[openstack-dev] [keystone][nova]Quotas: Store resources and limits in the Keystone

[Kseniya Tychkova]

Hi,
I would like to share a spec [1] with you.
The main idea of this spec is to start a discussion about quota management
in the OpenStack.

Quotas are scattered across OpenStack services. Each service defines it's
own model and API for
managing resource's limits. Because of that, there are several problems:

   - Names of the resources and resource-service mapping  are hardcoded.
   They are hardcoded in the service code (Nova, for example) and it should be
   hardcoded in the client code (Horizon, for example).


   - There is no centralized quota management for OpenStack projects.
   - Cinder, Nova and Neutron support (or going to support) hierarchical
   quotas in different ways.

There should be a single point of managing quotas in OpenStack.
Keystone looks like a proper place to store resource's limits because:

   - Keystone stores projects
   - Limits are belong to project.


There are a lot of possible issues with “store limits in Keystone”
approach. But all of them can be discussed
and such discussion should lead to the good solution for quotas management
 in Openstack.

Please take a look at the spec when you have time and share your ideas or
concerns.

[1] https://review.openstack.org/#/c/363765/


Kind regards,
Kseniya
__
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

Re: [openstack-dev] [keystone] Can anyone share some experience for how to configure keystone work with https

[Kseniya Tychkova]

Hi,
just follow instruction for your web server. For example, for Apache  -
https://httpd.apache.org/docs/2.4/ssl/ssl_howto.html
In short:
- create certificates
- install and enable ssl module
- enable ssl for keystone site (add directives in your
/etc/apache2/sites-available/keystone-wsgi. conf file)

On Mon, Jul 11, 2016 at 6:22 AM, Jay Lau  wrote:

> Hi,
>
> Does anyone have some experience or some document for how to configure
> keystone work with https? If so, can you please help share with me or show
> some links that can help?
>
> --
> Thanks,
>
> Jay Lau (Guangya Liu)
>
> __
> OpenStack Development Mailing List (not for usage questions)
> Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>
>
__
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

Re: [openstack-dev] How to single sign on with windows authentication with Keystone

[Kseniya Tychkova]

Hi
I would like to share article Keystone and WebSSO: Using Active Directory
Federation Services with OpenStack Keystone

 (http://xuctarine.blogspot.ru/2016/05/keystone-and-websso-using-active.html
).
In this article you can find step-by-step manual for SSO on Windows with
Keystone.


On Fri, May 20, 2016 at 3:03 AM, Adam Young  wrote:

> On 05/19/2016 07:40 AM, Rodrigo Duarte wrote:
>
> Hi,
>
> So you are trying to use keystone to authorize your users, but want to
> avoid having to authenticate via keystone, right?
>
> Check if the Federated Identity feature [1] covers your use case.
>
> [1]
> http://docs.openstack.org/security-guide/identity/federated-keystone.html
>
> On Thu, May 19, 2016 at 8:27 AM, OpenStack Mailing List Archive <
> cor...@gmail.com> wrote:
>
>> Link: https://openstack.nimeyo.com/85057/?show=85057#q85057
>> From: imocha 
>>
>> I have to call the keystone APIs and want to use the windows
>> authentication using Active Directory. Keystone provides integration with
>> AD at the back end. To get the initial token to use OpenStack APIs, I need
>> to pass user name and password in the keystone token creation api.
>>
>> Since I am already logged on to my windows domain, is there any way that
>> I can get the token without passing the password in the api.
>>
> Yes, use SSSD and Mod_Lookup_Identity:
>
>
> https://adam.younglogic.com/2014/05/keystone-federation-via-mod_lookup_identity/
>
>
>
>> __
>> OpenStack Development Mailing List (not for usage questions)
>> Unsubscribe:
>> openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>>
>>
>
>
> --
> Rodrigo Duarte Sousa
> Senior Quality Engineer @ Red Hat
> MSc in Computer Science
> http://rodrigods.com
>
>
> __
> OpenStack Development Mailing List (not for usage questions)
> Unsubscribe: 
> openstack-dev-requ...@lists.openstack.org?subject:unsubscribehttp://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>
>
>
> __
> OpenStack Development Mailing List (not for usage questions)
> Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>
>
__
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

[openstack-dev] [keystone] Single Sign On integration research

[Kseniya Tychkova]

Hi,
as you may know currently Keystone supports Single Sign-On (SSO) and as I
think it is one of the most interesting features in Keystone.
I've done research on Single Sign-On in Keystone. Practically I just tried
to set up Keystone in 2 different configuration.
As a result of my research I have 2 blog posts and I would like to share
links with you:

*1. Keystone Service Provider with Shibboleth Identity Provider (WebSSO
profile)
*:

( http://xuctarine.blogspot.ru/2016/02/keystone-service-provider-with.html )
Post describes how to step-by-step deploy Shibboleth Identity Provider with
Keystone Service Provider.
This configuration is interesting because you can easily replace Shibboleth
Identity Provider
with any other Identity Provider with SAML support.
So it is, I think, most popular use case for SSO in Keystone.


*2. How to setup Keystone with Shibboleth (ECP profile):
*(
http://xuctarine.blogspot.ru/2016/02/how-to-setup-keystone-with-shibboleth.html
)
Post describes how to deploy Keystone Identity Provider with Keystone
Service Provider.
It is Keystone-to-Keystone configuration and it uses ECP profile (Enhanced
Client or Proxy) of SAML Protocol.
A lot of information for this post I took from rodrigods blog (
http://blog.rodrigods.com/it-is-time-to-play-with-keystone-to-keystone-federation-in-kilo
).

I hope my posts will help you to deploy/configure SSO or at least will be
interesting to take a look at SSO feature in Keystone.

Kind regards, Kseniya
__
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev