[Openstack] [Mistral] : Rest API POST v2/execution body

[Sameer Kulkarni]

Hi All,

I have a VM running mistral api server at port 8989 on it. I was trying out
the API's. I was able to do

Request :
[GET] 192.168.56.103:8989/v2/executions

Response :
{
  "executions": [
{
  "state_info": null,
  "created_at": "2017-04-17 08:34:39",
  "description": "",
  "state": "SUCCESS",
  "workflow_name": "my_workflow",
  "task_execution_id": null,
  "updated_at": "2017-04-17 08:34:40",
  "workflow_id": "8104b38b-a493-4b75-b6c5-02f7d7cbe3ba",
  "params": "{}",
  "input": "{\"names\": [\"John\", \"Mistral\", \"Ivan\",
\"Crystal\"]}",
  "id": "ecec10fe-3b7c-4d45-b83d-3f5d9f25fe93"
},
{
  "state_info": null,
  "created_at": "2017-04-17 08:40:12",
  "description": "",
  "state": "SUCCESS",
  "workflow_name": "my_workflow",
  "task_execution_id": null,
  "updated_at": "2017-04-17 08:40:14",
  "workflow_id": "8104b38b-a493-4b75-b6c5-02f7d7cbe3ba",
  "params": "{}",
  "input": "{\"names\": [\"John\", \"Mistral\", \"Ivan\",
\"Crystal\"]}",
  "id": "d01db85d-d627-4a84-b006-a138ec29f207"
},
{
  "state_info": null,
  "created_at": "2017-05-29 08:35:04",
  "description": "",
  "state": "SUCCESS",
  "workflow_name": "my_workflow",
  "task_execution_id": null,
  "updated_at": "2017-05-29 08:35:07",
  "workflow_id": "8104b38b-a493-4b75-b6c5-02f7d7cbe3ba",
  "params": "{}",
  "input": "{\"names\": [\"John\", \"Mistral\", \"Ivan\",
\"Crystal\"]}",
  "id": "389247d6-c9be-40b7-a19b-0c47adaffbc6"
}
  ]
}

Now, I wanted to do [POST] 192.168.56.103:8989/v2/executions.


I don't know what wf_ex parameter is. Can someone suggest me with the
sample POST body for the above API?​


Cheers,
Sameer
___
Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
Post to : openstack@lists.openstack.org
Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack

Re: [Openstack] restrict access for users between domains

[Remo Mattei]

You have to make changes to the policy.json. I had to debug and create new 
roles etc on my env since the admin for the project x can only manage domain x 
and not been able to see anything else. 

Remo

Inviato da iPhone

> Il giorno 29 mag 2017, alle ore 08:09, Volodymyr Litovka  ha 
> scritto:
> 
> Hi friends,
> 
> is there way to define domain's admin and restrict this person to access only 
> his domain?
> 
> At the moment (Ocata release), if I :
> - create domain by 'openstack domain create devtest
> - create user in the domain by 'openstack user create udevtest --domain 
> devtest --password xx
> - create project in the domain by 'openstack project create devmin --domain 
> devtest
> - assign role 'admin' to the user on both the domain and the project:
> * openstack role add admin --user udevtest --domain devtest
> * openstack role add admin --project-domain devtest --project devmin --user 
> udevtest
> 
> then, using user's 'udevtest' credentials:
> 
> OS_REGION_NAME=RegionOne
> OS_DEFAULT_DOMAIN=devtest
> OS_USER_DOMAIN_NAME=devtest
> OS_PROJECT_DOMAIN_NAME=devtest
> OS_PROJECT_NAME=devmin
> OS_USERNAME=udevtest
> OS_PASSWORD=x
> 
> OS_AUTH_STRATEGY=keystone
> OS_IDENTITY_API_VERSION=3
> OS_AUTH_URL=http://controller:5000/v3
> OS_INTERFACE=internal
> 
> I'm able to get a list of all users and projects in 'default' domain and even 
> more - add / delete users and projects in 'default' domain.
> 
> In fact, user 'udevtest' has nothing to domain 'default', but assigned global 
> role 'admin' - probably, that is the problem, because policy.json's rule 
> 'admin_required' is just check for 'role:admin', which is true. On the other 
> hand, if I create role 'admin' specific to domain 'devtest' and assign it to 
> user on both domain and project in the domain, then I get error "User 
> f1c1cd3438c24255a2baa85f326dfc40 (which is udevtest) has no access to project 
> 1dbbaf2fb0bc4d5da270e48d4a92bc62 (which is devmin)", so seems local roles 
> doesn't matter.
> 
> Is the only way (I hope it's legacy way :-) ) to change policy.json (as some 
> pages on Internet were suggesting) or I'm doing something wrong?
> 
> Thank you!
> 
> -- 
> Volodymyr Litovka
>   "Vision without Execution is Hallucination." -- Thomas Edison
> !DSPAM:1,592c3c0850931589493451!
> ___
> Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
> Post to : openstack@lists.openstack.org
> Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
> 
> !DSPAM:1,592c3c0850931589493451!
___
Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
Post to : openstack@lists.openstack.org
Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack

[Openstack] restrict access for users between domains

[Volodymyr Litovka]

Hi friends,

is there way to define domain's admin and restrict this person to access 
only his domain?


At the moment (Ocata release), if I :
- create domain by '_openstack domain create devtest_
- create user in the domain by '_openstack user create udevtest --domain 
devtest --password xx_
- create project in the domain by '_openstack project create devmin 
--domain devtest_

- assign role 'admin' to the user on both the domain and the project:
* _openstack role add admin --user udevtest --domain devtest_
* _openstack role add admin --project-domain devtest --project devmin 
--user udevtest_


then, using user's 'udevtest' credentials:

OS_REGION_NAME=RegionOne
OS_DEFAULT_DOMAIN=devtest
OS_USER_DOMAIN_NAME=devtest
OS_PROJECT_DOMAIN_NAME=devtest
OS_PROJECT_NAME=devmin
OS_USERNAME=udevtest
OS_PASSWORD=x

OS_AUTH_STRATEGY=keystone
OS_IDENTITY_API_VERSION=3
OS_AUTH_URL=http://controller:5000/v3
OS_INTERFACE=internal

I'm able to get a list of all users and projects in 'default' domain and 
even more - add / delete users and projects in 'default' domain.


In fact, user 'udevtest' has nothing to domain 'default', but assigned 
global role 'admin' - probably, that is the problem, because 
policy.json's rule 'admin_required' is just check for 'role:admin', 
which is true. On the other hand, if I create role 'admin' specific to 
domain 'devtest' and assign it to user on both domain and project in the 
domain, then I get error "*User f1c1cd3438c24255a2baa85f326dfc40 *(which 
is udevtest)*has no access to project 1dbbaf2fb0bc4d5da270e48d4a92bc62* 
(which is devmin)", so seems local roles doesn't matter.


Is the only way (I hope it's legacy way :-) ) to change policy.json (as 
some pages on Internet were suggesting) or I'm doing something wrong?


Thank you!

--
Volodymyr Litovka
  "Vision without Execution is Hallucination." -- Thomas Edison

___
Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
Post to : openstack@lists.openstack.org
Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack

[Openstack] [Keystone][PublicCloud] Introducing Adjutant, an OpenStack service for signups, user invites, password reset and more!

[Adrian Turjak]

Hello OpenStack Community,

I'd like to introduce to you all a service we have developed at Catalyst
and are now ready to release to the OpenStack community in hopes that
others may find it useful. As a public cloud provider we quickly ran
into a bunch of little issues around user management, sign-ups, and
other pieces of business logic that needed to fit into how we administer
the cloud but didn't entirely make sense as additions to existing
services. There were also a lot of actions we wanted to delegate to our
customers but couldn't do without giving them too much power in
Keystone, or wanted those actions to send emails, or extend to external
non-OpenStack services.

Enter Adjutant. Adjutant (previously called StackTask) was built as a
service to allow us to create business workflows that can be exposed in
some fashion over an API. A way for us to build reusable snippets of
code that we can tie together, and a flexible and pluggable API layer we
can expose those on. We needed these to be able to talk to our external
systems, as well as our OpenStack services, and provide us some basic
steps and in some cases the ability to require approval before an action
completes. In many ways Adjutant also works as a layer around Keystone
for us to build business logic around certain things we'd like our
customers to be able to do in very limited ways.

The service itself is built on Django with Django-Rest-Framework and is
an API service with the gui component built as a ui plugin for Horizon
that allows easy integration into an OpenStack dashboard.

Adjutant, as the name implies, is a helper, not a major service, but one
that smooths some situations and an easy place to offload some admin
tasks that a customer or non-admin should be able to trigger in a more
limited way. Not only that, but it stores the history of all these
tasks, who asked for them, and when they were completed. Anything a user
does through Adjutant is stored and able to be audited, with in future
the ability for project admins to be able to audit their own tasks and
see who of their users did something.

Out of the box it provides the following functionality:

  * User invitation by users with the 'project_admin' or 'project_mod' role.
  o This will send out an email to the person you've invited with a
submission token and let them setup their password and then
grants them roles on your project. If their user exists already,
will only require confirmation and then grant roles.
  * As a 'project_admin' or 'project_mod' you can list the users with
roles on your project and edit their roles or revoke them from your
project.
  * Let non-admin users request a password reset.
  o User will be emailed a token which will let them reset their
password.
  * Basic signup
  o Let a user request a new project. Requires admin approval and
will create a new project and user, granting default roles on
the new project. Will reuse existing user if present, or send an
email to the user to setup their password.
  * Let a user update their email address.
  o Will notify old email, and send a confirmation token to the new.

Features coming in the future (most either almost done, or in prototype
stages):

  * Forced password reset
  o users with 'project_admin' or 'project_mod'**can force a
password reset for a given user in their projects
  o cloud admins can force password resets for users on their cloud.
  o changes user password to a randomly generated value and sends
user a password reset token to their email.
  o user must reset before they can log in again.
  * Quota management for your project
  o As a 'project_admin' or 'project_mod' you can request a change
in quota to a set of predefined sizes (as set in the Adjutant
conf). Sizes allows you to increase multiple related quotas at
the same time. You can move to adjacent sizes without approval a
number of times in a configurable window (days), or an admin can
approve your quota change as well.
  * Hierarchical Multi-Tenancy in a single domain environment
  o 'project_admin' to be able to create sub-projects off the
current scoped project.
  o This uses HMT properly in Keystone but does not require an admin
role and enforces a naming convention to ensure unique
namespaces per sub-projects and somewhat avoids the project name
uniqueness issues per domain. It's basically some wrapper logic
for HMT in Keystone.
  o This also adds inherited role support to the already existing
user invite and user role editing features.
  o some VERY basic sub-project quota (number of sub-projects
allowed) via metadata stored on a project in Keystone, with
quota calculations in Adjutant checking against number of
sub-projects created in your WHOLE tree within given shifting
window. T