Re: [openstack-dev] [Openstack-operators] [keystone] RBAC usage at production
Using a middleware is what we are doing also. Can you give more details about your structure? Our middleware is like the Rackspace OpenRepose. What do you use for role definitions? Are you using any backend for Keystone like LDAP?

Regards.

On Thu, Dec 10, 2015 at 9:55 PM, Jesse Keating wrote:

> We use RBAC, however we've done it based on roles and some middleware. The
> policy files are essentially static.
>
> - jlk
>
> On Wed, Dec 9, 2015 at 12:39 AM, Oguz Yarimtepe wrote:
>
>> Hi,
>>
>> I am wondering whether there are people using RBAC at production. The
>> policy.json file has a structure that requires restart of the service each
>> time you edit the file. Is there an on-the-fly solution or tips about it?
>>
>> ___
>> OpenStack-operators mailing list
>> openstack-operat...@lists.openstack.org
>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators

--
Oğuz Yarımtepe
http://about.me/oguzy

__
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
Re: [openstack-dev] [Openstack-operators] [keystone] RBAC usage at production
In other projects the policy.json file is read each time of api request. So changes to the file take place immediately. I was 90% sure keystone was the same way?

___
Kris Lindgren
Senior Linux Systems Engineer
GoDaddy

On 12/9/15, 1:39 AM, "Oguz Yarimtepe" wrote:

>Hi,
>
>I am wondering whether there are people using RBAC at production. The
>policy.json file has a structure that requires restart of the service
>each time you edit the file. Is there an on-the-fly solution or tips
>about it?
Re: [openstack-dev] [Openstack-operators] [keystone] RBAC usage at production
We use RBAC in production but basically modify networking operations and some compute ones. In our case we don’t need to restart the services if we modify the policy.json file. I am surprised that keystone is not following the same process.

Edgar

On 12/9/15, 9:06 AM, "Kris G. Lindgren" wrote:

>In other projects the policy.json file is read each time of api request. So
>changes to the file take place immediately. I was 90% sure keystone was the
>same way?
>
>___
>Kris Lindgren
>Senior Linux Systems Engineer
>GoDaddy
>
>On 12/9/15, 1:39 AM, "Oguz Yarimtepe" wrote:
>
>>Hi,
>>
>>I am wondering whether there are people using RBAC at production. The
>>policy.json file has a structure that requires restart of the service
>>each time you edit the file. Is there an on-the-fly solution or tips
>>about it?
Re: [openstack-dev] [Openstack-operators] [keystone] RBAC usage at production
We are running keystone kilo in production, and I'm actively implementing RBAC right now. I'm certain that, at least with the version of keystone we're running, a restart is NOT required when the policy file is modified.

Tim

On 12/9/15, 9:18 AM, "Edgar Magana" wrote:

>We use RBAC in production but basically modify networking operations and
>some compute ones. In our case we don't need to restart the services if
>we modify the policy.json file. I am surprised that keystone is not
>following the same process.
>
>Edgar
>
>On 12/9/15, 9:06 AM, "Kris G. Lindgren" wrote:
>
>>In other projects the policy.json file is read each time of api request.
>>So changes to the file take place immediately. I was 90% sure keystone
>>was the same way?
>>
>>___
>>Kris Lindgren
>>Senior Linux Systems Engineer
>>GoDaddy
>>
>>On 12/9/15, 1:39 AM, "Oguz Yarimtepe" wrote:
>>
>>>Hi,
>>>
>>>I am wondering whether there are people using RBAC at production. The
>>>policy.json file has a structure that requires restart of the service
>>>each time you edit the file. Is there an on-the-fly solution or tips
>>>about it?
Re: [openstack-dev] [Openstack-operators] [keystone] RBAC usage at production
Whether or not a restart is required is actually handled by oslo.policy, which is only included in Kilo and newer versions of Keystone. The work to avoid restarting the service went in in commit [0] and was further worked on in [1]. Juno and older versions are using the oslo-incubator code to handle policy (before it was turned into its own library), and AFAICT don't have the check to see if policy.json has been modified.

[0] https://github.com/openstack/oslo.policy/commit/63d699aff89969fdfc584ce875a23ba0a90e5b51
[1] https://github.com/openstack/oslo.policy/commit/b5f07dfe4cd4a5d12c7fecbc3954694d934de642

Thanks,

Steve Martinelli
OpenStack Keystone Project Team Lead

From: Timothy Symanczyk <timothy_symanc...@symantec.com>
To: "OpenStack Development Mailing List (not for usage questions)" <openstack-dev@lists.openstack.org>, "Kris G. Lindgren" <klindg...@godaddy.com>, Oguz Yarimtepe <oguzyarimt...@gmail.com>, "openstack-operat...@lists.openstack.org" <openstack-operat...@lists.openstack.org>
Date: 2015/12/09 04:40 PM
Subject: Re: [openstack-dev] [Openstack-operators] [keystone] RBAC usage at production

We are running keystone kilo in production, and I'm actively implementing RBAC right now. I'm certain that, at least with the version of keystone we're running, a restart is NOT required when the policy file is modified.

Tim

On 12/9/15, 9:18 AM, "Edgar Magana" <edgar.mag...@workday.com> wrote:

>We use RBAC in production but basically modify networking operations and
>some compute ones. In our case we don't need to restart the services if
>we modify the policy.json file. I am surprised that keystone is not
>following the same process.
>
>Edgar
>
>On 12/9/15, 9:06 AM, "Kris G. Lindgren" <klindg...@godaddy.com> wrote:
>
>>In other projects the policy.json file is read each time of api request.
>>So changes to the file take place immediately. I was 90% sure keystone
>>was the same way?
>>
>>___
>>Kris Lindgren
>>Senior Linux Systems Engineer
>>GoDaddy
>>
>>On 12/9/15, 1:39 AM, "Oguz Yarimtepe" <oguzyarimt...@gmail.com> wrote:
>>
>>>Hi,
>>>
>>>I am wondering whether there are people using RBAC at production. The
>>>policy.json file has a structure that requires restart of the service
>>>each time you edit the file. Is there an on-the-fly solution or tips
>>>about it?
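
The difference discussed in this thread, as an added illustration that is not part of any message and is not oslo.policy's or oslo-incubator's code: a simplified model in which one enforcer reads policy.json once at start-up and another re-reads it whenever the file's modification time changes. The class names, the rule subset (`role:a or role:b`), the default-deny choice and the sample rule are assumptions of this example.

```python
import json
import os
import tempfile


def check(rule, roles):
    # Tiny subset of the policy language: "role:a or role:b".
    return any(alt.strip()[5:] in roles
               for alt in rule.split(" or ") if alt.strip().startswith("role:"))


class StaticEnforcer:
    """Reads policy.json once; later edits need a restart to take effect."""
    def __init__(self, path):
        with open(path) as fh:
            self.rules = json.load(fh)

    def enforce(self, action, roles):
        # Actions missing from the file are denied (a choice of this example).
        return action in self.rules and check(self.rules[action], roles)


class ReloadingEnforcer(StaticEnforcer):
    """Re-reads policy.json when its modification time has changed."""
    def __init__(self, path):
        self.path, self.mtime, self.rules, self.reloads = path, None, {}, 0

    def enforce(self, action, roles):
        mtime = os.stat(self.path).st_mtime_ns
        if mtime != self.mtime:  # file touched since the last request
            with open(self.path) as fh:
                self.rules = json.load(fh)
            self.mtime, self.reloads = mtime, self.reloads + 1
        return super().enforce(action, roles)


def write_policy(path, rules, mtime_s):
    with open(path, "w") as fh:
        json.dump(rules, fh)
    # Set the timestamp explicitly so the demo does not depend on clock granularity.
    os.utime(path, ns=(mtime_s * 10**9, mtime_s * 10**9))


def demo():
    """Tighten a rule on disk; return each enforcer's decision before and after."""
    action, roles = "identity:list_users", ["member"]  # constructed sample
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "policy.json")
        write_policy(path, {action: "role:admin or role:member"}, 1000)
        static, live = StaticEnforcer(path), ReloadingEnforcer(path)
        before = (static.enforce(action, roles), live.enforce(action, roles))
        write_policy(path, {action: "role:admin"}, 2000)
        after = (static.enforce(action, roles), live.enforce(action, roles))
        live.enforce(action, roles)  # unchanged file: no extra reload
        return before, after, live.reloads
```

After the rule is tightened, the static enforcer still authorizes the `member` role until its process restarts, which is the case to verify when a policy change is meant to revoke access.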