Re: [Openstack] [Keystone]Question: Assignment of default role
Hi Adam Thanks a lot for your answer. It is my understanding follows. Would that be OK with you? Case1: Create a user *with* specifying the tenant. * Default role is assigned. * I need to assign the required roles in keystone user-role-add. * The user has two roles. Case2: Create a user *without* specifying the tenant. * I need to assign the required roles and the tenant in keystone user-role-add. * The user has one role. Thanks, Leo Toyoda -Original Message- From: openstack-bounces+toyoda-reo=cnt.mxw.nes.nec.co.jp@lists.launc hpad.net [mailto:openstack-bounces+toyoda-reo=cnt.mxw.nes.nec.co.jp@lis ts.launchpad.net] On Behalf Of Adam Young Sent: Saturday, February 23, 2013 5:31 AM To: openstack@lists.launchpad.net Subject: Re: [Openstack] [Keystone]Question: Assignment of default role Yes, this is new. We are removing the direct associtation between users and projects (Project members) and replacing it with a Role (_member_) The _ is there to ensure it does not conflict with existing roles. The two different ways of associating users to projects was causing problems. With RBAC, we can now enforce policy about project membership that we could not do before. On 02/21/2013 09:39 PM, Leo Toyoda wrote: Hi, everyone I'm using the master branch devstack. I hava a question about assignment of default role (Keystone). When I create a user to specify the tenant, '_member_' is assigned to the roles. $ keystone user-create --name test --tenant-id e61..7f6 --pass test --email t...@example.com +--+---+ | Property | Value| +--+---+ | email | te...@example.com | | enabled | True| |id| af1..8d2 | | name | test| | tenantId | e61..7f6 | +--+---+ $ keystone user-role-list --user test --tenant e61..7f6 +--+--+--+---+ |id| name | user_id | tenant_id | +--+--+--+---+ | 9fe..bab | _member_ | af1..8d2 | e61..7f6 | +--+--+--+---+ Then, assign the Member role to the user. Hitting assigned two roles of 'Member' and '_member_'. $ keystone user-role-add --user af1..8d2 --role 57d..d1f --tenant e61..7f6 $ keystone user-role-list --user af1..8d2 --tenant e61..7f6 +--+--+--+---+ |id| name | user_id | tenant_id | +--+--+--+---+ | 57d..d1f | Member | af1..8d2 | e61..7f6 | 9fe..bab | _member_ | | af1..8d2 | e61..7f6 | +--+--+--+---+ When I create a user without specifying a tenant, I assign 'Member' role. In this case, Only one role is assigned. $ keystone user-create --name test2 --pass test --email te...@example.com +--+---+ | Property | Value| +--+---+ | email | te...@example.com | | enabled | True | |id|c22..a6d | | name | test2| | tenantId | | +--+---+ $ keystone user-role-add --user c22..a6d --role 57d..d1f --tenant e61..7f6 $ keystone user-role-list --user c22..a6d --tenant e61..7f6 +--+--+--+---+ |id| name | user_id | tenant_id | +--+--+--+---+ | 57d..d1f | Member | c22..a6d | e61..7f6 | +--+--+--+---+ Is it expected behavior that two rolls are assigned? Thanks Leo Toyoda ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp
Re: [Openstack] [Keystone]Question: Assignment of default role
Hi Dolph Thanks a lot for the reply. I could understand very well. Regards, Leo Toyoda _ From: Dolph Mathews [mailto:dolph.math...@gmail.com] Sent: Tuesday, February 26, 2013 7:11 AM To: Leo Toyoda Cc: Adam Young; openstack Subject: Re: [Openstack] [Keystone]Question: Assignment of default role Yes, those are the two use cases we're supporting, although I'd encourage Case 2, as it's generally much more intuitive. -Dolph On Mon, Feb 25, 2013 at 1:54 AM, Leo Toyoda toyoda-...@cnt.mxw.nes.nec.co.jp wrote: Hi Adam Thanks a lot for your answer. It is my understanding follows. Would that be OK with you? Case1: Create a user *with* specifying the tenant. * Default role is assigned. * I need to assign the required roles in keystone user-role-add. * The user has two roles. Case2: Create a user *without* specifying the tenant. * I need to assign the required roles and the tenant in keystone user-role-add. * The user has one role. Thanks, Leo Toyoda -Original Message- From: openstack-bounces+toyoda-reo=cnt.mxw.nes.nec.co.jp@lists.launc hpad.net [mailto:openstack-bounces+toyoda-reo mailto:openstack-bounces%2Btoyoda-reo =cnt.mxw.nes.nec.co.jp@lis ts.launchpad.net] On Behalf Of Adam Young Sent: Saturday, February 23, 2013 5:31 AM To: openstack@lists.launchpad.net Subject: Re: [Openstack] [Keystone]Question: Assignment of default role Yes, this is new. We are removing the direct associtation between users and projects (Project members) and replacing it with a Role (_member_) The _ is there to ensure it does not conflict with existing roles. The two different ways of associating users to projects was causing problems. With RBAC, we can now enforce policy about project membership that we could not do before. On 02/21/2013 09:39 PM, Leo Toyoda wrote: Hi, everyone I'm using the master branch devstack. I hava a question about assignment of default role (Keystone). When I create a user to specify the tenant, '_member_' is assigned to the roles. $ keystone user-create --name test --tenant-id e61..7f6 --pass test --email t...@example.com +--+---+ | Property | Value| +--+---+ | email | te...@example.com | | enabled | True| |id| af1..8d2 | | name | test| | tenantId | e61..7f6 | +--+---+ $ keystone user-role-list --user test --tenant e61..7f6 +--+--+--+---+ |id| name | user_id | tenant_id | +--+--+--+---+ | 9fe..bab | _member_ | af1..8d2 | e61..7f6 | +--+--+--+---+ Then, assign the Member role to the user. Hitting assigned two roles of 'Member' and '_member_'. $ keystone user-role-add --user af1..8d2 --role 57d..d1f --tenant e61..7f6 $ keystone user-role-list --user af1..8d2 --tenant e61..7f6 +--+--+--+---+ |id| name | user_id | tenant_id | +--+--+--+---+ | 57d..d1f | Member | af1..8d2 | e61..7f6 | 9fe..bab | _member_ | | af1..8d2 | e61..7f6 | +--+--+--+---+ When I create a user without specifying a tenant, I assign 'Member' role. In this case, Only one role is assigned. $ keystone user-create --name test2 --pass test --email te...@example.com +--+---+ | Property | Value| +--+---+ | email | te...@example.com | | enabled | True | |id|c22..a6d | | name | test2| | tenantId | | +--+---+ $ keystone user-role-add --user c22..a6d --role 57d..d1f --tenant e61..7f6 $ keystone user-role-list --user c22..a6d --tenant e61..7f6 +--+--+--+---+ |id| name | user_id | tenant_id | +--+--+--+---+ | 57d..d1f | Member | c22..a6d | e61..7f6 | +--+--+--+---+ Is it expected behavior that two rolls are assigned? Thanks Leo Toyoda ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help
Re: [Openstack] [Keystone]Question: Assignment of default role
Yes, this is new. We are removing the direct associtation between users and projects (Project members) and replacing it with a Role (_member_) The _ is there to ensure it does not conflict with existing roles. The two different ways of associating users to projects was causing problems. With RBAC, we can now enforce policy about project membership that we could not do before. On 02/21/2013 09:39 PM, Leo Toyoda wrote: Hi, everyone I'm using the master branch devstack. I hava a question about assignment of default role (Keystone). When I create a user to specify the tenant, '_member_' is assigned to the roles. $ keystone user-create --name test --tenant-id e61..7f6 --pass test --email t...@example.com +--+---+ | Property | Value| +--+---+ | email | te...@example.com | | enabled | True| |id| af1..8d2 | | name | test| | tenantId | e61..7f6 | +--+---+ $ keystone user-role-list --user test --tenant e61..7f6 +--+--+--+---+ |id| name | user_id | tenant_id | +--+--+--+---+ | 9fe..bab | _member_ | af1..8d2 | e61..7f6 | +--+--+--+---+ Then, assign the Member role to the user. Hitting assigned two roles of 'Member' and '_member_'. $ keystone user-role-add --user af1..8d2 --role 57d..d1f --tenant e61..7f6 $ keystone user-role-list --user af1..8d2 --tenant e61..7f6 +--+--+--+---+ |id| name | user_id | tenant_id | +--+--+--+---+ | 57d..d1f | Member | af1..8d2 | e61..7f6 | | 9fe..bab | _member_ | af1..8d2 | e61..7f6 | +--+--+--+---+ When I create a user without specifying a tenant, I assign 'Member' role. In this case, Only one role is assigned. $ keystone user-create --name test2 --pass test --email te...@example.com +--+---+ | Property | Value| +--+---+ | email | te...@example.com | | enabled | True | |id|c22..a6d | | name | test2| | tenantId | | +--+---+ $ keystone user-role-add --user c22..a6d --role 57d..d1f --tenant e61..7f6 $ keystone user-role-list --user c22..a6d --tenant e61..7f6 +--+--+--+---+ |id| name | user_id | tenant_id | +--+--+--+---+ | 57d..d1f | Member | c22..a6d | e61..7f6 | +--+--+--+---+ Is it expected behavior that two rolls are assigned? Thanks Leo Toyoda ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp
[Openstack] [Keystone]Question: Assignment of default role
Hi, everyone I'm using the master branch devstack. I hava a question about assignment of default role (Keystone). When I create a user to specify the tenant, '_member_' is assigned to the roles. $ keystone user-create --name test --tenant-id e61..7f6 --pass test --email t...@example.com +--+---+ | Property | Value| +--+---+ | email | te...@example.com | | enabled | True| |id| af1..8d2 | | name | test| | tenantId | e61..7f6 | +--+---+ $ keystone user-role-list --user test --tenant e61..7f6 +--+--+--+---+ |id| name | user_id | tenant_id | +--+--+--+---+ | 9fe..bab | _member_ | af1..8d2 | e61..7f6 | +--+--+--+---+ Then, assign the Member role to the user. Hitting assigned two roles of 'Member' and '_member_'. $ keystone user-role-add --user af1..8d2 --role 57d..d1f --tenant e61..7f6 $ keystone user-role-list --user af1..8d2 --tenant e61..7f6 +--+--+--+---+ |id| name | user_id | tenant_id | +--+--+--+---+ | 57d..d1f | Member | af1..8d2 | e61..7f6 | | 9fe..bab | _member_ | af1..8d2 | e61..7f6 | +--+--+--+---+ When I create a user without specifying a tenant, I assign 'Member' role. In this case, Only one role is assigned. $ keystone user-create --name test2 --pass test --email te...@example.com +--+---+ | Property | Value| +--+---+ | email | te...@example.com | | enabled | True | |id|c22..a6d | | name | test2| | tenantId | | +--+---+ $ keystone user-role-add --user c22..a6d --role 57d..d1f --tenant e61..7f6 $ keystone user-role-list --user c22..a6d --tenant e61..7f6 +--+--+--+---+ |id| name | user_id | tenant_id | +--+--+--+---+ | 57d..d1f | Member | c22..a6d | e61..7f6 | +--+--+--+---+ Is it expected behavior that two rolls are assigned? Thanks Leo Toyoda ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp
Re: [Openstack] keystone question - Solved
Guang provided the answer for me with a sample JSON create domain request:
{ domain:{
name: myDomain
}
}
What through me off were the examples in the identity-api-v3 document. None of
the domain JSON examples include the highest level domain element. The same
is true for most of the other examples in the document.
Mark
-Original Message-
From: openstack-bounces+mark.m.miller=hp@lists.launchpad.net
[mailto:openstack-bounces+mark.m.miller=hp@lists.launchpad.net] On Behalf
Of Miller, Mark M (EB SW Cloud - RD - Corvallis)
Sent: Thursday, February 07, 2013 1:42 PM
To: Adam Young; openstack@lists.launchpad.net
Subject: Re: [Openstack] keystone question
Hi all,
I have spent several days installing Grizzly-2 Keystone with SSL and PKI and
think I have been successful. I can see some of the new API resources such as
v3/domains, v3/groups, and v3/services, but I don't see these listed as
commands in the keystoneclient. Are they simply not implemented yet or was I
unsuccessful when I installed Grizzly-2? I also want to know if the above
resource APIs are fully functional?
Regards,
Mark Miller
___
Mailing list: https://launchpad.net/~openstack
Post to : openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help : https://help.launchpad.net/ListHelp
___
Mailing list: https://launchpad.net/~openstack
Post to : openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help : https://help.launchpad.net/ListHelp
Re: [Openstack] keystone question - Solved
As for the client-side implementation, keystoneclient supports v3 as a
python library, whereas the CLI is being exposed in a different project (by
consuming keystoneclient):
https://github.com/openstack/python-openstackclient
-Dolph
On Mon, Feb 11, 2013 at 11:08 AM, Miller, Mark M (EB SW Cloud - RD -
Corvallis) mark.m.mil...@hp.com wrote:
Guang provided the answer for me with a sample JSON create domain
request:
{ domain:{
name: myDomain
}
}
What through me off were the examples in the identity-api-v3 document.
None of the domain JSON examples include the highest level domain
element. The same is true for most of the other examples in the document.
Mark
-Original Message-
From: openstack-bounces+mark.m.miller=hp@lists.launchpad.net [
mailto:openstack-bounces+mark.m.miller=hp@lists.launchpad.netopenstack-bounces+mark.m.miller=hp@lists.launchpad.net]
On Behalf Of Miller, Mark M (EB SW Cloud - RD - Corvallis)
Sent: Thursday, February 07, 2013 1:42 PM
To: Adam Young; openstack@lists.launchpad.net
Subject: Re: [Openstack] keystone question
Hi all,
I have spent several days installing Grizzly-2 Keystone with SSL and PKI
and think I have been successful. I can see some of the new API resources
such as v3/domains, v3/groups, and v3/services, but I don't see these
listed as commands in the keystoneclient. Are they simply not implemented
yet or was I unsuccessful when I installed Grizzly-2? I also want to know
if the above resource APIs are fully functional?
Regards,
Mark Miller
___
Mailing list: https://launchpad.net/~openstack
Post to : openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help : https://help.launchpad.net/ListHelp
___
Mailing list: https://launchpad.net/~openstack
Post to : openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help : https://help.launchpad.net/ListHelp
___
Mailing list: https://launchpad.net/~openstack
Post to : openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help : https://help.launchpad.net/ListHelp
Re: [Openstack] keystone question - Solved
Hello,
Thank you for the answer. So I tried to install openstackclient on an Ubuntu
box and am getting the following error. Does anyone have suggestions or know
what caused the exception?
Regards,
Mark
sudo python tools/install_venv.py
venv already exists...
Installing dependencies with pip (this can take a while)...
Traceback (most recent call last):
File tools/install_venv.py, line 67, in module
main(sys.argv)
File tools/install_venv.py, line 61, in main
install.install_dependencies()
File
/home/build/keystone-grizzly-2/python-openstackclient-master/tools/install_venv_common.py,
line 126, in install_dependencies
self.pip_install('pip==1.1')
File
/home/build/keystone-grizzly-2/python-openstackclient-master/tools/install_venv_common.py,
line 116, in pip_install
redirect_output=False)
File
/home/build/keystone-grizzly-2/python-openstackclient-master/tools/install_venv_common.py,
line 76, in run_command
check_exit_code)[0]
File
/home/build/keystone-grizzly-2/python-openstackclient-master/tools/install_venv_common.py,
line 68, in run_command_with_code
proc = subprocess.Popen(cmd, cwd=self.root, stdout=stdout)
File /usr/lib/python2.7/subprocess.py, line 679, in __init__
errread, errwrite)
File /usr/lib/python2.7/subprocess.py, line 1249, in _execute_child
raise child_exception
OSError: [Errno 13] Permission denied
From: Dolph Mathews [mailto:dolph.math...@gmail.com]
Sent: Monday, February 11, 2013 12:09 PM
To: Miller, Mark M (EB SW Cloud - RD - Corvallis)
Subject: Re: [Openstack] keystone question - Solved
- keystoneclient currently provides a python client library for both Identity
API v2 and v3
- keystoneclient currently provides a command line interface for Identity API
v2 -- but will not do so for Identity API v3
- openstackclient is working towards providing a unified CLI for all openstack
projects, by consuming their python client libraries
So, the answer depends on your use case. If you want to write python, consume
keystoneclient directly. If you want to use the CLI, use openstackclient, which
uses keystoneclient behind the scenes.
All that said, work on openstackclient only recently ramped up, and a lot of
major changes are still in review.
Hope this helps!
-Dolph
On Mon, Feb 11, 2013 at 1:55 PM, Miller, Mark M (EB SW Cloud - RD - Corvallis)
mark.m.mil...@hp.commailto:mark.m.mil...@hp.com wrote:
Hello Dolph,
I have read your email several times. Would you mind giving me a few more
detais? I noticed that the keystone CLI does not support the V3
commands/resources such as groups, domains, credentials, and policies. I think
you are alluding to this topic but Are you suggesting that I move away from the
keystoneclient and instead use the openstackclient?
Regards,
Mark
From: Dolph Mathews
[mailto:dolph.math...@gmail.commailto:dolph.math...@gmail.com]
Sent: Monday, February 11, 2013 10:28 AM
To: Miller, Mark M (EB SW Cloud - RD - Corvallis)
Cc: Adam Young;
openstack@lists.launchpad.netmailto:openstack@lists.launchpad.net
Subject: Re: [Openstack] keystone question - Solved
As for the client-side implementation, keystoneclient supports v3 as a python
library, whereas the CLI is being exposed in a different project (by consuming
keystoneclient): https://github.com/openstack/python-openstackclient
-Dolph
On Mon, Feb 11, 2013 at 11:08 AM, Miller, Mark M (EB SW Cloud - RD -
Corvallis) mark.m.mil...@hp.commailto:mark.m.mil...@hp.com wrote:
Guang provided the answer for me with a sample JSON create domain request:
{ domain:{
name: myDomain
}
}
What through me off were the examples in the identity-api-v3 document. None of
the domain JSON examples include the highest level domain element. The same
is true for most of the other examples in the document.
Mark
-Original Message-
From:
openstack-bounces+mark.m.miller=hp@lists.launchpad.netmailto:hp@lists.launchpad.net
[mailto:openstack-bounces+mark.m.miller=hp@lists.launchpad.net] On Behalf
Of Miller, Mark M (EB SW Cloud - RD - Corvallis)
Sent: Thursday, February 07, 2013 1:42 PM
To: Adam Young;
openstack@lists.launchpad.netmailto:openstack@lists.launchpad.net
Subject: Re: [Openstack] keystone question
Hi all,
I have spent several days installing Grizzly-2 Keystone with SSL and PKI and
think I have been successful. I can see some of the new API resources such as
v3/domains, v3/groups, and v3/services, but I don't see these listed as
commands in the keystoneclient. Are they simply not implemented yet or was I
unsuccessful when I installed Grizzly-2? I also want to know if the above
resource APIs are fully functional?
Regards,
Mark Miller
___
Mailing list: https://launchpad.net/~openstack
Post to :
openstack@lists.launchpad.netmailto:openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help : https://help.launchpad.net/ListHelp
Re: [Openstack] keystone question - Solved
On Mon, Feb 11, 2013 at 6:25 PM, Miller, Mark M (EB SW Cloud - RD -
Corvallis) mark.m.mil...@hp.com wrote:
Hello Dolph,
** **
I was able to get the openstackclient installed after combining
information from several wiki pages and modifying the install commands to
use the current paths. I have a few more clarification questions if you
don’t mind:
** **
- keystoneclient currently provides a python client library for both
Identity API v2 and v3
- keystoneclient currently provides a command line interface for Identity
API v2 -- but will not do so for Identity API v3
**· **So then I will not see the new v3 Keystone commands for
groups or domains in the keystoneclient CLI?
No, we don't have any plans to expose Identity API v3 features in
keystoneclient.
- openstackclient is working towards providing a unified CLI for all
openstack projects, by consuming their python client libraries
**· **So then I will see the new v3 Keystone commands for groups
and domains in the openstackclinet CLI? The reason I ask is because after
installing the openstackclient I still do not see the new commands. I can
get to them from curl or from a REST client, but not from the command line
interface.
Yes. There are still several major changes in review, and the effort is
still ramping up, relatively speaking. The clients do not follow the same
release cycle as the services, so we're lagging on client-side support.
So, the answer depends on your use case. If you want to write python,
consume keystoneclient directly. If you want to use the CLI, use
openstackclient, which uses keystoneclient behind the scenes.
**· **I think we want both. We use the CLI to setup a base
Keystone server environment and we use the client from Horizon.
** **
Regards,
** **
Mark Miller
** **
** **
*From:* Dolph Mathews [mailto:dolph.math...@gmail.com]
*Sent:* Monday, February 11, 2013 1:09 PM
*To:* Miller, Mark M (EB SW Cloud - RD - Corvallis)
*Subject:* Re: [Openstack] keystone question - Solved
** **
keystoneclient is not being deprecated. I'd also suggest raising your
question to the list.
** **
-Dolph
** **
On Mon, Feb 11, 2013 at 3:00 PM, Miller, Mark M (EB SW Cloud - RD -
Corvallis) mark.m.mil...@hp.com wrote:
Hello Dolph,
Thank you for the answer. So it looks like keystoneclient is getting
deprecated. So I tried to install openstackclient on an Ubuntu box and am
getting the following error. Do you have any suggestions?
Regards,
Mark
sudo python tools/install_venv.py
venv already exists...
Installing dependencies with pip (this can take a while)...
Traceback (most recent call last):
File tools/install_venv.py, line 67, in module
main(sys.argv)
File tools/install_venv.py, line 61, in main
install.install_dependencies()
File
/home/build/keystone-grizzly-2/python-openstackclient-master/tools/install_venv_common.py,
line 126, in install_dependencies
self.pip_install('pip==1.1')
File
/home/build/keystone-grizzly-2/python-openstackclient-master/tools/install_venv_common.py,
line 116, in pip_install
redirect_output=False)
File
/home/build/keystone-grizzly-2/python-openstackclient-master/tools/install_venv_common.py,
line 76, in run_command
check_exit_code)[0]
File
/home/build/keystone-grizzly-2/python-openstackclient-master/tools/install_venv_common.py,
line 68, in run_command_with_code
proc = subprocess.Popen(cmd, cwd=self.root, stdout=stdout)
File /usr/lib/python2.7/subprocess.py, line 679, in __init__
errread, errwrite)
File /usr/lib/python2.7/subprocess.py, line 1249, in _execute_child***
*
raise child_exception
OSError: [Errno 13] Permission denied
root@build-HP-Compaq-6005-Pro-SFF-PC
:~/keystone-grizzly-2/python-openstackclient-master#
*From:* Dolph Mathews [mailto:dolph.math...@gmail.com]
*Sent:* Monday, February 11, 2013 12:09 PM
*To:* Miller, Mark M (EB SW Cloud - RD - Corvallis)
*Subject:* Re: [Openstack] keystone question - Solved
- keystoneclient currently provides a python client library for both
Identity API v2 and v3
- keystoneclient currently provides a command line interface for Identity
API v2 -- but will not do so for Identity API v3
- openstackclient is working towards providing a unified CLI for all
openstack projects, by consuming their python client libraries
So, the answer depends on your use case. If you want to write python,
consume keystoneclient directly. If you want to use the CLI, use
openstackclient, which uses keystoneclient behind the scenes.
All that said, work on openstackclient only recently ramped up, and a lot
of major changes are still
Re: [Openstack] keystone question
Hi,
Thanks a lot.
Pat
On Fri, 8 Feb 2013 08:52:13 -0500, Tong Li wrote
The X-Auth-Token header in your request to validate the user token are not
the same thing. You have to login as admin to get a token and hold on to that
token, when a user request comes in with his token, you can hand it over to
keystone for validation. Here I think will be how the request look like.
request: curl -s -X GET http://localhost:35357/tokens/tokenToBeValidated -H
X-Auth-Token: adminAccessToken
adminAccessToken should be a token you (as admin) to get using the same API
and admin userid and password or other means (certificates possibly if that
is how it was designed) to get access token just like any other user against
keystone.
Hope that helps.
Tong Li
Emerging Technologies Standards
pat ---02/08/2013 07:31:25 AM---Hi, Thanks for the reply.
From: pat p...@xvalheru.org
To: Tong Li/Raleigh/IBM@IBMUS,
Cc: openstack@lists.launchpad.net,
openstack-bounces+litong01=us.ibm@lists.launchpad.net
Date: 02/08/2013 07:31 AM
Subject: Re: [Openstack] keystone question
---
Hi,
Thanks for the reply.
I#39;ve been digging and I#39;ve found way how to get token using API:
curl -s -X POST http://localhost:35357/tokens -d #39;{auth:
{passwordCredentials: {username:XXX, password:XXX},
tenantName:XXX}}#39; -H Content-type: application/json
This request returns JSON response, that#39;s fine for me.
But how to validate the token? I#39;m following the API:
http://docs.openstack.org/api/openstack-identity-service/2.0/content/GET_validateToken_v2.0_tokens__tokenId__Admin_API_Service_Developer_Operations-d1e1356.html
and request: curl -s -X GET http://localhost:35357/tokens/XXXYYYXXX -H
X-Auth-Token: XXXYYYXXX
return 401 (unauthorized).
What I#39;m doing wrong?
Thanks for help
On Wed, 6 Feb 2013 11:46:28 -0500, Tong Li wrote
keystone provides APIs for authentication, I would think you only need to
develop some code in your app to call the API and parse the response, then
following request will have to be verified using the token. If you app is
already wsgi app, you will just need to use the keystone middleware in your
pipeline. If it is other type of the application, you will just need to
develop some code which deal with keystone authentication http
request/response and figure out a way to verify the token.
Thanks.
Tong Li
Emerging Technologies Standards
pat ---02/06/2013 10:35:26 AM---Hi all, I have a question about keystone.
I have an application (Jee web one) which I
From: pat p...@xvalheru.org
To: openstack@lists.launchpad.net,
Date: 02/06/2013 10:35 AM
Subject: [Openstack] keystone question
Sent by: openstack-bounces+litong01=us.ibm@lists.launchpad.net
---
Hi all,
I have a question about keystone. I have an application (Jee web one) which
I
want to authenticate against keystone. What I have to do?
Thanks
Pat
Freehosting PIPNI - http://www.pipni.cz/
___
Mailing list: https://launchpad.net/~openstack
Post to : openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help : https://help.launchpad.net/ListHelp
---
Freehosting PIPNI - http://www.pipni.cz/
---
Freehosting PIPNI - http://www.pipni.cz/
---
Freehosting PIPNI - http://www.pipni.cz/
Freehosting PIPNI - http://www.pipni.cz/inline: graycol.gif___
Mailing list: https://launchpad.net/~openstack
Post to : openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help : https://help.launchpad.net/ListHelp
Re: [Openstack] keystone question
The X-Auth-Token header in your request to validate the user token are not
the same thing. You have to login as admin to get a token and hold on to
that token, when a user request comes in with his token, you can hand it
over to keystone for validation. Here I think will be how the request look
like.
request: curl -s -X GET http://localhost:35357/tokens/tokenToBeValidated
-H X-Auth-Token: adminAccessToken
adminAccessToken should be a token you (as admin) to get using the same API
and admin userid and password or other means (certificates possibly if that
is how it was designed) to get access token just like any other user
against keystone.
Hope that helps.
Tong Li
Emerging Technologies Standards
From: pat p...@xvalheru.org
To: Tong Li/Raleigh/IBM@IBMUS,
Cc: openstack@lists.launchpad.net, openstack-bounces
+litong01=us.ibm@lists.launchpad.net
Date: 02/08/2013 07:31 AM
Subject:Re: [Openstack] keystone question
Hi,
Thanks for the reply.
I've been digging and I've found way how to get token using API:
curl -s -X POST http://localhost:35357/tokens -d '{auth:
{passwordCredentials: {username:XXX, password:XXX},
tenantName:XXX}}' -H Content-type: application/json
This request returns JSON response, that's fine for me.
But how to validate the token? I'm following the API:
http://docs.openstack.org/api/openstack-identity-service/2.0/content/GET_validateToken_v2.0_tokens__tokenId__Admin_API_Service_Developer_Operations-d1e1356.html
and request: curl -s -X GET http://localhost:35357/tokens/XXXYYYXXX -H
X-Auth-Token: XXXYYYXXX
return 401 (unauthorized).
What I'm doing wrong?
Thanks for help
On Wed, 6 Feb 2013 11:46:28 -0500, Tong Li wrote
keystone provides APIs for authentication, I would think you only need to
develop some code in your app to call the API and parse the response, then
following request will have to be verified using the token. If you app is
already wsgi app, you will just need to use the keystone middleware in your
pipeline. If it is other type of the application, you will just need to
develop some code which deal with keystone authentication http
request/response and figure out a way to verify the token.
Thanks.
Tong Li
Emerging Technologies Standards
Inactive hide details for pat ---02/06/2013 10:35:26
AM---Hi all, I
have a question about keystone. I have an application (Jepat
---02/06/2013 10:35:26 AM---Hi all, I have a question about keystone. I
have an application (Jee web one) which I
From: pat p...@xvalheru.org
To: openstack@lists.launchpad.net,
Date: 02/06/2013 10:35 AM
Subject: [Openstack] keystone question
Sent by: openstack-bounces+litong01=us.ibm@lists.launchpad.net
Hi all,
I have a question about keystone. I have an application (Jee web one)
which I
want to authenticate against keystone. What I have to do?
Thanks
Pat
Freehosting PIPNI - http://www.pipni.cz/
___
Mailing list: https://launchpad.net/~openstack
Post to : openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help : https://help.launchpad.net/ListHelp
---
Freehosting PIPNI - http://www.pipni.cz/
---
Freehosting PIPNI - http://www.pipni.cz/
inline: graycol.gif___
Mailing list: https://launchpad.net/~openstack
Post to : openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help : https://help.launchpad.net/ListHelp
Re: [Openstack] keystone question
Hi all, I have spent several days installing Grizzly-2 Keystone with SSL and PKI and think I have been successful. I can see some of the new API resources such as v3/domains, v3/groups, and v3/services, but I don't see these listed as commands in the keystoneclient. Are they simply not implemented yet or was I unsuccessful when I installed Grizzly-2? I also want to know if the above resource APIs are fully functional? Regards, Mark Miller ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp
[Openstack] keystone question
Hi all, I have a question about keystone. I have an application (Jee web one) which I want to authenticate against keystone. What I have to do? Thanks Pat Freehosting PIPNI - http://www.pipni.cz/ ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp
Re: [Openstack] keystone question
keystone provides APIs for authentication, I would think you only need to develop some code in your app to call the API and parse the response, then following request will have to be verified using the token. If you app is already wsgi app, you will just need to use the keystone middleware in your pipeline. If it is other type of the application, you will just need to develop some code which deal with keystone authentication http request/response and figure out a way to verify the token. Thanks. Tong Li Emerging Technologies Standards From: pat p...@xvalheru.org To: openstack@lists.launchpad.net, Date: 02/06/2013 10:35 AM Subject:[Openstack] keystone question Sent by:openstack-bounces+litong01=us.ibm@lists.launchpad.net Hi all, I have a question about keystone. I have an application (Jee web one) which I want to authenticate against keystone. What I have to do? Thanks Pat Freehosting PIPNI - http://www.pipni.cz/ ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp inline: graycol.gif___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp
Re: [Openstack] [Keystone] Question from mgius on IRC about update_user API call
Right now the code to update doesn't allow the operation if the user is disabled as there is a separate call to enable/disable user ie /users/userId/enabled .That call should allow the enabling/disabling of user independent of his current status. Regards Yogeshwar Srikrishnan Rackspace From: openstack-bounces+yogesh.srikrishnan=rackspace@lists.launchpad.net [openstack-bounces+yogesh.srikrishnan=rackspace@lists.launchpad.net] on behalf of Jay Pipes [jaypi...@gmail.com] Sent: Wednesday, July 20, 2011 1:54 PM To: openstack@lists.launchpad.net Subject: [Openstack] [Keystone] Question from mgius on IRC about update_user API call Keystone devs, mgius had a question on IRC: mgius I have a question about Keystone mgius I'm looking to add support to the dashboard so that users can be enabled or disabled from the dashboard mgius but it looks like in update_user if the target user is disabled a 403 is always thrown mgius was that intentional? -jay ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp Confidentiality Notice: This e-mail message (including any attached or embedded documents) is intended for the exclusive and confidential use of the individual or entity to which this message is addressed, and unless otherwise expressly indicated, is confidential and privileged information of Rackspace. Any dissemination, distribution or copying of the enclosed material is prohibited. If you receive this transmission in error, please notify us immediately by e-mail at ab...@rackspace.com, and delete the original message. Your cooperation is appreciated. ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp
Re: [Openstack] [Keystone] Question from mgius on IRC about update_user API call
It looks like my previous email didn't go through because I hadn't registered this email address with launchpad. Sending again. Would you be opposed to removing the check for disabled in get_user, and possibly update_user as well? As it stands now, you can only fetch and examine disabled users by fetching every user with get_users. Is there some reason that a disabled user should not be fetched or updated? Mark On Wed, Jul 20, 2011 at 2:12 PM, Mark Gius m...@markgius.com wrote: Would you be opposed to removing the check for disabled in get_user, and possibly update_user as well? As it stands now, you can only fetch and examine disabled users by fetching every user with get_users. Is there some reason that a disabled user should not be fetched or updated? Mark On Wed, Jul 20, 2011 at 1:01 PM, Yogi Srikrishnan yogesh.srikrish...@rackspace.com wrote: Right now the code to update doesn't allow the operation if the user is disabled as there is a separate call to enable/disable user ie /users/userId/enabled .That call should allow the enabling/disabling of user independent of his current status. Regards Yogeshwar Srikrishnan Rackspace From: openstack-bounces+yogesh.srikrishnan=rackspace.com@ lists.launchpad.net [openstack-bounces+yogesh.srikrishnan=rackspace.com@ lists.launchpad.net] on behalf of Jay Pipes [jaypi...@gmail.com] Sent: Wednesday, July 20, 2011 1:54 PM To: openstack@lists.launchpad.net Subject: [Openstack] [Keystone] Question from mgius on IRC about update_userAPI call Keystone devs, mgius had a question on IRC: mgius I have a question about Keystone mgius I'm looking to add support to the dashboard so that users can be enabled or disabled from the dashboard mgius but it looks like in update_user if the target user is disabled a 403 is always thrown mgius was that intentional? -jay ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp Confidentiality Notice: This e-mail message (including any attached or embedded documents) is intended for the exclusive and confidential use of the individual or entity to which this message is addressed, and unless otherwise expressly indicated, is confidential and privileged information of Rackspace. Any dissemination, distribution or copying of the enclosed material is prohibited. If you receive this transmission in error, please notify us immediately by e-mail at ab...@rackspace.com, and delete the original message. Your cooperation is appreciated. ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp
