python-keystoneclient v0.3.0 has been released to pypi [1].
Bug fixes [2] since v0.2.5 include two security vulnerabilities [3]
[4] related to keystoneclient.middleware.auth_token's handling of signing
encryption for memcache.
This release also includes support for Identity API v3 [5] auth and
On Tue, Jun 11, 2013 at 4:46 PM, Farhan Patwa farhan.pa...@utsa.edu wrote:
Hi all,
I am just trying to understand the motivation behind creations API
versions and how that ties in to a release content.
As per listed documentation (
at 12:33 PM, Dolph Mathews dolph.math...@gmail.comwrote:
python-keystoneclient 0.2.4 is primarily a security bug fix release [1]
and is now available on pypi [2].
A few highlights concerning the auth_token middleware:
- Expired PKI tokens are now rejected [3]
- PKI token revocations lists
python-keystoneclient 0.2.4 is primarily a security bug fix release [1]
and is now available on pypi [2].
A few highlights concerning the auth_token middleware:
- Expired PKI tokens are now rejected [3]
- PKI token revocations lists are now cached using a configurable
expiration
Apologies, none of these configuration settings were documented in
etc/keystone.conf.sample. The last one is the one that controls this
behavior.
[DEFAULT]
# enforced by sizelimit middleware
(keystone.middleware:RequestBodySizeLimiter)
max_request_body_size = 114688
# limit the sizes of
The SERVICE_TOKEN is not a password; it should either be a valid token
that you've generated using credentials + keystone token-get, or the value
of keystone.conf's static admin_token option. I'm not familiar with x.sh so
I don't know if you should remove SERVICE_* env vars or the OS_* ones, but
It looks like cinderclient is authenticating successfully with keystone,
and something unexpected is happening at the cinder endpoint.
I'd suggest trying to replay cinderclient's request using something like
curl to perhaps provide more insight into what's actually going on.
# curl
You can't bypass authentication with, say, keystone.conf admin_token and
get a catalog. A catalog is produced as the result of authentication. Run
the client with a set of credentials (user, password, tenant, auth URL) and
you'll be able to get a catalog, and glanceclient will probably work as
I imagine that you need to start quantum by running *quantum-server*
-Dolph
On Wed, May 1, 2013 at 10:18 AM, Molnár Mihály László lacik...@gmail.comwrote:
hi all!
I just installed Grizzly following this:
The JSON approach is rather arbitrary; keystone has an API to manage
publish policy blobs of any format (/v3/policies), and the policy engines
themselves are completely pluggable. I don't think there's anything
preventing a deployment from implementing an XACML based policy solution
(if there is
What happens when you run keystone-all directly?
-Dolph
On Wed, Apr 24, 2013 at 4:23 PM, Viktor Viking
viktor.viking...@gmail.comwrote:
Community,
I am trying to install Keystone Grizzly following these instructions:
Yes, we've had a few small conversations about it at the summit (don't have
an actual session scheduled on the issue, though, nor any registered
blueprints). It would be my preferred approach to resolve bugs like this
one, which is one of our longest standing and highest priority issues.
keystone.conf [TOKEN]
token_format (PKI is the default).
On Saturday, April 13, 2013, Daniel Ellison wrote:
On 2013-04-13, at 5:24 PM, Dolph Mathews
dolph.math...@gmail.comjavascript:;
wrote:
Hmm, well it looks like you already have debug enabled, which is
indicating that the username
It looks like you're doing everything correctly, except OS_PASSWORD is
*NOT* the same thing as the static admin_token in keystone.conf.
Passwords are user-specific attributes created using the --pass argument on
user-create for example. You may have set it to be the same as
keystone.conf's
There's a backslash in your endpoints and a stray closing paren at the end:
http://192.168.122.215:8776/v1/$(tenant_id)s)
Keystone supports two formats here so you don't have to try and escape
anything. Recreate your endpoints with whichever one of the following you
prefer:
An OS_SERVICE_ENDPOINT and/or OS_SERVICE_TOKEN are defined in your
environment, and are taking precedence over the credentials you're
providing on the command line -- I'm not a fan of this behavior myself :(
unset the endpoint token from env, and token-get should behave as
expected.
-Dolph
On
I'm attempting to reproduce this now (haven't been successful with PKI +
sqlite on disk), but in the meantime I opened a bug on this issue for
tracking:
https://bugs.launchpad.net/keystone/+bug/1162845
-Dolph
On Fri, Mar 29, 2013 at 1:35 PM, Miller, Mark M (EB SW Cloud - RD -
Corvallis)
I also opened bug 1162857, which produces a slightly different symptom with
a different configuration (sqlite), but may share the same underlying cause.
-Dolph
On Mon, Apr 1, 2013 at 10:26 AM, Dolph Mathews dolph.math...@gmail.comwrote:
I'm attempting to reproduce this now (haven't been
Mark,
Which token driver are you using?
-Dolph
On Mon, Apr 1, 2013 at 10:49 AM, Dolph Mathews dolph.math...@gmail.comwrote:
I also opened bug 1162857, which produces a slightly different symptom
with a different configuration (sqlite), but may share the same underlying
cause.
-Dolph
for either UUID or PKI tokens.
** **
Mark
** **
*From:* Dolph Mathews [mailto:dolph.math...@gmail.com]
*Sent:* Monday, April 01, 2013 11:56 AM
*To:* Miller, Mark M (EB SW Cloud - RD - Corvallis)
*Cc:* openstack@lists.launchpad.net
*Subject:* Re: [Openstack] Keystone Too Many
It wasn't proposed for backporting nor did jenkins link the bug to the
review:
Review: https://review.openstack.org/#/c/24965/
Bug: https://bugs.launchpad.net/keystone/+bug/1159987
Commit:
https://github.com/openstack/keystone/commit/2f0c46179ea2eb7872167941412bdbd5abca08f0
I tagged the bug as
Centralized quotas in keystone: http://summit.openstack.org/cfp/details/83
-Dolph
On Wed, Mar 27, 2013 at 6:46 AM, Tom Fifield fifie...@unimelb.edu.auwrote:
On 24/03/13 23:36, Tim Bell wrote:
The Boson project was looking at this sort of problem
What is the protocol of your sql connection string in keystone.conf?
mysql+mysqldb:// ? If so, try changing it to just mysql:// which I think
will match what python-mysql installs.
http://docs.sqlalchemy.org/en/rel_0_7/core/engines.html#database-urls
-Dolph
On Tue, Mar 19, 2013 at 6:17 PM,
Make sure that the certs created by pki_setup are readable by the user
running keystone-all
-Dolph
On Tue, Mar 19, 2013 at 12:19 PM, Abhishek Chanda
abhishek.li...@gmail.comwrote:
I actually did that and when I ran keystone-all again, I got the same
error. The console log in my first mail
Glad you got it resolved, but can you file a bug on pki_setup not
generating SSL certs? I don't believe I've seen that issue.
https://bugs.launchpad.net/keystone
Thanks!
-Dolph
On Thu, Mar 14, 2013 at 4:58 PM, Miller, Mark M (EB SW Cloud - RD -
Corvallis) mark.m.mil...@hp.com wrote:
Looks
**Ideally** you would provide unversioned endpoints for all services, e.g.:
http://keystone:35357/ instead of http://keystone:35357/v2.0/
... and the client would work out what versions are supported and select a
preferred version automatically.
However, we're not quite there yet. I can't
That's exactly our goal, but I'm not sure that corresponding well-tested
policy.json changes will land in time for Grizzly (also not sure if there
would be any other supporting changes required).
Adding Brant as he specifically was investigating the same possibility in
Grizzly.
-Dolph
On Tue,
In designing the API, the goal was to simply store policy.json files (or
any future iterations of it) in any format as a blob in a centralized
location (keystone) that could be retrieved by remote services. While
discussing the design, it spawned a lot of great questions about how to map
policies
The v3 API is largely abstracted from other services (horizon being a major
exception) using keystoneclient.middleware.auth_token, which is being
revised here [1] and here [2].
Because the clients do not necessarily follow the same release schedule as
the services, we've obviously been focused on
answer. I really appreciate it.
** **
Are you saying then, that I configure nova (for example) to use v3
middleware, I should be able to call nova with a v3 token and this token
will get validated?
** **
Glaucimar Aguiar
** **
** **
*From:* Dolph Mathews [mailto:dolph.math
This appears to be a valid bug -- we were concerned with v2-v3
token interop when v3 auth merged, but I thought we had ironed out the
kinks (we have several related tests in tests/test_v3_auth.py for this
reason). I targeted the bug at RC1 as we need to have this fixed for v3 to
be useful in
Just opened a bug to track the public_port string vs integer issue, with a
fix in review:
https://bugs.launchpad.net/bugs/1147842
-Dolph
On Tue, Mar 5, 2013 at 3:28 PM, Brad Knowles bknow...@momentumsi.comwrote:
On Mar 5, 2013, at 3:21 PM, Miller, Mark M (EB SW Cloud - RD -
Corvallis)
On Tue, Mar 5, 2013 at 5:28 PM, Brad Knowles bknow...@momentumsi.comwrote:
On Mar 5, 2013, at 5:20 PM, Matt Joyce matt.jo...@cloudscaling.com
wrote:
check in horizon and see if you can follow inside of a stack trace
there. you can see if any of the context's from the wsgi queries is seeing
That's correct. Right now, all endpoints registered in keystone are
returned to all users, regardless of whether they actually have any sort of
authorization on those endpoints.
I suspect we'll be having a planning session at the design summit on this
topic -- I'd be helpful to better understand
search:
dn=ou=Users,ou=OpenStack,dc=acm,dc=jhu,dc=edu, *scope=1*,
query=(objectClass=inetOrgPerson)
Unless I'm reading that very wrong, my scope search request is being
ignored. Time to dive into the code, I suppose.
Steve
On 03/04/2013 10:15 AM, Dolph Mathews wrote:
I'd suggest enabling
bookmarked. In any case, maybe explicitly marking trunk docs as
newer-than-latest would help?
(
http://docs.openstack.org/trunk/openstack-compute/admin/content/reference-for-ldap-config-options.html)
On 03/04/2013 05:09 PM, Dolph Mathews wrote:
Yes, this feature just landed during grizzly
I believe they should certainly be treated as public API's -- just like any
other library. I'd also treat them as stable if they've ever been included
in a versioned release. That said, I'm sure it would be easy to find
examples of methods attributes within the library that are not intended
to be
+1; keystoneclient is not deprecated nor has openstackclient been abandoned.
The responsibility of implementing a CLI is simply being handed off to
openstackclient. Using 'keystone' on the CLI will therefore be deprecated
at some point in favor of using 'openstack'.
-Dolph
On Fri, Mar 1, 2013
I'm not aware that keystone is capable of raising a 503 Service
Unavailable... are you running through a proxy? If so, I assume there's an
issue with it's configuration.
-Dolph
On Wed, Feb 27, 2013 at 8:27 AM, Tomáš Šoltys tomas.sol...@gmail.comwrote:
Hi,
Yes, the service is running and
Meant to reply on-list.
-Dolph
On Tue, Feb 26, 2013 at 2:39 PM, Dolph Mathews dolph.math...@gmail.comwrote:
Thanks for the feedback; cc'ing Adam Young. I raised a bug to track the
issue: https://bugs.launchpad.net/keystone/+bug/1133608
-Dolph
On Tue, Feb 26, 2013 at 2:24 PM, Miller
As of Grizzly, the introduction of domains into OpenStack won't have any
impact on the rest of the deployment (AFAIK). Rather, the impact
is currently isolated to keystone and their use is effectively optional
(out of the box, keystone creates a single domain for you to work with --
the 'default'
+1
However, I'm curious as to what makes it too long, or what's not working.
Can you provide an example?
-Dolph
On Sat, Feb 23, 2013 at 12:33 PM, Anne Gentle a...@openstack.org wrote:
I believe this is due to a change in default for grizzly-- token_format
defaults to PKI instead of UUID in
Setting the admin_token config is overriding the admin_user,
admin_password, and admin_tenant_name values by specifying a static token.
I'd recommend removing it and using the auth credentials you've already
provided.
-Dolph
On Thu, Feb 21, 2013 at 3:10 AM, Kun Huang academicgar...@gmail.com
On Mon, Feb 18, 2013 at 9:59 AM, pat p...@xvalheru.org wrote:
Hello,
Sorry to disturb, but I have some questions regarding keystone middleware.
Some introduction to problem: I need to integrate OpenStack to our existing
infrastructure where all systems are integrated on REST and Web level
On Mon, Feb 11, 2013 at 8:02 AM, Mballo Cherif cherif.mba...@gemalto.comwrote:
Hi everybody !
I need help for keystone user/password authentication with horizon.
**1) **When I try to authenticate with my credential
(login/password) In horizon dashboard, I have this message
As for the client-side implementation, keystoneclient supports v3 as a
python library, whereas the CLI is being exposed in a different project (by
consuming keystoneclient):
https://github.com/openstack/python-openstackclient
-Dolph
On Mon, Feb 11, 2013 at 11:08 AM, Miller, Mark M (EB SW Cloud
use the client from Horizon.
** **
Regards,
** **
Mark Miller
** **
** **
*From:* Dolph Mathews [mailto:dolph.math...@gmail.com]
*Sent:* Monday, February 11, 2013 1:09 PM
*To:* Miller, Mark M (EB SW Cloud - RD - Corvallis)
*Subject:* Re: [Openstack] keystone question
Adam Young is working on introducing delegation in grizzly:
https://blueprints.launchpad.net/keystone/+spec/trusts
I'm sure he'd appreciate some help if you'd like to contribute!
-Dolph
On Wed, Feb 6, 2013 at 8:54 AM, Mballo Cherif cherif.mba...@gemalto.comwrote:
Hi everybody !
I am
If you hit keystone's root endpoint you should also get a list of versions
in the response -- today that only includes /v2.0/
# curl http://127.0.0.1:5000/ http://127.0.0.1:5000/v2.0/
-Dolph
On Mon, Jan 28, 2013 at 3:07 AM, Ajiva Fan aji.zq...@gmail.com wrote:
hello everyone,
i'm
I've seen this question come up a couple times now; this error handling
here needs to be improved with a decent error message.
I opened a bug on the issue:
https://bugs.launchpad.net/keystone/+bug/1103569
-Dolph
On Wed, Jan 23, 2013 at 11:04 AM, Adam Young ayo...@redhat.com wrote:
On
Grab a copy of the sample configuration file:
https://github.com/openstack/keystone/blob/master/etc/keystone.conf.sample
On Tuesday, January 15, 2013, Mballo Cherif wrote:
Hi everybody, I need help!
I was trying to install Openstack Keystone standalone on a Ubuntu 12.04
machine using
If memcache is being utilized by your keystone middleware, you should see
keystone attaching to it on the first incoming request, e.g.:
keystoneclient.middleware.auth_token [INFO]: Using Keystone memcache for
caching token
You may also want to use auth_token from keystoneclient = v0.2.0 if
The fix was made to keystoneclient, so it does not require backporting. You
can use the latest keystoneclient with either diablo, Essex or Folsom.
-Dolph
On Thursday, January 10, 2013, Matthias Runge wrote:
On 01/10/2013 01:33 PM, JuanFra Rodriguez Cardoso wrote:
Hi guys!
Do you know if
Are you still seeing EndpointNotFound's on the latest version of
keystoneclient? Even without a fix, it was simply a condition that didn't
need to be logged (especially as an error).
-Dolph
On Thu, Jan 10, 2013 at 8:07 PM, Sina Sadeghi s...@aptira.com wrote:
Guys this is a bug I have been
(raising to the mailing list)
Which DB2 driver are you using? I was referring to:
http://code.google.com/p/ibm-db/wiki/README
... which shows an example connection string for sqlalchemy as:
db2 = sqlalchemy.create_engine('ibm_db_sa://
db2inst1:sec...@host.name.com:5/pydev')
-Dolph
On
Make sure you're specifying a tenant (e.g. OS_TENANT_NAME) in order to
receive authorization (e.g. the admin role) to perform nova list. You can
debug the authn/authz process using keystone token-get (this doc is for
folsom, but should work for essex, although the arguments may have changed,
check
I'd first suggesting looking for an existing PHP binding (I'm not aware of
one).
You can also simply try keystone tenant-create and emulate it's request
if that's all you need. I's implementation is here:
+1; if it doesn't work, it's a bug.
-Dolph
On Tue, Dec 11, 2012 at 4:32 PM, Matt Joyce matt.jo...@cloudscaling.comwrote:
My guess would be that it would work. The keystone API hasn't changed
massively between essex and folsom.
I have not tested.
But I am fairly confident it would work
The arguments for the commands you need vary a bit by release, but for
interactive help, use:
$ keystone help role-create
$ keystone help tenant-create
$ keystone help user-create
$ keystone help user-role-add
In the latest release of keystoneclient, also try:
$ keystone help bootstrap
...
Neither have I.
-Dolph
On Mon, Dec 3, 2012 at 1:25 PM, heckj he...@mac.com wrote:
I haven't heard any demand for it -
- joe
On Dec 3, 2012, at 11:13 AM, Adam Young ayo...@redhat.com wrote:
Right now, only the Identity submodule has an LDAP backend. This is
user, tenants, and roles.
, Dolph Mathews wrote:
Without belongsTo, you can still validate the tenant scope client-side, so
it's a bit redundant.
Not sure what you mean. Can you be more specific?
However, if you're making a HEAD call to validate the token, you obviously
need the server to do that additional validation
Without belongsTo, you can still validate the tenant scope client-side, so
it's a bit redundant. However, if you're making a HEAD call to validate the
token, you obviously need the server to do that additional validation for
you.
-Dolph
On Thu, Nov 15, 2012 at 8:20 AM, Jorge Williams
We just fixed a similar issue in keystoneclient -- what release is this
running against?
https://bugs.launchpad.net/python-keystoneclient/+bug/1074784
https://review.openstack.org/#/c/15410/
-Dolph
On Thu, Nov 8, 2012 at 5:46 AM, Robert van Leeuwen
robert.vanleeu...@spilgames.com wrote:
The ID's generated by keystone are implemented using random UUID's for
exactly this use case.
-Dolph
On Sat, Nov 3, 2012 at 11:49 PM, Salman A Baset saba...@us.ibm.com wrote:
Hello folks,
Suppose there is a single BSS managing multiple data centers, each running
independent OpenStack OSS.
in the install document, setting up glance, nova, etc.?
Regards,
Ahmed.
From: Dolph Mathews dolph.math...@gmail.com
Date: Wednesday, October 31, 2012 9:44 AM
To: Ahmed Al-Mehdi ah...@coraid.com
Cc: openstack@lists.launchpad.net openstack@lists.launchpad.net
Subject: Re: [Openstack] Verification
With regard to keystone, the current policy implementation is entirely
binary in that a role may either have total control over keystone or none.
The implementation in Grizzly is much more granular.
-Dolph
On Wed, Oct 31, 2012 at 2:35 PM, Guillermo Alvarado
guillermoalvarad...@gmail.com wrote:
/962600
Right? Seems like that is still happening :-(
From: Ahmed Al-Mehdi ah...@coraid.com
Date: Wednesday, October 31, 2012 1:15 PM
To: Dolph Mathews dolph.math...@gmail.com
Cc: Joseph Heck joe.h...@nebula.com, openstack@lists.launchpad.net
openstack@lists.launchpad.net
Subject: Re
modify the permissions
related with nova/glance/swifth of the differents roles. I doubt is if
horizon know wich template can view each user...
2012/10/31 Dolph Mathews dolph.math...@gmail.com
With regard to keystone, the current policy implementation is entirely
binary in that a role may
.
On Oct 26, 2012, at 5:18 AM, Dolph Mathews dolph.math...@gmail.com
wrote:
I think this discussion would be great for both mailing lists.
-Dolph
On Fri, Oct 26, 2012 at 5:18 AM, Henry Nash henry.n...@mac.com wrote:***
*
Hi
It's hard to say without docs, as the openstack.identity.endpoint shown
there is just throwing errors for me, and the openstack.endpoint is raising
401.
However, the port used for the identity endpoint is typically used for the
administrative/management identity endpoint (keystone), and the
Thanks for the feedback! I opened a bug report to track this issue:
https://bugs.launchpad.net/openstack-manuals/+bug/1071921
-Dolph
On Fri, Oct 26, 2012 at 4:03 PM, ikke i...@iki.fi wrote:
Hi,
I just went through setting up keystone and glance to fedora 17 with
f18 folsom preview repos
In short, PKI tokens are able to be validated client-side, reducing network
chattiness with keystone, etc.
Although PKI was implemented in Folsom, it wasn't shipped as the default.
Our goal in changing the default now is to flush out any issues as early in
the Grizzly cycle as possible.
If
Sorry for the delayed response; I know I've seen this message before. I
believe it had something to do with endpoints configured in a manner
keystone did not expect. Can you paste the full backtrace from the logs,
and if it appears to be related, your keystone endpoint-list?
-Dolph
On Thu, Oct
I'd like to simplify the scope of sample_data.sh to the absolute bare
minimum (service tenant, admin role, admin user, identity
service/endpoints, etc), and integrate it into keystone-manage as a
'bootstrap' command:
$ keystone-manage bootstrap
-Dolph
On Wed, Oct 10, 2012 at 12:34 PM,
that
command take, a yaml file?
Something similar to
https://github.com/yahoo/Openstack-Anvil/blob/master/conf/templates/keystone/init_what.yaml
maybe,
idk.
From: Dolph Mathews dolph.math...@gmail.com
Date: Wednesday, October 10, 2012 11:13 AM
To: Joshua Harlow harlo...@yahoo-inc.com
Cc: Alan Pevec
|
+--+---+--+--+--+
x.x.x.x refers to my Host address :)
Le 08/10/2012 10:18, Dolph Mathews a écrit :
it seems like it is looking for an endpoint which
, Dolph Mathews dolph.math...@gmail.comwrote:
I find it odd that the document describes two approaches for configuring
keystone -- one being a relatively undocumented, scripted approach not
managed or distributed by OpenStack. Surely these two approaches will
continue to evolve seperately and we'll
endpoint?
-Dolph
On Wed, Oct 3, 2012 at 7:29 PM, Shake Chen shake.c...@gmail.com wrote:
Hi
I also have question about RBAC.
when we can setting the roles permission in Horizon?
On Thu, Oct 4, 2012 at 2:56 AM, Dolph Mathews dolph.math...@rackspace.com
wrote:
(replying on list)
RBAC
authentication.,
title: Not Authorized
}
}
Regards,
Ahmed.
--
*From:* Dolph Mathews [dolph.math...@gmail.com javascript:_e({},
'cvml', 'dolph.math...@gmail.com');]
*Sent:* Tuesday, October 02, 2012 12:12 PM
*To:* Ahmed Al-Mehdi
*Cc:* heckj
.
--
*From:* annegen...@justwriteclick.com [annegen...@justwriteclick.com] On
Behalf Of Anne Gentle [a...@openstack.org]
*Sent:* Tuesday, October 02, 2012 1:26 PM
*To:* Ahmed Al-Mehdi
*Cc:* Dolph Mathews; openstack@lists.launchpad.net
*Subject:* Re: [Openstack] Enabling logging
in Deploy and Install OpenStack -
Red Hat Ubuntu. I will look into the script.
Regards,
Ahmed.
--
*From:* Dolph Mathews [dolph.math...@gmail.com]
*Sent:* Tuesday, October 02, 2012 2:19 PM
*To:* Ahmed Al-Mehdi
*Cc:* heckj; openstack@lists.launchpad.net
*Subject
The environment variables that auth_token sets are documented in the
module's docstring:
https://github.com/openstack/keystone/blob/master/keystone/middleware/auth_token.py
As these variables are the defined interface for any projects consuming
authentication services from middleware, it's safe
The X-Auth-Token is what you get back from the authentication call you're
trying to make -- try removing the header completely. If you're still
getting a 401 error back, either your username or password is wrong, your
tenant name is wrong, or you haven't granted adminUser any role(s) on
It looks like at least one of your endpoints isn't being parsed correctly.
List your endpoints:
keystone --token mytoken --endpoint http://192.168.1.11:35357/v2.0
endpoint-list
... and make sure they all appear as expected (at least one public URL is
wrong, according to the stack trace). Feel
As you're definitely not the first person to run into this problem, I've
opened a bug so that we can improve the error feedback in this scenario:
https://bugs.launchpad.net/keystone/+bug/1058494
-Dolph
On Sat, Sep 29, 2012 at 1:51 AM, Dolph Mathews dolph.math...@gmail.comwrote:
It looks
By default, I believe it shows you your own roles. With a token/endpoint
specified (bypassing auth), it should work if you specify a user tenant:
$ keystone help user-role-list
usage: keystone user-role-list [--user-id user-id] [--tenant-id
tenant-id]
List roles granted to a user
Optional
I'm not sure what's wrong here, but I definitely want to make sure this is
fixed-- just assigned the bug to myself.
-Dolph
On Fri, Sep 21, 2012 at 8:43 AM, Anne Gentle a...@openstack.org wrote:
Hi Boden -
This is a known bug with the way those Keystone dev docs are output.
I'm tracking it
I'm not aware that this was ever implemented during essex (it was available
in diablo) -- definitely worth opening a bug!
-Dolph
On Fri, Sep 21, 2012 at 11:15 AM, boden bo...@linux.vnet.ibm.com wrote:
As per the Keystone v2.0 API docs, I've been trying to use the 'get user
by name' and 'get
-2012-4413
Date: September 12, 2012
Title: Revoking a role does not affect existing tokens
Impact: High
Reporter: Dolph Mathews (Rackspace)
Products: Keystone
Affects: Essex, Folsom
Description:
Dolph Mathews reported a vulnerability in Keystone. Granting and
revoking roles from a user
You thought correct: https://bugs.launchpad.net/keystone/+bug/983304
-Dolph
On Mon, Sep 10, 2012 at 11:32 AM, Adam Young ayo...@redhat.com wrote:
On 09/10/2012 11:29 AM, boden wrote:
I've been munking with the latest Keystone LDAP identity driver and
based on what I'm seeing the driver
pip-requires/test-requires is aimed at developers and is broken up into two
files more-so for documentation/organization purposes.
IMO, including LDAP as a dependency should be solved by real packaging
(e.g. $ apt-get install keystone keystone-ldap).
-Dolph
On Fri, Sep 7, 2012 at 8:30 AM, Adam
Those roles you see in keystone are merely examples, and don't have any
meaning by themselves. You create your own roles in keystone (e.g. $
keystone role-create) and define the associated actions specific to each
service via each service's own policy.json. For example, here's nova's
default
You're looking to provide data redundancy across keystone instances with
varying backend implementations... what's your use case? How would you
orchestrate the synchronization and failover, if any? What's the purpose of
each backend in such a deployment?
-Dolph
On Wed, Aug 29, 2012 at 3:50 AM,
Keystone doesn't return 301's (ever). However, your 301 response headers
show:
Server: BlueCoat-Security-Appliance
I'm guessing that wasn't installed by devstack :)
-Dolph
On Fri, Aug 24, 2012 at 3:03 AM, Lu, Lianhao lianhao...@intel.com wrote:
Hi gang,
I used the devstack to install a
What exactly happens when you try to start it directly?
cd /opt/stack/keystone /opt/stack/keystone/bin/keystone-all
--config-file /etc/keystone/keystone.conf --log-config
/etc/ke'stone/logging.conf -d --debug
What happens when you curl http://localhost:5000/v2.0/ on that machine? And
with
That potentially a different issue; likely a pypi mirror not responding?
You can download/install prettytable directly if you need to:
http://pypi.python.org/pypi/PrettyTable/
-Dolph
On Thu, Aug 23, 2012 at 3:39 AM, Trinath Somanchi
trinath.soman...@gmail.com wrote:
Hi-
Me too experiencing
I have the majority of the latest v3 draft implemented on both the client
and server, but it's neither complete nor polished... yet.
My goal is to have a solid implementation (perhaps in a branch?) for
everyone to poke at in plenty of time for the summit :)
-Dolph
On Mon, Aug 20, 2012 at 4:33
While there's no implementation of this in keystone today, I'm sure you
could write your own LDAP driver in keystone, heavily leveraging the
existing LDAP driver.
-Dolph
On Mon, Aug 20, 2012 at 4:19 PM, Ryan Lane rl...@wikimedia.org wrote:
On Mon, Aug 20, 2012 at 1:52 PM, pat p...@xvalheru.org
Replace AUTH_HOSTNAME with the IP/hostname port of your keystone
server (e.g. 127.0.0.1:35357).
-Dolph
On Mon, Aug 6, 2012 at 9:15 PM, 王鹏 breakwin...@gmail.com wrote:
Hi,every:
That is my first install swift,I according to
objectstorage-adminguide-essex.pdf from www.openstack.org.
when I
Try running the same command with the --debug option, and share the output
here.
Thanks,
-Dolph
On Sunday, July 22, 2012, MURAOKA Yusuke wrote:
Hi,
There is devstack all-in-one openstack builder. http://devstack.org/
Officially, its not supporting RHEL 6.1 on the site. But its only
1 - 100 of 194 matches
Mail list logo