Re: [Openstack] [Keystone] API Question
As a non-admin user querying the Keystone v2 API, is there a way for me to get a list of the tenants that I am a member of? Or is that only a v3 thing?

-Matt

___
Mailing list: https://launchpad.net/~openstack
Post to : openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help : https://help.launchpad.net/ListHelp
Re: [Openstack] [Keystone] API Question
On 07/17/2012 03:47 PM, Matt Joyce wrote:
> As a non-admin user querying the Keystone v2 API, is there a way for me to get a list of the tenants that I am a member of? Or is that only a v3 thing?
>
> -Matt

I was just looking into it, and there is no such API yet. The underlying Identity provider call is get_tenants_for_user, and there does not seem to be a route set up that calls that.
Re: [Openstack] [Keystone] API Question
On Tue, Jul 17, 2012 at 12:55 PM, Adam Young ayo...@redhat.com wrote:
> On 07/17/2012 03:47 PM, Matt Joyce wrote:
>> As a non-admin user querying the Keystone v2 API, is there a way for me to get a list of the tenants that I am a member of? Or is that only a v3 thing?
>>
>> -Matt
>
> I was just looking into it, and there is no such API yet. The underlying Identity provider call is get_tenants_for_user, and there does not seem to be a route set up that calls that.

8( --- sad panda face. That would have been a very useful call for me right now. I hope we have something by Folsom (albeit s/tenant/project/ig).

-Matt
Re: [Openstack] [Keystone] API Question
On 07/17/2012 03:55 PM, Matt Joyce wrote:
> On Tue, Jul 17, 2012 at 12:55 PM, Adam Young ayo...@redhat.com wrote:
>> On 07/17/2012 03:47 PM, Matt Joyce wrote:
>>> As a non-admin user querying the Keystone v2 API, is there a way for me to get a list of the tenants that I am a member of? Or is that only a v3 thing?
>>>
>>> -Matt
>>
>> I was just looking into it, and there is no such API yet. The underlying Identity provider call is get_tenants_for_user, and there does not seem to be a route set up that calls that.
>
> 8( --- sad panda face. That would have been a very useful call for me right now. I hope we have something by Folsom (albeit s/tenant/project/ig).
>
> -Matt

You can try this one out:
https://github.com/admiyo/keystone/commit/997f9cb76fa908afebf434bef4905add085823ca
Re: [Openstack] [Keystone] API Question
    curl -H X-Auth-Token:123456789001234 http://localhost:5000/v2.0/tenants

That seems to do the trick for me for now.

On Tue, Jul 17, 2012 at 1:03 PM, Adam Young ayo...@redhat.com wrote:
> On 07/17/2012 03:55 PM, Matt Joyce wrote:
>> On Tue, Jul 17, 2012 at 12:55 PM, Adam Young ayo...@redhat.com wrote:
>>> On 07/17/2012 03:47 PM, Matt Joyce wrote:
>>>> As a non-admin user querying the Keystone v2 API, is there a way for me to get a list of the tenants that I am a member of? Or is that only a v3 thing?
>>>>
>>>> -Matt
>>>
>>> I was just looking into it, and there is no such API yet. The underlying Identity provider call is get_tenants_for_user, and there does not seem to be a route set up that calls that.
>>
>> 8( --- sad panda face. That would have been a very useful call for me right now. I hope we have something by Folsom (albeit s/tenant/project/ig).
>>
>> -Matt
>
> You can try this one out:
> https://github.com/admiyo/keystone/commit/997f9cb76fa908afebf434bef4905add085823ca
Re: [Openstack] [Keystone] API Question
On 07/17/2012 04:05 PM, Matt Joyce wrote:
>     curl -H X-Auth-Token:123456789001234 http://localhost:5000/v2.0/tenants
>
> That seems to do the trick for me for now.

Ah, I see that is hooked up to get_tenants_for_token; I was looking for the wrong API. That then calls:

    tenant_ids = self.identity_api.get_tenants_for_user(context, user_ref['id'])

I'm not sure that this is the right semantics for it, but it looks like it does what you want.

> On Tue, Jul 17, 2012 at 1:03 PM, Adam Young ayo...@redhat.com wrote:
>> On 07/17/2012 03:55 PM, Matt Joyce wrote:
>>> On Tue, Jul 17, 2012 at 12:55 PM, Adam Young ayo...@redhat.com wrote:
>>>> On 07/17/2012 03:47 PM, Matt Joyce wrote:
>>>>> As a non-admin user querying the Keystone v2 API, is there a way for me to get a list of the tenants that I am a member of? Or is that only a v3 thing?
>>>>>
>>>>> -Matt
>>>>
>>>> I was just looking into it, and there is no such API yet. The underlying Identity provider call is get_tenants_for_user, and there does not seem to be a route set up that calls that.
>>>
>>> 8( --- sad panda face. That would have been a very useful call for me right now. I hope we have something by Folsom (albeit s/tenant/project/ig).
>>>
>>> -Matt
>>
>> You can try this one out:
>> https://github.com/admiyo/keystone/commit/997f9cb76fa908afebf434bef4905add085823ca
Re: [Openstack] [Keystone] API Question
Adam speaks lies ;)

Here's a regular user requesting a list of tenants on port 5000 (notice they only get back 1 tenant):

    GET http://localhost:5000/v2.0/tenants
    X-Auth-Token: a6094f62e38c4fafa57e6edf7bd04961

    200 OK
    Status: 200
    Content-Length: 133
    Content-Location: http://localhost:5000/v2.0/tenants
    Vary: X-Auth-Token
    Date: Tue, 17 Jul 2012 20:49:16 GMT
    Content-Type: application/json

    {
      "tenants": [
        {
          "enabled": true,
          "description": null,
          "name": "my-project",
          "id": "2cf2efb1da5c4d5b8c97d8055ff3b5d8"
        }
      ],
      "tenants_links": []
    }

Here's an admin API call for all tenants in the system (notice there is an additional tenant the above user did not have access to):

    GET http://localhost:35357/v2.0/tenants
    X-Auth-Token: ADMIN

    200 OK
    Status: 200
    Content-Length: 236
    Content-Location: http://localhost:35357/v2.0/tenants
    Vary: X-Auth-Token
    Date: Tue, 17 Jul 2012 20:49:22 GMT
    Content-Type: application/json

    {
      "tenants": [
        {
          "enabled": true,
          "description": null,
          "name": "my-project",
          "id": "2cf2efb1da5c4d5b8c97d8055ff3b5d8"
        },
        {
          "enabled": true,
          "description": null,
          "name": "project-x",
          "id": "1213c2511f364264b1dfea9a56a225e0"
        }
      ],
      "tenants_links": []
    }

-Dolph

On Tue, Jul 17, 2012 at 2:55 PM, Matt Joyce matt.jo...@cloudscaling.com wrote:
> On Tue, Jul 17, 2012 at 12:55 PM, Adam Young ayo...@redhat.com wrote:
>> On 07/17/2012 03:47 PM, Matt Joyce wrote:
>>> As a non-admin user querying the Keystone v2 API, is there a way for me to get a list of the tenants that I am a member of? Or is that only a v3 thing?
>>>
>>> -Matt
>>
>> I was just looking into it, and there is no such API yet. The underlying Identity provider call is get_tenants_for_user, and there does not seem to be a route set up that calls that.
>
> 8( --- sad panda face. That would have been a very useful call for me right now. I hope we have something by Folsom (albeit s/tenant/project/ig).
>
> -Matt
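The two calls Dolph shows differ only in which port the token is presented to, and that difference is the whole authorization model of the v2 tenant listing: the public port answers with the tenants the token's user has a role on, the admin port with every tenant, and a plain user token must buy nothing on the admin port. The following is an added example, not Keystone's own code, that models those semantics as two small WSGI applications so the behaviour can be exercised in-process. The token table, the user-to-tenant membership, the ADMIN token literal and the 401 on an unknown token are constructed for the example; the tenant names and ids are the ones from the thread.

```python
"""Token-scoped tenant listing, modelled on the two Keystone v2 calls in the
thread.  Added example, not Keystone's code: the token table, membership map
and admin-token check below are constructed for illustration.
"""
import json
from wsgiref.util import setup_testing_defaults

ADMIN_TOKEN = "ADMIN"  # constructed: the admin-port service token

# Constructed sample data; tenant names/ids match the thread, tokens are made up.
TENANTS = {
    "2cf2efb1da5c4d5b8c97d8055ff3b5d8": {"enabled": True, "description": None,
                                          "name": "my-project"},
    "1213c2511f364264b1dfea9a56a225e0": {"enabled": True, "description": None,
                                          "name": "project-x"},
}
TOKENS = {"a6094f62e38c4fafa57e6edf7bd04961": "joe"}      # token -> user id
MEMBERSHIP = {"joe": ["2cf2efb1da5c4d5b8c97d8055ff3b5d8"]}  # user -> tenants with a role


def _tenant_doc(tenant_id):
    return dict(TENANTS[tenant_id], id=tenant_id)


def get_tenants_for_token(token):
    """Public-port semantics (5000): only the tenants the token's user belongs to.
    Returns None for an unknown token so the caller answers 401, not an empty list."""
    user = TOKENS.get(token)
    if user is None:
        return None
    return [_tenant_doc(t) for t in MEMBERSHIP.get(user, [])]


def get_all_tenants(token):
    """Admin-port semantics (35357): every tenant, but only for the admin token.
    A user token presented here is refused rather than silently scoped down."""
    if token != ADMIN_TOKEN:
        return None
    return [_tenant_doc(t) for t in TENANTS]


def make_app(admin_port):
    """Build a WSGI app serving GET /v2.0/tenants with one of the two semantics."""
    handler = get_all_tenants if admin_port else get_tenants_for_token

    def app(environ, start_response):
        if environ["REQUEST_METHOD"] != "GET" or environ.get("PATH_INFO") != "/v2.0/tenants":
            start_response("404 Not Found", [("Content-Length", "0")])
            return [b""]
        tenants = handler(environ.get("HTTP_X_AUTH_TOKEN", ""))
        if tenants is None:
            start_response("401 Unauthorized",
                           [("Content-Length", "0"), ("Vary", "X-Auth-Token")])
            return [b""]
        body = json.dumps({"tenants": tenants, "tenants_links": []}).encode()
        # Vary on the token: a shared cache must never hand one user's list to another.
        start_response("200 OK", [("Content-Type", "application/json"),
                                  ("Content-Length", str(len(body))),
                                  ("Vary", "X-Auth-Token")])
        return [body]
    return app


def call(app, token, path="/v2.0/tenants"):
    """Drive a WSGI app in-process; returns (status, header dict, parsed JSON or None)."""
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path, "HTTP_X_AUTH_TOKEN": token}
    setup_testing_defaults(environ)
    captured = {}

    def start_response(status, headers):
        captured["status"], captured["headers"] = status, dict(headers)

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], (json.loads(body) if body else None)


if __name__ == "__main__":
    public, admin = make_app(admin_port=False), make_app(admin_port=True)
    print(call(public, "a6094f62e38c4fafa57e6edf7bd04961"))  # one tenant
    print(call(admin, ADMIN_TOKEN))                           # both tenants
    print(call(admin, "a6094f62e38c4fafa57e6edf7bd04961"))   # 401: user token on admin port
```

The point worth checking in a real deployment is the third call: a user token against port 35357 must not be accepted, and a GET with no token must not be treated as an anonymous listing.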
Re: [Openstack] [Keystone] API Question
Anyone by any chance know how to read out the auth_token or raw_token that is acquired in keystoneclient when it performs a client.Client() authenticate? I'd love to be able to read that. And it's totally not documented anywhere, if it exists.

-Matt

On Tue, Jul 17, 2012 at 2:19 PM, Matt Joyce matt.jo...@cloudscaling.com wrote:
> Works for me. =D
>
> On Tue, Jul 17, 2012 at 1:51 PM, Dolph Mathews dolph.math...@gmail.com wrote:
>> Adam speaks lies ;)
>>
>> Here's a regular user requesting a list of tenants on port 5000 (notice they only get back 1 tenant):
>>
>>     GET http://localhost:5000/v2.0/tenants
>>     X-Auth-Token: a6094f62e38c4fafa57e6edf7bd04961
>>
>>     200 OK
>>     Status: 200
>>     Content-Length: 133
>>     Content-Location: http://localhost:5000/v2.0/tenants
>>     Vary: X-Auth-Token
>>     Date: Tue, 17 Jul 2012 20:49:16 GMT
>>     Content-Type: application/json
>>
>>     {"tenants": [{"enabled": true, "description": null, "name": "my-project", "id": "2cf2efb1da5c4d5b8c97d8055ff3b5d8"}], "tenants_links": []}
>>
>> Here's an admin API call for all tenants in the system (notice there is an additional tenant the above user did not have access to):
>>
>>     GET http://localhost:35357/v2.0/tenants
>>     X-Auth-Token: ADMIN
>>
>>     200 OK
>>     Status: 200
>>     Content-Length: 236
>>     Content-Location: http://localhost:35357/v2.0/tenants
>>     Vary: X-Auth-Token
>>     Date: Tue, 17 Jul 2012 20:49:22 GMT
>>     Content-Type: application/json
>>
>>     {"tenants": [{"enabled": true, "description": null, "name": "my-project", "id": "2cf2efb1da5c4d5b8c97d8055ff3b5d8"}, {"enabled": true, "description": null, "name": "project-x", "id": "1213c2511f364264b1dfea9a56a225e0"}], "tenants_links": []}
>>
>> -Dolph
>>
>> On Tue, Jul 17, 2012 at 2:55 PM, Matt Joyce matt.jo...@cloudscaling.com wrote:
>>> On Tue, Jul 17, 2012 at 12:55 PM, Adam Young ayo...@redhat.com wrote:
>>>> On 07/17/2012 03:47 PM, Matt Joyce wrote:
>>>>> As a non-admin user querying the Keystone v2 API, is there a way for me to get a list of the tenants that I am a member of? Or is that only a v3 thing?
>>>>>
>>>>> -Matt
>>>>
>>>> I was just looking into it, and there is no such API yet. The underlying Identity provider call is get_tenants_for_user, and there does not seem to be a route set up that calls that.
>>>
>>> 8( --- sad panda face. That would have been a very useful call for me right now. I hope we have something by Folsom (albeit s/tenant/project/ig).
>>>
>>> -Matt
Re: [Openstack] [Keystone] API Question
Not sure if it's documented outside of tests, but: client.Client().auth_token

    from keystoneclient.v2_0 import client

    c = client.Client(auth_url='http://localhost:5000/v2.0/',
                      username='joe',
                      password='secrete',
                      tenant_name='project-x')
    print(c.auth_token)
    # ec04fe9e554a43d1a853e6c665f3e9b2

-Dolph

On Tue, Jul 17, 2012 at 5:06 PM, Matt Joyce matt.jo...@cloudscaling.com wrote:
> Anyone by any chance know how to read out the auth_token or raw_token that is acquired in keystoneclient when it performs a client.Client() authenticate? I'd love to be able to read that. And it's totally not documented anywhere, if it exists.
>
> -Matt
>
> On Tue, Jul 17, 2012 at 2:19 PM, Matt Joyce matt.jo...@cloudscaling.com wrote:
>> Works for me. =D
>>
>> On Tue, Jul 17, 2012 at 1:51 PM, Dolph Mathews dolph.math...@gmail.com wrote:
>>> Adam speaks lies ;)
>>>
>>> Here's a regular user requesting a list of tenants on port 5000 (notice they only get back 1 tenant):
>>>
>>>     GET http://localhost:5000/v2.0/tenants
>>>     X-Auth-Token: a6094f62e38c4fafa57e6edf7bd04961
>>>
>>>     200 OK
>>>     Status: 200
>>>     Content-Length: 133
>>>     Content-Location: http://localhost:5000/v2.0/tenants
>>>     Vary: X-Auth-Token
>>>     Date: Tue, 17 Jul 2012 20:49:16 GMT
>>>     Content-Type: application/json
>>>
>>>     {"tenants": [{"enabled": true, "description": null, "name": "my-project", "id": "2cf2efb1da5c4d5b8c97d8055ff3b5d8"}], "tenants_links": []}
>>>
>>> Here's an admin API call for all tenants in the system (notice there is an additional tenant the above user did not have access to):
>>>
>>>     GET http://localhost:35357/v2.0/tenants
>>>     X-Auth-Token: ADMIN
>>>
>>>     200 OK
>>>     Status: 200
>>>     Content-Length: 236
>>>     Content-Location: http://localhost:35357/v2.0/tenants
>>>     Vary: X-Auth-Token
>>>     Date: Tue, 17 Jul 2012 20:49:22 GMT
>>>     Content-Type: application/json
>>>
>>>     {"tenants": [{"enabled": true, "description": null, "name": "my-project", "id": "2cf2efb1da5c4d5b8c97d8055ff3b5d8"}, {"enabled": true, "description": null, "name": "project-x", "id": "1213c2511f364264b1dfea9a56a225e0"}], "tenants_links": []}
>>>
>>> -Dolph
>>>
>>> On Tue, Jul 17, 2012 at 2:55 PM, Matt Joyce matt.jo...@cloudscaling.com wrote:
>>>> On Tue, Jul 17, 2012 at 12:55 PM, Adam Young ayo...@redhat.com wrote:
>>>>> On 07/17/2012 03:47 PM, Matt Joyce wrote:
>>>>>> As a non-admin user querying the Keystone v2 API, is there a way for me to get a list of the tenants that I am a member of? Or is that only a v3 thing?
>>>>>>
>>>>>> -Matt
>>>>>
>>>>> I was just looking into it, and there is no such API yet. The underlying Identity provider call is get_tenants_for_user, and there does not seem to be a route set up that calls that.
>>>>
>>>> 8( --- sad panda face. That would have been a very useful call for me right now. I hope we have something by Folsom (albeit s/tenant/project/ig).
>>>>
>>>> -Matt
Re: [Openstack] [Keystone] API Question
On 07/17/2012 06:06 PM, Matt Joyce wrote:
> Anyone by any chance know how to read out the auth_token or raw_token that is acquired in keystoneclient when it performs a client.Client() authenticate?

The token is just a UUID, randomly generated. In the PKI proposal, it is a base64 encoding of a signed document in CMS format.

> I'd love to be able to read that. And it's totally not documented anywhere, if it exists.
>
> -Matt
>
> On Tue, Jul 17, 2012 at 2:19 PM, Matt Joyce matt.jo...@cloudscaling.com wrote:
>> Works for me. =D
>>
>> On Tue, Jul 17, 2012 at 1:51 PM, Dolph Mathews dolph.math...@gmail.com wrote:
>>> Adam speaks lies ;)
>>>
>>> Here's a regular user requesting a list of tenants on port 5000 (notice they only get back 1 tenant):
>>>
>>>     GET http://localhost:5000/v2.0/tenants
>>>     X-Auth-Token: a6094f62e38c4fafa57e6edf7bd04961
>>>
>>>     200 OK
>>>     Status: 200
>>>     Content-Length: 133
>>>     Content-Location: http://localhost:5000/v2.0/tenants
>>>     Vary: X-Auth-Token
>>>     Date: Tue, 17 Jul 2012 20:49:16 GMT
>>>     Content-Type: application/json
>>>
>>>     {"tenants": [{"enabled": true, "description": null, "name": "my-project", "id": "2cf2efb1da5c4d5b8c97d8055ff3b5d8"}], "tenants_links": []}
>>>
>>> Here's an admin API call for all tenants in the system (notice there is an additional tenant the above user did not have access to):
>>>
>>>     GET http://localhost:35357/v2.0/tenants
>>>     X-Auth-Token: ADMIN
>>>
>>>     200 OK
>>>     Status: 200
>>>     Content-Length: 236
>>>     Content-Location: http://localhost:35357/v2.0/tenants
>>>     Vary: X-Auth-Token
>>>     Date: Tue, 17 Jul 2012 20:49:22 GMT
>>>     Content-Type: application/json
>>>
>>>     {"tenants": [{"enabled": true, "description": null, "name": "my-project", "id": "2cf2efb1da5c4d5b8c97d8055ff3b5d8"}, {"enabled": true, "description": null, "name": "project-x", "id": "1213c2511f364264b1dfea9a56a225e0"}], "tenants_links": []}
>>>
>>> -Dolph
>>>
>>> On Tue, Jul 17, 2012 at 2:55 PM, Matt Joyce matt.jo...@cloudscaling.com wrote:
>>>> On Tue, Jul 17, 2012 at 12:55 PM, Adam Young ayo...@redhat.com wrote:
>>>>> On 07/17/2012 03:47 PM, Matt Joyce wrote:
>>>>>> As a non-admin user querying the Keystone v2 API, is there a way for me to get a list of the tenants that I am a member of? Or is that only a v3 thing?
>>>>>>
>>>>>> -Matt
>>>>>
>>>>> I was just looking into it, and there is no such API yet. The underlying Identity provider call is get_tenants_for_user, and there does not seem to be a route set up that calls that.
>>>>
>>>> 8( --- sad panda face. That would have been a very useful call for me right now. I hope we have something by Folsom (albeit s/tenant/project/ig).
>>>>
>>>> -Matt
[Openstack] Keystone API docs - Create User JSON
Hi.

I think there is an error in the Keystone API docs [1]. The password parameter in the JSON request for creating a user should be "password" and not "OS-KSADM:password".

Regards,
Antonio.

[1] http://docs.openstack.org/api/openstack-identity-service/2.0/content/POST_addUser_v2.0_users_Admin_API_Service_Developer_Operations-d1e1356.html

-- 
Antonio Manuel Muñiz Martín
Software Developer at klicap - ingeniería del puzle
work phone + 34 954 894 322
www.klicap.es | blog.klicap.es
[Openstack] Keystone API
Hi,

I'm working on enhancing the Keystone PublicAPI to support CORS. Everything seems to work well except that Keystone is formatting responses with Transfer-Encoding: chunked, which isn't accepted for OPTIONS queries by browsers (Chrome, Firefox). Does anyone know how to force the Keystone API to use plain format?

My CorsController is as follows:

    from keystone.common import wsgi


    class CorsController(wsgi.Application):
        def __init__(self):
            super(CorsController, self).__init__()

        def get_options(self, context):
            # CORS preflight answer for the public API
            headers = [('Access-Control-Allow-Headers',
                        'origin,content-type,accept,x-auth-token')]
            headers.append(('Access-Control-Allow-Methods', 'POST'))
            headers.append(('Access-Control-Allow-Origin',
                            'https://178.239.138.10:8433'))
            headers.append(('Access-Control-Max-Age', '60'))
            headers.append(('Content-Length', '0'))
            return wsgi.render_response(status=(200, 'OK'), headers=headers)

Sample request:

    echo -e 'OPTIONS /v2.0/tokens HTTP/1.1\r\n' | nc 10.76.0.119 5000
    HTTP/1.1 200 OK
    Access-Control-Allow-Headers: origin,content-type,accept,x-auth-token
    Access-Control-Allow-Methods: POST
    Access-Control-Allow-Origin: https://10.76.0.119:8433
    Access-Control-Max-Age: 60
    Date: Thu, 21 Jun 2012 16:52:33 GMT
    Transfer-Encoding: chunked

-- 
Tomasz Paszkowski
SS7, Asterisk, SAN, Datacenter, Cloud Computing
+48500166299
Re: [Openstack] Keystone API
I have created a bug report: https://bugs.launchpad.net/keystone/+bug/1016171

On Thu, Jun 21, 2012 at 6:57 PM, Tomasz Paszkowski ss7...@gmail.com wrote:
> Hi,
>
> I'm working on enhancing the Keystone PublicAPI to support CORS. Everything seems to work well except that Keystone is formatting responses with Transfer-Encoding: chunked, which isn't accepted for OPTIONS queries by browsers (Chrome, Firefox). Does anyone know how to force the Keystone API to use plain format?
>
> My CorsController is as follows:
>
>     class CorsController(wsgi.Application):
>         def __init__(self):
>             super(CorsController, self).__init__()
>
>         def get_options(self, context):
>             headers = [('Access-Control-Allow-Headers',
>                         'origin,content-type,accept,x-auth-token')]
>             headers.append(('Access-Control-Allow-Methods', 'POST'))
>             headers.append(('Access-Control-Allow-Origin',
>                             'https://178.239.138.10:8433'))
>             headers.append(('Access-Control-Max-Age', '60'))
>             headers.append(('Content-Length', '0'))
>             return wsgi.render_response(status=(200, 'OK'), headers=headers)
>
> Sample request:
>
>     echo -e 'OPTIONS /v2.0/tokens HTTP/1.1\r\n' | nc 10.76.0.119 5000
>     HTTP/1.1 200 OK
>     Access-Control-Allow-Headers: origin,content-type,accept,x-auth-token
>     Access-Control-Allow-Methods: POST
>     Access-Control-Allow-Origin: https://10.76.0.119:8433
>     Access-Control-Max-Age: 60
>     Date: Thu, 21 Jun 2012 16:52:33 GMT
>     Transfer-Encoding: chunked
>
> --
> Tomasz Paszkowski
> SS7, Asterisk, SAN, Datacenter, Cloud Computing
> +48500166299

-- 
Tomasz Paszkowski
SS7, Asterisk, SAN, Datacenter, Cloud Computing
+48500166299
Re: [Openstack] Keystone API
If you let webob calculate the Content-Length by itself, it won't resort to adding a Transfer-Encoding header: https://review.openstack.org/#/c/8818

On Thu, Jun 21, 2012 at 12:54 PM, Tomasz Paszkowski ss7...@gmail.com wrote:
> I have created a bug report: https://bugs.launchpad.net/keystone/+bug/1016171
>
> On Thu, Jun 21, 2012 at 6:57 PM, Tomasz Paszkowski ss7...@gmail.com wrote:
>> Hi,
>>
>> I'm working on enhancing the Keystone PublicAPI to support CORS. Everything seems to work well except that Keystone is formatting responses with Transfer-Encoding: chunked, which isn't accepted for OPTIONS queries by browsers (Chrome, Firefox). Does anyone know how to force the Keystone API to use plain format?
>>
>> My CorsController is as follows:
>>
>>     class CorsController(wsgi.Application):
>>         def __init__(self):
>>             super(CorsController, self).__init__()
>>
>>         def get_options(self, context):
>>             headers = [('Access-Control-Allow-Headers',
>>                         'origin,content-type,accept,x-auth-token')]
>>             headers.append(('Access-Control-Allow-Methods', 'POST'))
>>             headers.append(('Access-Control-Allow-Origin',
>>                             'https://178.239.138.10:8433'))
>>             headers.append(('Access-Control-Max-Age', '60'))
>>             headers.append(('Content-Length', '0'))
>>             return wsgi.render_response(status=(200, 'OK'), headers=headers)
>>
>> Sample request:
>>
>>     echo -e 'OPTIONS /v2.0/tokens HTTP/1.1\r\n' | nc 10.76.0.119 5000
>>     HTTP/1.1 200 OK
>>     Access-Control-Allow-Headers: origin,content-type,accept,x-auth-token
>>     Access-Control-Allow-Methods: POST
>>     Access-Control-Allow-Origin: https://10.76.0.119:8433
>>     Access-Control-Max-Age: 60
>>     Date: Thu, 21 Jun 2012 16:52:33 GMT
>>     Transfer-Encoding: chunked
>>
>> --
>> Tomasz Paszkowski
>> SS7, Asterisk, SAN, Datacenter, Cloud Computing
>> +48500166299
>
> --
> Tomasz Paszkowski
> SS7, Asterisk, SAN, Datacenter, Cloud Computing
> +48500166299
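Two things about the preflight in this thread are worth seeing together on the wire: the Content-Length that makes the chunked encoding go away has to describe the bytes actually sent, and the Access-Control-Allow-Origin value must come from an allowlist rather than being copied from the request, because a reflected Origin would let any web page drive an authenticated POST /v2.0/tokens from a victim's browser. The following is an added example and not Keystone's code or the patch under review: it assembles the raw HTTP/1.1 preflight response with the standard library only, in the same shape as the nc output quoted above, and refuses by omitting the CORS headers. The origin allowlist, the Date value and the request-header checks are constructed for the example.

```python
"""CORS preflight for POST /v2.0/tokens, assembled as raw HTTP/1.1 bytes.
Added example, not Keystone's code: the allowlist and the Date are constructed.
"""

# Constructed allowlist: only origins listed here may call the API from a
# browser.  The Origin header is matched against it, never reflected.
ALLOWED_ORIGINS = {"https://178.239.138.10:8433"}
ALLOWED_METHODS = ("POST",)
ALLOWED_HEADERS = ("origin", "content-type", "accept", "x-auth-token")


def _csv(value):
    """Split a comma-separated header value into a set of lower-cased names."""
    return {item.strip().lower() for item in value.split(",") if item.strip()}


def preflight_headers(origin, requested_method, requested_headers):
    """CORS headers for a preflight, or an empty list to refuse it.

    Refusing means sending no Access-Control-* headers at all; the browser
    then blocks the real request.  Echoing an unknown Origin (or "*") would
    let any web page drive an authenticated POST /v2.0/tokens."""
    if origin not in ALLOWED_ORIGINS:
        return []
    if requested_method.upper() not in ALLOWED_METHODS:
        return []
    if not _csv(requested_headers) <= set(ALLOWED_HEADERS):
        return []
    return [
        ("Access-Control-Allow-Origin", origin),   # the exact allowed origin, not "*"
        ("Access-Control-Allow-Methods", ",".join(ALLOWED_METHODS)),
        ("Access-Control-Allow-Headers", ",".join(ALLOWED_HEADERS)),
        ("Access-Control-Max-Age", "60"),
        ("Vary", "Origin"),                        # caches must key on the Origin header
    ]


def preflight_response(origin, requested_method="POST",
                       requested_headers="x-auth-token,content-type",
                       date="Thu, 21 Jun 2012 16:52:33 GMT"):
    """Raw HTTP/1.1 response bytes for an OPTIONS preflight.

    The body is empty, so Content-Length is 0.  Deriving the header from the
    bytes actually sent is what keeps a server from falling back to
    Transfer-Encoding: chunked, which browsers reject on a preflight."""
    body = b""
    headers = preflight_headers(origin, requested_method, requested_headers)
    headers += [("Date", date), ("Content-Length", str(len(body)))]
    # A refused preflight is still a 200; it simply carries no CORS headers.
    status = "HTTP/1.1 200 OK"
    head = "\r\n".join([status] + ["%s: %s" % h for h in headers]) + "\r\n\r\n"
    return head.encode("ascii") + body


def parse_response(raw):
    """Split raw response bytes into (status line, {header: value}, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("ascii").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip()] = value.strip()
    return lines[0], headers, body


if __name__ == "__main__":
    print(preflight_response("https://178.239.138.10:8433").decode())
    print(preflight_response("https://evil.example").decode())
```

The hand-written Content-Length in the controller above is not wrong in itself; the problem Dolph's patch addresses is that it was being added alongside a body the framework then framed differently. Computing the header from the final body, as here, keeps the two from disagreeing.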
Re: [Openstack] Keystone API
bingo :-) You're great!

On Thu, Jun 21, 2012 at 8:34 PM, Dolph Mathews dolph.math...@gmail.com wrote:
> If you let webob calculate the Content-Length by itself, it won't resort to adding a Transfer-Encoding header: https://review.openstack.org/#/c/8818
>
> On Thu, Jun 21, 2012 at 12:54 PM, Tomasz Paszkowski ss7...@gmail.com wrote:
>> I have created a bug report: https://bugs.launchpad.net/keystone/+bug/1016171
>>
>> On Thu, Jun 21, 2012 at 6:57 PM, Tomasz Paszkowski ss7...@gmail.com wrote:
>>> Hi,
>>>
>>> I'm working on enhancing the Keystone PublicAPI to support CORS. Everything seems to work well except that Keystone is formatting responses with Transfer-Encoding: chunked, which isn't accepted for OPTIONS queries by browsers (Chrome, Firefox). Does anyone know how to force the Keystone API to use plain format?
>>>
>>> My CorsController is as follows:
>>>
>>>     class CorsController(wsgi.Application):
>>>         def __init__(self):
>>>             super(CorsController, self).__init__()
>>>
>>>         def get_options(self, context):
>>>             headers = [('Access-Control-Allow-Headers',
>>>                         'origin,content-type,accept,x-auth-token')]
>>>             headers.append(('Access-Control-Allow-Methods', 'POST'))
>>>             headers.append(('Access-Control-Allow-Origin',
>>>                             'https://178.239.138.10:8433'))
>>>             headers.append(('Access-Control-Max-Age', '60'))
>>>             headers.append(('Content-Length', '0'))
>>>             return wsgi.render_response(status=(200, 'OK'), headers=headers)
>>>
>>> Sample request:
>>>
>>>     echo -e 'OPTIONS /v2.0/tokens HTTP/1.1\r\n' | nc 10.76.0.119 5000
>>>     HTTP/1.1 200 OK
>>>     Access-Control-Allow-Headers: origin,content-type,accept,x-auth-token
>>>     Access-Control-Allow-Methods: POST
>>>     Access-Control-Allow-Origin: https://10.76.0.119:8433
>>>     Access-Control-Max-Age: 60
>>>     Date: Thu, 21 Jun 2012 16:52:33 GMT
>>>     Transfer-Encoding: chunked
>>>
>>> --
>>> Tomasz Paszkowski
>>> SS7, Asterisk, SAN, Datacenter, Cloud Computing
>>> +48500166299
>>
>> --
>> Tomasz Paszkowski
>> SS7, Asterisk, SAN, Datacenter, Cloud Computing
>> +48500166299

-- 
Tomasz Paszkowski
SS7, Asterisk, SAN, Datacenter, Cloud Computing
+48500166299
Re: [Openstack] Keystone API V3 - draft 2 now available
Sorry for the delayed response - some bits inline.

On Jun 18, 2012, at 5:16 PM, Gabriel Hurley wrote:
> I added lots of comments on the google doc. I think most of them reinforce the existing design decisions. That said, there are a few high-level issues I'd like to ask for discussion on:
>
> 1. This API features no differentiation between the "admin" API and the regular API as it exists currently; I assume this is due to the new policy engine. Am I correct, and does that mean that Keystone will no longer be using the admin port (35357)?

Given that there's at least one person out there specifically asking for separated ports for concerns, I expect we will. I've got a request in to register a public port, and there will certainly be an option so that you can run everything on a single port (if you want), with the APIs being protected by Keystone's RBAC. I've created a blueprint to cover making those implementations (https://blueprints.launchpad.net/keystone/+spec/rbac-keystone-api) to allow a single port if that's desired.

> 2. User roles on domains solves the issue of "who has the power to manage tenants", but that then begs the question "who has the power to manage domains?" The same question applies to services and policies. Anything that is not scoped to the domain still falls into a grey area, and the previous answer of "anyone who's got that permission anywhere has that permission everywhere" strikes me as massively broken.

My expectation is that there is still a keystone administrator role that has access to administratively manage keystone - setting up domains, etc. That doesn't mean this role is or needs to be equivalent to a global admin, and ideally that role would be *very* specific to Keystone and not propagate a global admin unless an implementation specifically wanted to do that. Back to my "there's a blueprint for that..." theme, we've set up a blueprint to gather and collate all the policy.json files and set up a recommended set of roles and policy files for deployment under https://blueprints.launchpad.net/keystone/+spec/document-deployment-suggestions-policy. I'm thinking of this as an operational/deployment suggestion that's a step up from the devstack "verify this stuff", enough to get moving with some recommendations that make sense for medium and larger sized deployments with multiple services and roles.

> 3. On an API level, I'd like to see this API be the first to support a parameter on all GET requests that causes that request to not only return the serialization of that single object, but all the related objects as well. For example, the GET /tenant/tenant_id call by default would have a "domain_id" attribute, but with this flag it would have a "domain" attribute containing the entire serialized domain object. As for the name of this flag, I don't feel strongly. Django calls this concept "select_related", sqlalchemy calls it "eagerload". We could pick whatever we like here, but I'll be asking for this in Nova, et al.'s APIs going forward too.

My first reaction is "Sure, if you code it..." :-), but more seriously - how would you suggest passing that along through a REST API to ask for the various IDs to be fully fleshed out? Or would you simply want to make this something that client code could reasonably do as it reconstitutes the objects in the python library? In the case of requesting a token in the V3 API draft, this is called out specifically as the expected result, where almost everything else will return an ID, but not necessarily embed additional objects in a cascade. The /token request use case is common enough that including the extra data up front will clearly reduce multiple calls for common use cases.

> 4. In the "you probably don't even want to touch it" category: have you given any thought to password reset functionality? Obviously it's backend dependent, but having some general concept of "forgot password"/"forgot username" would be important to end users in many cases. There are three cases I can see depending on backend: directly provide a password reset mechanism where possible; provide instructions for password reset (configured by system admin) where there is an external process in place; return Not Implemented when neither previous case is satisfied. I'm not saying this *must* appear in this API spec, but it's worth mentioning.

Ha! Easiest one of all! For the back-ends that implement that functionality, password updates are doable using a PATCH request on the User resource, handing in a new password. Or at least that's the intention. If PATCH is not supported by the Auth backend, that will simply return a 501 Not Implemented.

-joe
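Gabriel's second point, that "anyone who's got that permission anywhere has that permission everywhere" is broken, and Joe's answer, a Keystone-specific administrator role plus a recommended set of policy.json files, come down to how the rules are written. What follows is an added example, not Keystone's policy engine or any of the blueprint's files: a small evaluator for the subset of the policy.json rule language used here (or/and, rule:, role:, attribute:literal and attribute:%(target.path)s) together with constructed rules and credentials. It shows an admin role scoped to domain A being refused on domain B, and only the Keystone-wide admin being allowed to create domains. The rule names, the "admin_domain_id" literal and the credential dicts are assumptions made for the example.

```python
"""Domain-scoped authorisation in the style of Keystone's policy.json.
Added example, not Keystone's policy engine: the rule subset, the rules and
the credentials below are constructed for illustration.
"""
import re

# Constructed rules in policy.json syntax.  "admin_domain_id" is a literal the
# deployer would replace with the real ID of the domain that owns Keystone.
RULES = {
    "admin_required": "role:admin",
    "cloud_admin": "rule:admin_required and domain_id:admin_domain_id",
    "domain_admin": "rule:admin_required and domain_id:%(target.domain.id)s",
    "identity:create_domain": "rule:cloud_admin",
    "identity:update_domain": "rule:cloud_admin or rule:domain_admin",
    "identity:create_project": "rule:cloud_admin or rule:domain_admin",
    "identity:list_domains": "rule:admin_required",
}

_SUBST = re.compile(r"^%\((.+)\)s$")   # matches %(target.domain.id)s


def _lookup(target, dotted):
    """Walk a dotted path such as 'target.domain.id' through nested dicts."""
    cur = target
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def _check(atom, target, creds, depth):
    atom = atom.strip()
    if atom == "@":          # always allow
        return True
    if atom == "!":          # always deny
        return False
    kind, _, match = atom.partition(":")
    if kind == "rule":
        # An unknown rule name evaluates as "!" (default deny).
        return _evaluate(RULES.get(match, "!"), target, creds, depth + 1)
    if kind == "role":
        return match in creds.get("roles", ())
    m = _SUBST.match(match)
    if m:
        expected = _lookup(target, m.group(1))
        # A missing target attribute must never match a missing credential
        # attribute: letting None == None through would be a bypass.
        return expected is not None and kind in creds and str(creds[kind]) == str(expected)
    return kind in creds and str(creds[kind]) == match


def _evaluate(expr, target, creds, depth=0):
    if depth > 10:
        raise ValueError("rule recursion too deep: %r" % expr)
    # 'or' binds loosest, 'and' tighter; this subset has no parentheses.
    return any(all(_check(atom, target, creds, depth) for atom in conj.split(" and "))
               for conj in expr.split(" or "))


def enforce(action, target, creds):
    """True if creds may perform action on target; unknown actions are denied."""
    if action not in RULES:
        return False
    return _evaluate(RULES[action], target, creds)


# Constructed credentials: a domain admin, a plain member and the Keystone-wide admin.
DOMAIN_A_ADMIN = {"user_id": "alice", "roles": ["admin"], "domain_id": "domA"}
DOMAIN_B_MEMBER = {"user_id": "bob", "roles": ["member"], "domain_id": "domB"}
CLOUD_ADMIN = {"user_id": "root", "roles": ["admin"], "domain_id": "admin_domain_id"}


def domain_target(domain_id):
    """Target dict in the shape the %(target.domain.id)s substitution expects."""
    return {"target": {"domain": {"id": domain_id}}}


if __name__ == "__main__":
    for who, creds in (("alice", DOMAIN_A_ADMIN), ("bob", DOMAIN_B_MEMBER), ("root", CLOUD_ADMIN)):
        for dom in ("domA", "domB"):
            print(who, "update", dom, enforce("identity:update_domain", domain_target(dom), creds))
        print(who, "create_domain", enforce("identity:create_domain", {}, creds))
```

The two checks that matter for least privilege are the ones that deny: alice's admin role is tied to her token's domain_id and so does nothing against domB, and a request that arrives without a target domain is refused rather than matched against an absent credential attribute.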
Re: [Openstack] Keystone API V3 - draft 2 now available
Hi Joe,

I added lots of comments on the google doc. I think most of them reinforce the existing design decisions. That said, there are a few high-level issues I'd like to ask for discussion on:

1. This API features no differentiation between the admin API and the regular API as it exists currently; I assume this is due to the new policy engine. Am I correct, and does that mean that Keystone will no longer be using the admin port (35357)?

2. User roles on domains solves the issue of who has the power to manage tenants, but that then begs the question who has the power to manage domains? The same question applies to services and policies. Anything that is not scoped to the domain still falls into a grey area, and the previous answer of "anyone who's got that permission anywhere has that permission everywhere" strikes me as massively broken.

3. On an API level, I'd like to see this API be the first to support a parameter on all GET requests that causes that request to not only return the serialization of that single object, but all the related objects as well. For example, the GET /tenant/tenant_id call by default would have a domain_id attribute, but with this flag it would have a domain attribute containing the entire serialized domain object. As for the name of this flag, I don't feel strongly. Django calls this concept select_related, sqlalchemy calls it eagerload. We could pick whatever we like here, but I'll be asking for this in Nova, et al.'s APIs going forward too.

4. In the "you probably don't even want to touch it" category: have you given any thought to password reset functionality? Obviously it's backend dependent, but having some general concept of forgot password/forgot username would be important to end users in many cases. There are three cases I can see depending on backend: directly provide a password reset mechanism where possible; provide instructions for password reset (configured by system admin) where there is an external process in place; return Not Implemented when neither previous case is satisfied. I'm not saying this *must* appear in this API spec, but it's worth mentioning.

Thanks for all the work on this. It's really looking great!

- Gabriel

From: openstack-bounces+gabriel.hurley=nebula@lists.launchpad.net [mailto:openstack-bounces+gabriel.hurley=nebula@lists.launchpad.net] On Behalf Of Joseph Heck
Sent: Sunday, June 17, 2012 3:09 PM
To: openstack@lists.launchpad.net
Subject: [Openstack] Keystone API V3 - draft 2 now available

Draft 2 of the V3 Core Keystone API is now available for comment:
https://docs.google.com/document/d/1_TkawQIa52eSBfS4pv_nx1SJeoBghIlGVZsRJJynKAM/edit

In this revision, I've
* updated the token structure a bit - to match the new resources
* changed how the associations of user-tenant through a role are enabled (POST instead of PUT)
* put in detailed examples of responses to every call

The general format of this documentation roughly follows the developer documentation at developer.github.com, which I thought had a pretty good model of showing how to use the APIs and describing the relevant pieces. There's a lot of cut and paste in there, so if something seems obviously wrong, it probably is ... please make a comment on the google doc and let me know.

This document is far more structured and complete, and contains sufficient detail for those excited about WADLs and XSDs and such to create relevant mappings.

Feedback needed please, comment away!

-joe
[Openstack] Keystone API V3 - draft 2 now available
Draft 2 of the V3 Core Keystone API is now available for comment:
https://docs.google.com/document/d/1_TkawQIa52eSBfS4pv_nx1SJeoBghIlGVZsRJJynKAM/edit

In this revision, I've
* updated the token structure a bit - to match the new resources
* changed how the associations of user-tenant through a role are enabled (POST instead of PUT)
* put in detailed examples of responses to every call

The general format of this documentation roughly follows the developer documentation at developer.github.com, which I thought had a pretty good model of showing how to use the APIs and describing the relevant pieces. There's a lot of cut and paste in there, so if something seems obviously wrong, it probably is ... please make a comment on the google doc and let me know.

This document is far more structured and complete, and contains sufficient detail for those excited about WADLs and XSDs and such to create relevant mappings.

Feedback needed please, comment away!

-joe
Re: [Openstack] Keystone API question
Replied inline.

On Thu, May 3, 2012 at 3:23 PM, Luis Gervaso <l...@woorea.es> wrote:
> Yes, this is the real issue.
>
> Since /tenants is only valid for the current user (that's X-Auth-Token dependent)

Correct.

> How can an administrator user list all the tenants a user belongs to?

In the current API, I'm only aware of the opposite call: GET /tenants/{tenant_id}/users

> Another issue I've detected is that endpoints are always dependent on a service. Maybe I'm wrong, but for me:
>
> /service/{service_id}/endpoints
>
> is more appropriate than
>
> /endpoints

We had a brief discussion on this topic at the summit in the v.NEXT API talk, and Joseph Heck followed up with an email on the list regarding use cases of the service catalog: http://www.mail-archive.com/openstack@lists.launchpad.net/msg10194.html

I think the direction of that discussion should answer your question :)

> Dolph, please correct me
>
> Luis

-Dolph
Re: [Openstack] Keystone API question
Hi Luis,

I'm digging around in the Keystone code right now and helping answer your questions is helping me learn the code base. Keep 'em coming!

Anyway, from what I can tell, you're correct that there's no general way to get all of the tenants that a user belongs to in the current high level API. However, there is already support for exactly this feature in the lower level API. In [1] you'll see that the Driver object has the method get_tenants_for_user. This method is implemented in all of the backends in [2] so there's support for it everywhere, it just hasn't been exposed in the high level API.

Looking closer at [1] we see the comment,

    # NOTE(termie): seven calls below should probably be exposed by the api
    # more clearly when the api redesign happens

which includes the method get_tenants_for_user. Looks like it's just a matter of adding this method to one of the Routers to make it available in the REST API.

My advice to you is to track down termie and find out what the story is with the API redesign he mentions. Of course, you could always propose a blueprint to [3] and make the method available yourself ;)

Hope this helps,
Everett

[1] https://github.com/openstack/keystone/blob/master/keystone/identity/core.py
[2] https://github.com/openstack/keystone/tree/master/keystone/identity/backends
[3] https://blueprints.launchpad.net/keystone

On Thu, May 3, 2012 at 5:27 PM, Luis Gervaso <l...@woorea.es> wrote:
> From the admin port I want to list the tenants a user (different from the current user) belongs to.
>
> On Fri, May 4, 2012 at 1:24 AM, Gabriel Hurley <gabriel.hur...@nebula.com> wrote:
>> On the keystone admin port the tenants call will list all tenants (provided the token corresponds to a user who has admin privileges).
>>
>> - Gabriel
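As an added illustration (example code, not Keystone's own), the sketch below wires the driver call Everett points at into a v2-style router and controller, and also handles the two failure modes discussed in this thread: Dolph's intended HTTP 501 for GET /users/{user_id}/roles, and the AttributeError-driven 500 that Everett reported when a route maps to a controller method that does not exist. All tenants, users, tokens and role names are constructed for the example; the authorization check (the caller may read only their own memberships unless their token carries an "admin" role) is an assumption about policy, not something the thread specifies.

```python
"""Minimal v2-style router/controller exposing the driver's
get_tenants_for_user with an authorization check. Added example; the
data, tokens and the 'admin' policy rule are constructed for illustration."""
import re

# --- constructed sample identity data ---------------------------------
TENANTS = {
    "t-alpha": {"id": "t-alpha", "name": "alpha", "enabled": True},
    "t-beta": {"id": "t-beta", "name": "beta", "enabled": True},
    "t-gamma": {"id": "t-gamma", "name": "gamma", "enabled": True},
}
# (user_id, tenant_id) -> roles granted to that user on that tenant
ASSIGNMENTS = {
    ("u-luis", "t-alpha"): ["Member"],
    ("u-luis", "t-beta"): ["Member", "netadmin"],
    ("u-admin", "t-gamma"): ["admin"],
}
# token -> identity it proves (constructed; real tokens are opaque)
TOKENS = {
    "tok-admin": {"user_id": "u-admin", "roles": ["admin"]},
    "tok-luis": {"user_id": "u-luis", "roles": ["Member"]},
}


class Driver:
    """Stands in for the identity backend: it already answers these
    questions; what the thread says is missing is only the route."""

    def get_tenants_for_user(self, user_id):
        ids = sorted(t for (u, t) in ASSIGNMENTS if u == user_id)
        return [TENANTS[t] for t in ids]

    def get_roles_for_user_and_tenant(self, user_id, tenant_id):
        return list(ASSIGNMENTS.get((user_id, tenant_id), []))


class UserController:
    def __init__(self, driver):
        self.driver = driver

    def _authorize(self, headers, target_user_id):
        """Callers may read their own memberships; anyone else's requires
        the admin role. Returns an (status, body) error or None."""
        ident = TOKENS.get(headers.get("X-Auth-Token", ""))
        if ident is None:
            return 401, {"error": "Unauthorized"}
        if ident["user_id"] != target_user_id and "admin" not in ident["roles"]:
            return 403, {"error": "Forbidden"}
        return None

    def get_user_tenants(self, headers, user_id):
        denied = self._authorize(headers, user_id)
        if denied:
            return denied
        body = []
        for tenant in self.driver.get_tenants_for_user(user_id):
            roles = self.driver.get_roles_for_user_and_tenant(user_id, tenant["id"])
            body.append(dict(tenant, roles=roles))  # roles per tenant, as requested
        return 200, {"tenants": body}

    def get_user_roles(self, headers, user_id):
        # Essex semantics: a role only exists relative to a tenant.
        return 501, {"error": "User roles not supported: tenant ID required"}

    def get_tenant_user_roles(self, headers, tenant_id, user_id):
        denied = self._authorize(headers, user_id)
        if denied:
            return denied
        if tenant_id not in TENANTS:
            return 404, {"error": "Could not find tenant"}
        roles = self.driver.get_roles_for_user_and_tenant(user_id, tenant_id)
        return 200, {"roles": roles}


ROUTES = [
    ("GET", re.compile(r"^/v2\.0/users/(?P<user_id>[^/]+)/tenants$"), "get_user_tenants"),
    ("GET", re.compile(r"^/v2\.0/users/(?P<user_id>[^/]+)/roles$"), "get_user_roles"),
    ("GET", re.compile(r"^/v2\.0/tenants/(?P<tenant_id>[^/]+)/users/(?P<user_id>[^/]+)/roles$"),
     "get_tenant_user_roles"),
    # A route whose action was never implemented on the controller.
    ("GET", re.compile(r"^/v2\.0/users/(?P<user_id>[^/]+)/roleRefs$"), "get_user_role_refs"),
]

CONTROLLER = UserController(Driver())


def dispatch(method, path, headers):
    """Route one request. A route bound to a missing controller method
    returns a clean 501 instead of letting an AttributeError become a 500
    whose body is a full traceback."""
    for route_method, pattern, action in ROUTES:
        match = pattern.match(path)
        if route_method != method or match is None:
            continue
        handler = getattr(CONTROLLER, action, None)
        if handler is None:
            return 501, {"error": "Not Implemented"}
        return handler(headers, **match.groupdict())
    return 404, {"error": "Not Found"}
```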
Re: [Openstack] Keystone API question
Hi Everett,

I just uploaded a video showing all the issues I found: http://youtu.be/TXw7h9Kl-Ow

As you can see, I can't drill down to role-related info from a user if I haven't selected a tenant or the user does not have a default tenantId.

For administrative tasks it would be useful to list tenants by userId (not only from X-Auth-Token), so I hope this gets included in the ws api sooner or later ;)

Note: This is using OpenStack Java SDK

On Fri, May 4, 2012 at 6:51 PM, Everett Toews <everett.to...@cybera.ca> wrote:
> Hi Luis,
>
> I'm digging around in the Keystone code right now and helping answer your questions is helping me learn the code base. Keep 'em coming!
>
> Anyway, from what I can tell, you're correct that there's no general way to get all of the tenants that a user belongs to in the current high level API. However, there is already support for exactly this feature in the lower level API. In [1] you'll see that the Driver object has the method get_tenants_for_user. This method is implemented in all of the backends in [2] so there's support for it everywhere, it just hasn't been exposed in the high level API.
>
> Looking closer at [1] we see the comment,
>
>     # NOTE(termie): seven calls below should probably be exposed by the api
>     # more clearly when the api redesign happens
>
> which includes the method get_tenants_for_user. Looks like it's just a matter of adding this method to one of the Routers to make it available in the REST API.
>
> My advice to you is to track down termie and find out what the story is with the API redesign he mentions. Of course, you could always propose a blueprint to [3] and make the method available yourself ;)
>
> Hope this helps,
> Everett
>
> [1] https://github.com/openstack/keystone/blob/master/keystone/identity/core.py
> [2] https://github.com/openstack/keystone/tree/master/keystone/identity/backends
> [3] https://blueprints.launchpad.net/keystone
Re: [Openstack] Keystone API question
On 05/03/2012 12:06 AM, Luis Gervaso wrote:
> This is what I get.
>
> 1 > GET http://192.168.1.41:35357/v2.0/users/ef1e63df85b641d7bf3c575bb8670cef/roles
> 1 > X-Auth-Token: secret0
> 2012-05-03 00:03:55,337 [http-bio-8080-exec-10] INFO api.identity - 2 * LoggingFilter - Response received on thread http-bio-8080-exec-10
> 2 < 500
> 2 < Connection: close
> 2 < Content-Length: 5500
> 2 < Content-Type: text/plain
> 2 < Date: Mon, 26 Mar 2012 06:39:34 GMT
>
> Traceback (most recent call last):
>   File "/usr/lib/python2.7/dist-packages/eventlet/wsgi.py", line 336, in handle_one_response
>     result = self.application(self.environ, start_response)
>   File "/usr/lib/python2.7/dist-packages/paste/urlmap.py", line 203, in __call__
>     return app(environ, start_response)
>   File "/usr/lib/python2.7/dist-packages/webob/dec.py", line 147, in __call__
>     resp = self.call_func(req, *args, **self.kwargs)
>   File "/usr/lib/python2.7/dist-packages/webob/dec.py", line 208, in call_func
>     return self.func(req, *args, **kwargs)
>   File "/opt/stack/keystone/keystone/common/wsgi.py", line 299, in __call__
>     response = request.get_response(self.application)
>   File "/usr/lib/python2.7/dist-packages/webob/request.py", line 1053, in get_response
>     application, catch_exc_info=False)
>   File "/usr/lib/python2.7/dist-packages/webob/request.py", line 1022, in call_application
>     app_iter = application(self.environ, start_response)
>   File "/usr/lib/python2.7/dist-packages/webob/dec.py", line 147, in __call__
>     resp = self.call_func(req, *args, **self.kwargs)
>   File "/usr/lib/python2.7/dist-packages/webob/dec.py", line 208, in call_func
>     return self.func(req, *args, **kwargs)
>   File "/opt/stack/keystone/keystone/common/wsgi.py", line 299, in __call__
>     response = request.get_response(self.application)
>   File "/usr/lib/python2.7/dist-packages/webob/request.py", line 1053, in get_response
>     application, catch_exc_info=False)
>   File "/usr/lib/python2.7/dist-packages/webob/request.py", line 1022, in call_application
>     app_iter = application(self.environ, start_response)
>   File "/usr/lib/python2.7/dist-packages/webob/dec.py", line 147, in __call__
>     resp = self.call_func(req, *args, **self.kwargs)
>   File "/usr/lib/python2.7/dist-packages/webob/dec.py", line 208, in call_func
>     return self.func(req, *args, **kwargs)
>   File "/opt/stack/keystone/keystone/common/wsgi.py", line 299, in __call__
>     response = request.get_response(self.application)
>   File "/usr/lib/python2.7/dist-packages/webob/request.py", line 1053, in get_response
>     application, catch_exc_info=False)
>   File "/usr/lib/python2.7/dist-packages/webob/request.py", line 1022, in call_application
>     app_iter = application(self.environ, start_response)
>   File "/usr/lib/python2.7/dist-packages/webob/dec.py", line 147, in __call__
>     resp = self.call_func(req, *args, **self.kwargs)
>   File "/usr/lib/python2.7/dist-packages/webob/dec.py", line 208, in call_func
>     return self.func(req, *args, **kwargs)
>   File "/opt/stack/keystone/keystone/common/wsgi.py", line 299, in __call__
>     response = request.get_response(self.application)
>   File "/usr/lib/python2.7/dist-packages/webob/request.py", line 1053, in get_response
>     application, catch_exc_info=False)
>   File "/usr/lib/python2.7/dist-packages/webob/request.py", line 1022, in call_application
>     app_iter = application(self.environ, start_response)
>   File "/usr/lib/python2.7/dist-packages/webob/dec.py", line 147, in __call__
>     resp = self.call_func(req, *args, **self.kwargs)
>   File "/usr/lib/python2.7/dist-packages/webob/dec.py", line 208, in call_func
>     return self.func(req, *args, **kwargs)
>   File "/opt/stack/keystone/keystone/common/wsgi.py", line 322, in __call__
>     resp = req.get_response(self.application)
>   File "/usr/lib/python2.7/dist-packages/webob/request.py", line 1053, in get_response
>     application, catch_exc_info=False)
>   File "/usr/lib/python2.7/dist-packages/webob/request.py", line 1022, in call_application
>     app_iter = application(self.environ, start_response)
>   File "/usr/lib/python2.7/dist-packages/webob/dec.py", line 159, in __call__
>     return resp(environ, start_response)
>   File "/usr/lib/pymodules/python2.7/routes/middleware.py", line 131, in __call__
>     response = self.app(environ, start_response)
>   File "/usr/lib/python2.7/dist-packages/webob/dec.py", line 159, in __call__
>     return resp(environ, start_response)
>   File "/usr/lib/python2.7/dist-packages/webob/dec.py", line 159, in __call__
>     return resp(environ, start_response)
>   File "/usr/lib/pymodules/python2.7/routes/middleware.py", line 131, in __call__
>     response = self.app(environ, start_response)
>   File "/usr/lib/python2.7/dist-packages/webob/dec.py", line 159, in __call__
>     return resp(environ, start_response)
>   File "/usr/lib/python2.7/dist-packages/webob/dec.py", line 159, in __call__
>     return resp(environ, start_response)
>   File "/usr/lib/pymodules/python2.7/routes/middleware.py", line 131, in __call__
>     response = self.app(environ,
Re: [Openstack] Keystone API question
The philosophy in essex is that it's meaningless for a user to have a role without that role being applied to a tenant, so the call that's implemented is:

GET /tenants/{tenant_id}/users/{user_id}/roles

Calling this instead should get you an HTTP 501 stating "User roles not supported: tenant ID required":

GET /users/{user_id}/roles

Also, the term roleRefs was deprecated late in the diablo cycle (AFAIK) in favor of roles.

-Dolph

On Wed, May 2, 2012 at 3:44 PM, Luis Gervaso <l...@woorea.es> wrote:
> Hi,
>
> In Diablo it was:
>
> GET /users/{user_id}/roleRefs
>
> In Essex it is maintained for compatibility reasons. I understand that this is obsolete now.
>
> I can find:
>
> PUT DELETE /users/{user_id}/roles/OS-KSADM/{role_id}
>
> How can I get all the roles for a user_id?
>
> GET /users/{user_id}/roles (I can't find this on stable/essex)
>
> Returning role list with tenant associated
>
> Another option that would work for me is:
>
> GET /users/{user_id}/tenants
>
> Returning tenant list with role list associated per tenant
>
> When I GET /user/{user_id} I obtain only this info
>
> {"user": {"name": "admin", "enabled": true, "email": "ad...@example.com", "id": "ef1e63df85b641d7bf3c575bb8670cef", "tenantId": null}}
>
> Regards
>
> --
> Luis Alberto Gervaso Martin
> Woorea Solutions, S.L
> CEO CTO
Re: [Openstack] Keystone API question
I get the same as Luis when trying GET /users/{user_id}/roles on stable/essex (using devstack). Keystone spits back an

AttributeError: 'UserController' object has no attribute 'get_user_roles'

message instead of a nice 501.

GET /tenants/{tenant_id}/users/{user_id}/roles works fine. For a bit more detail have a look at

http://docs.openstack.org/api/openstack-identity-service/2.0/content/GET_listRolesForUserOnTenant_v2.0_tenants__tenantId__users__user_id__roles_Admin_API_Service_Developer_Operations-d1e1356.html

Everett

On Thu, May 3, 2012 at 9:34 AM, Dolph Mathews <dolph.math...@gmail.com> wrote:
> The philosophy in essex is that it's meaningless for a user to have a role without that role being applied to a tenant, so the call that's implemented is:
>
> GET /tenants/{tenant_id}/users/{user_id}/roles
>
> Calling this instead should get you an HTTP 501 stating "User roles not supported: tenant ID required":
>
> GET /users/{user_id}/roles
>
> Also, the term roleRefs was deprecated late in the diablo cycle (AFAIK) in favor of roles.
>
> -Dolph
Re: [Openstack] Keystone API question
Yes, this is the real issue.

Since /tenants is only valid for the current user (that's X-Auth-Token dependent)

How can an administrator user list all the tenants a user belongs to?

Another issue I've detected is that endpoints are always dependent on a service. Maybe I'm wrong, but for me:

/service/{service_id}/endpoints

is more appropriate than

/endpoints

Dolph, please correct me

Luis

On Thu, May 3, 2012 at 10:12 PM, Everett Toews <everett.to...@cybera.ca> wrote:
> I get the same as Luis when trying GET /users/{user_id}/roles on stable/essex (using devstack). Keystone spits back an
>
> AttributeError: 'UserController' object has no attribute 'get_user_roles'
>
> message instead of a nice 501.
>
> GET /tenants/{tenant_id}/users/{user_id}/roles works fine. For a bit more detail have a look at
>
> http://docs.openstack.org/api/openstack-identity-service/2.0/content/GET_listRolesForUserOnTenant_v2.0_tenants__tenantId__users__user_id__roles_Admin_API_Service_Developer_Operations-d1e1356.html
>
> Everett
Re: [Openstack] Keystone API question
On the keystone admin port the tenants call will list all tenants (provided the token corresponds to a user who has admin privileges).

- Gabriel

From: openstack-bounces+gabriel.hurley=nebula@lists.launchpad.net [mailto:openstack-bounces+gabriel.hurley=nebula@lists.launchpad.net] On Behalf Of Luis Gervaso
Sent: Thursday, May 03, 2012 1:24 PM
To: Everett Toews
Cc: openstack@lists.launchpad.net
Subject: Re: [Openstack] Keystone API question

> Yes, this is the real issue.
>
> Since /tenants is only valid for the current user (that's X-Auth-Token dependent)
>
> How can an administrator user list all the tenants a user belongs to?
>
> Another issue I've detected is that endpoints are always dependent on a service. Maybe I'm wrong, but for me:
>
> /service/{service_id}/endpoints
>
> is more appropriate than
>
> /endpoints
>
> Dolph, please correct me
>
> Luis
Re: [Openstack] Keystone API question
From the admin port I want to list the tenants a user (different from the current user) belongs to.

On Fri, May 4, 2012 at 1:24 AM, Gabriel Hurley gabriel.hur...@nebula.com wrote:

On the keystone admin port the tenants call will list all tenants (provided the token corresponds to a user who has admin privileges).

- Gabriel

From: openstack-bounces+gabriel.hurley=nebula@lists.launchpad.net [mailto:openstack-bounces+gabriel.hurley=nebula@lists.launchpad.net] On Behalf Of Luis Gervaso
Sent: Thursday, May 03, 2012 1:24 PM
To: Everett Toews
Cc: openstack@lists.launchpad.net
Subject: Re: [Openstack] Keystone API question

Yes, this is the real issue.

Since /tenants is only valid for the current user (that's X-Auth-Token dependent), how can an administrator user list all the tenants a user belongs to?

Another issue I've detected is that endpoints are always dependent on a service. Maybe I'm wrong, but for me:

/service/{service_id}/endpoints

is more appropriate than

/endpoints

Dolph, please correct me.

Luis

On Thu, May 3, 2012 at 10:12 PM, Everett Toews everett.to...@cybera.ca wrote:

I get the same as Luis when trying GET /users/{user_id}/roles on stable/essex (using devstack). Keystone spits back an

AttributeError: 'UserController' object has no attribute 'get_user_roles'

message instead of a nice 501.

GET /tenants/{tenant_id}/users/{user_id}/roles works fine.

For a bit more detail have a look at

http://docs.openstack.org/api/openstack-identity-service/2.0/content/GET_listRolesForUserOnTenant_v2.0_tenants__tenantId__users__user_id__roles_Admin_API_Service_Developer_Operations-d1e1356.html

Everett

On Thu, May 3, 2012 at 9:34 AM, Dolph Mathews dolph.math...@gmail.com wrote:

The philosophy in essex is that it's meaningless for a user to have a role without that role being applied to a tenant, so the call that's implemented is:

GET /tenants/{tenant_id}/users/{user_id}/roles

Calling this instead should get you an HTTP 501 stating "User roles not supported: tenant ID required":

GET /users/{user_id}/roles

Also, the term roleRefs was deprecated late in the diablo cycle (AFAIK) in favor of roles.

-Dolph

On Wed, May 2, 2012 at 3:44 PM, Luis Gervaso l...@woorea.es wrote:

Hi,

In Diablo it was:

GET /users/{user_id}/roleRefs

In Essex it is maintained for compatibility reasons. I understand that this is obsolete now.

I can find:

PUT/DELETE /users/{user_id}/roles/OS-KSADM/{role_id}

How can I get all the roles having a user_id?

GET /users/{user_id}/roles (I can't find this on stable/essex)

Returning a role list with the tenant associated.

Another option that would work for me is:

GET /users/{user_id}/tenants

Returning a tenant list with the role list associated per tenant.

When I GET /user/{user_id} I obtain only this info:

{"user": {"name": "admin", "enabled": true, "email": "ad...@example.com", "id": "ef1e63df85b641d7bf3c575bb8670cef", "tenantId": null}}

Regards

--
Luis Alberto Gervaso Martin
Woorea Solutions, S.L
CEO CTO
mobile: (+34) 627983344
luis@ luis.gerv...@gmail.comwoorea.es

___
Mailing list: https://launchpad.net/~openstack
Post to : openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help : https://help.launchpad.net/ListHelp
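The workaround the thread converges on (there is no /users/{user_id}/tenants route; roles are only exposed per tenant) can be composed from the two admin-port calls that do exist. This is an added example, not code from the thread or from Keystone; it assumes an injected get_json(path) callable carrying an admin token, and the fake_admin_api stand-in and its ids are constructed.

```python
"""Added example, not code from the thread or from Keystone: list every
tenant a given user holds a role in, using only the v2 admin-port routes the
thread confirms exist: GET /tenants and
GET /tenants/{tenant_id}/users/{user_id}/roles.
The HTTP layer is injected as get_json(path) so the example runs offline."""
from typing import Callable, Dict, List

Fetcher = Callable[[str], dict]   # assumption: get_json(path) -> parsed JSON body


def tenants_for_user(get_json: Fetcher, user_id: str) -> Dict[str, List[str]]:
    """Return {tenant_id: [role names]} for each tenant where the user has a role.

    Needs an admin token (the tenants call lists all tenants only then) and
    costs one request per tenant, which is why the thread wants a direct route.
    """
    found: Dict[str, List[str]] = {}
    for tenant in get_json("/v2.0/tenants").get("tenants", []):
        body = get_json(f"/v2.0/tenants/{tenant['id']}/users/{user_id}/roles")
        roles = [r["name"] for r in body.get("roles", [])]
        if roles:
            found[tenant["id"]] = roles
    return found


# Constructed stand-in for the admin endpoint (port 35357); tenant ids and
# role names are made up, except the user id, which is the one in the thread.
SAMPLE_USER = "ef1e63df85b641d7bf3c575bb8670cef"
SAMPLE_ROLES = {"t-admin": ["admin"], "t-demo": ["Member"], "t-empty": []}


def fake_admin_api(path: str) -> dict:
    parts = path.split("/")
    if path == "/v2.0/tenants":
        return {"tenants": [{"id": t, "name": t, "enabled": True}
                            for t in SAMPLE_ROLES]}
    # /v2.0/tenants/{tid}/users/{uid}/roles -> {"roles": [{"id", "name"}, ...]}
    if len(parts) == 7 and parts[2:5:2] == ["tenants", "users"] and parts[6] == "roles":
        tid, uid = parts[3], parts[5]
        names = SAMPLE_ROLES.get(tid, []) if uid == SAMPLE_USER else []
        return {"roles": [{"id": f"r-{n}", "name": n} for n in names]}
    raise ValueError(f"unexpected path: {path}")


if __name__ == "__main__":
    print(tenants_for_user(fake_admin_api, SAMPLE_USER))
```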
[Openstack] Keystone API question
Hi,

In Diablo it was:

GET /users/{user_id}/roleRefs

In Essex it is maintained for compatibility reasons. I understand that this is obsolete now.

I can find:

PUT/DELETE /users/{user_id}/roles/OS-KSADM/{role_id}

How can I get all the roles having a user_id?

GET /users/{user_id}/roles (I can't find this on stable/essex)

Returning a role list with the tenant associated.

Another option that would work for me is:

GET /users/{user_id}/tenants

Returning a tenant list with the role list associated per tenant.

When I GET /user/{user_id} I obtain only this info:

{"user": {"name": "admin", "enabled": true, "email": "ad...@example.com", "id": "ef1e63df85b641d7bf3c575bb8670cef", "tenantId": null}}

Regards

--
Luis Alberto Gervaso Martin
Woorea Solutions, S.L
CEO CTO
mobile: (+34) 627983344
luis@ luis.gerv...@gmail.comwoorea.es
Re: [Openstack] Keystone API question
This is what I get.

1 GET http://192.168.1.41:35357/v2.0/users/ef1e63df85b641d7bf3c575bb8670cef/roles
1 X-Auth-Token: secret0
2012-05-03 00:03:55,337 [http-bio-8080-exec-10] INFO api.identity - 2 * LoggingFilter - Response received on thread http-bio-8080-exec-10
2 500
2 Connection: close
2 Content-Length: 5500
2 Content-Type: text/plain
2 Date: Mon, 26 Mar 2012 06:39:34 GMT
Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/eventlet/wsgi.py", line 336, in handle_one_response
    result = self.application(self.environ, start_response)
  File "/usr/lib/python2.7/dist-packages/paste/urlmap.py", line 203, in __call__
    return app(environ, start_response)
  File "/usr/lib/python2.7/dist-packages/webob/dec.py", line 147, in __call__
    resp = self.call_func(req, *args, **self.kwargs)
  File "/usr/lib/python2.7/dist-packages/webob/dec.py", line 208, in call_func
    return self.func(req, *args, **kwargs)
  File "/opt/stack/keystone/keystone/common/wsgi.py", line 299, in __call__
    response = request.get_response(self.application)
  File "/usr/lib/python2.7/dist-packages/webob/request.py", line 1053, in get_response
    application, catch_exc_info=False)
  File "/usr/lib/python2.7/dist-packages/webob/request.py", line 1022, in call_application
    app_iter = application(self.environ, start_response)
  File "/usr/lib/python2.7/dist-packages/webob/dec.py", line 147, in __call__
    resp = self.call_func(req, *args, **self.kwargs)
  File "/usr/lib/python2.7/dist-packages/webob/dec.py", line 208, in call_func
    return self.func(req, *args, **kwargs)
  File "/opt/stack/keystone/keystone/common/wsgi.py", line 299, in __call__
    response = request.get_response(self.application)
  File "/usr/lib/python2.7/dist-packages/webob/request.py", line 1053, in get_response
    application, catch_exc_info=False)
  File "/usr/lib/python2.7/dist-packages/webob/request.py", line 1022, in call_application
    app_iter = application(self.environ, start_response)
  File "/usr/lib/python2.7/dist-packages/webob/dec.py", line 147, in __call__
    resp = self.call_func(req, *args, **self.kwargs)
  File "/usr/lib/python2.7/dist-packages/webob/dec.py", line 208, in call_func
    return self.func(req, *args, **kwargs)
  File "/opt/stack/keystone/keystone/common/wsgi.py", line 299, in __call__
    response = request.get_response(self.application)
  File "/usr/lib/python2.7/dist-packages/webob/request.py", line 1053, in get_response
    application, catch_exc_info=False)
  File "/usr/lib/python2.7/dist-packages/webob/request.py", line 1022, in call_application
    app_iter = application(self.environ, start_response)
  File "/usr/lib/python2.7/dist-packages/webob/dec.py", line 147, in __call__
    resp = self.call_func(req, *args, **self.kwargs)
  File "/usr/lib/python2.7/dist-packages/webob/dec.py", line 208, in call_func
    return self.func(req, *args, **kwargs)
  File "/opt/stack/keystone/keystone/common/wsgi.py", line 299, in __call__
    response = request.get_response(self.application)
  File "/usr/lib/python2.7/dist-packages/webob/request.py", line 1053, in get_response
    application, catch_exc_info=False)
  File "/usr/lib/python2.7/dist-packages/webob/request.py", line 1022, in call_application
    app_iter = application(self.environ, start_response)
  File "/usr/lib/python2.7/dist-packages/webob/dec.py", line 147, in __call__
    resp = self.call_func(req, *args, **self.kwargs)
  File "/usr/lib/python2.7/dist-packages/webob/dec.py", line 208, in call_func
    return self.func(req, *args, **kwargs)
  File "/opt/stack/keystone/keystone/common/wsgi.py", line 322, in __call__
    resp = req.get_response(self.application)
  File "/usr/lib/python2.7/dist-packages/webob/request.py", line 1053, in get_response
    application, catch_exc_info=False)
  File "/usr/lib/python2.7/dist-packages/webob/request.py", line 1022, in call_application
    app_iter = application(self.environ, start_response)
  File "/usr/lib/python2.7/dist-packages/webob/dec.py", line 159, in __call__
    return resp(environ, start_response)
  File "/usr/lib/pymodules/python2.7/routes/middleware.py", line 131, in __call__
    response = self.app(environ, start_response)
  File "/usr/lib/python2.7/dist-packages/webob/dec.py", line 159, in __call__
    return resp(environ, start_response)
  File "/usr/lib/python2.7/dist-packages/webob/dec.py", line 159, in __call__
    return resp(environ, start_response)
  File "/usr/lib/pymodules/python2.7/routes/middleware.py", line 131, in __call__
    response = self.app(environ, start_response)
  File "/usr/lib/python2.7/dist-packages/webob/dec.py", line 159, in __call__
    return resp(environ, start_response)
  File "/usr/lib/python2.7/dist-packages/webob/dec.py", line 159, in __call__
    return resp(environ, start_response)
  File "/usr/lib/pymodules/python2.7/routes/middleware.py", line 131, in __call__
    response = self.app(environ, start_response)
  File "/usr/lib/python2.7/dist-packages/webob/dec.py", line 159, in __call__
    return resp(environ,
Re: [Openstack] Keystone API Design Issues
Hi Paul - thank you for the good feedback. I'm going to address your points individually below, but before that I want to set some context and address some of your broader concerns.

The 2.0 API for Keystone is released and multiple implementers are already working on it (in fact, we at Rackspace have just released ours). There were many calls for comments on the API throughout the year, but we locked down the spec finally in September to try to deliver an implementation in time for Diablo. The focus for Essex, as voiced by the community in the summit in Boston, is on maturing the OpenStack implementation and adding some extensions like role based access control (RBAC). Therefore, there is not much of a discussion going right now about the next version of the API (although this could be it starting!). So the silence is not the symptom of a closed discussion, but the absence of one at this time.

See below...

On 11/23/11 4:21 PM, Paul Querna pque...@apache.org wrote:

Hello Y'all,

I'm writing the list with some of my thoughts as a user of the Keystone 2.0 API. Generally, I believe the API is too complicated, has too many 'hacks' for backwards compatibility put into the wrong places, and pushes too much logic into consumers and service implementers.

My experience with Keystone comes from several separate projects using the API:

1) A new Rackspace Service, not yet publicly announced, which uses the Keystone API to validate tokens. (We wrote our own internal library in Node.js for interacting with Keystone)
2) In Apache Libcloud, I implemented support for the Keystone API, specifically to get tokens for a service like OpenStack Nova, Rackspace Cloud Servers, Load Balancers or Cloud Files.
3) I also work with the team implementing a new Rackspace Control Panel project. This project uses Libcloud for its interaction with Keystone, but has several more use cases beyond simple Username and API Key validation.

Part 1: Specific Issues

A) The Token Validation API is fail deadly, because of support for Tokens without a Tenant ID scope:

http://docs.openstack.org/api/openstack-identity-service/2.0/content/GET_validateToken_v2.0_tokens__tokenId__Admin_API_Service_Developer_Operations-d1e1356.html

When you are implementing a service that needs to validate tokens, you pass in the tenant scope as the belongsTo parameter with the Tenant ID. However, this parameter is optional. If a malicious Tenant Id is passed in, for example if a service doesn't perform sufficient validation, like letting a user pass in a into the tenantId, a token is considered valid for _all_ contexts.

Now, in theory, you should be looking at the roles provided under the user, and the examples given in the OpenStack documentation echo back the validated Tenant ID to you; however in practice, and as seen in production environments, this response body includes a default identity role, and does not echo back the validated Tenant ID.

Tokens without scope are supported by the API - we had requests with use cases for it - but it is not required. In fact, the Rackspace implementation always returns a scoped token. This is one of those examples I think you refer to where we had to keep the spec loose enough to meet the needs of all parties in the discussion and hit the dates we were aiming for. But we are always working on improving things and if you have a suggestion for how to improve this one we're listening. We accept contributions voraciously and have been known to implement other people's good ideas even when they don't come with code :-) In fact, I know at least one $BigCo that is working on a proposal to improve this. But as a user, your input will be weighted highly so feel free to email, blueprint, or submit a proposal.

B) Requiring consumers to pass Tenant IDs around is not a common pattern in other cloud APIs.

A consumer was already keeping track of their username, apikey, and temporal token, and now they essentially need to keep another piece of information around, the Tenant ID. This seems like it is an unneeded variable. For example, Amazon implements AWS Identity and Access Management by changing the API key secret that is used against the API depending on the role of the account -- this hides the abstraction away from both client libraries and validating services -- they still just care about the API key and secret, and do not need to pass around an extra Tenant ID.

This sounds like a concern with the OpenStack implementation and not the API spec. The Keystone API spec doesn't require consumers to pass Tenant IDs around. It even allows for a full implementation without the consumer having to know or manage their tenant IDs. We've done that at Rackspace where you auth with your credentials, get URLs back for the services you have, and then you call those URLs using your token. Granted, the tenant ID (a.k.a account numbers) is embedded in the URL, but this comes from the Rackspace Cloud Servers and Swift API
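Point A above is the security-relevant one in this thread: because belongsTo is optional and an unscoped token validates in every context, a service that validates tokens has to enforce the tenant scope itself. The following is an added example (not code from the thread, from Rackspace or from Keystone) of the two checks a validating service can make: never build the validation URL without a well-formed belongsTo, and only accept a response whose echoed tenant matches the one the request is for. The response shape is the v2 {"access": {"token": ..., "user": ...}} layout; the sample responses, ids and the 32-hex tenant-id format are constructed assumptions.

```python
"""Added example, not code from the thread, Rackspace or Keystone: service-side
checks around GET /tokens/{tokenId}?belongsTo=... so that an unscoped token, or
one scoped to another tenant, is never accepted for this request."""
import re
from typing import Optional
from urllib.parse import quote

# Assumption: tenant ids are 32 hex chars like the one in the thread; adjust to
# the deployment's id format. Anything else never reaches the query string.
TENANT_ID_RE = re.compile(r"\A[0-9a-f]{32}\Z")


def validation_url(base: str, token_id: str, tenant_id: str) -> Optional[str]:
    """Admin-port validation URL with belongsTo always present, or None if the
    caller-supplied tenant id is malformed (so junk never becomes the scope)."""
    if not TENANT_ID_RE.match(tenant_id):
        return None
    return f"{base}/v2.0/tokens/{quote(token_id, safe='')}?belongsTo={tenant_id}"


def scoped_tenant(resp: dict) -> Optional[str]:
    """Tenant id echoed in the validated token, or None for an unscoped token."""
    tenant = resp.get("access", {}).get("token", {}).get("tenant")
    return tenant.get("id") if isinstance(tenant, dict) else None


def token_valid_for(resp: dict, status: int, expected_tenant: str) -> bool:
    """Accept only a 200 whose echoed tenant equals the one this request is for.

    Trusting belongsTo alone is what makes the call fail deadly: if the scope
    it was given was junk, an unscoped token validates for every tenant. The
    echo check closes that gap; a response with no tenant is rejected outright.
    """
    return status == 200 and scoped_tenant(resp) == expected_tenant


# Constructed sample responses (not captured from a real deployment).
DEMO_TENANT = "0123456789abcdef0123456789abcdef"
SCOPED_RESP = {"access": {
    "token": {"id": "tok-1", "expires": "2012-05-04T00:00:00Z",
              "tenant": {"id": DEMO_TENANT, "name": "demo"}},
    "user": {"id": "u-1", "roles": [{"name": "Member"}]}}}
UNSCOPED_RESP = {"access": {
    "token": {"id": "tok-2", "expires": "2012-05-04T00:00:00Z"},
    "user": {"id": "u-1", "roles": [{"name": "identity:default"}]}}}

if __name__ == "__main__":
    print(validation_url("http://keystone:35357", "tok-1", DEMO_TENANT))
    print(token_valid_for(SCOPED_RESP, 200, DEMO_TENANT),    # True
          token_valid_for(UNSCOPED_RESP, 200, DEMO_TENANT))  # False
```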