[Openstack] Jenkins Job Configuration
Would it be possible to see the individual configuration files for the jobs running on http://jenkins.openstack.org? ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp
Re: [Openstack] Jenkins Job Configuration
That something will likely be a drop of a bunch of xml files That would be perfect. Thanks Monty. Adrian -Original Message- From: openstack-bounces+adrian_f_smith=dell@lists.launchpad.net [mailto:openstack-bounces+adrian_f_smith=dell@lists.launchpad.net] On Behalf Of Monty Taylor Sent: Thursday, July 14, 2011 4:01 PM To: openstack@lists.launchpad.net Subject: Re: [Openstack] Jenkins Job Configuration Hi! We're working on a decent solution for this. Jenkins itself does not have a setting which allows you to see the job config without also giving you access to edit it. (fail) However, it's been on my todo list to a) just publish these somewhere or b) even better, an easy way for you to spin up an identical jenkins (albeit one which does not publish tarballs) I'm going to move a) up on my list and see if I can't get you something today. That something will likely be a drop of a bunch of xml files ... but it's at least something. :) Monty On 07/14/2011 09:30 AM, adrian_f_sm...@dell.com wrote: Would it be possible to see the individual configuration files for the jobs running on http://jenkins.openstack.org? ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp
Re: [Openstack] Jenkins Job Configuration
Hi! We're working on a decent solution for this. Jenkins itself does not have a setting which allows you to see the job config without also giving you access to edit it. (fail) However, it's been on my todo list to a) just publish these somewhere or b) even better, an easy way for you to spin up an identical jenkins (albeit one which does not publish tarballs) I'm going to move a) up on my list and see if I can't get you something today. That something will likely be a drop of a bunch of xml files ... but it's at least something. :) Monty On 07/14/2011 09:30 AM, adrian_f_sm...@dell.com wrote: Would it be possible to see the individual configuration files for the jobs running on http://jenkins.openstack.org? ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp
Re: [Openstack] Jenkins Job Configuration
That being said - I'm also more than happy to: a) have people help admin the jenkins and/or b) work with people to get jobs they want added to the jenkins so that replicating it elsewhere isn't needed. Of course, getting the config published is still important... but we can also work on getting you access if that makes sense. Monty On 07/14/2011 09:30 AM, adrian_f_sm...@dell.com wrote: Would it be possible to see the individual configuration files for the jobs running on http://jenkins.openstack.org? ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp
Re: [Openstack] Jenkins Job Configuration
Hi, there is a plugin for Jenkins that extends standart permission matrix. http://wiki.hudson-ci.org/display/HUDSON/Extended+Read+Permission+Plugin Maybe this would help. On Thu, Jul 14, 2011 at 7:27 PM, adrian_f_sm...@dell.com wrote: That something will likely be a drop of a bunch of xml files That would be perfect. Thanks Monty. Adrian -Original Message- From: openstack-bounces+adrian_f_smith=dell@lists.launchpad.net[mailto: openstack-bounces+adrian_f_smith=dell@lists.launchpad.net] On Behalf Of Monty Taylor Sent: Thursday, July 14, 2011 4:01 PM To: openstack@lists.launchpad.net Subject: Re: [Openstack] Jenkins Job Configuration Hi! We're working on a decent solution for this. Jenkins itself does not have a setting which allows you to see the job config without also giving you access to edit it. (fail) However, it's been on my todo list to a) just publish these somewhere or b) even better, an easy way for you to spin up an identical jenkins (albeit one which does not publish tarballs) I'm going to move a) up on my list and see if I can't get you something today. That something will likely be a drop of a bunch of xml files ... but it's at least something. :) Monty On 07/14/2011 09:30 AM, adrian_f_sm...@dell.com wrote: Would it be possible to see the individual configuration files for the jobs running on http://jenkins.openstack.org? ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp -- Best regards, Alexander Sakhnov ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp
[Openstack] VNC consoles for all
The way the code stands right now is that only the cloudadmin user can view VNC consoles from the Dashboard ( http://nova.openstack.org/runnova/vncconsole.html) Is that the intention? Do we want to allow non-cloudadmin users to be able to view VNC consoles from the Dashboard? If so we need to add one line to https://github.com/openstack/nova/blob/master/nova/api/ec2/__init__.py in Authorizer.__init__. Add to self.action_roles 'GetVncConsole': ['projectmanager', 'sysadmin'], under CloudController. Otherwise regular users immediately get a 401 when trying to use VNC. Everett ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp
Re: [Openstack] Keystone tenants vs. Nova projects
A user can specify a tenantID at the time of authentication. If no tenantID is specified during authentication, then I would expect the 'default' tenant for the user would apply. The capabilities of User1 on TenantA (in this case the default tenant for the user) would be determined by their role and group assignments within the context of TenantA. Jason From: Ziad Sawalha [mailto:ziad.sawa...@rackspace.com] Sent: Wednesday, July 13, 2011 10:35 PM To: Rouault, Jason (Cloud Services); Yuriy Taraday; openstack@lists.launchpad.net Subject: Re: [Openstack] Keystone tenants vs. Nova projects What if: - User1 has TenantA as her default tenant Should the service authenticate the user against TenantA? And if so, why? What does the 'default tenant' grant User1 on TenantA? It's some nebulous, implied role. From: Rouault, Jason (Cloud Services) jason.roua...@hp.com Date: Wed, 13 Jul 2011 13:18:44 + To: Ziad Sawalha ziad.sawa...@rackspace.com, Yuriy Taraday yorik@gmail.com, openstack@lists.launchpad.net openstack@lists.launchpad.net Subject: RE: [Openstack] Keystone tenants vs. Nova projects If a user is bound to their default tenant, why wouldn't any role assignments for that user in their default tenant apply? User1 authenticates specifying TenantB, this binds User1 into the context of TenantB. In subsequent web service requests using the token received after authentication, the Auth component filter would decorate the headers with RoleY. If User1 authenticates specifying TenantA, or specifying no Tenant, this binds User1 into the context of TenantA. The headers would then be decorated with RoleX. Jason From: openstack-bounces+jason.rouault=hp@lists.launchpad.net [mailto:openstack-bounces+jason.rouault=hp@lists.launchpad.net] On Behalf Of Ziad Sawalha Sent: Tuesday, July 12, 2011 10:09 PM To: Yuriy Taraday; openstack@lists.launchpad.net Subject: Re: [Openstack] Keystone tenants vs. Nova projects Our goal is to support Nova use cases right now. You can provide access to multiple tenants using a role assignment (assigning a user a role on a specific tenant effectively binds them to that tenant). However, this raises the issue of what the 'implied' role of a user is when they are bound to their default tenant. So we're considering how to alter the model to clean that up. No great solution yet. Any suggestions are welcome.. Ziad From: Yuriy Taraday yorik@gmail.com Date: Tue, 28 Jun 2011 16:59:08 +0400 To: openstack@lists.launchpad.net Subject: [Openstack] Keystone tenants vs. Nova projects Currently Keystone model assumes that user is bound to exactly one tenant. It conflicts with the fact that in Nova user can have access to several projects. Which way will it be? Kind regards, Yuriy. ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp This email may include confidential information. If you received it in error, please delete it. This email may include confidential information. If you received it in error, please delete it. smime.p7s Description: S/MIME cryptographic signature ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp
Re: [Openstack] Jenkins Job Configuration
YOU ARE MY PERSONAL HERO! On 07/14/2011 11:50 AM, Alexander Sakhnov wrote: Hi, there is a plugin for Jenkins that extends standart permission matrix. http://wiki.hudson-ci.org/display/HUDSON/Extended+Read+Permission+Plugin Maybe this would help. On Thu, Jul 14, 2011 at 7:27 PM, adrian_f_sm...@dell.com mailto:adrian_f_sm...@dell.com wrote: That something will likely be a drop of a bunch of xml files That would be perfect. Thanks Monty. Adrian -Original Message- From: openstack-bounces+adrian_f_smith=dell.com http://dell.com@lists.launchpad.net http://lists.launchpad.net [mailto:openstack-bounces+adrian_f_smith mailto:openstack-bounces%2Badrian_f_smith=dell.com http://dell.com@lists.launchpad.net http://lists.launchpad.net] On Behalf Of Monty Taylor Sent: Thursday, July 14, 2011 4:01 PM To: openstack@lists.launchpad.net mailto:openstack@lists.launchpad.net Subject: Re: [Openstack] Jenkins Job Configuration Hi! We're working on a decent solution for this. Jenkins itself does not have a setting which allows you to see the job config without also giving you access to edit it. (fail) However, it's been on my todo list to a) just publish these somewhere or b) even better, an easy way for you to spin up an identical jenkins (albeit one which does not publish tarballs) I'm going to move a) up on my list and see if I can't get you something today. That something will likely be a drop of a bunch of xml files but it's at least something. :) Monty On 07/14/2011 09:30 AM, adrian_f_sm...@dell.com wrote: Would it be possible to see the individual configuration files for the jobs running on http://jenkins.openstack.org? ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net mailto:openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net mailto:openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net mailto:openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp -- Best regards, Alexander Sakhnov ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp
Re: [Openstack] Jenkins Job Configuration
This has now been installed and activated. Anonymous users should be able to read the config of any job now. I've got admin access, so it's kinda of hard to test - would someone mind verifying that they can, in fact, see the job configs? Thanks! Monty On 07/14/2011 11:50 AM, Alexander Sakhnov wrote: Hi, there is a plugin for Jenkins that extends standart permission matrix. http://wiki.hudson-ci.org/display/HUDSON/Extended+Read+Permission+Plugin Maybe this would help. On Thu, Jul 14, 2011 at 7:27 PM, adrian_f_sm...@dell.com mailto:adrian_f_sm...@dell.com wrote: That something will likely be a drop of a bunch of xml files That would be perfect. Thanks Monty. Adrian -Original Message- From: openstack-bounces+adrian_f_smith=dell.com http://dell.com@lists.launchpad.net http://lists.launchpad.net [mailto:openstack-bounces+adrian_f_smith mailto:openstack-bounces%2Badrian_f_smith=dell.com http://dell.com@lists.launchpad.net http://lists.launchpad.net] On Behalf Of Monty Taylor Sent: Thursday, July 14, 2011 4:01 PM To: openstack@lists.launchpad.net mailto:openstack@lists.launchpad.net Subject: Re: [Openstack] Jenkins Job Configuration Hi! We're working on a decent solution for this. Jenkins itself does not have a setting which allows you to see the job config without also giving you access to edit it. (fail) However, it's been on my todo list to a) just publish these somewhere or b) even better, an easy way for you to spin up an identical jenkins (albeit one which does not publish tarballs) I'm going to move a) up on my list and see if I can't get you something today. That something will likely be a drop of a bunch of xml files but it's at least something. :) Monty On 07/14/2011 09:30 AM, adrian_f_sm...@dell.com wrote: Would it be possible to see the individual configuration files for the jobs running on http://jenkins.openstack.org? ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net mailto:openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net mailto:openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net mailto:openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp -- Best regards, Alexander Sakhnov ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp
Re: [Openstack] VNC consoles for all
The main issue was that maintaining ec2 extensions was becoming too hairy, which is why the original doc talks about using the direct api client to get a console url. Dashboard support for vnc was subsequently added through the community using dashboard's ec2 extensions. Proper support for vnc consoles and other features that diverge from the ec2 is coming as we transition away from ec2 to the openstack api and extensions. The very latest trunk version of dashboard supports vnc consoles for all users through os extensions, and actually doesn't use ec2 at all. That said, UX-wise, I'd expect that any user should be able to access the console of an instance that was launched by their tenant. So it probably still makes sense to make the change you suggest to support older ec2-based dashboards. Anthony On Thu, Jul 14, 2011 at 8:51 AM, Everett Toews everett.to...@cybera.cawrote: The way the code stands right now is that only the cloudadmin user can view VNC consoles from the Dashboard ( http://nova.openstack.org/runnova/vncconsole.html) Is that the intention? Do we want to allow non-cloudadmin users to be able to view VNC consoles from the Dashboard? If so we need to add one line to https://github.com/openstack/nova/blob/master/nova/api/ec2/__init__.py in Authorizer.__init__. Add to self.action_roles 'GetVncConsole': ['projectmanager', 'sysadmin'], under CloudController. Otherwise regular users immediately get a 401 when trying to use VNC. Everett ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp
Re: [Openstack] Jenkins Job Configuration
Works great! On Thu, Jul 14, 2011 at 12:35 PM, Monty Taylor mord...@inaugust.com wrote: This has now been installed and activated. Anonymous users should be able to read the config of any job now. I've got admin access, so it's kinda of hard to test - would someone mind verifying that they can, in fact, see the job configs? Thanks! Monty On 07/14/2011 11:50 AM, Alexander Sakhnov wrote: Hi, there is a plugin for Jenkins that extends standart permission matrix. http://wiki.hudson-ci.org/**display/HUDSON/Extended+Read+** Permission+Pluginhttp://wiki.hudson-ci.org/display/HUDSON/Extended+Read+Permission+Plugin Maybe this would help. On Thu, Jul 14, 2011 at 7:27 PM, adrian_f_sm...@dell.com mailto:Adrian_F_Smith@dell.**com adrian_f_sm...@dell.com wrote: That something will likely be a drop of a bunch of xml files That would be perfect. Thanks Monty. Adrian -Original Message- From: openstack-bounces+adrian_f_**smith=dell.com http://dell.com@lists.**launchpad.net http://lists.launchpad.net http://lists.launchpad.net [mailto:openstack-bounces+**adrian_f_smithopenstack-bounces%2Badrian_f_smith mailto:openstack-bounces%**2Badrian_f_smithopenstack-bounces%252Badrian_f_smith =dell.com http://dell.com@lists.**launchpad.net http://lists.launchpad.net http://lists.launchpad.net] On Behalf Of Monty Taylor Sent: Thursday, July 14, 2011 4:01 PM To: openstack@lists.launchpad.net mailto:openstack@lists.** launchpad.net openstack@lists.launchpad.net Subject: Re: [Openstack] Jenkins Job Configuration Hi! We're working on a decent solution for this. Jenkins itself does not have a setting which allows you to see the job config without also giving you access to edit it. (fail) However, it's been on my todo list to a) just publish these somewhere or b) even better, an easy way for you to spin up an identical jenkins (albeit one which does not publish tarballs) I'm going to move a) up on my list and see if I can't get you something today. That something will likely be a drop of a bunch of xml files but it's at least something. :) Monty On 07/14/2011 09:30 AM, adrian_f_sm...@dell.com wrote: Would it be possible to see the individual configuration files for the jobs running on http://jenkins.openstack.org? __**_ Mailing list: https://launchpad.net/~**openstackhttps://launchpad.net/%7Eopenstack Post to : openstack@lists.launchpad.net mailto:openstack@lists.**launchpad.netopenstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~**openstackhttps://launchpad.net/%7Eopenstack More help : https://help.launchpad.net/**ListHelphttps://help.launchpad.net/ListHelp __**_ Mailing list: https://launchpad.net/~**openstackhttps://launchpad.net/%7Eopenstack Post to : openstack@lists.launchpad.net mailto:openstack@lists.**launchpad.netopenstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~**openstackhttps://launchpad.net/%7Eopenstack More help : https://help.launchpad.net/**ListHelphttps://help.launchpad.net/ListHelp __**_ Mailing list: https://launchpad.net/~**openstackhttps://launchpad.net/%7Eopenstack Post to : openstack@lists.launchpad.net mailto:openstack@lists.**launchpad.netopenstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~**openstackhttps://launchpad.net/%7Eopenstack More help : https://help.launchpad.net/**ListHelphttps://help.launchpad.net/ListHelp -- Best regards, Alexander Sakhnov __**_ Mailing list: https://launchpad.net/~**openstackhttps://launchpad.net/%7Eopenstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~**openstackhttps://launchpad.net/%7Eopenstack More help : https://help.launchpad.net/**ListHelphttps://help.launchpad.net/ListHelp __**_ Mailing list: https://launchpad.net/~**openstackhttps://launchpad.net/%7Eopenstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~**openstackhttps://launchpad.net/%7Eopenstack More help : https://help.launchpad.net/**ListHelphttps://help.launchpad.net/ListHelp ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp
Re: [Openstack] Keystone tenants vs. Nova projects
In the example I gave below they are not members of any group and have no roles assigned to them. Should they still be authenticated? From: Rouault, Jason (Cloud Services) jason.roua...@hp.commailto:jason.roua...@hp.com Date: Thu, 14 Jul 2011 16:25:22 + To: Ziad Sawalha ziad.sawa...@rackspace.commailto:ziad.sawa...@rackspace.com, Yuriy Taraday yorik@gmail.commailto:yorik@gmail.com, openstack@lists.launchpad.netmailto:openstack@lists.launchpad.net openstack@lists.launchpad.netmailto:openstack@lists.launchpad.net Subject: RE: [Openstack] Keystone tenants vs. Nova projects A user can specify a tenantID at the time of authentication. If no tenantID is specified during authentication, then I would expect the ‘default’ tenant for the user would apply. The capabilities of User1 on TenantA (in this case the default tenant for the user) would be determined by their role and group assignments within the context of TenantA. Jason From: Ziad Sawalha [mailto:ziad.sawa...@rackspace.com] Sent: Wednesday, July 13, 2011 10:35 PM To: Rouault, Jason (Cloud Services); Yuriy Taraday; openstack@lists.launchpad.netmailto:openstack@lists.launchpad.net Subject: Re: [Openstack] Keystone tenants vs. Nova projects What if: - User1 has TenantA as her default tenant Should the service authenticate the user against TenantA? And if so, why? What does the 'default tenant' grant User1 on TenantA? It's some nebulous, implied role… From: Rouault, Jason (Cloud Services) jason.roua...@hp.commailto:jason.roua...@hp.com Date: Wed, 13 Jul 2011 13:18:44 + To: Ziad Sawalha ziad.sawa...@rackspace.commailto:ziad.sawa...@rackspace.com, Yuriy Taraday yorik@gmail.commailto:yorik@gmail.com, openstack@lists.launchpad.netmailto:openstack@lists.launchpad.net openstack@lists.launchpad.netmailto:openstack@lists.launchpad.net Subject: RE: [Openstack] Keystone tenants vs. Nova projects If a user is bound to their default tenant, why wouldn’t any role assignments for that user in their default tenant apply? User1 authenticates specifying TenantB, this binds User1 into the context of TenantB. In subsequent web service requests using the token received after authentication, the Auth component filter would decorate the headers with RoleY. If User1 authenticates specifying TenantA, or specifying no Tenant, this binds User1 into the context of TenantA. The headers would then be decorated with RoleX. Jason From: openstack-bounces+jason.rouault=hp@lists.launchpad.netmailto:openstack-bounces+jason.rouault=hp@lists.launchpad.net [mailto:openstack-bounces+jason.rouault=hp@lists.launchpad.net] On Behalf Of Ziad Sawalha Sent: Tuesday, July 12, 2011 10:09 PM To: Yuriy Taraday; openstack@lists.launchpad.netmailto:openstack@lists.launchpad.net Subject: Re: [Openstack] Keystone tenants vs. Nova projects Our goal is to support Nova use cases right now. You can provide access to multiple tenants using a role assignment (assigning a user a role on a specific tenant effectively binds them to that tenant). However, this raises the issue of what the 'implied' role of a user is when they are bound to their default tenant. So we're considering how to alter the model to clean that up. No great solution yet. Any suggestions are welcome…. Ziad From: Yuriy Taraday yorik@gmail.commailto:yorik@gmail.com Date: Tue, 28 Jun 2011 16:59:08 +0400 To: openstack@lists.launchpad.netmailto:openstack@lists.launchpad.net Subject: [Openstack] Keystone tenants vs. Nova projects Currently Keystone model assumes that user is bound to exactly one tenant. It conflicts with the fact that in Nova user can have access to several projects. Which way will it be? Kind regards, Yuriy. ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.netmailto:openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp This email may include confidential information. If you received it in error, please delete it. This email may include confidential information. If you received it in error, please delete it. This email may include confidential information. If you received it in error, please delete it. ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp
Re: [Openstack] Keystone tenants vs. Nova projects
Yes, you always authenticate. If the user has no roles or group then would have no access rights to do anything. However, this would be an unusual case, as I would expect users to be automatically added a user group or developer role when their account was created. Jason From: Ziad Sawalha [mailto:ziad.sawa...@rackspace.com] Sent: Thursday, July 14, 2011 1:22 PM To: Rouault, Jason (Cloud Services); Yuriy Taraday; openstack@lists.launchpad.net Subject: Re: [Openstack] Keystone tenants vs. Nova projects In the example I gave below they are not members of any group and have no roles assigned to them. Should they still be authenticated? From: Rouault, Jason (Cloud Services) jason.roua...@hp.com Date: Thu, 14 Jul 2011 16:25:22 + To: Ziad Sawalha ziad.sawa...@rackspace.com, Yuriy Taraday yorik@gmail.com, openstack@lists.launchpad.net openstack@lists.launchpad.net Subject: RE: [Openstack] Keystone tenants vs. Nova projects A user can specify a tenantID at the time of authentication. If no tenantID is specified during authentication, then I would expect the 'default' tenant for the user would apply. The capabilities of User1 on TenantA (in this case the default tenant for the user) would be determined by their role and group assignments within the context of TenantA. Jason From: Ziad Sawalha [mailto:ziad.sawa...@rackspace.com] Sent: Wednesday, July 13, 2011 10:35 PM To: Rouault, Jason (Cloud Services); Yuriy Taraday; openstack@lists.launchpad.net Subject: Re: [Openstack] Keystone tenants vs. Nova projects What if: - User1 has TenantA as her default tenant Should the service authenticate the user against TenantA? And if so, why? What does the 'default tenant' grant User1 on TenantA? It's some nebulous, implied role. From: Rouault, Jason (Cloud Services) jason.roua...@hp.com Date: Wed, 13 Jul 2011 13:18:44 + To: Ziad Sawalha ziad.sawa...@rackspace.com, Yuriy Taraday yorik@gmail.com, openstack@lists.launchpad.net openstack@lists.launchpad.net Subject: RE: [Openstack] Keystone tenants vs. Nova projects If a user is bound to their default tenant, why wouldn't any role assignments for that user in their default tenant apply? User1 authenticates specifying TenantB, this binds User1 into the context of TenantB. In subsequent web service requests using the token received after authentication, the Auth component filter would decorate the headers with RoleY. If User1 authenticates specifying TenantA, or specifying no Tenant, this binds User1 into the context of TenantA. The headers would then be decorated with RoleX. Jason From: openstack-bounces+jason.rouault=hp@lists.launchpad.net [mailto:openstack-bounces+jason.rouault=hp@lists.launchpad.net] On Behalf Of Ziad Sawalha Sent: Tuesday, July 12, 2011 10:09 PM To: Yuriy Taraday; openstack@lists.launchpad.net Subject: Re: [Openstack] Keystone tenants vs. Nova projects Our goal is to support Nova use cases right now. You can provide access to multiple tenants using a role assignment (assigning a user a role on a specific tenant effectively binds them to that tenant). However, this raises the issue of what the 'implied' role of a user is when they are bound to their default tenant. So we're considering how to alter the model to clean that up. No great solution yet. Any suggestions are welcome.. Ziad From: Yuriy Taraday yorik@gmail.com Date: Tue, 28 Jun 2011 16:59:08 +0400 To: openstack@lists.launchpad.net Subject: [Openstack] Keystone tenants vs. Nova projects Currently Keystone model assumes that user is bound to exactly one tenant. It conflicts with the fact that in Nova user can have access to several projects. Which way will it be? Kind regards, Yuriy. ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp This email may include confidential information. If you received it in error, please delete it. This email may include confidential information. If you received it in error, please delete it. This email may include confidential information. If you received it in error, please delete it. smime.p7s Description: S/MIME cryptographic signature ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp
Re: [Openstack] Keystone tenants vs. Nova projects
When one creates a user, should a user always have a tenant associated with her? If that's the case, then the default tenant is the tenant that the user is associated with at creation time? Sorry for responding to the question with another question, but it is unclear for me from looking at the model (there is no non-null constraint on the tenant_id fk on the user table). Thanks, Liem From: openstack-bounces+liem_m_nguyen=hp@lists.launchpad.net [mailto:openstack-bounces+liem_m_nguyen=hp@lists.launchpad.net] On Behalf Of Ziad Sawalha Sent: Thursday, July 14, 2011 12:22 PM To: Rouault, Jason (Cloud Services); Yuriy Taraday; openstack@lists.launchpad.net Subject: Re: [Openstack] Keystone tenants vs. Nova projects In the example I gave below they are not members of any group and have no roles assigned to them. Should they still be authenticated? From: Rouault, Jason (Cloud Services) jason.roua...@hp.commailto:jason.roua...@hp.com Date: Thu, 14 Jul 2011 16:25:22 + To: Ziad Sawalha ziad.sawa...@rackspace.commailto:ziad.sawa...@rackspace.com, Yuriy Taraday yorik@gmail.commailto:yorik@gmail.com, openstack@lists.launchpad.netmailto:openstack@lists.launchpad.net openstack@lists.launchpad.netmailto:openstack@lists.launchpad.net Subject: RE: [Openstack] Keystone tenants vs. Nova projects A user can specify a tenantID at the time of authentication. If no tenantID is specified during authentication, then I would expect the 'default' tenant for the user would apply. The capabilities of User1 on TenantA (in this case the default tenant for the user) would be determined by their role and group assignments within the context of TenantA. Jason From: Ziad Sawalha [mailto:ziad.sawa...@rackspace.com] Sent: Wednesday, July 13, 2011 10:35 PM To: Rouault, Jason (Cloud Services); Yuriy Taraday; openstack@lists.launchpad.netmailto:openstack@lists.launchpad.net Subject: Re: [Openstack] Keystone tenants vs. Nova projects What if: - User1 has TenantA as her default tenant Should the service authenticate the user against TenantA? And if so, why? What does the 'default tenant' grant User1 on TenantA? It's some nebulous, implied role... From: Rouault, Jason (Cloud Services) jason.roua...@hp.commailto:jason.roua...@hp.com Date: Wed, 13 Jul 2011 13:18:44 + To: Ziad Sawalha ziad.sawa...@rackspace.commailto:ziad.sawa...@rackspace.com, Yuriy Taraday yorik@gmail.commailto:yorik@gmail.com, openstack@lists.launchpad.netmailto:openstack@lists.launchpad.net openstack@lists.launchpad.netmailto:openstack@lists.launchpad.net Subject: RE: [Openstack] Keystone tenants vs. Nova projects If a user is bound to their default tenant, why wouldn't any role assignments for that user in their default tenant apply? User1 authenticates specifying TenantB, this binds User1 into the context of TenantB. In subsequent web service requests using the token received after authentication, the Auth component filter would decorate the headers with RoleY. If User1 authenticates specifying TenantA, or specifying no Tenant, this binds User1 into the context of TenantA. The headers would then be decorated with RoleX. Jason From: openstack-bounces+jason.rouault=hp@lists.launchpad.netmailto:openstack-bounces+jason.rouault=hp@lists.launchpad.net [mailto:openstack-bounces+jason.rouault=hp@lists.launchpad.net] On Behalf Of Ziad Sawalha Sent: Tuesday, July 12, 2011 10:09 PM To: Yuriy Taraday; openstack@lists.launchpad.netmailto:openstack@lists.launchpad.net Subject: Re: [Openstack] Keystone tenants vs. Nova projects Our goal is to support Nova use cases right now. You can provide access to multiple tenants using a role assignment (assigning a user a role on a specific tenant effectively binds them to that tenant). However, this raises the issue of what the 'implied' role of a user is when they are bound to their default tenant. So we're considering how to alter the model to clean that up. No great solution yet. Any suggestions are welcome Ziad From: Yuriy Taraday yorik@gmail.commailto:yorik@gmail.com Date: Tue, 28 Jun 2011 16:59:08 +0400 To: openstack@lists.launchpad.netmailto:openstack@lists.launchpad.net Subject: [Openstack] Keystone tenants vs. Nova projects Currently Keystone model assumes that user is bound to exactly one tenant. It conflicts with the fact that in Nova user can have access to several projects. Which way will it be? Kind regards, Yuriy. ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.netmailto:openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp This email may include confidential information. If you received it in error, please delete it. This email may include confidential information. If you received it in error, please delete it. This email may include confidential
Re: [Openstack] Jenkins Job Configuration
Configs are visible to me too. Regards, Rohit From: openstack-bounces+rohit.karajgi=vertex.co...@lists.launchpad.net [mailto:openstack-bounces+rohit.karajgi=vertex.co...@lists.launchpad.net] On Behalf Of Josh Kearney Sent: Thursday, July 14, 2011 11:40 PM To: Monty Taylor Cc: openstack@lists.launchpad.net Subject: Re: [Openstack] Jenkins Job Configuration Works great! On Thu, Jul 14, 2011 at 12:35 PM, Monty Taylor mord...@inaugust.commailto:mord...@inaugust.com wrote: This has now been installed and activated. Anonymous users should be able to read the config of any job now. I've got admin access, so it's kinda of hard to test - would someone mind verifying that they can, in fact, see the job configs? Thanks! Monty On 07/14/2011 11:50 AM, Alexander Sakhnov wrote: Hi, there is a plugin for Jenkins that extends standart permission matrix. http://wiki.hudson-ci.org/display/HUDSON/Extended+Read+Permission+Plugin Maybe this would help. On Thu, Jul 14, 2011 at 7:27 PM, adrian_f_sm...@dell.commailto:adrian_f_sm...@dell.com mailto:adrian_f_sm...@dell.commailto:adrian_f_sm...@dell.com wrote: That something will likely be a drop of a bunch of xml files That would be perfect. Thanks Monty. Adrian -Original Message- From: openstack-bounces+adrian_f_smith=dell.comhttp://dell.com http://dell.com@lists.launchpad.nethttp://lists.launchpad.net http://lists.launchpad.net [mailto:openstack-bounces+adrian_f_smithmailto:openstack-bounces%2Badrian_f_smith mailto:openstack-bounces%2Badrian_f_smithmailto:openstack-bounces%252Badrian_f_smith=dell.comhttp://dell.com http://dell.com@lists.launchpad.nethttp://lists.launchpad.net http://lists.launchpad.net] On Behalf Of Monty Taylor Sent: Thursday, July 14, 2011 4:01 PM To: openstack@lists.launchpad.netmailto:openstack@lists.launchpad.net mailto:openstack@lists.launchpad.netmailto:openstack@lists.launchpad.net Subject: Re: [Openstack] Jenkins Job Configuration Hi! We're working on a decent solution for this. Jenkins itself does not have a setting which allows you to see the job config without also giving you access to edit it. (fail) However, it's been on my todo list to a) just publish these somewhere or b) even better, an easy way for you to spin up an identical jenkins (albeit one which does not publish tarballs) I'm going to move a) up on my list and see if I can't get you something today. That something will likely be a drop of a bunch of xml files but it's at least something. :) Monty On 07/14/2011 09:30 AM, adrian_f_sm...@dell.commailto:adrian_f_sm...@dell.com wrote: Would it be possible to see the individual configuration files for the jobs running on http://jenkins.openstack.org? ___ Mailing list: https://launchpad.net/~openstackhttps://launchpad.net/%7Eopenstack Post to : openstack@lists.launchpad.netmailto:openstack@lists.launchpad.net mailto:openstack@lists.launchpad.netmailto:openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstackhttps://launchpad.net/%7Eopenstack More help : https://help.launchpad.net/ListHelp ___ Mailing list: https://launchpad.net/~openstackhttps://launchpad.net/%7Eopenstack Post to : openstack@lists.launchpad.netmailto:openstack@lists.launchpad.net mailto:openstack@lists.launchpad.netmailto:openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstackhttps://launchpad.net/%7Eopenstack More help : https://help.launchpad.net/ListHelp ___ Mailing list: https://launchpad.net/~openstackhttps://launchpad.net/%7Eopenstack Post to : openstack@lists.launchpad.netmailto:openstack@lists.launchpad.net mailto:openstack@lists.launchpad.netmailto:openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstackhttps://launchpad.net/%7Eopenstack More help : https://help.launchpad.net/ListHelp -- Best regards, Alexander Sakhnov ___ Mailing list: https://launchpad.net/~openstackhttps://launchpad.net/%7Eopenstack Post to : openstack@lists.launchpad.netmailto:openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstackhttps://launchpad.net/%7Eopenstack More help : https://help.launchpad.net/ListHelp ___ Mailing list: https://launchpad.net/~openstackhttps://launchpad.net/%7Eopenstack Post to : openstack@lists.launchpad.netmailto:openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstackhttps://launchpad.net/%7Eopenstack More help : https://help.launchpad.net/ListHelp ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net