Re: [Openstack] [Keystone]Question: Assignment of default role
Hi Adam

Thanks a lot for your answer.
My understanding is as follows. Would that be OK with you?

Case1: Create a user *with* specifying the tenant.
* Default role is assigned.
* I need to assign the required roles in keystone user-role-add.
* The user has two roles.

Case2: Create a user *without* specifying the tenant.
* I need to assign the required roles and the tenant in keystone user-role-add.
* The user has one role.

Thanks,
Leo Toyoda

-----Original Message-----
From: openstack-bounces+toyoda-reo=cnt.mxw.nes.nec.co.jp@lists.launchpad.net [mailto:openstack-bounces+toyoda-reo=cnt.mxw.nes.nec.co.jp@lists.launchpad.net] On Behalf Of Adam Young
Sent: Saturday, February 23, 2013 5:31 AM
To: openstack@lists.launchpad.net
Subject: Re: [Openstack] [Keystone]Question: Assignment of default role

Yes, this is new. We are removing the direct association between users and projects (Project members) and replacing it with a Role (_member_).

The _ is there to ensure it does not conflict with existing roles.

The two different ways of associating users to projects was causing problems. With RBAC, we can now enforce policy about project membership that we could not do before.

On 02/21/2013 09:39 PM, Leo Toyoda wrote:

Hi, everyone

I'm using the master branch devstack.
I have a question about assignment of default role (Keystone).

When I create a user to specify the tenant, '_member_' is assigned to the roles.

$ keystone user-create --name test --tenant-id e61..7f6 --pass test --email t...@example.com
+----------+-------------------+
| Property | Value             |
+----------+-------------------+
| email    | te...@example.com |
| enabled  | True              |
| id       | af1..8d2          |
| name     | test              |
| tenantId | e61..7f6          |
+----------+-------------------+
$ keystone user-role-list --user test --tenant e61..7f6
+----------+----------+----------+-----------+
| id       | name     | user_id  | tenant_id |
+----------+----------+----------+-----------+
| 9fe..bab | _member_ | af1..8d2 | e61..7f6  |
+----------+----------+----------+-----------+

Then, assign the Member role to the user.
Hitting assigned two roles of 'Member' and '_member_'.

$ keystone user-role-add --user af1..8d2 --role 57d..d1f --tenant e61..7f6
$ keystone user-role-list --user af1..8d2 --tenant e61..7f6
+----------+----------+----------+-----------+
| id       | name     | user_id  | tenant_id |
+----------+----------+----------+-----------+
| 57d..d1f | Member   | af1..8d2 | e61..7f6  |
| 9fe..bab | _member_ | af1..8d2 | e61..7f6  |
+----------+----------+----------+-----------+

When I create a user without specifying a tenant, I assign 'Member' role.
In this case, Only one role is assigned.

$ keystone user-create --name test2 --pass test --email te...@example.com
+----------+-------------------+
| Property | Value             |
+----------+-------------------+
| email    | te...@example.com |
| enabled  | True              |
| id       | c22..a6d          |
| name     | test2             |
| tenantId |                   |
+----------+-------------------+
$ keystone user-role-add --user c22..a6d --role 57d..d1f --tenant e61..7f6
$ keystone user-role-list --user c22..a6d --tenant e61..7f6
+----------+----------+----------+-----------+
| id       | name     | user_id  | tenant_id |
+----------+----------+----------+-----------+
| 57d..d1f | Member   | c22..a6d | e61..7f6  |
+----------+----------+----------+-----------+

Is it expected behavior that two roles are assigned?

Thanks
Leo Toyoda

_______________________________________________
Mailing list: https://launchpad.net/~openstack
Post to     : openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help   : https://help.launchpad.net/ListHelp
Re: [Openstack] [Keystone]Question: Assignment of default role
Hi Dolph

Thanks a lot for the reply.
I could understand very well.

Regards,
Leo Toyoda

________________________________
From: Dolph Mathews [mailto:dolph.math...@gmail.com]
Sent: Tuesday, February 26, 2013 7:11 AM
To: Leo Toyoda
Cc: Adam Young; openstack
Subject: Re: [Openstack] [Keystone]Question: Assignment of default role

Yes, those are the two use cases we're supporting, although I'd encourage Case 2, as it's generally much more intuitive.

-Dolph

On Mon, Feb 25, 2013 at 1:54 AM, Leo Toyoda <toyoda-...@cnt.mxw.nes.nec.co.jp> wrote:

Hi Adam

Thanks a lot for your answer.
My understanding is as follows. Would that be OK with you?

Case1: Create a user *with* specifying the tenant.
* Default role is assigned.
* I need to assign the required roles in keystone user-role-add.
* The user has two roles.

Case2: Create a user *without* specifying the tenant.
* I need to assign the required roles and the tenant in keystone user-role-add.
* The user has one role.

Thanks,
Leo Toyoda

-----Original Message-----
From: openstack-bounces+toyoda-reo=cnt.mxw.nes.nec.co.jp@lists.launchpad.net [mailto:openstack-bounces+toyoda-reo=cnt.mxw.nes.nec.co.jp@lists.launchpad.net] On Behalf Of Adam Young
Sent: Saturday, February 23, 2013 5:31 AM
To: openstack@lists.launchpad.net
Subject: Re: [Openstack] [Keystone]Question: Assignment of default role

Yes, this is new. We are removing the direct association between users and projects (Project members) and replacing it with a Role (_member_).

The _ is there to ensure it does not conflict with existing roles.

The two different ways of associating users to projects was causing problems. With RBAC, we can now enforce policy about project membership that we could not do before.

On 02/21/2013 09:39 PM, Leo Toyoda wrote:

Hi, everyone

I'm using the master branch devstack.
I have a question about assignment of default role (Keystone).

When I create a user to specify the tenant, '_member_' is assigned to the roles.

$ keystone user-create --name test --tenant-id e61..7f6 --pass test --email t...@example.com
+----------+-------------------+
| Property | Value             |
+----------+-------------------+
| email    | te...@example.com |
| enabled  | True              |
| id       | af1..8d2          |
| name     | test              |
| tenantId | e61..7f6          |
+----------+-------------------+
$ keystone user-role-list --user test --tenant e61..7f6
+----------+----------+----------+-----------+
| id       | name     | user_id  | tenant_id |
+----------+----------+----------+-----------+
| 9fe..bab | _member_ | af1..8d2 | e61..7f6  |
+----------+----------+----------+-----------+

Then, assign the Member role to the user.
Hitting assigned two roles of 'Member' and '_member_'.

$ keystone user-role-add --user af1..8d2 --role 57d..d1f --tenant e61..7f6
$ keystone user-role-list --user af1..8d2 --tenant e61..7f6
+----------+----------+----------+-----------+
| id       | name     | user_id  | tenant_id |
+----------+----------+----------+-----------+
| 57d..d1f | Member   | af1..8d2 | e61..7f6  |
| 9fe..bab | _member_ | af1..8d2 | e61..7f6  |
+----------+----------+----------+-----------+

When I create a user without specifying a tenant, I assign 'Member' role.
In this case, Only one role is assigned.

$ keystone user-create --name test2 --pass test --email te...@example.com
+----------+-------------------+
| Property | Value             |
+----------+-------------------+
| email    | te...@example.com |
| enabled  | True              |
| id       | c22..a6d          |
| name     | test2             |
| tenantId |                   |
+----------+-------------------+
$ keystone user-role-add --user c22..a6d --role 57d..d1f --tenant e61..7f6
$ keystone user-role-list --user c22..a6d --tenant e61..7f6
+----------+----------+----------+-----------+
| id       | name     | user_id  | tenant_id |
+----------+----------+----------+-----------+
| 57d..d1f | Member   | c22..a6d | e61..7f6  |
+----------+----------+----------+-----------+

Is it expected behavior that two roles are assigned?

Thanks
Leo Toyoda
Re: [Openstack] [Keystone]Question: Assignment of default role
Yes, this is new. We are removing the direct association between users and projects (Project members) and replacing it with a Role (_member_).

The _ is there to ensure it does not conflict with existing roles.

The two different ways of associating users to projects was causing problems. With RBAC, we can now enforce policy about project membership that we could not do before.

On 02/21/2013 09:39 PM, Leo Toyoda wrote:

Hi, everyone

I'm using the master branch devstack.
I have a question about assignment of default role (Keystone).

When I create a user to specify the tenant, '_member_' is assigned to the roles.

$ keystone user-create --name test --tenant-id e61..7f6 --pass test --email t...@example.com
+----------+-------------------+
| Property | Value             |
+----------+-------------------+
| email    | te...@example.com |
| enabled  | True              |
| id       | af1..8d2          |
| name     | test              |
| tenantId | e61..7f6          |
+----------+-------------------+
$ keystone user-role-list --user test --tenant e61..7f6
+----------+----------+----------+-----------+
| id       | name     | user_id  | tenant_id |
+----------+----------+----------+-----------+
| 9fe..bab | _member_ | af1..8d2 | e61..7f6  |
+----------+----------+----------+-----------+

Then, assign the Member role to the user.
Hitting assigned two roles of 'Member' and '_member_'.

$ keystone user-role-add --user af1..8d2 --role 57d..d1f --tenant e61..7f6
$ keystone user-role-list --user af1..8d2 --tenant e61..7f6
+----------+----------+----------+-----------+
| id       | name     | user_id  | tenant_id |
+----------+----------+----------+-----------+
| 57d..d1f | Member   | af1..8d2 | e61..7f6  |
| 9fe..bab | _member_ | af1..8d2 | e61..7f6  |
+----------+----------+----------+-----------+

When I create a user without specifying a tenant, I assign 'Member' role.
In this case, Only one role is assigned.

$ keystone user-create --name test2 --pass test --email te...@example.com
+----------+-------------------+
| Property | Value             |
+----------+-------------------+
| email    | te...@example.com |
| enabled  | True              |
| id       | c22..a6d          |
| name     | test2             |
| tenantId |                   |
+----------+-------------------+
$ keystone user-role-add --user c22..a6d --role 57d..d1f --tenant e61..7f6
$ keystone user-role-list --user c22..a6d --tenant e61..7f6
+----------+----------+----------+-----------+
| id       | name     | user_id  | tenant_id |
+----------+----------+----------+-----------+
| 57d..d1f | Member   | c22..a6d | e61..7f6  |
+----------+----------+----------+-----------+

Is it expected behavior that two roles are assigned?

Thanks
Leo Toyoda
[Openstack] [Keystone]Question: Assignment of default role
Hi, everyone

I'm using the master branch devstack.
I have a question about assignment of default role (Keystone).

When I create a user to specify the tenant, '_member_' is assigned to the roles.

$ keystone user-create --name test --tenant-id e61..7f6 --pass test --email t...@example.com
+----------+-------------------+
| Property | Value             |
+----------+-------------------+
| email    | te...@example.com |
| enabled  | True              |
| id       | af1..8d2          |
| name     | test              |
| tenantId | e61..7f6          |
+----------+-------------------+
$ keystone user-role-list --user test --tenant e61..7f6
+----------+----------+----------+-----------+
| id       | name     | user_id  | tenant_id |
+----------+----------+----------+-----------+
| 9fe..bab | _member_ | af1..8d2 | e61..7f6  |
+----------+----------+----------+-----------+

Then, assign the Member role to the user.
Hitting assigned two roles of 'Member' and '_member_'.

$ keystone user-role-add --user af1..8d2 --role 57d..d1f --tenant e61..7f6
$ keystone user-role-list --user af1..8d2 --tenant e61..7f6
+----------+----------+----------+-----------+
| id       | name     | user_id  | tenant_id |
+----------+----------+----------+-----------+
| 57d..d1f | Member   | af1..8d2 | e61..7f6  |
| 9fe..bab | _member_ | af1..8d2 | e61..7f6  |
+----------+----------+----------+-----------+

When I create a user without specifying a tenant, I assign 'Member' role.
In this case, Only one role is assigned.

$ keystone user-create --name test2 --pass test --email te...@example.com
+----------+-------------------+
| Property | Value             |
+----------+-------------------+
| email    | te...@example.com |
| enabled  | True              |
| id       | c22..a6d          |
| name     | test2             |
| tenantId |                   |
+----------+-------------------+
$ keystone user-role-add --user c22..a6d --role 57d..d1f --tenant e61..7f6
$ keystone user-role-list --user c22..a6d --tenant e61..7f6
+----------+----------+----------+-----------+
| id       | name     | user_id  | tenant_id |
+----------+----------+----------+-----------+
| 57d..d1f | Member   | c22..a6d | e61..7f6  |
+----------+----------+----------+-----------+

Is it expected behavior that two roles are assigned?

Thanks
Leo Toyoda
Re: [Openstack] keystone question - Solved
Guang provided the answer for me with a sample JSON create domain request:

{ "domain": { "name": "myDomain" } }

What threw me off were the examples in the identity-api-v3 document. None of the domain JSON examples include the highest level domain element. The same is true for most of the other examples in the document.

Mark

-----Original Message-----
From: openstack-bounces+mark.m.miller=hp@lists.launchpad.net [mailto:openstack-bounces+mark.m.miller=hp@lists.launchpad.net] On Behalf Of Miller, Mark M (EB SW Cloud - RD - Corvallis)
Sent: Thursday, February 07, 2013 1:42 PM
To: Adam Young; openstack@lists.launchpad.net
Subject: Re: [Openstack] keystone question

Hi all,

I have spent several days installing Grizzly-2 Keystone with SSL and PKI and think I have been successful. I can see some of the new API resources such as v3/domains, v3/groups, and v3/services, but I don't see these listed as commands in the keystoneclient. Are they simply not implemented yet or was I unsuccessful when I installed Grizzly-2? I also want to know if the above resource APIs are fully functional?

Regards,

Mark Miller
Re: [Openstack] keystone question - Solved
As for the client-side implementation, keystoneclient supports v3 as a python library, whereas the CLI is being exposed in a different project (by consuming keystoneclient): https://github.com/openstack/python-openstackclient

-Dolph

On Mon, Feb 11, 2013 at 11:08 AM, Miller, Mark M (EB SW Cloud - RD - Corvallis) <mark.m.mil...@hp.com> wrote:

Guang provided the answer for me with a sample JSON create domain request:

{ "domain": { "name": "myDomain" } }

What threw me off were the examples in the identity-api-v3 document. None of the domain JSON examples include the highest level domain element. The same is true for most of the other examples in the document.

Mark

-----Original Message-----
From: openstack-bounces+mark.m.miller=hp@lists.launchpad.net [mailto:openstack-bounces+mark.m.miller=hp@lists.launchpad.net] On Behalf Of Miller, Mark M (EB SW Cloud - RD - Corvallis)
Sent: Thursday, February 07, 2013 1:42 PM
To: Adam Young; openstack@lists.launchpad.net
Subject: Re: [Openstack] keystone question

Hi all,

I have spent several days installing Grizzly-2 Keystone with SSL and PKI and think I have been successful. I can see some of the new API resources such as v3/domains, v3/groups, and v3/services, but I don't see these listed as commands in the keystoneclient. Are they simply not implemented yet or was I unsuccessful when I installed Grizzly-2? I also want to know if the above resource APIs are fully functional?

Regards,

Mark Miller
Re: [Openstack] keystone question - Solved
Hello,

Thank you for the answer. So I tried to install openstackclient on an Ubuntu box and am getting the following error. Does anyone have suggestions or know what caused the exception?

Regards,

Mark

sudo python tools/install_venv.py
venv already exists...
Installing dependencies with pip (this can take a while)...
Traceback (most recent call last):
  File "tools/install_venv.py", line 67, in <module>
    main(sys.argv)
  File "tools/install_venv.py", line 61, in main
    install.install_dependencies()
  File "/home/build/keystone-grizzly-2/python-openstackclient-master/tools/install_venv_common.py", line 126, in install_dependencies
    self.pip_install('pip==1.1')
  File "/home/build/keystone-grizzly-2/python-openstackclient-master/tools/install_venv_common.py", line 116, in pip_install
    redirect_output=False)
  File "/home/build/keystone-grizzly-2/python-openstackclient-master/tools/install_venv_common.py", line 76, in run_command
    check_exit_code)[0]
  File "/home/build/keystone-grizzly-2/python-openstackclient-master/tools/install_venv_common.py", line 68, in run_command_with_code
    proc = subprocess.Popen(cmd, cwd=self.root, stdout=stdout)
  File "/usr/lib/python2.7/subprocess.py", line 679, in __init__
    errread, errwrite)
  File "/usr/lib/python2.7/subprocess.py", line 1249, in _execute_child
    raise child_exception
OSError: [Errno 13] Permission denied

From: Dolph Mathews [mailto:dolph.math...@gmail.com]
Sent: Monday, February 11, 2013 12:09 PM
To: Miller, Mark M (EB SW Cloud - RD - Corvallis)
Subject: Re: [Openstack] keystone question - Solved

- keystoneclient currently provides a python client library for both Identity API v2 and v3
- keystoneclient currently provides a command line interface for Identity API v2 -- but will not do so for Identity API v3
- openstackclient is working towards providing a unified CLI for all openstack projects, by consuming their python client libraries

So, the answer depends on your use case. If you want to write python, consume keystoneclient directly. If you want to use the CLI, use openstackclient, which uses keystoneclient behind the scenes.

All that said, work on openstackclient only recently ramped up, and a lot of major changes are still in review.

Hope this helps!

-Dolph

On Mon, Feb 11, 2013 at 1:55 PM, Miller, Mark M (EB SW Cloud - RD - Corvallis) <mark.m.mil...@hp.com> wrote:

Hello Dolph,

I have read your email several times. Would you mind giving me a few more details? I noticed that the keystone CLI does not support the V3 commands/resources such as groups, domains, credentials, and policies. I think you are alluding to this topic but Are you suggesting that I move away from the keystoneclient and instead use the openstackclient?

Regards,

Mark

From: Dolph Mathews [mailto:dolph.math...@gmail.com]
Sent: Monday, February 11, 2013 10:28 AM
To: Miller, Mark M (EB SW Cloud - RD - Corvallis)
Cc: Adam Young; openstack@lists.launchpad.net
Subject: Re: [Openstack] keystone question - Solved

As for the client-side implementation, keystoneclient supports v3 as a python library, whereas the CLI is being exposed in a different project (by consuming keystoneclient): https://github.com/openstack/python-openstackclient

-Dolph

On Mon, Feb 11, 2013 at 11:08 AM, Miller, Mark M (EB SW Cloud - RD - Corvallis) <mark.m.mil...@hp.com> wrote:

Guang provided the answer for me with a sample JSON create domain request:

{ "domain": { "name": "myDomain" } }

What threw me off were the examples in the identity-api-v3 document. None of the domain JSON examples include the highest level domain element. The same is true for most of the other examples in the document.

Mark

-----Original Message-----
From: openstack-bounces+mark.m.miller=hp@lists.launchpad.net [mailto:openstack-bounces+mark.m.miller=hp@lists.launchpad.net] On Behalf Of Miller, Mark M (EB SW Cloud - RD - Corvallis)
Sent: Thursday, February 07, 2013 1:42 PM
To: Adam Young; openstack@lists.launchpad.net
Subject: Re: [Openstack] keystone question

Hi all,

I have spent several days installing Grizzly-2 Keystone with SSL and PKI and think I have been successful. I can see some of the new API resources such as v3/domains, v3/groups, and v3/services, but I don't see these listed as commands in the keystoneclient. Are they simply not implemented yet or was I unsuccessful when I installed Grizzly-2? I also want to know if the above resource APIs are fully functional?

Regards,

Mark Miller
Re: [Openstack] keystone question - Solved
On Mon, Feb 11, 2013 at 6:25 PM, Miller, Mark M (EB SW Cloud - RD - Corvallis) <mark.m.mil...@hp.com> wrote:

> Hello Dolph,
>
> I was able to get the openstackclient installed after combining information from several wiki pages and modifying the install commands to use the current paths. I have a few more clarification questions if you don’t mind:
>
> - keystoneclient currently provides a python client library for both Identity API v2 and v3
> - keystoneclient currently provides a command line interface for Identity API v2 -- but will not do so for Identity API v3
>
> · So then I will not see the new v3 Keystone commands for groups or domains in the keystoneclient CLI?

No, we don't have any plans to expose Identity API v3 features in keystoneclient.

> - openstackclient is working towards providing a unified CLI for all openstack projects, by consuming their python client libraries
>
> · So then I will see the new v3 Keystone commands for groups and domains in the openstackclient CLI? The reason I ask is because after installing the openstackclient I still do not see the new commands. I can get to them from curl or from a REST client, but not from the command line interface.

Yes. There are still several major changes in review, and the effort is still ramping up, relatively speaking. The clients do not follow the same release cycle as the services, so we're lagging on client-side support.

> So, the answer depends on your use case. If you want to write python, consume keystoneclient directly. If you want to use the CLI, use openstackclient, which uses keystoneclient behind the scenes.
>
> · I think we want both. We use the CLI to setup a base Keystone server environment and we use the client from Horizon.
>
> Regards,
>
> Mark Miller
>
> From: Dolph Mathews [mailto:dolph.math...@gmail.com]
> Sent: Monday, February 11, 2013 1:09 PM
> To: Miller, Mark M (EB SW Cloud - RD - Corvallis)
> Subject: Re: [Openstack] keystone question - Solved
>
> keystoneclient is not being deprecated. I'd also suggest raising your question to the list.
>
> -Dolph
>
> On Mon, Feb 11, 2013 at 3:00 PM, Miller, Mark M (EB SW Cloud - RD - Corvallis) <mark.m.mil...@hp.com> wrote:
>
> Hello Dolph,
>
> Thank you for the answer. So it looks like keystoneclient is getting deprecated. So I tried to install openstackclient on an Ubuntu box and am getting the following error. Do you have any suggestions?
>
> Regards,
>
> Mark
>
> sudo python tools/install_venv.py
> venv already exists...
> Installing dependencies with pip (this can take a while)...
> Traceback (most recent call last):
>   File "tools/install_venv.py", line 67, in <module>
>     main(sys.argv)
>   File "tools/install_venv.py", line 61, in main
>     install.install_dependencies()
>   File "/home/build/keystone-grizzly-2/python-openstackclient-master/tools/install_venv_common.py", line 126, in install_dependencies
>     self.pip_install('pip==1.1')
>   File "/home/build/keystone-grizzly-2/python-openstackclient-master/tools/install_venv_common.py", line 116, in pip_install
>     redirect_output=False)
>   File "/home/build/keystone-grizzly-2/python-openstackclient-master/tools/install_venv_common.py", line 76, in run_command
>     check_exit_code)[0]
>   File "/home/build/keystone-grizzly-2/python-openstackclient-master/tools/install_venv_common.py", line 68, in run_command_with_code
>     proc = subprocess.Popen(cmd, cwd=self.root, stdout=stdout)
>   File "/usr/lib/python2.7/subprocess.py", line 679, in __init__
>     errread, errwrite)
>   File "/usr/lib/python2.7/subprocess.py", line 1249, in _execute_child
>     raise child_exception
> OSError: [Errno 13] Permission denied
> root@build-HP-Compaq-6005-Pro-SFF-PC:~/keystone-grizzly-2/python-openstackclient-master#
>
> From: Dolph Mathews [mailto:dolph.math...@gmail.com]
> Sent: Monday, February 11, 2013 12:09 PM
> To: Miller, Mark M (EB SW Cloud - RD - Corvallis)
> Subject: Re: [Openstack] keystone question - Solved
>
> - keystoneclient currently provides a python client library for both Identity API v2 and v3
> - keystoneclient currently provides a command line interface for Identity API v2 -- but will not do so for Identity API v3
> - openstackclient is working towards providing a unified CLI for all openstack projects, by consuming their python client libraries
>
> So, the answer depends on your use case. If you want to write python, consume keystoneclient directly. If you want to use the CLI, use openstackclient, which uses keystoneclient behind the scenes.
>
> All that said, work on openstackclient only recently ramped up, and a lot of major changes are still
Re: [Openstack] keystone question
Hi,

Thanks a lot.

Pat

On Fri, 8 Feb 2013 08:52:13 -0500, Tong Li wrote

The X-Auth-Token header in your request to validate the user token are not the same thing. You have to login as admin to get a token and hold on to that token, when a user request comes in with his token, you can hand it over to keystone for validation. Here I think will be how the request look like.

request:
curl -s -X GET http://localhost:35357/tokens/tokenToBeValidated -H "X-Auth-Token: adminAccessToken"

adminAccessToken should be a token you (as admin) to get using the same API and admin userid and password or other means (certificates possibly if that is how it was designed) to get access token just like any other user against keystone. Hope that helps.

Tong Li
Emerging Technologies Standards

From: pat <p...@xvalheru.org>
To: Tong Li/Raleigh/IBM@IBMUS,
Cc: openstack@lists.launchpad.net, openstack-bounces+litong01=us.ibm@lists.launchpad.net
Date: 02/08/2013 07:31 AM
Subject: Re: [Openstack] keystone question

Hi,

Thanks for the reply. I've been digging and I've found way how to get token using API:

curl -s -X POST http://localhost:35357/tokens -d '{"auth": {"passwordCredentials": {"username":"XXX", "password":"XXX"}, "tenantName":"XXX"}}' -H "Content-type: application/json"

This request returns JSON response, that's fine for me. But how to validate the token? I'm following the API: http://docs.openstack.org/api/openstack-identity-service/2.0/content/GET_validateToken_v2.0_tokens__tokenId__Admin_API_Service_Developer_Operations-d1e1356.html and request:

curl -s -X GET http://localhost:35357/tokens/XXXYYYXXX -H "X-Auth-Token: XXXYYYXXX"

return 401 (unauthorized). What I'm doing wrong?

Thanks for help

On Wed, 6 Feb 2013 11:46:28 -0500, Tong Li wrote

keystone provides APIs for authentication, I would think you only need to develop some code in your app to call the API and parse the response, then following request will have to be verified using the token. If you app is already wsgi app, you will just need to use the keystone middleware in your pipeline. If it is other type of the application, you will just need to develop some code which deal with keystone authentication http request/response and figure out a way to verify the token.

Thanks.

Tong Li
Emerging Technologies Standards

From: pat <p...@xvalheru.org>
To: openstack@lists.launchpad.net,
Date: 02/06/2013 10:35 AM
Subject: [Openstack] keystone question
Sent by: openstack-bounces+litong01=us.ibm@lists.launchpad.net

Hi all,

I have a question about keystone. I have an application (Jee web one) which I want to authenticate against keystone. What I have to do?

Thanks

Pat

Freehosting PIPNI - http://www.pipni.cz/
Re: [Openstack] keystone question
The X-Auth-Token header in your request to validate the user token are not the same thing. You have to login as admin to get a token and hold on to that token, when a user request comes in with his token, you can hand it over to keystone for validation. Here I think will be how the request look like.

request:
curl -s -X GET http://localhost:35357/tokens/tokenToBeValidated -H "X-Auth-Token: adminAccessToken"

adminAccessToken should be a token you (as admin) to get using the same API and admin userid and password or other means (certificates possibly if that is how it was designed) to get access token just like any other user against keystone. Hope that helps.

Tong Li
Emerging Technologies Standards

From: pat <p...@xvalheru.org>
To: Tong Li/Raleigh/IBM@IBMUS,
Cc: openstack@lists.launchpad.net, openstack-bounces+litong01=us.ibm@lists.launchpad.net
Date: 02/08/2013 07:31 AM
Subject: Re: [Openstack] keystone question

Hi,

Thanks for the reply. I've been digging and I've found way how to get token using API:

curl -s -X POST http://localhost:35357/tokens -d '{"auth": {"passwordCredentials": {"username":"XXX", "password":"XXX"}, "tenantName":"XXX"}}' -H "Content-type: application/json"

This request returns JSON response, that's fine for me. But how to validate the token? I'm following the API: http://docs.openstack.org/api/openstack-identity-service/2.0/content/GET_validateToken_v2.0_tokens__tokenId__Admin_API_Service_Developer_Operations-d1e1356.html and request:

curl -s -X GET http://localhost:35357/tokens/XXXYYYXXX -H "X-Auth-Token: XXXYYYXXX"

return 401 (unauthorized). What I'm doing wrong?

Thanks for help

On Wed, 6 Feb 2013 11:46:28 -0500, Tong Li wrote

keystone provides APIs for authentication, I would think you only need to develop some code in your app to call the API and parse the response, then following request will have to be verified using the token. If you app is already wsgi app, you will just need to use the keystone middleware in your pipeline. If it is other type of the application, you will just need to develop some code which deal with keystone authentication http request/response and figure out a way to verify the token.

Thanks.

Tong Li
Emerging Technologies Standards

From: pat <p...@xvalheru.org>
To: openstack@lists.launchpad.net,
Date: 02/06/2013 10:35 AM
Subject: [Openstack] keystone question
Sent by: openstack-bounces+litong01=us.ibm@lists.launchpad.net

Hi all,

I have a question about keystone. I have an application (Jee web one) which I want to authenticate against keystone. What I have to do?

Thanks

Pat
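The two-token flow described in the message above, as an added example that is not part of the original thread: a constructed in-process stand-in for the admin endpoint (not Keystone code) reproduces the 401 returned when a user token is sent as its own X-Auth-Token, then validates the same token with an admin token. The `/tokens` paths and request body follow the curl commands in the thread; the accounts, passwords, tenant name and the admin check are assumptions.

```python
import json
import threading
import urllib.error
import urllib.request
import uuid
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed accounts for the stand-in server (assumption, not real credentials).
USERS = {"admin": {"password": "admin-pass", "is_admin": True},
         "pat": {"password": "pat-pass", "is_admin": False}}
TOKENS = {}  # issued token id -> user name

# Hypothetical stand-in for the admin endpoint the thread reaches on port 35357.
class FakeKeystone(BaseHTTPRequestHandler):
    def _reply(self, status, body):
        data = json.dumps(body).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def do_POST(self):
        # POST /tokens: password authentication, returns a fresh token.
        if self.path != "/tokens":
            return self._reply(404, {"error": "not found"})
        try:
            length = int(self.headers.get("Content-Length", 0))
            creds = json.loads(self.rfile.read(length))["auth"]["passwordCredentials"]
            name, password = creds["username"], creds["password"]
        except (ValueError, KeyError, TypeError):
            return self._reply(400, {"error": "malformed auth request"})
        user = USERS.get(name)
        if user is None or user["password"] != password:
            return self._reply(401, {"error": "bad credentials"})
        token = uuid.uuid4().hex
        TOKENS[token] = name
        self._reply(200, {"access": {"token": {"id": token}}})

    def do_GET(self):
        # GET /tokens/<id>: the caller's X-Auth-Token must belong to an admin.
        if not self.path.startswith("/tokens/"):
            return self._reply(404, {"error": "not found"})
        caller = TOKENS.get(self.headers.get("X-Auth-Token", ""))
        if caller is None or not USERS[caller]["is_admin"]:
            return self._reply(401, {"error": "admin token required"})
        subject = TOKENS.get(self.path[len("/tokens/"):])
        if subject is None:
            return self._reply(404, {"error": "token not found"})
        self._reply(200, {"access": {"user": {"username": subject}}})

    def log_message(self, *args):
        pass  # silence per-request logging

# Ignore proxy settings from the environment so the demo stays on loopback.
OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))

def call(base, method, path, body=None, auth_token=None):
    # Send one request and return (status, parsed JSON body).
    headers = {"Content-Type": "application/json"}
    if auth_token:
        headers["X-Auth-Token"] = auth_token
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(base + path, data=data, headers=headers, method=method)
    try:
        with OPENER.open(req, timeout=5) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as err:
        return err.code, json.load(err)

def get_token(base, username, password):
    # Same body shape as the curl POST in the thread; tenantName is a placeholder.
    auth = {"passwordCredentials": {"username": username, "password": password},
            "tenantName": "demo"}
    status, body = call(base, "POST", "/tokens", {"auth": auth})
    return body["access"]["token"]["id"] if status == 200 else None

def demo():
    server = HTTPServer(("127.0.0.1", 0), FakeKeystone)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    base = "http://127.0.0.1:%d" % server.server_port
    try:
        user_token = get_token(base, "pat", "pat-pass")
        admin_token = get_token(base, "admin", "admin-pass")
        # The failing request from the thread: the user token vouching for itself.
        self_status, _ = call(base, "GET", "/tokens/" + user_token, auth_token=user_token)
        # The described fix: the service presents its own admin token.
        ok_status, ok_body = call(base, "GET", "/tokens/" + user_token, auth_token=admin_token)
        # A token that was never issued must not validate, even for an admin caller.
        bad_status, _ = call(base, "GET", "/tokens/not-a-token", auth_token=admin_token)
        return {"self_validation": self_status, "admin_validation": ok_status,
                "validated_user": ok_body["access"]["user"]["username"],
                "unknown_token": bad_status}
    finally:
        server.shutdown()
        server.server_close()

if __name__ == "__main__":
    print(demo())
```

In a real service the admin token is obtained once with the service's own credentials and kept server-side; only the user's token arrives with each request.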
Re: [Openstack] keystone question
Hi all,

I have spent several days installing Grizzly-2 Keystone with SSL and PKI and think I have been successful. I can see some of the new API resources such as v3/domains, v3/groups, and v3/services, but I don't see these listed as commands in the keystoneclient. Are they simply not implemented yet or was I unsuccessful when I installed Grizzly-2? I also want to know if the above resource APIs are fully functional?

Regards,

Mark Miller
[Openstack] keystone question
Hi all, I have a question about keystone. I have an application (Jee web one) which I want to authenticate against keystone. What do I have to do?

Thanks
Pat

Freehosting PIPNI - http://www.pipni.cz/
Re: [Openstack] keystone question
Keystone provides APIs for authentication. I would think you only need to develop some code in your app to call the API and parse the response; then the following requests will have to be verified using the token. If your app is already a WSGI app, you will just need to use the keystone middleware in your pipeline. If it is another type of application, you will just need to develop some code which deals with keystone authentication HTTP request/response and figure out a way to verify the token.

Thanks.

Tong Li
Emerging Technologies Standards

From: pat p...@xvalheru.org
To: openstack@lists.launchpad.net
Date: 02/06/2013 10:35 AM
Subject: [Openstack] keystone question
Sent by: openstack-bounces+litong01=us.ibm@lists.launchpad.net

Hi all, I have a question about keystone. I have an application (Jee web one) which I want to authenticate against keystone. What do I have to do?

Thanks
Pat

Freehosting PIPNI - http://www.pipni.cz/
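The flow described in the reply above for an application that is not a WSGI app (call the authentication API, parse the response, verify the token on later requests), as an added sketch that is not part of the original thread and not Keystone's own code. It assumes the Keystone v2.0 identity API; the function names are hypothetical and the sample response, tenant and role values are constructed.

```python
import json
from datetime import datetime, timezone

def build_auth_request(username, password, tenant_name):
    """JSON body for POST <keystone>/v2.0/tokens (v2.0 password authentication)."""
    return json.dumps({"auth": {
        "passwordCredentials": {"username": username, "password": password},
        "tenantName": tenant_name,
    }})

def parse_access(body):
    """Extract the fields an application needs from an 'access' response."""
    access = json.loads(body)["access"]
    token = access["token"]
    return {
        "token_id": token["id"],
        "expires": datetime.strptime(token["expires"], "%Y-%m-%dT%H:%M:%SZ")
                           .replace(tzinfo=timezone.utc),
        "tenant": token.get("tenant", {}).get("name"),  # absent on unscoped tokens
        "user": access["user"]["name"],
        "roles": {r["name"] for r in access["user"].get("roles", [])},
    }

def authorize(validation_body, tenant, required_role, now=None):
    """Decide on a request from the body returned when the application validates
    the caller's token (GET /v2.0/tokens/<id>, sent with the application's own
    service token in X-Auth-Token). Returns (ok, user_name_or_reason)."""
    try:
        info = parse_access(validation_body)
    except (KeyError, TypeError, ValueError, AttributeError):
        return False, "malformed validation response"
    now = now or datetime.now(timezone.utc)
    if info["expires"] <= now:
        return False, "token expired"
    if info["tenant"] != tenant:
        return False, "token not scoped to this tenant"
    if required_role not in info["roles"]:
        return False, "missing role"
    return True, info["user"]

# Constructed sample of a v2.0 validation response (not captured from a server).
SAMPLE = json.dumps({"access": {
    "token": {"id": "constructed-token-id", "expires": "2013-02-07T10:35:00Z",
              "tenant": {"id": "t1", "name": "demo"}},
    "user": {"id": "u1", "name": "pat", "roles": [{"name": "_member_"}]},
}})
```

The application should fail closed: any result other than `(True, user)` means the request is rejected, including when the validation response cannot be parsed.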
Re: [Openstack] [Keystone] Question from mgius on IRC about update_user API call
Right now the code to update doesn't allow the operation if the user is disabled, as there is a separate call to enable/disable a user, i.e. /users/userId/enabled. That call should allow the enabling/disabling of a user independent of his current status.

Regards
Yogeshwar Srikrishnan
Rackspace

From: openstack-bounces+yogesh.srikrishnan=rackspace@lists.launchpad.net [openstack-bounces+yogesh.srikrishnan=rackspace@lists.launchpad.net] on behalf of Jay Pipes [jaypi...@gmail.com]
Sent: Wednesday, July 20, 2011 1:54 PM
To: openstack@lists.launchpad.net
Subject: [Openstack] [Keystone] Question from mgius on IRC about update_user API call

Keystone devs, mgius had a question on IRC:

mgius I have a question about Keystone
mgius I'm looking to add support to the dashboard so that users can be enabled or disabled from the dashboard
mgius but it looks like in update_user if the target user is disabled a 403 is always thrown
mgius was that intentional?

-jay
Re: [Openstack] [Keystone] Question from mgius on IRC about update_user API call
It looks like my previous email didn't go through because I hadn't registered this email address with launchpad. Sending again.

Would you be opposed to removing the check for disabled in get_user, and possibly update_user as well? As it stands now, you can only fetch and examine disabled users by fetching every user with get_users. Is there some reason that a disabled user should not be fetched or updated?

Mark

On Wed, Jul 20, 2011 at 2:12 PM, Mark Gius m...@markgius.com wrote:

Would you be opposed to removing the check for disabled in get_user, and possibly update_user as well? As it stands now, you can only fetch and examine disabled users by fetching every user with get_users. Is there some reason that a disabled user should not be fetched or updated?

Mark

On Wed, Jul 20, 2011 at 1:01 PM, Yogi Srikrishnan yogesh.srikrish...@rackspace.com wrote:

Right now the code to update doesn't allow the operation if the user is disabled, as there is a separate call to enable/disable a user, i.e. /users/userId/enabled. That call should allow the enabling/disabling of a user independent of his current status.

Regards
Yogeshwar Srikrishnan
Rackspace

From: openstack-bounces+yogesh.srikrishnan=rackspace.com@lists.launchpad.net [openstack-bounces+yogesh.srikrishnan=rackspace.com@lists.launchpad.net] on behalf of Jay Pipes [jaypi...@gmail.com]
Sent: Wednesday, July 20, 2011 1:54 PM
To: openstack@lists.launchpad.net
Subject: [Openstack] [Keystone] Question from mgius on IRC about update_user API call

Keystone devs, mgius had a question on IRC:

mgius I have a question about Keystone
mgius I'm looking to add support to the dashboard so that users can be enabled or disabled from the dashboard
mgius but it looks like in update_user if the target user is disabled a 403 is always thrown
mgius was that intentional?

-jay