Re: [Openstack-operators] How to allow users to list services by modifying the policy.json file of Keystone

2015-01-26 Thread Christian Berendt 
On 01/26/2015 04:02 PM, Fischer, Matt wrote:
 Is there any reason that the user can¹t just run keystone catalog which
 does not require admin permissions?

Matt, this is just an example. We tried it with different list methods
and it is also not working.

We read your blog post about the topic
(http://www.mattfischer.com/blog/?p=524) and it is working for us for
services like Neutron or Nova. But not for Keystone.

Christian.

-- 
Christian Berendt
Cloud Solution Architect
Mail: bere...@b1-systems.de

B1 Systems GmbH
Osterfeldstraße 7 / 85088 Vohburg / http://www.b1-systems.de
GF: Ralph Dehner / Unternehmenssitz: Vohburg / AG: Ingolstadt,HRB 3537

___
OpenStack-operators mailing list
OpenStack-operators@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators

Re: [Openstack-operators] :document an OpenStack production environment

2015-01-26 Thread George Shuklin 
In my earlier days I had tried many formal schemes, but it always cause 
problems.


For now I settle to following scheme:

machine-used database (dns, chef, etc) for explit details like mac 
addresses, hardware, rack location, network communication. That database 
should be constantly used, not 'write only', otherwise everyone will 
starts to forget to update, and suddenly it will loose it authority over 
'I wrote you about it in hipchat and than send you update via sms, and 
final version is in your other skype account'. Usually it some kind of 
'work', or 'control panel', or chef data bags.


All topological schemes should be hand written. Whiteboards is just 
perfect for that. Why? Because all tools, except pen/pencil/marker are 
restrain you, forcing to use terminology and linking type of that tool. 
Even inkscape is restricting, because you can not just 'undersubscribe' 
link, or draw funny spiral (here it goes somewhere...).


And text in corporate wiki in free form. Yes, updates will change 
everything, but even after updates original picture and text will be 
precious, because they will say history  and will help to debug strange 
issues with historical reasons. Corporate blogs are perfect place for 
updates and ideas for future update.


Yes, it is a mess, but it is better than 'not enough information because 
of the format restrictions'.



On 01/26/2015 03:45 PM, matt wrote:
I really liked using sphinx for documentation back in the day, it has 
the benefit of being community compatible.  I also enjoyed graphviz 
integration in sphinx for diagrams... and then there was templating 
gnuplots


but i think I was probably considered a masochist on this front.  at 
the very least management types did not like that they couldn't really 
edit our documentation.


-matt

On Mon, Jan 26, 2015 at 5:10 AM, George Shuklin 
george.shuk...@gmail.com mailto:george.shuk...@gmail.com wrote:


We using chef to manage hosts. Data bags contains all data of all
hosts. We keep hardware configuration and DC-wide-name in databags
too.

For the flowcharts we mostly use markers and whiteboard, sometime
I sketch stuff in dia [1] or with wacom tablet in mypaint.

[1] http://sourceforge.net/projects/dia-installer/



On 01/25/2015 04:15 PM, Daniel Comnea wrote:

Hi all,

Can anyone who runs Openstack in a production environment/ data
center share how you document the whole infrastructure, what
tools are used for drawing diagrams(i guess you need some
pictures otherwise is hard to understand it :)), maybe even an
inventory etc?



Thanks,
Dani



P.S in the past - 10+ - i used to have maintain a red book but i
suspect situation is different in 2015


___
OpenStack-operators mailing list
OpenStack-operators@lists.openstack.org  
mailto:OpenStack-operators@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators



___
OpenStack-operators mailing list
OpenStack-operators@lists.openstack.org
mailto:OpenStack-operators@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators




___
OpenStack-operators mailing list
OpenStack-operators@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators

Re: [Openstack-operators] How to allow users to list services by modifying the policy.json file of Keystone

2015-01-26 Thread Fischer, Matt 
Is there any reason that the user can¹t just run keystone catalog which
does not require admin permissions?

On 1/26/15, 4:58 AM, Christian Berendt bere...@b1-systems.de wrote:

Hello.

We have an user 'user1' in the tenant 'tenant1' with the assigned role
'_member_'.

We want to be able to list services with this user. In the default
policy.json files we can find the following rules:

admin_required: role:admin or is_admin:1,
identity:list_services: rule:admin_required,

As expected 'keystone service-list' will fail with a HTTP error 403
('admin_required').

Now we change the rule admin_required to

admin_required: role:_member_ or role:admin or is_admin:1.

As expected 'keystone service-list' is now working. But we want to be
able to only list services, with this modification of the admin_required
rule it is possible to list e.g. roles, too.

We undo the change to admin_required and change identity:list_services to

identity:list_services: rule:admin_required or role:_member_,

'keystone service-list' will fail with an HTTP error 403
('admin_required').

We change identity:list_services to

identity:list_services: role:_member_,

'keystone service-list' will fail with an HTTP error 403
('admin_required').

We change identity:list_services to

identity:list_services: @,

'keystone service-list' will fail with an HTTP error 403
('admin_required').

It looks like the modifications of identity:list_services are ignored.

Any idea what we are doing wrong?

Christian.

--
Christian Berendt
Cloud Solution Architect
Mail: bere...@b1-systems.de

B1 Systems GmbH
Osterfeldstraße 7 / 85088 Vohburg / http://www.b1-systems.de
GF: Ralph Dehner / Unternehmenssitz: Vohburg / AG: Ingolstadt,HRB 3537

___
OpenStack-operators mailing list
OpenStack-operators@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators


This E-mail and any of its attachments may contain Time Warner Cable 
proprietary information, which is privileged, confidential, or subject to 
copyright belonging to Time Warner Cable. This E-mail is intended solely for 
the use of the individual or entity to which it is addressed. If you are not 
the intended recipient of this E-mail, you are hereby notified that any 
dissemination, distribution, copying, or action taken in relation to the 
contents of and attachments to this E-mail is strictly prohibited and may be 
unlawful. If you have received this E-mail in error, please notify the sender 
immediately and permanently delete the original and any copy of this E-mail and 
any printout.

___
OpenStack-operators mailing list
OpenStack-operators@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators

Re: [Openstack-operators] :document an OpenStack production environment

2015-01-26 Thread matt 
i wish hp would open source their cmdb code... that stuff was pretty neat.

On Mon, Jan 26, 2015 at 10:03 AM, George Shuklin george.shuk...@gmail.com
wrote:

  In my earlier days I had tried many formal schemes, but it always cause
 problems.

 For now I settle to following scheme:

 machine-used database (dns, chef, etc) for explit details like mac
 addresses, hardware, rack location, network communication. That database
 should be constantly used, not 'write only', otherwise everyone will starts
 to forget to update, and suddenly it will loose it authority over 'I wrote
 you about it in hipchat and than send you update via sms, and final version
 is in your other skype account'. Usually it some kind of 'work', or
 'control panel', or chef data bags.

 All topological schemes should be hand written. Whiteboards is just
 perfect for that. Why? Because all tools, except pen/pencil/marker are
 restrain you, forcing to use terminology and linking type of that tool.
 Even inkscape is restricting, because you can not just 'undersubscribe'
 link, or draw funny spiral (here it goes somewhere...).

 And text in corporate wiki in free form. Yes, updates will change
 everything, but even after updates original picture and text will be
 precious, because they will say history  and will help to debug strange
 issues with historical reasons. Corporate blogs are perfect place for
 updates and ideas for future update.

 Yes, it is a mess, but it is better than 'not enough information because
 of the format restrictions'.



 On 01/26/2015 03:45 PM, matt wrote:

  I really liked using sphinx for documentation back in the day, it has
 the benefit of being community compatible.  I also enjoyed graphviz
 integration in sphinx for diagrams... and then there was templating
 gnuplots

  but i think I was probably considered a masochist on this front.  at the
 very least management types did not like that they couldn't really edit our
 documentation.

  -matt

 On Mon, Jan 26, 2015 at 5:10 AM, George Shuklin george.shuk...@gmail.com
 wrote:

  We using chef to manage hosts. Data bags contains all data of all
 hosts. We keep hardware configuration and DC-wide-name in databags too.

 For the flowcharts we mostly use markers and whiteboard, sometime I
 sketch stuff in dia [1] or with wacom tablet in mypaint.

 [1] http://sourceforge.net/projects/dia-installer/



 On 01/25/2015 04:15 PM, Daniel Comnea wrote:

Hi all,

  Can anyone who runs Openstack in a production environment/ data center
 share how you document the whole infrastructure, what tools are used for
 drawing diagrams(i guess you need some pictures otherwise is hard to
 understand it :)), maybe even an inventory etc?



  Thanks,
 Dani



  P.S in the past - 10+ - i used to have maintain a red book but i suspect
 situation is different in 2015


  ___
 OpenStack-operators mailing 
 listOpenStack-operators@lists.openstack.orghttp://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators



 ___
 OpenStack-operators mailing list
 OpenStack-operators@lists.openstack.org
 http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators




___
OpenStack-operators mailing list
OpenStack-operators@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators

Re: [Openstack-operators] :document an OpenStack production environment

2015-01-26 Thread j 
 

I use LibreOffice Draw for architecture diagrams. VRT Network Equipment
[2] pretty much blows everything out of the water. 

For text documentation that I manually create (chef for example does
this automatically) I'll put in plaintext files per environment that
includes basic stuff such as hostname, IP, and server function. 

On 2015-01-25 09:15, Daniel Comnea wrote: 

 Hi all,
 
 Can anyone who runs Openstack in a production environment/ data center share 
 how you document the whole infrastructure, what tools are used for drawing 
 diagrams(i guess you need some pictures otherwise is hard to understand it 
 :)), maybe even an inventory etc?
 
 Thanks,
 Dani
 
 P.S in the past - 10+ - i used to have maintain a red book but i suspect 
 situation is different in 2015 
 
 ___
 OpenStack-operators mailing list
 OpenStack-operators@lists.openstack.org
 http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators [1]
 

Links:
--
[1]
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators
[2]
http://extensions.libreoffice.org/extension-center/vrt-network-equipment
___
OpenStack-operators mailing list
OpenStack-operators@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators

Re: [Openstack-operators] Mar 9-10, 2015, Philadelphia, USA - Next Ops Meetup

2015-01-26 Thread Jesse Keating 

On 1/23/15 4:55 AM, Tom Fifield wrote:

On 22/01/15 14:36, Mathieu Gagné wrote:

On 2015-01-12 12:11 AM, Tom Fifield wrote:

Yup - standby for registration. Most likely some time this week.



Any update?

I would like to know the schedule to plan my return flight accordingly.


http://www.eventbrite.com/e/openstack-ops-mid-cycle-meetup-tickets-15319934336

better announcement soon :)



Thanks Tom! Are there any details regarding hotel accommodations?


--
-jlk

___
OpenStack-operators mailing list
OpenStack-operators@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators

Re: [Openstack-operators] :document an OpenStack production environment

2015-01-26 Thread Daniel Comnea 
Excellent input, please keep it going.

Maybe someone from HP will shed more light on their cmdb?


Dani

On Mon, Jan 26, 2015 at 4:28 PM, j j...@no-io.net wrote:

  I use LibreOffice Draw for architecture diagrams. VRT Network Equipment
 http://extensions.libreoffice.org/extension-center/vrt-network-equipment
 pretty much blows everything out of the water.

 For text documentation that I manually create (chef for example does this
 automatically) I'll put in plaintext files per environment that includes
 basic stuff such as hostname, IP, and server function.


 On 2015-01-25 09:15, Daniel Comnea wrote:

   Hi all,

 Can anyone who runs Openstack in a production environment/ data center
 share how you document the whole infrastructure, what tools are used for
 drawing diagrams(i guess you need some pictures otherwise is hard to
 understand it :)), maybe even an inventory etc?



 Thanks,
 Dani



 P.S in the past - 10+ - i used to have maintain a red book but i suspect
 situation is different in 2015

 ___
 OpenStack-operators mailing 
 listOpenStack-operators@lists.openstack.orghttp://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators


___
OpenStack-operators mailing list
OpenStack-operators@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators

Re: [Openstack-operators] Instance creation boot from image (creates a new volume) is Slow

2015-01-26 Thread Abel Lopez 
You might get faster performance if the image was in raw format in glance.

On Friday, January 23, 2015, Pedro Sousa pgso...@gmail.com wrote:

 Hi all,

 I have a swift backend to store my glance images and a EMC storage to
 store my volumes.

 When I try to boot the instance directly from the volume, the process is
 slow. I understand that glance has to convert the image from swift and copy
 it to the volume but is there a way to speedup this?

 Also If I try to more than 4 instances at one using this process it will
 eventually timeout and I will have instances in ERROR state.

 Thanks,
 Pedro Sousa

___
OpenStack-operators mailing list
OpenStack-operators@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators

Re: [Openstack-operators] :document an OpenStack production environment

2015-01-26 Thread George Shuklin 
We using chef to manage hosts. Data bags contains all data of all hosts. 
We keep hardware configuration and DC-wide-name in databags too.


For the flowcharts we mostly use markers and whiteboard, sometime I 
sketch stuff in dia [1] or with wacom tablet in mypaint.


[1] http://sourceforge.net/projects/dia-installer/


On 01/25/2015 04:15 PM, Daniel Comnea wrote:

Hi all,

Can anyone who runs Openstack in a production environment/ data center 
share how you document the whole infrastructure, what tools are used 
for drawing diagrams(i guess you need some pictures otherwise is hard 
to understand it :)), maybe even an inventory etc?




Thanks,
Dani



P.S in the past - 10+ - i used to have maintain a red book but i 
suspect situation is different in 2015



___
OpenStack-operators mailing list
OpenStack-operators@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators


___
OpenStack-operators mailing list
OpenStack-operators@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators

[Openstack-operators] How to allow users to list services by modifying the policy.json file of Keystone

2015-01-26 Thread Christian Berendt 
Hello.

We have an user 'user1' in the tenant 'tenant1' with the assigned role
'_member_'.

We want to be able to list services with this user. In the default
policy.json files we can find the following rules:

admin_required: role:admin or is_admin:1,
identity:list_services: rule:admin_required,

As expected 'keystone service-list' will fail with a HTTP error 403
('admin_required').

Now we change the rule admin_required to

admin_required: role:_member_ or role:admin or is_admin:1.

As expected 'keystone service-list' is now working. But we want to be
able to only list services, with this modification of the admin_required
rule it is possible to list e.g. roles, too.

We undo the change to admin_required and change identity:list_services to

identity:list_services: rule:admin_required or role:_member_,

'keystone service-list' will fail with an HTTP error 403 ('admin_required').

We change identity:list_services to

identity:list_services: role:_member_,

'keystone service-list' will fail with an HTTP error 403 ('admin_required').

We change identity:list_services to

identity:list_services: @,

'keystone service-list' will fail with an HTTP error 403 ('admin_required').

It looks like the modifications of identity:list_services are ignored.

Any idea what we are doing wrong?

Christian.

-- 
Christian Berendt
Cloud Solution Architect
Mail: bere...@b1-systems.de

B1 Systems GmbH
Osterfeldstraße 7 / 85088 Vohburg / http://www.b1-systems.de
GF: Ralph Dehner / Unternehmenssitz: Vohburg / AG: Ingolstadt,HRB 3537

___
OpenStack-operators mailing list
OpenStack-operators@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators

Re: [Openstack-operators] Mar 9-10, 2015, Philadelphia, USA - Next Ops Meetup

2015-01-26 Thread Tom Fifield 
On 27/01/15 05:38, Jesse Keating wrote:
 On 1/23/15 4:55 AM, Tom Fifield wrote:
 On 22/01/15 14:36, Mathieu Gagné wrote:
 On 2015-01-12 12:11 AM, Tom Fifield wrote:
 Yup - standby for registration. Most likely some time this week.


 Any update?

 I would like to know the schedule to plan my return flight accordingly.

 http://www.eventbrite.com/e/openstack-ops-mid-cycle-meetup-tickets-15319934336


 better announcement soon :)

 
 Thanks Tom! Are there any details regarding hotel accommodations?
 

I believe our friends at Comcast have secured a room block at the Four
Seasons with a preferred rate. The current plan is to email people who
register details of that, but I guess a prod to eve...@openstack.org
can't hurt if anyone needs it sooner :)


___
OpenStack-operators mailing list
OpenStack-operators@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators

Re: [Openstack-operators] Mar 9-10, 2015, Philadelphia, USA - Next Ops Meetup

2015-01-26 Thread Clayton O'Neill 
 Thanks Tom! Are there any details regarding hotel accommodations?


It's not official, but several us from Time Warner Cable are staying at
http://www.thewindsorsuites.com/ which appears to be fairly close and
reasonably priced for the area.
___
OpenStack-operators mailing list
OpenStack-operators@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators