Adam, Thank you for the reply. The extension document is pretty good. The configuration instructions on the other hand need some help and I had to combine information from multiple sources to get OS-EP-FILTERing up and running. Following are the final steps that I used.
Mark --------------- To enable the endpoint filter extension: 1. Add the new filter driver to the catalog section to "keystone.conf". Example: [catalog] driver = keystone.contrib.endpoint_filter.backends.catalog_sql.EndpointFilterCatalog 2. Add the new [endpoint_filter] section to ``keystone.conf``. Example: [endpoint_filter] # extension for creating associations between project and endpoints in order to # provide a tailored catalog for project-scoped token requests. driver = keystone.contrib.endpoint_filter.backends.sql.EndpointFilter # return_all_endpoints_if_no_filter = True optional: uncomment and set ``return_all_endpoints_if_no_filter`` 3. Add the ``endpoint_filter_extension`` filter to the ``api_v3`` pipeline in ``keystone-paste.ini``. Example: [filter:endpoint_filter_extension] paste.filter_factory = keystone.contrib.endpoint_filter.routers:EndpointFilterExtension.factory [pipeline:api_v3] pipeline = access_log sizelimit url_normalize token_auth admin_token_auth xml_body json_body ec2_extension s3_extension endpoint_filter_extension service_v3 4. Create the endpoint filter extension tables if using the provided sql backend. Example:: ./bin/keystone-manage db_sync --extension endpoint_filter 5. Once you have done the changes restart the keystone-server to apply the changes. > -----Original Message----- > From: Adam Young [mailto:ayo...@redhat.com] > Sent: Wednesday, October 09, 2013 1:35 PM > To: openstack-dev@lists.openstack.org > Subject: Re: [openstack-dev] Keystone OS-EP-FILTER descrepancy > > We have imporved the extension enumeration in Keystone. If you got to > http://hostname:35357/v3 you should see a listing of the extensions that are > enabled for that Keystone server > > > On 10/08/2013 07:07 PM, Miller, Mark M (EB SW Cloud - R&D - Corvallis) > wrote: > > Sorry to send this out again, but I wrote too soon. I was missing one driver > entry in keystone.conf. Here are my working settings: > > > > File keystone.conf: > > > > [catalog] > > # dynamic, sql-based backend (supports API/CLI-based management > > commands) #driver = keystone.catalog.backends.sql.Catalog > > driver = > > keystone.contrib.endpoint_filter.backends.catalog_sql.EndpointFilterCa > > talog > > > > # static, file-based backend (does *NOT* support any management > > commands) # driver = > > keystone.catalog.backends.templated.TemplatedCatalog > > > > template_file = default_catalog.templates > > > > [endpoint_filter] > > # extension for creating associations between project and endpoints in > > order to # provide a tailored catalog for project-scoped token requests. > > driver = keystone.contrib.endpoint_filter.backends.sql.EndpointFilter > > return_all_endpoints_if_no_filter = False > > > > > > File keystone-paste.ini: > > > > [filter:endpoint_filter_extension] > > paste.filter_factory = > > keystone.contrib.endpoint_filter.routers:EndpointFilterExtension.facto > > ry > > > > and > > > > [pipeline:api_v3] > > pipeline = access_log sizelimit url_normalize token_auth > > admin_token_auth xml_body json_body ec2_extension s3_extension > > oauth1_extension endpoint_filter_extension service_v3 > > > > > > > > Updated Installation instructions: > > > > To enable the endpoint filter extension: > > > > 1. Add the new filter driver to the catalog section to "keystone.conf". > > > > Example: > > [catalog] > > driver = > > keystone.contrib.endpoint_filter.backends.catalog_sql.EndpointFilterCa > > talog > > > > 2. Add the new [endpoint_filter] section to ``keystone.conf``. > > > > Example: > > > > [endpoint_filter] > > # extension for creating associations between project and endpoints in > > order to # provide a tailored catalog for project-scoped token requests. > > driver = keystone.contrib.endpoint_filter.backends.sql.EndpointFilter > > # return_all_endpoints_if_no_filter = True > > > > optional: uncomment and set ``return_all_endpoints_if_no_filter`` > > > > 3. Add the ``endpoint_filter_extension`` filter to the ``api_v3`` pipeline > > in > ``keystone-paste.ini``. > > > > Example: > > > > [filter:endpoint_filter_extension] > > paste.filter_factory = > > keystone.contrib.endpoint_filter.routers:EndpointFilterExtension.facto > > ry > > > > [pipeline:api_v3] > > pipeline = access_log sizelimit url_normalize token_auth > > admin_token_auth xml_body json_body ec2_extension s3_extension > > endpoint_filter_extension service_v3 > > > > 4. Create the endpoint filter extension tables if using the provided > > sql backend. > > > > Example:: > > ./bin/keystone-manage db_sync --extension endpoint_filter > > > > 5. Once you have done the changes restart the keystone-server to > > apply the changes. > > > >> -----Original Message----- > >> From: Miller, Mark M (EB SW Cloud - R&D - Corvallis) > >> Sent: Tuesday, October 08, 2013 1:51 PM > >> To: OpenStack Development Mailing List > >> Subject: Re: [openstack-dev] Keystone OS-EP-FILTER descrepancy > >> > >> Slightly adjusted instructions after testing: > >> > >> To enable the endpoint filter extension: > >> > >> 1. Add the new [endpoin_ filter] section ton ``keystone.conf``. > >> example: > >> > >> [endpoint_filter] > >> # extension for creating associations between project and endpoints > >> in order to # provide a tailored catalog for project-scoped token requests. > >> driver = keystone.contrib.endpoint_filter.backends.sql.EndpointFilter > >> # return_all_endpoints_if_no_filter = True > >> > >> optional: change ``return_all_endpoints_if_no_filter`` the > >> ``[endpoint_filter]`` section > >> > >> 2. Add the ``endpoint_filter_extension`` filter to the ``api_v3`` > >> pipeline in ``keystone-paste.ini``. > >> example: > >> > >> [filter:endpoint_filter_extension] > >> paste.filter_factory = > >> keystone.contrib.endpoint_filter.routers:EndpointFilterExtension.fact > >> ory > >> > >> [pipeline:api_v3] > >> pipeline = access_log sizelimit url_normalize token_auth > >> admin_token_auth xml_body json_body ec2_extension s3_extension > >> endpoint_filter_extension service_v3 > >> > >> 3. Create the endpoint filter extension tables if using the provided > >> sql backend. example:: > >> ./bin/keystone-manage db_sync --extension endpoint_filter > >> > >> 4. Once you have done the changes restart the keystone-server to > >> apply the changes. > >> > >>> -----Original Message----- > >>> From: Miller, Mark M (EB SW Cloud - R&D - Corvallis) > >>> Sent: Tuesday, October 08, 2013 1:30 PM > >>> To: OpenStack Development Mailing List > >>> Subject: Re: [openstack-dev] Keystone OS-EP-FILTER descrepancy > >>> > >>> Here is the response from Fabio: > >>> > >>> Mark, > >>> Please have a look at the configuration.rst in the > >>> contrib/endpoint-filter folder. > >>> I pasted here for your convenience: > >>> > >>> ================================== > >>> Enabling Endpoint Filter Extension > >>> ==================================To enable the endpoint > filter > >>> extension: > >>> 1. add the endpoint filter extension catalog driver to the > >>> ``[catalog]`` > >> section > >>> in ``keystone.conf``. example:: > >>> > >>> [catalog] > >>> driver = > >>> keystone.contrib.endpoint_filter.backends.catalog_sql.EndpointFilter > >>> Ca talog 2. add the ``endpoint_filter_extension`` filter to the > >>> ``api_v3`` pipeline in > >>> ``keystone-paste.ini``. example:: > >>> > >>> [pipeline:api_v3] > >>> pipeline = access_log sizelimit url_normalize token_auth > >>> admin_token_auth xml_body json_body ec2_extension s3_extension > >>> endpoint_filter_extension service_v3 3. create the endpoint filter > >>> extension tables if using the provided sql backend. example:: > >>> ./bin/keystone-manage db_sync --extension endpoint_filter 4. > optional: > >>> change ``return_all_endpoints_if_no_filter`` the > >>> ``[endpoint_filter]`` > >> section > >>> in ``keystone.conf`` to return an empty catalog if no > >>> associations are > >> made. > >>> example:: > >>> [endpoint_filter] > >>> return_all_endpoints_if_no_filter = False > >>> > >>> > >>> Steps 1-3 are mandatory. Once you have done the changes restart the > >>> keystone-server to apply the changes. > >>> > >>> The /v3/auth/tokens?nocatalog is to remove the catalog from the > >>> token creation. > >>> It is different from the filtering because it won't return any > >>> endpoint in the service catalog. The endpoint filter will return > >>> only the ones that you have associated with a particular project. > >>> Please bear in mind that this works only with scoped token (meaning > >>> where you pass a project id). > >>> > >>> > >>> > >>> > >>> > >>> > >>>> -----Original Message----- > >>>> From: Miller, Mark M (EB SW Cloud - R&D - Corvallis) > >>>> Sent: Tuesday, October 08, 2013 1:21 PM > >>>> To: OpenStack Development Mailing List > >>>> Subject: [openstack-dev] Keystone OS-EP-FILTER descrepancy > >>>> > >>>> Hello, > >>>> > >>>> I am attempting to test the Havana v3 OS-EP-FILTER extension with > >>>> the latest RC1 bits and I get a 404 error response. > >>>> > >>>> The documentation actually shows 2 different URIs for this API: > >>>> > >>>> - GET /OS-EP-FILTER/projects/{project_id}/endpoints and > >>>> http://identity:35357/v3/OS-FILTER/projects/{project_id}/endpoints > >>>> > >>>> I have tried both "OS-EP-FILTER" and "OS-FILTER" with the same result. > >>>> Does anyone have information as to what I am missing? > >>>> > >>>> Regards, > >>>> > >>>> Mark Miller > >>>> > >>>> ------------- > >>>> > >>>> From the online documentation: > >>>> > >>>> List Associations for Project: GET /OS-EP- > >>>> FILTER/projects/{project_id}/endpoints > >>>> > >>>> Returns all the endpoints that are currently associated with a > >>>> specific > >>> project. > >>>> Response: > >>>> Status: 200 OK > >>>> { > >>>> "endpoints": > >>>> [ > >>>> { > >>>> "id": "--endpoint-id--", > >>>> "interface": "public", > >>>> "url": "http://identity:35357/", > >>>> "region": "north", > >>>> "links": { > >>>> "self": > >>>> "http://identity:35357/v3/endpoints/--endpoint-id--" > >>>> }, > >>>> "service_id": "--service-id--" > >>>> }, > >>>> { > >>>> "id": "--endpoint-id--", > >>>> "interface": "internal", > >>>> "region": "south", > >>>> "url": "http://identity:35357/", > >>>> "links": { > >>>> "self": > >>>> "http://identity:35357/v3/endpoints/--endpoint-id--" > >>>> }, > >>>> "service_id": "--service-id--" > >>>> } > >>>> ], > >>>> "links": { > >>>> "self": "http://identity:35357/v3/OS- > >>>> FILTER/projects/{project_id}/endpoints", > >>>> "previous": null, > >>>> "next": null > >>>> } > >>>> } > >>>> > >>>> > >>>> _______________________________________________ > >>>> OpenStack-dev mailing list > >>>> OpenStack-dev@lists.openstack.org > >>>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev > >>> _______________________________________________ > >>> OpenStack-dev mailing list > >>> OpenStack-dev@lists.openstack.org > >>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev > >> _______________________________________________ > >> OpenStack-dev mailing list > >> OpenStack-dev@lists.openstack.org > >> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev > > _______________________________________________ > > OpenStack-dev mailing list > > OpenStack-dev@lists.openstack.org > > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev > > > _______________________________________________ > OpenStack-dev mailing list > OpenStack-dev@lists.openstack.org > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev _______________________________________________ OpenStack-dev mailing list OpenStack-dev@lists.openstack.org http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev