[Yahoo-eng-team] [Bug 968696] Re: "admin"-ness not properly scoped

2023-03-24 Thread Adam Young
If it is not fixed in Nova it is not fixed in Keystone, as the solution has to start there. ** Changed in: keystone Status: Fix Released => Confirmed -- You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to OpenStack Identity

[Yahoo-eng-team] [Bug 1936686] Re: Install and configure in keystone: after keystone installation, there is no /etc/keystone folder

2021-09-28 Thread Adam Young
This is an installer specific issue and not with the Keystone upstream project. The .deb should be creating the /etc/keystone directory on install. Please open the bug with the packager. Note that the page linked is specific to Ubuntu. ** Changed in: keystone Status: New => Invalid

[Yahoo-eng-team] [Bug 1939879] Re: Failed to discover available identity versions when contacting http://controller1:35357/v3. Attempting to parse version from URL.

2021-09-28 Thread Adam Young
The Keystone server was down and the message was reported by the client. ** Changed in: keystone Status: New => Invalid -- You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to OpenStack Identity (keystone).

[Yahoo-eng-team] [Bug 968696] Re: "admin"-ness not properly scoped

2021-05-04 Thread Adam Young
** Changed in: neutron Status: Triaged => Fix Committed ** Changed in: nova Status: In Progress => Fix Committed ** Changed in: puppet-keystone Status: New => Invalid -- You received this bug notification because you are a member of Yahoo! Engineering Team, which is

[Yahoo-eng-team] [Bug 1842397] Re: Possibility for project level roles ?

2019-09-03 Thread Adam Young
For these kinds of operations, you use role assignment inheritance. Do not attempt to enforce policy on parent project ID. I wrote up an article about this about a year back. CloudForms is just the consumer, but the rules are the same.

[Yahoo-eng-team] [Bug 1832848] [NEW] Set Project ID for synchronization across servers

2019-06-14 Thread Adam Young
Public bug reported: Identifiers Each resource in Keystone has a unique identifier. For the majority of resources, the identifiers are currently generated as UUIDs. In addition, the identifiers are assigned by the system, and are not something an end user can specify when creating the resource.

[Yahoo-eng-team] [Bug 1827420] [NEW] Document issues with deep nesting of Quota/limits

2019-05-02 Thread Adam Young
Public bug reported: I wrote up the issues with gaming the system that can happen with deep quotas. This has driven what happened with 2 level quota in unified limits. https://adam.younglogic.com/2018/05/tracking-quota/ This should merge in with the documentation to explain why we limit

[Yahoo-eng-team] [Bug 1824239] [NEW] predictable role ids

2019-04-10 Thread Adam Young
Public bug reported: Make it possible to know what the ID of a role will be prior to creating it. This allows synchronization between multiple keystone servers ** Affects: keystone Importance: Undecided Assignee: Adam Young (ayoung) Status: In Progress -- You received

[Yahoo-eng-team] [Bug 1808059] Re: admin user should have admin role in the Default domain

2018-12-12 Thread Adam Young
Until recently, this should be in bootstrap. This is the minimal amount of configuration a Keystone server needs: to be able to create a new domain, or create projects on the domain, etc. Now it should be one admin user with a service scoped admin role. From that, all other configuration can

[Yahoo-eng-team] [Bug 1804073] Re: Keystone fails to log policy target data

2018-11-20 Thread Adam Young
Added Oslo.policy to the bug report, as this is going to be an issue across all of the projects. Barbican, especially, needs target info, but the same is true for anything that enforces the scope check. ** Also affects: oslo.policy Importance: Undecided Status: New -- You received

[Freeipa-devel] DNS in the WebUI

2018-10-24 Thread Adam Young via FreeIPA-devel
I wanted to float the idea of bumping DNS to a top level Menu Item in IdM. Here is how it looks right now: https://admiyo.fedorapeople.org/ipa/IPA-Netsvc-screenshot.png Note that I had to know to click "Network services" in order to find DNS. DNS is a much more important Use case than

[Yahoo-eng-team] [Bug 1794552] [NEW] Flaskification broke ECP

2018-09-26 Thread Adam Young
Public bug reported: The Federation integration (not voting) tests for Python35 are failing. == 2018-09-26 06:26:21.371093 | primary | Failed 1 tests - output below: 2018-09-26 06:26:21.371172 | primary | == 2018-09-26 06:26:21.371200 |

[Yahoo-eng-team] [Bug 1794527] [NEW] Allow domain creation with a specific ID

2018-09-26 Thread Adam Young
Public bug reported: When keeping two Keystone servers in sync, but avoiding Database replication, it is often necessary to hack the database to update the Domain ID so that entries match. Domain ID is then used for LDAP mapped IDs, and if they don't match, the user IDs are different. It should

[Yahoo-eng-team] [Bug 1794530] [NEW] Federation IDs hardcode UUIDs instead of configured id_generator

2018-09-26 Thread Adam Young
the user in LDAP). Thus, the LDAP code can be changed at config time, but the Federated code can't. It also means that Federated IDs cannot be kept in sync between two keystone servers. ** Affects: keystone Importance: Low Assignee: Adam Young (ayoung) Status: In Progress

[Yahoo-eng-team] [Bug 1793756] [NEW] remote user tests disabled

2018-09-21 Thread Adam Young
Public bug reported: in keystone/tests/unit/test_v3_auth.py there are two tests that have been commented out because they are unrunnable: test_remote_user_with_realm and test_remote_user_with_default_domain These support the External auth mechanism which should be available to people with

[Yahoo-eng-team] [Bug 1790428] Re: Keystone policy.json not matching domain_id

2018-09-11 Thread Adam Young
Just to be clear, this has always been the case. The documentation for the cloud sample stated it needed to be edited. Of course, I tripped over this exact problem. A few times. I once proposed reading policy values from the config file as a work around. But this is not a bug. As Lance put,

[Yahoo-eng-team] [Bug 1782197] [NEW] Mapping Engine Tester is untested

2018-07-17 Thread Adam Young
Public bug reported: Looking at a coverage report for the Keystone CLI shows that the entirety of class MappingEngineTester(BaseApp): Is untested. Since this is production and supported code, this is a risk. ** Affects: keystone Importance: Undecided Status: New -- You

[Yahoo-eng-team] [Bug 1780159] Re: Some inherited projects missing when listing user's projects

2018-07-09 Thread Adam Young
** Changed in: keystone Status: Invalid => New -- You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to OpenStack Identity (keystone). https://bugs.launchpad.net/bugs/1780159 Title: Some inherited projects missing when listing

[Yahoo-eng-team] [Bug 1780159] Re: Some inherited projects missing when listing user's projects

2018-07-05 Thread Adam Young
** Changed in: keystone Status: New => Invalid -- You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to OpenStack Identity (keystone). https://bugs.launchpad.net/bugs/1780159 Title: Some inherited projects missing when listing

[Yahoo-eng-team] [Bug 1643301] Re: bootstrapping keystone failed when LDAP backend is in use

2018-07-02 Thread Adam Young
I'm closing this Won't fix because running with the LDAP backend is a bad approach. Use SQL, with LDAP in a domain specific back end. ** Changed in: keystone Status: Triaged => Won't Fix -- You received this bug notification because you are a member of Yahoo! Engineering Team, which is

[openstack-dev] Replacing Keystone Admin Accounts

2018-03-14 Thread Adam Young
As we attempt to close the gap on Bug 968696, we have to make sure we are headed forward in a path that won't get us stuck. It seems that many people use Admin-every accounts for many things that they are not really meant for. Such as performing Operations that should be scoped to a project,

Re: [openstack-dev] [Keystone] Weirdness around domain/project scope in role assignments

2018-03-09 Thread Adam Young
On Fri, Mar 9, 2018 at 2:42 AM, Adrian Turjak wrote: > Sooo to follow up from the discussion last night partly with Lance and > Adam, I'm still not exactly sure what difference, if any, there is > between a domain scoped role assignment, and a project scoped role >

Re: [openstack-dev] [security] Security PTG Planning, x-project request for topics.

2018-01-29 Thread Adam Young
Bug 968696 and System Roles. Needs to be addressed across the Service catalog. On Mon, Jan 29, 2018 at 7:38 AM, Luke Hinds wrote: > Just a reminder as we have not had many uptakes yet.. > > Are there any projects (new and old) that would like to make use of the > security

[Yahoo-eng-team] [Bug 1602081] Re: Use oslo.context's policy dict

2018-01-27 Thread Adam Young
Fixed in Keystone by f71a78db86632dccb391782e62da69a4627c7cad https://review.openstack.org/#/c/523650/ ** Changed in: keystone Assignee: (unassigned) => Adam Young (ayoung) ** Changed in: keystone Status: Triaged => Fix Released ** Changed in: keystone Status: Fix Re

[Yahoo-eng-team] [Bug 1724645] [NEW] remote_id_attribute config options prevents multiple protocol variations for Federation

2017-10-18 Thread Adam Young
Public bug reported: In order to activate a protocol for Federation, you need SOME value for remote_id_attribute. However, this is set once per protocol in the config file, not in the federated data. Thus, if two different SAML implementations both wanted to use different values for

[Yahoo-eng-team] [Bug 1719141] [NEW] Kick off Ansible Playbook from Keystone Actions

2017-09-23 Thread Adam Young
Public bug reported: When a Federated User logs in for the first time, many organizations want to be able to provision resources. This is a specific instance of the general idea that a Keystone token operation should be able to kick off a playbook. Playbooks can perform both Openstack specific

Re: [cas-user] CAS 5.0.5: Mixing default and custom attribute resolvers (PersonAttributeDao)

2017-06-26 Thread Adam Young
t; > > *From:* cas-...@apereo.org [mailto:cas-...@apereo.org > ] *On Behalf Of *Adam Young > *Sent:* Monday, June 26, 2017 12:24 PM > *To:* CAS Community <cas-...@apereo.org > > *Subject:* [cas-user] CAS 5.0.5: Mixing default and custom attribute > resolvers (PersonAttrib

[cas-user] CAS 5.0.5: Mixing default and custom attribute resolvers (PersonAttributeDao)

2017-06-26 Thread Adam Young
We are currently using the default attribute resolvers for LDAP and jdbc with no issues. We configure them via the properties file and everything works as expected. We have now been given new requirements that will involve us having to write a custom implementation of IPersonAttributeDao to

Re: [Openstack] Cinder policy.json

2017-05-16 Thread Adam Young
On 05/09/2017 06:39 AM, ch...@foxmail.com wrote: Hello: I want every one can access a volume I created in cinder as admin, so I changed /etc/cinder/policy.json as below, but it won't work. Why? And how to do it? Thanks! policy.json So, debugging policy is a pain. What operation

[Yahoo-eng-team] [Bug 1689644] [NEW] Keystone does not report microversion headers

2017-05-09 Thread Adam Young
Public bug reported: Keystone is now behind the other projects in reporting the microversions in the microversion header ** Affects: keystone Importance: Undecided Status: New -- You received this bug notification because you are a member of Yahoo! Engineering Team, which is

[Yahoo-eng-team] [Bug 1648542] Re: keystone does not retry on deadlock Transactions [500 Error]

2016-12-08 Thread Adam Young
Closing as a duplicate. ** Changed in: keystone Status: New => Invalid -- You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to OpenStack Identity (keystone). https://bugs.launchpad.net/bugs/1648542 Title: keystone does not

[Yahoo-eng-team] [Bug 1648542] [NEW] keystone does not retry on deadlock Transactions [500 Error]

2016-12-08 Thread Adam Young
Public bug reported: Description of problem: DBDeadlock: (pymysql.err.InternalError) (1213, u'Deadlock found when trying to get lock; try restarting transaction') The above error is retry-able error, but no evidence for keystone would really did a retry before throwing a 500. 2016-11-12

[Yahoo-eng-team] [Bug 1647486] [NEW] sample-data makes incorrect credentials call

2016-12-05 Thread Adam Young
Public bug reported: ADMIN_PASSWORD=keystone tools/sample_data.sh ... lots of stuff working fine ... usage: openstack ec2 credentials create [-h] [-f {json,shell,table,value,yaml}] [-c COLUMN] [--max-width ]

[Yahoo-eng-team] [Bug 1646305] [NEW] Federation URL is public, but AUTH_URL is private

2016-11-30 Thread Adam Young
Public bug reported: Web SSO will be broken in places where the assumption that the AUTH_URL that Horizon uses is publicly accessible. Conversation with deployer: "keystone is open in haproxy to the public world, but the problem is that horizon forming the SSO url based on the region URL,

[Yahoo-eng-team] [Bug 1643112] [NEW] Auth plugins should be linked to Federation Protocol

2016-11-18 Thread Adam Young
Public bug reported: When setting up Federation, if the protocol needs a new auth plugin, the current mechanism is to add it to the methods list for the [auth] section. However, this has the effect of linking them all together, when the real method should be to link the auth plugin with the

[openstack-dev] [Keystone] Token Verify Role Check

2016-11-03 Thread Adam Young
There has been a lot of talk about Policy this past summit and release. Based on feedback, we've come up with the following spec to address it. https://review.openstack.org/#/c/391624/ The idea is that we are going to split the role check off from the existing policy checks. The role check

[Yahoo-eng-team] [Bug 1638603] [NEW] Identity LDAP does not support AD nested groups

2016-11-02 Thread Adam Young
Public bug reported: Active Directory has a very specific mechanism to handle nested groups. LDAP queries need to look like this: "(&(objectClass=group)(member=member:1.2.840.113556.1.4.1941:=CN=nwalnut,OU=Users,DC=EXAMPLE,DC=COM))" If a deployment is using nested groups, three queries need to

Re: [openstack-dev] [Magnum][Kuryr][Keystone] Securing services in container orchestration

2016-10-20 Thread Adam Young
On 10/09/2016 10:57 PM, Ton Ngo wrote: Hi Keystone team, We have a scenario that involves securing services for container and this has turned out to be rather difficult to solve, so we would like to bring to the larger team for ideas. Examples of this scenario: 1. Kubernetes cluster: To

Re: [openstack-dev] [Keystone] Project name DB length

2016-10-20 Thread Adam Young
On 09/28/2016 11:06 PM, Adrian Turjak wrote: Hello Keystone Devs, Just curious as to the choice to have the project name be only 64 characters: https://github.com/openstack/keystone/blob/master/keystone/resource/backends/sql.py#L241 Seems short, and an odd choice when the user.name field is

Re: [Openstack] [OpenStack] [Keystone] How to use two keystone servers?

2016-10-19 Thread Adam Young
On 09/23/2016 11:03 AM, Alexandr Porunov wrote: Hello, I have next nodes: swift_proxy1 - 192.168.0.11 swift_proxy2 - 192.168.0.12 keystone1 - 192.168.0.21 keystone2 - 192.168.0.22 I wonder to know if it is possible to use two keystone servers if we use "uuid" or "fernet" tokens. Yes, you

Re: [openstack-dev] [all] indoor climbing break at summit?

2016-10-17 Thread Adam Young
On 10/17/2016 09:53 AM, Chris Dent wrote: It turns out that summit this year will be just down the road from Chris Sharma's relatively new indoor climbing gym in Barcelona: http://www.sharmaclimbingbcn.com/ If the fun, frisson and frustration of summit sessions leaves you with the energy

[Yahoo-eng-team] [Bug 968696] Re: "admin"-ness not properly scoped

2016-10-10 Thread Adam Young
Reopening the Keystone one as the fix does not work for default policy, which is what most people use. ** Changed in: keystone Status: Fix Released => In Progress -- You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to neutron.

[Yahoo-eng-team] [Bug 1410029] Re: Unnecessary conflict wrapper on assignment driver delete_project() method

2016-10-05 Thread Adam Young
Not a bug, leave the wrapper in for SQL message reporting. ** Changed in: keystone Status: Triaged => Invalid -- You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to OpenStack Identity (keystone).

Re: [openstack-dev] [tripleo] Fernet Key rotation

2016-09-23 Thread Adam Young
On 08/11/2016 06:25 AM, Steven Hardy wrote: On Wed, Aug 10, 2016 at 11:31:29AM -0400, Zane Bitter wrote: On 09/08/16 21:21, Adam Young wrote: On 08/09/2016 06:00 PM, Zane Bitter wrote: In either case a good mechanism might be to use a Heat Software Deployment via the Heat API directly (i.e

[Yahoo-eng-team] [Bug 1627094] Re: Keystone overwhelms Ceilometer with Identity Events

2016-09-23 Thread Adam Young
** Project changed: keystone => ceilometer -- You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to OpenStack Identity (keystone). https://bugs.launchpad.net/bugs/1627094 Title: Keystone overwhelms Ceilometer with Identity Events

[Yahoo-eng-team] [Bug 1627094] [NEW] Keystone overwhelms Ceilometer with Identity Events

2016-09-23 Thread Adam Young
st setting notification_driver to either log or noop in /etc/keystone/keystone.conf ** Affects: keystone Importance: Undecided Assignee: Adam Young (ayoung) Status: New -- You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to

[openstack-dev] [keystone][oslo][release][requirements][FFE] global-requirements update for requests-kerberos

2016-09-13 Thread Adam Young
https://review.openstack.org/#/c/368530/ This change is for Python >2.7 only, as python2.7 already supports the latest version of these libraries. Back in the "just get python3 to work" days we cut our losses on Kerberos support, but now it is working. Getting this restriction removed

[Yahoo-eng-team] [Bug 1381961] Re: Keystone API GET 5000/v3 returns wrong endpoint URL in response body

2016-09-12 Thread Adam Young
** Also affects: tripleo Importance: Undecided Status: New ** Changed in: tripleo Status: New => Confirmed ** Changed in: keystone Status: Confirmed => Fix Released -- You received this bug notification because you are a member of Yahoo! Engineering Team, which is

Re: [openstack-dev] [nova][keystone] auth for new metadata plugins

2016-09-08 Thread Adam Young
On 09/01/2016 08:48 PM, Michael Still wrote: On Thu, Sep 1, 2016 at 11:58 AM, Adam Young <ayo...@redhat.com> wrote: On 08/31/2016 07:56 AM, Michael Still wrote: There is a quick sketch of what a service account might look like

[Yahoo-eng-team] [Bug 1619758] [NEW] Credential Encryption breaks deployments without Fernet

2016-09-02 Thread Adam Young
Public bug reported: A recent change to encrypt credentials broke RDO/Tripleo deployments: 2016-09-02 17:16:55.074 17619 ERROR keystone.common.fernet_utils [req-31d60075-7e0e-401e-a93f-58297cd5439b f2caffbaf10d4e3da294c6366fe19a36 fd71b607cfa84539bf0440915ea2d94b - default default] Either

[Yahoo-eng-team] [Bug 1381961] Re: Keystone API GET 5000/v3 returns wrong endpoint URL in response body

2016-09-02 Thread Adam Young
Reported in a downstream distribution that should have synced from this code as still a bug. Please reconfirm. ** Changed in: keystone Status: Fix Released => Confirmed -- You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to

Re: [openstack-dev] [keystone] new core reviewer (rderose)

2016-09-01 Thread Adam Young
On 09/01/2016 10:44 AM, Steve Martinelli wrote: I want to welcome Ron De Rose (rderose) to the Keystone core team. In a short time Ron has shown a very positive impact. Ron has contributed feature work for shadowing LDAP and federated users, as well as enhancing password support for SQL users.

Re: [openstack-dev] [nova][keystone] auth for new metadata plugins

2016-08-31 Thread Adam Young
:46 PM, Adam Young <ayo...@redhat.com> wrote: On 08/22/2016 11:11 AM, Rob Crittenden wrote: Adam Young wrote: On 08/15

Re: [openstack-dev] [nova][keystone] auth for new metadata plugins

2016-08-31 Thread Adam Young
. Michael On Fri, Aug 26, 2016 at 12:46 PM, Adam Young <ayo...@redhat.com> wrote: On 08/22/2016 11:11 AM, Rob Crittenden wrote: Adam Young wrote: On 08/15/2016 05:10 PM, Rob Crittenden wrote: Review https://review.o

[Yahoo-eng-team] [Bug 1321378] Re: keystone user-role-* operations fails when user no longer exists in backend

2016-08-30 Thread Adam Young
Closing the Keystone server component again, as I just confirmed the user-list error does not happen in this code base, and thus it is a new bug and a regression. Will open a separate ticket for that. ** Changed in: keystone Status: Confirmed => Fix Released -- You received this bug

[Yahoo-eng-team] [Bug 1321378] Re: keystone user-role-delete operation fails when user no longer exists in backend

2016-08-30 Thread Adam Young
Reopening the issue against the Keystone server. The fix was not sufficient, as it was just a workaround, and one that we can't apply via the CLI. The real fix requires avoiding the exception from the identity backend when performing any assignment-backend calls. ** Changed in: keystone

[Yahoo-eng-team] [Bug 1321378] Re: keystone user-role-delete operation fails when user no longer exists in backend

2016-08-29 Thread Adam Young
So...this is a continuing Saga. The fix that went in for Keystone only allows the V3 API call to continue. However, there is currently no way to call that API except for curl. Something like: curl -X DELETE -H"X-Auth-Token:$TOKEN" -H "Content-type: application/json"

Re: [openstack-dev] [nova][keystone] auth for new metadata plugins

2016-08-25 Thread Adam Young
On 08/22/2016 11:11 AM, Rob Crittenden wrote: Adam Young wrote: On 08/15/2016 05:10 PM, Rob Crittenden wrote: Review https://review.openstack.org/#/c/317739/ added a new dynamic metadata handler to nova. The basic gist is that rather than serving metadata statically, it can be done dynamically

[openstack-dev] [Cross-Project] [Cinder][Neutron][Cue]

2016-08-18 Thread Adam Young
These changes are necessary so policy files can include the check "is_admin_project:True" which allows us to Scope what is meant by "Admin" Use from_environ to load context Use to_policy_values for enforcing policy Use context from_environ to load contexts Use from_dict to load context

Re: [openstack-dev] [nova][keystone] auth for new metadata plugins

2016-08-17 Thread Adam Young
On 08/15/2016 05:10 PM, Rob Crittenden wrote: Review https://review.openstack.org/#/c/317739/ added a new dynamic metadata handler to nova. The basic gist is that rather than serving metadata statically, it can be done dynamically, so that certain values aren't provided until they are needed,

[openstack-dev] [Tripleo] Tripleo HA Federation Proof-of-Concept

2016-08-11 Thread Adam Young
http://adam.younglogic.com/2016/08/ooo-ha-fed-poc/ It is painful, sloppy, Mitaka based. Have at it, and let's make Federation a reality for Newton based deployments. Feedback eagerly sought. Thanks for all the people that helped get me through this. Won't list you all, as it would start

Re: [openstack-dev] [tripleo] Fernet Key rotation

2016-08-10 Thread Adam Young
On 08/09/2016 05:11 PM, Adam Young wrote: The Fernet token format uses a symmetric key to sign tokens. In order to check the signature, these keys need to be synchronized across all of the Keystone servers. I don't want to pass around naked symmetric keys. The right way to do

Re: [openstack-dev] [tripleo] Fernet Key rotation

2016-08-10 Thread Adam Young
On 08/09/2016 09:21 PM, Adam Young wrote: On 08/09/2016 06:00 PM, Zane Bitter wrote: In either case a good mechanism might be to use a Heat Software Deployment via the Heat API directly (i.e. not as part of a stack) to push changes to the servers. (I say 'push' but it's more a case

Re: [openstack-dev] [tripleo] Fernet Key rotation

2016-08-09 Thread Adam Young
On 08/09/2016 06:00 PM, Zane Bitter wrote: In either case a good mechanism might be to use a Heat Software Deployment via the Heat API directly (i.e. not as part of a stack) to push changes to the servers. (I say 'push' but it's more a case of making the data available for os-collect-config

[openstack-dev] [tripleo] Fernet Key rotation

2016-08-09 Thread Adam Young
The Fernet token format uses a symmetric key to sign tokens. In order to check the signature, these keys need to be synchronized across all of the Keystone servers. I don't want to pass around naked symmetric keys. The right way to do this is to put them into a PKCS 11 Envelope. Roughly,

Re: [openstack-dev] [keystone][tripleo] Federation, mod_mellon, and HA Proxy

2016-08-07 Thread Adam Young
On 08/06/2016 08:44 AM, John Dennis wrote: On 08/05/2016 06:06 PM, Adam Young wrote: Ah...just noticed the redirect is to :5000, not port :13000 which is the HA Proxy port. OK, this is due to the SAML request: https://identity.ayoung-dell-t1700.test/auth/realms/openstack/protocol/saml

Re: [openstack-dev] [tripleo] HA with only one node.

2016-08-06 Thread Adam Young
On 08/06/2016 03:20 PM, Dan Prince wrote: On Sat, 2016-08-06 at 13:21 -0400, Adam Young wrote: As I try to debug Federation problems, I am often finding I have to check three nodes to see where the actual request was processed. However, If I close down two of the controller nodes in Nova

[openstack-dev] [tripleo] HA with only one node.

2016-08-06 Thread Adam Young
As I try to debug Federation problems, I am often finding I have to check three nodes to see where the actual request was processed. However, If I close down two of the controller nodes in Nova, the whole thing just fails. So, while that in itself is a problem, what I would like to be able to

Re: [openstack-dev] [keystone][tripleo] Federation, mod_mellon, and HA Proxy

2016-08-05 Thread Adam Young
On 08/05/2016 06:40 PM, Fox, Kevin M wrote: *From:* Adam Young [ayo...@redhat.com] *Sent:* Friday, August 05, 2016 3:06 PM *To:* openstack-dev@lists.openstack.org *Subject:* Re: [openstack-dev] [keystone][tripleo

Re: [openstack-dev] [keystone][tripleo] Federation, mod_mellon, and HA Proxy

2016-08-05 Thread Adam Young
On 08/05/2016 04:54 PM, Adam Young wrote: On 08/05/2016 04:52 PM, Adam Young wrote: Today I discovered that we need to modify the HA proxy config to tell it to rewrite redirects. Otherwise, I get a link to http://openstack.ayoung-dell-t1700.test:5000/v3/mellon/postResponse Which should

Re: [openstack-dev] [keystone][tripleo] Federation, mod_mellon, and HA Proxy

2016-08-05 Thread Adam Young
On 08/05/2016 04:52 PM, Adam Young wrote: Today I discovered that we need to modify the HA proxy config to tell it to rewrite redirects. Otherwise, I get a link to http://openstack.ayoung-dell-t1700.test:5000/v3/mellon/postResponse Which should be https, not http. I mimicked the lines

[openstack-dev] [keystone][tripleo] Federation, mod_mellon, and HA Proxy

2016-08-05 Thread Adam Young
Today I discovered that we need to modify the HA proxy config to tell it to rewrite redirects. Otherwise, I get a link to http://openstack.ayoung-dell-t1700.test:5000/v3/mellon/postResponse Which should be https, not http. I mimicked the lines in the horizon config so that the keystone

[Yahoo-eng-team] [Bug 1588190] Re: policy.v3cloudsample.json broken in mitaka

2016-08-03 Thread Adam Young
I think this is a Horizon bug, not Keystone. The stack trace is all Horizon code. I suspect it is a conflict between domain and project scoped token code in Horizon ** Also affects: horizon Importance: Undecided Status: New -- You received this bug notification because you are a

Re: [openstack-dev] [Congress] Congress horizon plugin - congressclient/congress API auth issue - help

2016-07-29 Thread Adam Young
On 07/28/2016 10:05 PM, Tim Hinrichs wrote: I've never worked on the authentication details, so this may be off track, but that error message indicates the failure is happening inside Congress's oslo_policy. Error message shows up here as a Python exception class.

Re: [Openstack] -[keystone] help configure keystone for token ssl x509 authorization

2016-07-27 Thread Adam Young
On 07/04/2016 11:14 AM, schmitt wrote: Hi, I am learning to configure keystone for tokenless ssl x509 authorization, according to the document: http://docs.openstack.org/developer/keystone/configure_tokenless_x509.html. when making self-signed certificate with command openssl, I don't

Re: [openstack-dev] [tripleo] Modifying just a few values on overcloud redeploy

2016-07-27 Thread Adam Young
On 07/27/2016 06:04 AM, Steven Hardy wrote: On Tue, Jul 26, 2016 at 05:23:21PM -0400, Adam Young wrote: I worked through how to do a complete clone of the templates to do a deploy and change a couple values here: http://adam.younglogic.com/2016/06/custom-overcloud-deploys

[openstack-dev] [tripleo] Modifying just a few values on overcloud redeploy

2016-07-26 Thread Adam Young
I worked through how to do a complete clone of the templates to do a deploy and change a couple values here: http://adam.younglogic.com/2016/06/custom-overcloud-deploys/ However, all I want to do is to set two config options in Keystone. Is there a simple way to just modify the two values

Re: [openstack-dev] Troubleshooting and ask.openstack.org

2016-06-30 Thread Adam Young
lt;mailto:sigmaviru...@gmail.com>> wrote: -----Original Message- From: Adam Young <ayo...@redhat.com> Reply: OpenStack Development Mailing List (not for usage questions) <openst

Re: [openstack-dev] Troubleshooting and ask.openstack.org

2016-06-30 Thread Adam Young
On 06/28/2016 11:13 PM, Tom Fifield wrote: Quick answers in-line On 29/06/16 05:44, Adam Young wrote: It seems to me that keystone Core should be able to moderate Keystone questions on the site. That means that they should be able to remove old dead ones, remove things tagged as Keystone

Re: [Openstack] [Keystone] Why not OAuth 2.0 provider?

2016-06-28 Thread Adam Young
On 06/28/2016 03:18 AM, 林自均 wrote: Hi Steve, Thanks for your explanation! I have some further questions: You said that OS-OAUTH doesn't make Keystone a proper OAuth provider, so what is missing? Can name some of the missing parts? Another thing, a backlog started by you proposed to unify

Re: [openstack-dev] [Heat][tripleo] Tripleo holding on to old, bad data

2016-06-28 Thread Adam Young
o it again, I'll double check all these. Thanks Cheers, Dr. Pavlo Shchelokovskyy Senior Software Engineer Mirantis Inc www.mirantis.com On Tue, Jun 28, 2016 at 1:29 AM, Adam Young <ayo...@redhat.com> wrote: On 06/2

[openstack-dev] Troubleshooting and ask.openstack.org

2016-06-28 Thread Adam Young
Recently, the Keystone team started brainstorming a troubleshooting document. While we could, eventually, put this into the Keystone repo, it makes sense to also be gathering troubleshooting ideas from the community at large. How do we do this? I think we've had a long enough run with the

Re: [Openstack] how to change the admin password

2016-06-27 Thread Adam Young
On 06/27/2016 10:37 AM, Venkatesh Kotipalli wrote: Hi All, I want to change the admin password for openstack mitaka by using CLI. I installed on centos7. When I tried to change the password in admin-openrc, after changing the password I am unable to login with the password I changed, as

Re: [Openstack] python-keystoneclient (2.3.1-2) make wrong URI call for keystone api V3

2016-06-27 Thread Adam Young
On 06/24/2016 03:16 AM, Soputhi Sea wrote: Hi, I'm using the Mitaka release (the very latest public release, from Jun-02), and I'm having an issue with List Project in Horizon. In my case I have multiple projects created, and when I log in to Horizon the drop-down list of projects (on the top

Re: [openstack-dev] [Heat][tripleo] Tripleo holding on to old, bad data

2016-06-27 Thread Adam Young
have that. First thing we checked. I assume "available" is the most important part of that? On 25/06/16 09:27, Adam Young wrote: A coworker and I have both had trouble recovering from failed overcloud deploys. I've wiped out whatever data I can, but, even with nothing i

[openstack-dev] [Heat] Tripleo holding on to old, bad data

2016-06-24 Thread Adam Young
A coworker and I have both had trouble recovering from failed overcloud deploys. I've wiped out whatever data I can, but, even with nothing in the Heat Database, doing an openstack overcloud deploy seems to be looking for a specific Nova server by UUID: heat resource-show

Re: [openstack-dev] [Tripleo] X509 Management

2016-06-21 Thread Adam Young
of the service's profiles (the puppet manifests) I'm setting up the tracking of the certificates with the certmonger's puppet manifest. BR On Tue, Jun 21, 2016 at 5:39 PM, Adam Young <ayo...@redhat.com <mailto:ayo...@redhat.com>> wrote: When deploying the overcloud with TLS,

Re: [Openstack-operators] [Glance] Default policy in policy.json

2016-06-21 Thread Adam Young
On 06/20/2016 10:09 PM, Michael Richardson wrote: On Fri, 17 Jun 2016 16:27:54 + Also, which would be preferred, "role:admin" or "!"? Brian points out on [1] that "!" would, in effect, notify the admins that a policy is not defined, as they would be unable to perform the action themselves.

Re: [Openstack] Devstack Auth Error in Neutron

2016-06-21 Thread Adam Young
On 06/17/2016 08:03 AM, Mohan Kumar wrote: Karun, please check whether the q-svc (neutron) service is running or not! The error complains that the keystone URL is not reachable to authenticate; IP 192.168.202.130 should be reachable and the keystone service should be active. Maybe you can rerun devstack if

Re: [openstack-dev] [nova] I'm going to expire open bug reports older than 18 months.

2016-06-21 Thread Adam Young
On 06/21/2016 08:43 AM, Markus Zoeller wrote: A reminder that this will happen in ~2 weeks. Please note that you can spare bug reports if you leave a comment there which says one of these (case-sensitive flags): * CONFIRMED FOR: NEWTON * CONFIRMED FOR: MITAKA * CONFIRMED FOR: LIBERTY On

Re: [openstack-dev] [Tripleo] X509 Management

2016-06-21 Thread Adam Young
On 06/21/2016 11:26 AM, John Dennis wrote: On 06/21/2016 10:55 AM, Ian Cordasco wrote: -Original Message- From: Adam Young <ayo...@redhat.com> Reply: OpenStack Development Mailing List (not for usage questions) <openstack-dev@lists.openstack.org> Date: June 21, 2016

[openstack-dev] [Tripleo] X509 Management

2016-06-21 Thread Adam Young
When deploying the overcloud with TLS, the current "no additional technology" approach is to use openssl and self-signed certificates. While this works for a proof of concept, it does not make sense if the users need to access the resources from remote systems. It seems to me that the undercloud, as the

Re: [openstack-dev] [keystone][security] Service User Permissions

2016-06-19 Thread Adam Young
ec as there will be a lot of details to figure out if we go forward. It is also fairly rough but it should convey the point. Thanks Jamie On 3 June 2016 at 03:06, Shawn McKinney <smckin...@symas.com <mailto:smckin...@symas.com>> wrote: > On Jun 2, 2016, at 10:58 AM, Adam

Re: [Openstack-operators] [keystone] Federation, domain mappings and v3 policy.json

2016-06-13 Thread Adam Young
On 06/13/2016 07:08 PM, Marc Heckmann wrote: Hi, I currently have a lab setup using SAML2 federation with Microsoft ADFS. The federation part itself works wonderfully. However, I'm also trying to use the new project as domains feature along with the Keystone v3 sample policy.json file for

Re: [openstack-dev] [keystone]trusts with federated users

2016-06-07 Thread Adam Young
On 06/07/2016 10:28 AM, Gyorgy Szombathelyi wrote: Hi! As an OIDC user, tried to play with Heat and Murano recently. They usually fail with a trust creation error, noticing that keystone cannot find the _member_ role while creating the trust. Hmmm...that should not be the case. The user in

Re: [openstack-dev] [keystone] Changing the project name uniqueness constraint

2016-06-02 Thread Adam Young
On 06/02/2016 07:22 PM, Henry Nash wrote: Hi As you know, I have been working on specs that change the way we handle the uniqueness of project names in Newton. The goal of this is to better support project hierarchies, which as they stand today are restrictive in that all project names

Re: [openstack-dev] [keystone][security] Service User Permissions

2016-06-02 Thread Adam Young
On 06/02/2016 11:36 AM, Shawn McKinney wrote: On Jun 2, 2016, at 10:03 AM, Adam Young <ayo...@redhat.com> wrote: To do all of this right, however, requires a degree of introspection that we do not have in OpenStack. Trove needs to ask Nova "I want to do X, what rol

Re: [openstack-dev] [keystone][security] Service User Permissions

2016-06-02 Thread Adam Young
On 06/02/2016 01:23 AM, Jamie Lennox wrote: Hi All, I'd like to bring to the attention of the wider security groups and OpenStack users the Service Users Permissions [1] spec currently proposed against keystonemiddleware. To summarize quickly OpenStack has long had the problem of token

Re: [openstack-dev] [keystone] Who is going to fix the broken non-voting tests?

2016-05-27 Thread Adam Young
6 at 5:48 PM, Steve Martinelli <s.martine...@gmail.com <mailto:s.martine...@gmail.com>> wrote: On Thu, May 26, 2016 at 12:59 PM, Adam Young <ayo...@redhat.com <mailto:ayo...@redhat.com>> wrote: On 05/26/2016 11:36 AM, Morgan Fainberg wrote:

Re: [openstack-dev] [keystone] Who is going to fix the broken non-voting tests?

2016-05-26 Thread Adam Young
On 05/26/2016 11:36 AM, Morgan Fainberg wrote: On Thu, May 26, 2016 at 7:55 AM, Adam Young <ayo...@redhat.com <mailto:ayo...@redhat.com>> wrote: Some mix of these three tests is almost always failing: gate-keystone-dsvm-functional-nv FAILURE in 20m 04s (non-voti
