list error
By default, I believe it shows you your own roles. With a token/endpoint specified (bypassing auth), it should work if you specify a user tenant: $ keystone help user-role-list usage: keystone user-role-list [--user-id user-id] [--tenant-id tenant-id] List roles granted to a user Optional arguments: --user-id user-id List roles granted to a user --tenant-id tenant-id List roles granted on a tenant -Dolph On Sat, Sep 29, 2012 at 2:54 PM, heckj he...@mac.com wrote: Hey Asher, That's a bug in keystoneclient - the method for doing the role listing is making a bad assumption that you're authenticating with a username and password, not handing in a token, and is getting wrapped around the axle trying to figure out what tenant you are. If you create an admin account with the --token and --endpoint options, and then use those options for this same command, you should be OK. This should definitely be filed as a bug :-) https://bugs.launchpad.net/python-keystoneclient/+bug/1058750 Use that link to subscribe to the bug if you want to track it's progress. -joe On Sep 29, 2012, at 5:35 AM, Asher Newcomer asher...@gmail.com wrote: It looks like user-role-list is a recently added command in keystone ( launchpad https://answers.launchpad.net/keystone/+question/190656). When I run it on a new keystone install in Ubuntu 12.04 I get: keystone --token mytoken --endpoint http://192.168.1.11:35357/v2.0user-role-list 'Client' object has no attribute 'auth_tenant_id' It looks client side, and no corresponding entry in keystone.log. Bug? Thanks, Asher ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp
Re: [Openstack] Keystone v2.0 dev API doc confusion
I'm not sure what's wrong here, but I definitely want to make sure this is fixed-- just assigned the bug to myself. -Dolph On Fri, Sep 21, 2012 at 8:43 AM, Anne Gentle a...@openstack.org wrote: Hi Boden - This is a known bug with the way those Keystone dev docs are output. I'm tracking it here: https://bugs.launchpad.net/openstack-manuals/+bug/1015119 I can help someone fix this - thanks for pointing it out again. Please vote on that bug to raise its visibility to get it attention. Thanks, Anne On Fri, Sep 21, 2012 at 3:53 AM, boden bo...@linux.vnet.ibm.com wrote: I came across the following Keystone dev API docs: http://docs.openstack.org/api/openstack-identity-service/2.0/content/GET_listRolesForUserOnTenant_v2.0_tenants__tenantId__users__user_id__roles_Admin_API_Service_Developer_Operations-d1e1356.html This set of keystone v2.0 docs includes documented APIs for operations such as 'List Roles for User on Tenant', 'Check Token', etc.. I tried a few of these APIs on some recent code from master -- works as documented. However if I follow the typical API doc links: www.openstack.org Documentation API Documentation OpenStack Identity Service Developer Guide API 2.0, I end up at the following location: http://docs.openstack.org/api/openstack-identity-service/2.0/content/ This page does not contain a number of the documented APIs from the 1st link I posted. For example no info on 'List Roles for User on Tenant', 'Check Token', etc.. Can someone help me understand which version of the documented APIs are current (supported) for Folsom? I'm thinking maybe the 1st doc link I posted is being created for folsom, but is not yet live. Thanks much ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp
Re: [Openstack] Keystone: Get user/tenant by name returning full list
I'm not aware that this was ever implemented during essex (it was available in diablo) -- definitely worth opening a bug! -Dolph On Fri, Sep 21, 2012 at 11:15 AM, boden bo...@linux.vnet.ibm.com wrote: As per the Keystone v2.0 API docs, I've been trying to use the 'get user by name' and 'get tenant by name' APIs to retrieve the respective resource by name. The URI signatures are: v2.0/users?name=string v2.0/tenants?name=string respectively. However, both of these APIs are returning the full list (collection) of users/tenants rather than the single resource specified in the 'name' parameter. EX: (request) GET http://localhost:35357/v2.0/tenants?name=DefaultTenant (response) {u'tenants': [{u'id': u'0e98e4ac9590428c997e3aabf18a49d4', u'enabled': True, u'description': u'Services Tenant', u'name': u'Services'}, {u'id': u'6f8945f2d47f4abea149b7a0176b12a8', u'enabled': True, u'description': u'Default Tenant', u'name': u'DefaultTenant'}], u'tenants_links': []} I did a bug search but didn't see anything existing. Hence I'm trying to confirm this issue is worthy of a defect? Thx ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp
Re: [Openstack] [OSSA 2012-014] Revoking a role does not affect existing tokens (CVE-2012-4413)
Ryan Lane deserves recognition for originally identifying this as a potential vulnerability. Thanks, Ryan! -Dolph On Wed, Sep 12, 2012 at 11:36 AM, Thierry Carrez thie...@openstack.orgwrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA256 OpenStack Security Advisory: 2012-014 CVE: CVE-2012-4413 Date: September 12, 2012 Title: Revoking a role does not affect existing tokens Impact: High Reporter: Dolph Mathews (Rackspace) Products: Keystone Affects: Essex, Folsom Description: Dolph Mathews reported a vulnerability in Keystone. Granting and revoking roles from a user is not reflected upon token validation for pre-existing tokens. Pre-existing tokens continue to be valid for the original set of roles for the remainder of the token's lifespan, or until explicitly invalidated. This fix invalidates all tokens held by a user upon role grant/revoke to circumvent the issue. Folsom fix: http://github.com/openstack/keystone/commit/efb6b3fca0ba0ad768b3e803a324043095d326e2 Essex fix: http://github.com/openstack/keystone/commit/58ac6691a21675be9e2ffb0f84a05fc3cd4d2e2e References: https://bugs.launchpad.net/keystone/+bug/1041396 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2012-4413 Notes: This fix will be included in the future Keystone 2012.1.3 stable update and the upcoming Folsom-RC1 development milestone. - -- Thierry Carrez (ttx) OpenStack Vulnerability Management Team -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://www.enigmail.net/ iQIcBAEBCAAGBQJQULoUAAoJEFB6+JAlsQQjGacQAJUvJb+oIjh73KAYYuDpl/YP PqJa4nmjVin7CyQ8AbxHK63xrAQ7isPFpCCqtEmjZ5kvFCrJRHiQggHNqISRhnvo +HyS6RSn4Vrp001PSZSmQI5MpgkeWhbOy+fk4/ZY7hFgUyS2YqC8YiK7DTMdKRBi toWOHRVWrmA4fUEDDcDdm9XzRseTC0cZAbj9bYAF+vXPdpxeGpq5l9Kb6yDezXGD 62dFvHghVTWdUIN+gK4V4d77PoyeO9NRd4Ud0GjDpV/asQL31dW6B4aRPYVDPhL3 7xcnhRsnZ3Y5J31n+7E/gMF+J+6kOaY/DNFZQ8chNW18kplYnmJnm7s3BJNjD512 UF/S5A5sH1Rk/vwe2nAHSqvQ1Dq3K0sRvW3YCijG2Rdj3mhBOr6OlvT5uJmnkeJT GQQ8SR3y+ZLS/2EEW+cVjDMxV4Gnf9Zzrw/tSjVp6QLmJAkG8qrFmgdisQ/Jao4M ygE8ZVu8lJq7N8b+k8XkB+bhz9E9V6hYOUuGoifEHRIPki/Ed7++BcdVTQdQYpAL kDTaoVZt1+plwAu4ZBLxUg1vhVz19qgDc7UeoY1sPc1JcRWp/ONnp6K4z+Y+7Rsx 3E4FLH0/qgFxKDHdGX91Plehk9dIEjHcGtKaXI8vOvGT17srYQaF6Y7rc+9TwaqI bggBCxcI2PLQgjuWyF4M =+6UN -END PGP SIGNATURE- ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp
Re: [Openstack] Keystone: LDAP identity driver 'list resource' support
You thought correct: https://bugs.launchpad.net/keystone/+bug/983304 -Dolph On Mon, Sep 10, 2012 at 11:32 AM, Adam Young ayo...@redhat.com wrote: On 09/10/2012 11:29 AM, boden wrote: I've been munking with the latest Keystone LDAP identity driver and based on what I'm seeing the driver does not support the 'list' resource based methods. For example 'list users', 'list tenants'... For example, config your keystone.conf up to use an LDAP backend which contains the supported DIT structure for the driver and then fire up keystone. Hit keystone with a GET /users or GET /tenants request and 500/501 errors. Switch your identity driver back to the SQL identity driver and retry -- all is well and you can list users and tenants. Looking at the code it appears the ldap identity driver does not implement the list_*() methods (list_users(), list_roles()...) __**_ Mailing list: https://launchpad.net/~**openstackhttps://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~**openstackhttps://launchpad.net/~openstack More help : https://help.launchpad.net/**ListHelphttps://help.launchpad.net/ListHelp That is correct. I thought we already had a ticket for this one, but it does not appear to be so. Please go ahead and open one. __**_ Mailing list: https://launchpad.net/~**openstackhttps://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~**openstackhttps://launchpad.net/~openstack More help : https://help.launchpad.net/**ListHelphttps://help.launchpad.net/ListHelp ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp
Re: [Openstack] [Keystone] LDAP integratiom
pip-requires/test-requires is aimed at developers and is broken up into two files more-so for documentation/organization purposes. IMO, including LDAP as a dependency should be solved by real packaging (e.g. $ apt-get install keystone keystone-ldap). -Dolph On Fri, Sep 7, 2012 at 8:30 AM, Adam Young ayo...@redhat.com wrote: On 09/06/2012 05:23 PM, Ivan Kolodyazhny wrote: Hi Everyone, Keystone uses python-ldap library to communicate with LDAP server. There are to points where Keystone communicates with LDAP server: keystone.common ldap and keystone.identity.backends.ldap packages. According to the current Keystone architecture it is solid application w/o extensions or plugins. So it will be useful to add python-ldap library to pip-requires file. This dependency is already resolved in the test-requires with comment: 'Optional backend: LDAP'. LDAP support is optional, which is why it is not currently in pip-requires, but I suspect that, as it grows in visibility, it will make sense to include it. It would be helpful to report things like this as a bug and to provide a patch. Best regards, Ivan Kolodyazhny ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp
Re: [Openstack] About the Role and User's rights
Those roles you see in keystone are merely examples, and don't have any meaning by themselves. You create your own roles in keystone (e.g. $ keystone role-create) and define the associated actions specific to each service via each service's own policy.json. For example, here's nova's default policy.json: https://github.com/openstack/nova/blob/master/etc/nova/policy.json -Dolph On Fri, Aug 31, 2012 at 2:21 AM, Jack 545997...@qq.com wrote: hi all, openstack uses a rights management system that employs a Role-Based Access Control , Roles control the actions that a user is allowed to perform .there are 5 roles in keystone ,there are admin,KeystoneAdmin,KeystoneServiceAdmin,Member,anotherrole ,but ,how openstack control every role's rights? how openstack lmits the actions of each role? Looking forward ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp
Re: [Openstack] keystone questions
You're looking to provide data redundancy across keystone instances with varying backend implementations... what's your use case? How would you orchestrate the synchronization and failover, if any? What's the purpose of each backend in such a deployment? -Dolph On Wed, Aug 29, 2012 at 3:50 AM, pat p...@xvalheru.org wrote: Hi Joe, OK, this is clear to me, but I more think about this scenario: each keystone has its own storage and the keystones are interconnected and replicating the information on keystone layer - so for example one keystone can be connected to LDAP another to DB or KVS etc. Thanks a lot for your answers and patience :-) Your answers are helpful to me. Pat On Tue, 28 Aug 2012 08:55:16 -0700, Joseph Heck wrote On Aug 28, 2012, at 12:41 AM, pat p...@xvalheru.org wrote: Thanks for Q1. About Q2, I more think about keystone instances and each has its own storage and the keystones are interconnected and their data are replicated. The DB, in your suggestion, looks like single point of failure to me. Hi Pat, Yes - it definitely could be. If you're setting up keystone in an HA configuration, then I'd expect that you actually have a mysql cluster backing the database that could allow a single instance of mysql to fail and maintain services. Keystone, like Nova, Glance, etc is stashing it's state somewhere - the WSGI processes that run keystone have moved that to MySQL, so MySQL is the place where you need to watch and care for. Many implementations of OpenStack that I've seen have shared the MySQL instance between keystone, nova, and glance, and quite successfully. If you were using LDAP entirely for the backend instead of the SQL backed mechanisms, then you'd need a replicated/failover cluster for LDAP as well. -joe On Mon, 27 Aug 2012 09:46:41 -0700, Joseph Heck wrote Hi Pat, On Aug 27, 2012, at 8:09 AM, pat p...@xvalheru.org wrote: I have two questions regarding OpenStack Keystone: Q1) The Folsom release supports domains. The domain can contain more tenants and tenant cannot be shared between domains. Is this right? I think so, but want to be sure. I'm afraid it doesn't. We didn't make sufficient progress with the V3 API (which is what incorporates domains) to include that with the Folsom release. We expect this to be available with the grizzly release. Q2) Is it posible to have a “cluster” of the Keystones to avoid Keystone to be a bottleneck? If so, could you point me to a “tutorial”? Or did I missed something important? If by cluster you mean multiple instances to handle requests, then absolutely - yes. For this particular response, I'll assume you're using a SQL backend for Keystone. Generally you maintain a single database - wether that's an HA cluster or a single instance, and any number of Keystone service instances can point to and use that. Freehosting PIPNI - http://www.pipni.cz/ ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp Freehosting PIPNI - http://www.pipni.cz/ Freehosting PIPNI - http://www.pipni.cz/ ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp
Re: [Openstack] keystone installed by devstack redirect http request
Keystone doesn't return 301's (ever). However, your 301 response headers show: Server: BlueCoat-Security-Appliance I'm guessing that wasn't installed by devstack :) -Dolph On Fri, Aug 24, 2012 at 3:03 AM, Lu, Lianhao lianhao...@intel.com wrote: Hi gang, I used the devstack to install a all-one-one develop environment, but the keystone service seemed not working for me. The host OS is Ubuntu 12.04 with a statically assigned IP address 192.168.79.201. Since this host is in the internal network, I have to use a gateway(with 2 NICs of ip addresses 192.168.79.1 and 10.239.48.224) to login into the 192.168.79.201 host from the 10.239.48.0/24 network to run devstack. After running devstack successfully, I found that the keystone service was not usable. It mysteriously redirected http requests to the gateway 10.239.48.224(see below for the http response and keystone configurations). Does anyone know why I saw the redirect here? Thanks! Best Regards, -Lianhao $ keystone --debug tenant-list connect: (127.0.0.1, 5000) send: 'POST /v2.0/tokens HTTP/1.1\r\nHost: 127.0.0.1:5000\r\nContent-Length: 100\r\ncontent-type: application/json\r\naccept-encoding: gzip, deflate\r\nuser-agent: python-keystoneclient\r\n\r\n{auth: {tenantName: demo, passwordCredentials: {username: admin, password: 123456}}}' reply: 'HTTP/1.1 301 Moved Permanently\r\n' header: Server: BlueCoat-Security-Appliance header: Location:http://10.239.48.224 header: Connection: Close connect: (10.239.48.224, 80) send: 'POST / HTTP/1.1\r\nHost: 10.239.48.224\r\nContent-Length: 100\r\ncontent-type: application/json\r\naccept-encoding: gzip, deflate\r\nuser-agent: python-keystoneclient\r\n\r\n{auth: {tenantName: demo, passwordCredentials: {username: admin, password: 123456}}}' $ cat /etc/keystone/keystone.conf [DEFAULT] admin_token = 123456 [sql] connection = mysql://root:123456@localhost/keystone?charset=utf8 [catalog] template_file = /etc/keystone/default_catalog.templates driver = keystone.catalog.backends.templated.TemplatedCatalog [ec2] driver = keystone.contrib.ec2.backends.sql.Ec2 [filter:debug] paste.filter_factory = keystone.common.wsgi:Debug.factory [filter:token_auth] paste.filter_factory = keystone.middleware:TokenAuthMiddleware.factory [filter:admin_token_auth] paste.filter_factory = keystone.middleware:AdminTokenAuthMiddleware.factory [filter:xml_body] paste.filter_factory = keystone.middleware:XmlBodyMiddleware.factory [filter:json_body] paste.filter_factory = keystone.middleware:JsonBodyMiddleware.factory [filter:user_crud_extension] paste.filter_factory = keystone.contrib.user_crud:CrudExtension.factory [filter:crud_extension] paste.filter_factory = keystone.contrib.admin_crud:CrudExtension.factory [filter:ec2_extension] paste.filter_factory = keystone.contrib.ec2:Ec2Extension.factory [filter:s3_extension] paste.filter_factory = keystone.contrib.s3:S3Extension.factory [filter:url_normalize] paste.filter_factory = keystone.middleware:NormalizingFilter.factory [filter:stats_monitoring] paste.filter_factory = keystone.contrib.stats:StatsMiddleware.factory [filter:stats_reporting] paste.filter_factory = keystone.contrib.stats:StatsExtension.factory [app:public_service] paste.app_factory = keystone.service:public_app_factory [app:admin_service] paste.app_factory = keystone.service:admin_app_factory [pipeline:public_api] pipeline = stats_monitoring url_normalize token_auth admin_token_auth xml_body json_body debug ec2_extension user_crud_extension public_service [pipeline:admin_api] pipeline = stats_monitoring url_normalize token_auth admin_token_auth xml_body json_body debug stats_reporting ec2_extension s3_extension crud_extension admin_service [app:public_version_service] paste.app_factory = keystone.service:public_version_app_factory [app:admin_version_service] paste.app_factory = keystone.service:admin_version_app_factory [pipeline:public_version_api] pipeline = stats_monitoring url_normalize xml_body public_version_service [pipeline:admin_version_api] pipeline = stats_monitoring url_normalize xml_body admin_version_service [composite:main] use = egg:Paste#urlmap /v2.0 = public_api / = public_version_api [composite:admin] use = egg:Paste#urlmap /v2.0 = admin_api / = admin_version_api $ cat /etc/keystone/default_catalog.templates catalog.RegionOne.identity.publicURL = http://192.168.79.201: $(public_port)s/v2.0 catalog.RegionOne.identity.adminURL = http://192.168.79.201: $(admin_port)s/v2.0 catalog.RegionOne.identity.internalURL = http://192.168.79.201: $(public_port)s/v2.0 catalog.RegionOne.identity.name = Identity Service catalog.RegionOne.compute.publicURL = http://192.168.79.201:8774/v2/$(tenant_id)s catalog.RegionOne.compute.adminURL = http://192.168.79.201:8774/v2/$(tenant_id)s catalog.RegionOne.compute.internalURL = http://192.168.79.201:8774/v2/$(tenant_id)s catalog.RegionOne.compute.name = Compute Service
Re: [Openstack] KeyStone service is not responding while installing thorough DevStack !!
What exactly happens when you try to start it directly? cd /opt/stack/keystone /opt/stack/keystone/bin/keystone-all --config-file /etc/keystone/keystone.conf --log-config /etc/ke'stone/logging.conf -d --debug What happens when you curl http://localhost:5000/v2.0/ on that machine? And with port 35357? -Dolph On Thu, Aug 23, 2012 at 3:15 AM, hitesh wadekar hitesh.wade...@gmail.comwrote: Guys, I am installing DevStack script. I stucked here. + screen -S stack -p key -X stuff 'cd /opt/stack/keystone /opt/stack/keystone/bin/keystone-all --config-file /etc/keystone/keystone.conf --log-config /etc/ke'stone/logging.conf -d --debug echo 'Waiting for keystone to start...' Waiting for keystone to start... + timeout 60 sh -c 'while ! http_proxy= curl -s http://192.168.1.100:5000/v2.0/ /dev/null; do sleep 1; done' + echo 'keystone did not start' keystone did not start By looking at message, it is sure that KeyStone service has not been responding. I installed it manually but no luck still seen the same issue. Any suggestion or pointers for this? Thanks, Hitesh Wadekar ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp -- -Dolph ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp
Re: [Openstack] KeyStone service is not responding while installing thorough DevStack !!
That potentially a different issue; likely a pypi mirror not responding? You can download/install prettytable directly if you need to: http://pypi.python.org/pypi/PrettyTable/ -Dolph On Thu, Aug 23, 2012 at 3:39 AM, Trinath Somanchi trinath.soman...@gmail.com wrote: Hi- Me too experiencing the same. I was struck at this point. Downloading/unpacking prettytable (from -r python_keystoneclient.egg.info/requires.txt (line 2)) It was just struck here... and not moving forward. Can any one guide me troubleshooting the issue. - Trinath On Thu, Aug 23, 2012 at 1:45 PM, hitesh wadekar hitesh.wade...@gmail.comwrote: Guys, I am installing DevStack script. I stucked here. + screen -S stack -p key -X stuff 'cd /opt/stack/keystone /opt/stack/keystone/bin/keystone-all --config-file /etc/keystone/keystone.conf --log-config /etc/ke'stone/logging.conf -d --debug echo 'Waiting for keystone to start...' Waiting for keystone to start... + timeout 60 sh -c 'while ! http_proxy= curl -s http://192.168.1.100:5000/v2.0/ /dev/null; do sleep 1; done' + echo 'keystone did not start' keystone did not start By looking at message, it is sure that KeyStone service has not been responding. I installed it manually but no luck still seen the same issue. Any suggestion or pointers for this? Thanks, Hitesh Wadekar ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp -- Regards, -- Trinath Somanchi, +91 9866 235 130 ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp -- -Dolph ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp
Re: [Openstack] sort_key and sort_dir for collections based REST APIs
I have the majority of the latest v3 draft implemented on both the client and server, but it's neither complete nor polished... yet. My goal is to have a solid implementation (perhaps in a branch?) for everyone to poke at in plenty of time for the summit :) -Dolph On Mon, Aug 20, 2012 at 4:33 PM, Gabriel Hurley gabriel.hur...@nebula.comwrote: Given that the v3 API didn't get implemented in Folsom that gives us a perfect opportunity to talk about this stuff at the Grizzly summit! ;-) - Gabriel -Original Message- From: openstack-bounces+gabriel.hurley=nebula@lists.launchpad.net [mailto:openstack- bounces+gabriel.hurley=nebula@lists.launchpad.net] On Behalf Of Joseph Heck Sent: Monday, August 20, 2012 1:45 PM To: Brian Waldon Cc: openstack@lists.launchpad.net Subject: Re: [Openstack] sort_key and sort_dir for collections based REST APIs In the V3 Keystone API, we asserted that we wanted filter functions, but didn't go to the length of defining a sort_key and sort_direction in the API spec. ref: https://docs.google.com/document/d/1VP-bTBbwsn6q- rDzuS9CEKb2ubE1VjbWRFd4BkkjoOY/edit?pli=1 -joe On Aug 20, 2012, at 10:05 AM, Brian Waldon bcwal...@gmail.com wrote: As we can't just add things to our APIs, it's not straight-forward to support them across the board. I think it would make sense to bake these parameters into the next versions of our APIs for collection sorting, but my opinion is definitely biased. Maybe Joe Heck can comment, as he's working on the v2 Identity API. Brian On Aug 20, 2012, at 11:43 AM, boden wrote: All, Is anybody here familiar with the 'sort_key' and 'sort_dir' parameters for collection based APIs? Specifically I'm wondering if there are any plans to add support for these 2 params across the board (all collections based REST APIs including the 'primary compute extensions')? Based on my google-ability it appears they are only on the glance image APIs (http://docs.openstack.org/developer/glance/glanceapi.html ) at the present moment, so looking for more clarity on this topic intermediate to longer term. Thanks much ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp
Re: [Openstack] multiple LDAPs in OpenStack
While there's no implementation of this in keystone today, I'm sure you could write your own LDAP driver in keystone, heavily leveraging the existing LDAP driver. -Dolph On Mon, Aug 20, 2012 at 4:19 PM, Ryan Lane rl...@wikimedia.org wrote: On Mon, Aug 20, 2012 at 1:52 PM, pat p...@xvalheru.org wrote: Hello, I'm new to this list and OpenStack at all. I want to ask a question: I want to ask if it's possible to use one LDAP per tenant. I've searched the web, but didn't found the answer. In keystone this is not currently possible. - Ryan ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp
Re: [Openstack] why [Errno 111] ECONNREFUSED ????please help me
Replace AUTH_HOSTNAME with the IP/hostname port of your keystone server (e.g. 127.0.0.1:35357). -Dolph On Mon, Aug 6, 2012 at 9:15 PM, 王鹏 breakwin...@gmail.com wrote: Hi,every: That is my first install swift,I according to objectstorage-adminguide-essex.pdf from www.openstack.org. when I after install ,Verify the Installation, use swift -V 2 -A http://AUTH_HOSTNAME:5000/v2.0 -U adminUser:admin -K 012345SECRET99TOKEN012345 stat [Errno 111] ECONNREFUSED why? before this error ,everything is ok. there are not erroe in syslog why ? what can i do for it what'mean -U option? system user?or keystone tenant admin ? please help me! ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp
Re: [Openstack] Keystone client could not behave well, call for help
Try running the same command with the --debug option, and share the output here. Thanks, -Dolph On Sunday, July 22, 2012, MURAOKA Yusuke wrote: Hi, There is devstack all-in-one openstack builder. http://devstack.org/ Officially, its not supporting RHEL 6.1 on the site. But its only shell-script. So, you can get working stack to compare what's different from the stack you built. -- MURAOKA Yusuke Mail: yus...@jbking.org javascript:; 日付:2012年7月22日日曜日、�r刻:3:44、差出人:延生 付: Dear all, The background is I have already installed all the openstack components on RHEL 6.1. Nova and Glance configured well, and can boot up normally. Keystone server also configured and boot up normally, while when I type the cmd as below, weird things happened. [root@kapi-r11 keystone]# keystone --token 8a47fd17e8950d483ea7 --endpoint http://127.0.0.1:5001/v2.0 role-list string indices must be integers, not str Have you ever encountered the issue I met? Any keystone client cmd could not work well. I did some investigate on the keystone client code, but haven’t found suspected issue. Is it related with RHEL or python version? Best Regards, Will Fu ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net javascript:; (mailto: openstack@lists.launchpad.net javascript:;) Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net javascript:; Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp