[openstack-dev] [keystone] Usage of trusts with v2.0 authentication

2016-02-09 Thread Lance Bragstad
When trusts were implemented, they were designed to work as an extension
under the version 3 API. The implementation didn't prevent the use of a
trust to authenticate against version 2.0, which was never officially
documented in the v2.0 API docs.

The keystone team is curious if there is anyone creating trusts using v3
and then using them against version 2.0. If not, we'd like to
remove/deprecate support for that case in v2.0. If so, then we'll have to
add official documentation for trusts against v2.0 and incorporate that
case into fernet.

Thanks!

Lance
__
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev


Re: [openstack-dev] [keystone] Usage of trusts with v2.0 authentication

2016-02-09 Thread michael mccune

On 02/09/2016 12:06 PM, Lance Bragstad wrote:

> The keystone team is curious if there is anyone creating trusts using v3
> and then using them against version 2.0. If not, we'd like to
> remove/deprecate support for that case in v2.0. If so, then we'll have
> to add official documentation for trusts against v2.0 and incorporate
> that case into fernet.


i'm curious if this will affect the usage of trusts through the python 
keystoneclient?


the sahara project creates several trusts through the python client,
and this seems to work regardless of the version endpoint we use. we 
aren't specifically using these trusts against a v2 endpoint, but we do 
use whatever endpoint is provided in our configuration for the identity 
endpoint.


thanks for bringing this up.

regards,
mike




Re: [openstack-dev] [keystone] Usage of trusts with v2.0 authentication

2016-02-09 Thread Steven Hardy
On Tue, Feb 09, 2016 at 11:06:10AM -0600, Lance Bragstad wrote:
> When trusts were implemented, they were designed to work as an extension
> under the version 3 API. The implementation didn't prevent the use of a
> trust to authenticate against version 2.0, which was never officially
> documented in the v2.0 API docs.
>
> The keystone team is curious if there is anyone creating trusts using v3
> and then using them against version 2.0. If not, we'd like to
> remove/deprecate support for that case in v2.0. If so, then we'll have to
> add official documentation for trusts against v2.0 and incorporate that
> case into fernet.

Heat has been using trusts internally for a long time, but until very
recently, almost all installation methods for OpenStack resulted in all
services having v2.0 versioned endpoints.

Does the auth_token middleware now always use v3 by default, even when all
the keystone endpoints are versioned to v2.0 (still very common IME)?

IIRC we relied on the v2.0 behavior you reference when we first introduced
our trusts usage back in 2013, but it may be that auth_token version
discovery now means all services are hitting v3 even with v2.0 endpoints
in the catalog, in which case I guess this may be OK (probably something to
test tho).

It'd be good to confirm such mixed environments will continue to function,
otherwise this might end up a disruptive break in backwards compatibility.

Thanks,

Steve
