Re: [openstack-dev] [keystone][kubernetes] Webhook PoC for Keystone based Authentication and Authorization for Kubernetes
Morgan, Awesome! when there's some momentum, we can move it to a public repo -- Dims On Wed, Aug 9, 2017 at 12:26 AM, Morgan Fainberg <morgan.fainb...@gmail.com> wrote: > I shall take a look at the webhooks and see if I can help on this front. > > --Morgan > > On Tue, Aug 8, 2017 at 6:34 PM, joehuang <joehu...@huawei.com> wrote: >> Dims, >> >> Integration of keystone and kubernetes is very cool and in high demand. >> Thank you very much. >> >> Best Regards >> Chaoyi Huang (joehuang) >> >> >> From: Davanum Srinivas [dava...@gmail.com] >> Sent: 01 August 2017 18:03 >> To: kubernetes-sig-openst...@googlegroups.com; OpenStack Development Mailing >> List (not for usage questions) >> Subject: [openstack-dev] [keystone][kubernetes] Webhook PoC for Keystone >> based Authentication and Authorization for Kubernetes >> >> Team, >> >> Having waded through the last 4 attempts as seen in kubernetes PR(s) >> and Issues and talked to a few people on SIG-OpenStack slack channel, >> the consensus was that we should use the Webhook mechanism to >> integrate Keystone and Kubernetes. >> >> Here's the experiment : https://github.com/dims/k8s-keystone-auth >> >> Anyone interested in working on / helping with this? Do we want to >> create a repo somewhere official? >> >> Thanks, >> Dims >> >> -- >> Davanum Srinivas :: https://twitter.com/dims >> >> __ >> OpenStack Development Mailing List (not for usage questions) >> Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe >> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev >> >> __ >> OpenStack Development Mailing List (not for usage questions) >> Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe >> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev > > -- > You received this message because you are subscribed to the Google Groups > "kubernetes-sig-openstack" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to kubernetes-sig-openstack+unsubscr...@googlegroups.com. > To post to this group, send email to > kubernetes-sig-openst...@googlegroups.com. > To view this discussion on the web visit > https://groups.google.com/d/msgid/kubernetes-sig-openstack/CAGnj6au7sxEssRVEf8d6Ha8ZKHk5sD5-Xayn%2BoV%2B5%3DcuHW4sDQ%40mail.gmail.com. > For more options, visit https://groups.google.com/d/optout. -- Davanum Srinivas :: https://twitter.com/dims __ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
Re: [openstack-dev] [keystone][kubernetes] Webhook PoC for Keystone based Authentication and Authorization for Kubernetes
Joe, If you see the code in the git repo, you will see that we do use "Authorizer interface", so it is possible use the same code as a custom module. Guess you are thinking about a downstream kubernetes distro. Thanks, Dims On Wed, Aug 9, 2017 at 1:21 AM, joehuang <joehu...@huawei.com> wrote: > Except webhook, how about custom module(call keystone API directly from > custom module) for authorization? ( > https://kubernetes.io/docs/admin/authorization/#custom-modules ) > > Webhook: > Pros.: http calling, loose coupling, more flexible configuration. > Cons.: Degraded performance, one more hop > custom module: > Pros.: direct function call, better performance, less process to > maintain. > Cons.: coupling, built-in module. > > Best Regards > Chaoyi Huang (joehuang) > > > From: Morgan Fainberg [morgan.fainb...@gmail.com] > Sent: 09 August 2017 12:26 > To: OpenStack Development Mailing List (not for usage questions) > Cc: kubernetes-sig-openst...@googlegroups.com > Subject: Re: [openstack-dev] [keystone][kubernetes] Webhook PoC for Keystone > based Authentication and Authorization for Kubernetes > > I shall take a look at the webhooks and see if I can help on this front. > > --Morgan > > On Tue, Aug 8, 2017 at 6:34 PM, joehuang <joehu...@huawei.com> wrote: >> Dims, >> >> Integration of keystone and kubernetes is very cool and in high demand. >> Thank you very much. >> >> Best Regards >> Chaoyi Huang (joehuang) >> >> >> From: Davanum Srinivas [dava...@gmail.com] >> Sent: 01 August 2017 18:03 >> To: kubernetes-sig-openst...@googlegroups.com; OpenStack Development Mailing >> List (not for usage questions) >> Subject: [openstack-dev] [keystone][kubernetes] Webhook PoC for Keystone >> based Authentication and Authorization for Kubernetes >> >> Team, >> >> Having waded through the last 4 attempts as seen in kubernetes PR(s) >> and Issues and talked to a few people on SIG-OpenStack slack channel, >> the consensus was that we should use the Webhook mechanism to >> integrate Keystone and Kubernetes. >> >> Here's the experiment : https://github.com/dims/k8s-keystone-auth >> >> Anyone interested in working on / helping with this? Do we want to >> create a repo somewhere official? >> >> Thanks, >> Dims >> >> -- >> Davanum Srinivas :: https://twitter.com/dims >> >> __ >> OpenStack Development Mailing List (not for usage questions) >> Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe >> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev >> >> __ >> OpenStack Development Mailing List (not for usage questions) >> Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe >> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev > > __ > OpenStack Development Mailing List (not for usage questions) > Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev > > __ > OpenStack Development Mailing List (not for usage questions) > Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev -- Davanum Srinivas :: https://twitter.com/dims __ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
Re: [openstack-dev] [keystone][kubernetes] Webhook PoC for Keystone based Authentication and Authorization for Kubernetes
Down that path lies tears. :/ From: joehuang [joehu...@huawei.com] Sent: Tuesday, August 08, 2017 10:21 PM To: OpenStack Development Mailing List (not for usage questions) Cc: kubernetes-sig-openst...@googlegroups.com Subject: Re: [openstack-dev] [keystone][kubernetes] Webhook PoC for Keystone based Authentication and Authorization for Kubernetes Except webhook, how about custom module(call keystone API directly from custom module) for authorization? ( https://kubernetes.io/docs/admin/authorization/#custom-modules ) Webhook: Pros.: http calling, loose coupling, more flexible configuration. Cons.: Degraded performance, one more hop custom module: Pros.: direct function call, better performance, less process to maintain. Cons.: coupling, built-in module. Best Regards Chaoyi Huang (joehuang) From: Morgan Fainberg [morgan.fainb...@gmail.com] Sent: 09 August 2017 12:26 To: OpenStack Development Mailing List (not for usage questions) Cc: kubernetes-sig-openst...@googlegroups.com Subject: Re: [openstack-dev] [keystone][kubernetes] Webhook PoC for Keystone based Authentication and Authorization for Kubernetes I shall take a look at the webhooks and see if I can help on this front. --Morgan On Tue, Aug 8, 2017 at 6:34 PM, joehuang <joehu...@huawei.com> wrote: > Dims, > > Integration of keystone and kubernetes is very cool and in high demand. Thank > you very much. > > Best Regards > Chaoyi Huang (joehuang) > > > From: Davanum Srinivas [dava...@gmail.com] > Sent: 01 August 2017 18:03 > To: kubernetes-sig-openst...@googlegroups.com; OpenStack Development Mailing > List (not for usage questions) > Subject: [openstack-dev] [keystone][kubernetes] Webhook PoC for Keystone > based Authentication and Authorization for Kubernetes > > Team, > > Having waded through the last 4 attempts as seen in kubernetes PR(s) > and Issues and talked to a few people on SIG-OpenStack slack channel, > the consensus was that we should use the Webhook mechanism to > integrate Keystone and Kubernetes. > > Here's the experiment : https://github.com/dims/k8s-keystone-auth > > Anyone interested in working on / helping with this? Do we want to > create a repo somewhere official? > > Thanks, > Dims > > -- > Davanum Srinivas :: https://twitter.com/dims > > __ > OpenStack Development Mailing List (not for usage questions) > Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev > > __ > OpenStack Development Mailing List (not for usage questions) > Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev __ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev __ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev __ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
Re: [openstack-dev] [keystone][kubernetes] Webhook PoC for Keystone based Authentication and Authorization for Kubernetes
Except webhook, how about custom module(call keystone API directly from custom module) for authorization? ( https://kubernetes.io/docs/admin/authorization/#custom-modules ) Webhook: Pros.: http calling, loose coupling, more flexible configuration. Cons.: Degraded performance, one more hop custom module: Pros.: direct function call, better performance, less process to maintain. Cons.: coupling, built-in module. Best Regards Chaoyi Huang (joehuang) From: Morgan Fainberg [morgan.fainb...@gmail.com] Sent: 09 August 2017 12:26 To: OpenStack Development Mailing List (not for usage questions) Cc: kubernetes-sig-openst...@googlegroups.com Subject: Re: [openstack-dev] [keystone][kubernetes] Webhook PoC for Keystone based Authentication and Authorization for Kubernetes I shall take a look at the webhooks and see if I can help on this front. --Morgan On Tue, Aug 8, 2017 at 6:34 PM, joehuang <joehu...@huawei.com> wrote: > Dims, > > Integration of keystone and kubernetes is very cool and in high demand. Thank > you very much. > > Best Regards > Chaoyi Huang (joehuang) > > > From: Davanum Srinivas [dava...@gmail.com] > Sent: 01 August 2017 18:03 > To: kubernetes-sig-openst...@googlegroups.com; OpenStack Development Mailing > List (not for usage questions) > Subject: [openstack-dev] [keystone][kubernetes] Webhook PoC for Keystone > based Authentication and Authorization for Kubernetes > > Team, > > Having waded through the last 4 attempts as seen in kubernetes PR(s) > and Issues and talked to a few people on SIG-OpenStack slack channel, > the consensus was that we should use the Webhook mechanism to > integrate Keystone and Kubernetes. > > Here's the experiment : https://github.com/dims/k8s-keystone-auth > > Anyone interested in working on / helping with this? Do we want to > create a repo somewhere official? > > Thanks, > Dims > > -- > Davanum Srinivas :: https://twitter.com/dims > > __ > OpenStack Development Mailing List (not for usage questions) > Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev > > __ > OpenStack Development Mailing List (not for usage questions) > Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev __ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev __ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
Re: [openstack-dev] [keystone][kubernetes] Webhook PoC for Keystone based Authentication and Authorization for Kubernetes
I shall take a look at the webhooks and see if I can help on this front. --Morgan On Tue, Aug 8, 2017 at 6:34 PM, joehuang <joehu...@huawei.com> wrote: > Dims, > > Integration of keystone and kubernetes is very cool and in high demand. Thank > you very much. > > Best Regards > Chaoyi Huang (joehuang) > > > From: Davanum Srinivas [dava...@gmail.com] > Sent: 01 August 2017 18:03 > To: kubernetes-sig-openst...@googlegroups.com; OpenStack Development Mailing > List (not for usage questions) > Subject: [openstack-dev] [keystone][kubernetes] Webhook PoC for Keystone > based Authentication and Authorization for Kubernetes > > Team, > > Having waded through the last 4 attempts as seen in kubernetes PR(s) > and Issues and talked to a few people on SIG-OpenStack slack channel, > the consensus was that we should use the Webhook mechanism to > integrate Keystone and Kubernetes. > > Here's the experiment : https://github.com/dims/k8s-keystone-auth > > Anyone interested in working on / helping with this? Do we want to > create a repo somewhere official? > > Thanks, > Dims > > -- > Davanum Srinivas :: https://twitter.com/dims > > __ > OpenStack Development Mailing List (not for usage questions) > Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev > > __ > OpenStack Development Mailing List (not for usage questions) > Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev __ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
Re: [openstack-dev] [keystone][kubernetes] Webhook PoC for Keystone based Authentication and Authorization for Kubernetes
Dims, Integration of keystone and kubernetes is very cool and in high demand. Thank you very much. Best Regards Chaoyi Huang (joehuang) From: Davanum Srinivas [dava...@gmail.com] Sent: 01 August 2017 18:03 To: kubernetes-sig-openst...@googlegroups.com; OpenStack Development Mailing List (not for usage questions) Subject: [openstack-dev] [keystone][kubernetes] Webhook PoC for Keystone based Authentication and Authorization for Kubernetes Team, Having waded through the last 4 attempts as seen in kubernetes PR(s) and Issues and talked to a few people on SIG-OpenStack slack channel, the consensus was that we should use the Webhook mechanism to integrate Keystone and Kubernetes. Here's the experiment : https://github.com/dims/k8s-keystone-auth Anyone interested in working on / helping with this? Do we want to create a repo somewhere official? Thanks, Dims -- Davanum Srinivas :: https://twitter.com/dims __ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev __ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
Re: [openstack-dev] [keystone][kubernetes] Webhook PoC for Keystone based Authentication and Authorization for Kubernetes
Cool. Which keystone version is supported? v2.0 or v3? or both? 在 2017年8月1日星期二 UTC+8下午6:03:10,Davanum Srinivas写道: > > Team, > > Having waded through the last 4 attempts as seen in kubernetes PR(s) > and Issues and talked to a few people on SIG-OpenStack slack channel, > the consensus was that we should use the Webhook mechanism to > integrate Keystone and Kubernetes. > > Here's the experiment : https://github.com/dims/k8s-keystone-auth > > Anyone interested in working on / helping with this? Do we want to > create a repo somewhere official? > > Thanks, > Dims > > -- > Davanum Srinivas :: https://twitter.com/dims > __ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
[openstack-dev] [keystone][kubernetes] Webhook PoC for Keystone based Authentication and Authorization for Kubernetes
Team, Having waded through the last 4 attempts as seen in kubernetes PR(s) and Issues and talked to a few people on SIG-OpenStack slack channel, the consensus was that we should use the Webhook mechanism to integrate Keystone and Kubernetes. Here's the experiment : https://github.com/dims/k8s-keystone-auth Anyone interested in working on / helping with this? Do we want to create a repo somewhere official? Thanks, Dims -- Davanum Srinivas :: https://twitter.com/dims __ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev