Re: [Openstack] IMPORTANT: Openstack List Migration (Please read)

2013-07-25 Thread Adam Young
Yes, but subscribing for that gets a page with The requested URL /mailman/subscribe/openstack was not found on this server. On 07/25/2013 08:52 AM, Damion Parry wrote: Hello, I happened to stumble across: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack HTH, Damion. On 25 Jul

Re: [Openstack] glance: Invalid Openstack Identity Credentials

2013-07-24 Thread Adam Young
On 07/24/2013 10:45 AM, Salvatore Orlando wrote: Have you tried checking the credentials that glance uses for validating tokens with keystone? They are defined in glance's conf files in the section: [keystone_authtoken] signing_dir = /var/cache/glance/api make sure that the directory

Re: [Openstack] glance: Invalid Openstack Identity Credentials

2013-07-24 Thread Adam Young
I wrote this up as a general answer. Hope it helps. https://adam.younglogic.com/2013/07/troubleshooting-pki-middleware/ On 07/24/2013 11:44 AM, Adam Young wrote: On 07/24/2013 10:45 AM, Salvatore Orlando wrote: Have you tried checking the credentials that glance uses for validating tokens

Re: [Openstack] Keystone client auth plugins

2013-07-18 Thread Adam Young
On 07/18/2013 12:33 AM, Alessio Ababilov wrote: Hi, Chmouel! I have seen your commit https://review.openstack.org/#/c/36427/2 introducing auth plugins to keystone client. I have developed a common API client library that already has auth plugin mechanism found in novaclient. The library

Re: [Openstack] can one user in multiple tenants?

2013-07-18 Thread Adam Young
The CLI keystone user-role-list should be returning that, so long as you don't filter by tenant. From an API perspective, you would call /users/{user_id}/roles http://docs.openstack.org/developer/keystone/api_curl_examples.html#get-users-user-id-roles On 07/18/2013 04:04 AM, Peter Cheung

Re: [Openstack] can one user in multiple tenants?

2013-07-17 Thread Adam Young
On 07/18/2013 12:12 AM, Peter Cheung wrote: Hi all 1) can one user in multiple tenants? I think yes, but when I keystone user-get, I can see only one tenant field. User has a role assignment. The default role is Member, and they can have this role in multiple tenants. You are seeing the

Re: [Openstack] [keystone] How to validate token without admin privileges

2013-06-20 Thread Adam Young
We are moving to an RBAC system for enforcing access to the APIs. So, whereas in the past we enforced is admin when checking a token, in the future, you can specify your own policy rule. PKI based Tokens can be verified without talking to Keystone. See the auth_token middleware and cms.py

Re: [Openstack] Keystone, pki tokens and memcache

2013-06-17 Thread Adam Young
On 06/17/2013 12:27 AM, Sam Morrison wrote: I'm currently looking into Grizzly and have been having some issues getting PKI tokens to work. If I have memcache as the token backend keystone issues uuid based tokens, if I have sql as the backend then it issues PKI tokens. Does this mean you

Re: [Openstack] [Keystone] Splitting the Identity Backend

2013-05-21 Thread Adam Young
, Adam Young wrote: Currently, the Identity backend has Domains, Users, Groups, Roles, Role Assignments and Projects. I've proposed splitting it into 3 distinct pieces. Domain, Identity, and Projects. Here is the rationale: Somewhere between a third and a half of the OpenStack deployments

Re: [Openstack] AuthN/AuthZ

2013-05-20 Thread Adam Young
ports. You will want Keystone on a separate machine from Horizon. On Wed, May 15, 2013 at 3:57 PM, Adam Young ayo...@redhat.com wrote: Run Keystone in Apache HTTPD, use Kerberos and the LDAP backend to talk to AD. On 05/14/2013 06:11 PM, Aaron Knister

[Openstack] [Keystone] Splitting the Identity Backend

2013-05-20 Thread Adam Young
Currently, the Identity backend has Domains, Users, Groups, Roles, Role Assignments and Projects. I've proposed splitting it into 3 distinct pieces. Domain, Identity, and Projects. Here is the rationale: Somewhere between a third and a half of the OpenStack deployments are using LDAP.

Re: [Openstack] [Grizzly] NoneType object unsubscriptable while setting up keystone

2013-05-15 Thread Adam Young
Look in the bug database, I think there is already an entry for this. user-list works in general, so it has to be something in your environment that is triggering it. If I remember correctly, you are likely using the Admin token. What are the openstack variables in your environment? On

Re: [Openstack] AuthN/AuthZ

2013-05-15 Thread Adam Young
Run Keystone in Apache HTTPD, use Kerberos and the LDAP backend to talk to AD. On 05/14/2013 06:11 PM, Aaron Knister wrote: *bump* Here's the tl;dr version: - How have other folks handled integration of OpenStack with existing authN/authZ infrastructures? I'm particularly interested in the

Re: [Openstack] keystone

2013-05-14 Thread Adam Young
Looks like you have typos in x.sh On 05/14/2013 08:43 AM, Mahzad Zahedi wrote: I have followed basic install guide openstack on ubuntu (grizzly) so for configuration keystone first, I have created openrc File and added below lines into it: export OS_TENANT_NAME=admin export OS_USERNAME=admin

Re: [Openstack] Heat PTL candidacy

2013-04-25 Thread Adam Young
On 04/23/2013 10:15 AM, Steven Hardy wrote: Repost to correctly include openstack-dev on Cc On Tue, Apr 23, 2013 at 02:45:31PM +0100, Steven Hardy wrote: Hi! I'd like to propose myself as a candidate for the Heat PTL role, ref Thierry's nominations email [1] I've been professionally involved

Re: [Openstack] New site for questions http://ask.openstack.org

2013-03-27 Thread Adam Young
Is there a way I can get notified for any new Questions specific to Keystone? I'm a core dev on Keystone, and can probably answer some of the more esoteric stuff.

Re: [Openstack] [Keystone]Question: Assignment of default role

2013-02-22 Thread Adam Young
Yes, this is new. We are removing the direct association between users and projects (Project members) and replacing it with a Role (_member_) The _ is there to ensure it does not conflict with existing roles. The two different ways of associating users to projects was causing problems.

Re: [Openstack] [Swift][Keystone] Authentication problems with Swift and Keystone by Grizzly release

2013-02-16 Thread Adam Young
On 02/14/2013 09:38 AM, Heiko Krämer wrote: Heyho Guys, I'm testing Swift and Keystone (Grizzly). !NOTE! I'm posting only the important stuff (output, responses, configs) I've upgraded and migrate the database, the migration are working not correct (keystone-manage db_sync) because in the

Re: [Openstack] keystone delegate Athentication

2013-02-06 Thread Adam Young
by Apache and sent to Keystone saying the username of the authenticated user. Will that work for you? On 02/06/2013 09:58 AM, Dolph Mathews wrote: Adam Young is working on introducing delegation in grizzly: https://blueprints.launchpad.net/keystone/+spec/trusts I'm sure he'd appreciate some help

Re: [Openstack] keystone question

2013-02-06 Thread Adam Young
On 02/06/2013 10:06 AM, pat wrote: Hi all, I have a question about keystone. I have an application (Jee web one) which I want to authenticate against keystone. What I have to do? Thanks Pat Freehosting PIPNI - http://www.pipni.cz/

Re: [Openstack] [OpenStack] Keystone did not start - DevStack Installation

2013-02-05 Thread Adam Young
On 02/05/2013 08:00 AM, Antonio Tirri wrote: Hi all, actually I'm trying to install OpenStack through DevStack script. Unfortunately the installation is not successful because the keystone service doesn't start. This is the log of the script: 2013-02-05 13:19:05 + SCREEN_NAME=stack

Re: [Openstack] [OpenStack] Keystone did not start - DevStack Installation

2013-02-05 Thread Adam Young
that command with sudo, it seems that it runs. Thank you, Antonio On 5 February 2013 17:04, Adam Young ayo...@redhat.com wrote: On 02/05/2013 08:00 AM, Antonio Tirri wrote: Hi all, actually I'm trying to install OpenStack through DevStack script

Re: [Openstack] [keystone] Why are we returing such a big payload in validate token?

2013-01-31 Thread Adam Young
On 01/31/2013 07:44 PM, Ali, Haneef wrote: Hi, As of now v3 validateToken response has tokens, service catalog, users, project , roles and domains. (i.e) Except for groups we are returning everything. We also discussed about the possibility of 100s of endpoints. ValidateToken is

Re: [Openstack] [keystone] Why are we returing such a big payload in validate token?

2013-01-31 Thread Adam Young
/trusts Vish Thanks Haneef *From:* openstack-bounces+haneef.ali=hp@lists.launchpad.net *On Behalf Of* Adam Young

Re: [Openstack] Poll: H release cycle naming

2013-01-24 Thread Adam Young
On 01/24/2013 10:13 AM, Thierry Carrez wrote: It's that time of the year again... As is the tradition, we'd like the help of the community to help select the code name of the next release cycle of OpenStack. The Technical Committee narrowed the list of valid candidates to 4 names, and we'd

Re: [Openstack] Glance image upload Keystone error

2013-01-23 Thread Adam Young
On 01/23/2013 06:34 AM, Trinath Somanchi wrote: Hi Stackers- I have installed glance and Keystone and configured them. Not sure how you installed, but you need to make sure the PKI provisioning is done. You can do it by hand with the keystone_manage command. Make sure you run it as the

Re: [Openstack] keystone + LDAP username only with numbers

2013-01-18 Thread Adam Young
On 01/18/2013 08:18 AM, Marcelo Mariano Miziara wrote: Hello to everyone. First of all sorry for my bad English. Second, I'm implementing openstack here in my company, and we pretend to use it with ldap integration. I detected a problem when the username is only numbers (in our case we use

Re: [Openstack] Logging Keystone x Remote Syslog

2013-01-11 Thread Adam Young
On 01/11/2013 07:31 AM, Alex Vitola wrote: It's possible send to logs to remote server? Logging is using the standard Python logging module: In keystone/common/logging: import logging import logging.config You should be able to configure this to use SysLog:

Re: [Openstack] [keystone] IBM DB2 configuration

2012-12-20 Thread Adam Young
What I think we need is a simple way to run our current body of unit tests, to include the sql Migration tests, against a Live database, kind of the same way as I have set up for the live LDAP test. The steps: create a file under keystone/tests that doesn't trigger the naming scheme that

Re: [Openstack] LDAP + Keystone,, Error after authentication..

2012-12-11 Thread Adam Young
On 12/11/2012 04:15 AM, yasith tharindu wrote: Hi Team; I was trying to configure ldap + keystone but it seems not working. I feel like authentication is successful but horizon return me python error. I'm unable to trace as it does not give any detail. Following I have attached the error,

Re: [Openstack] S3 Token

2012-12-11 Thread Adam Young
On 12/11/2012 01:40 AM, Chmouel Boudjnah wrote: On Mon, Dec 10, 2012 at 4:17 AM, Adam Young ayo...@redhat.com wrote: As a Keystone core developer, I have to say that I don't see it as a huge burden to keep it in place. We want to maintain API backward

Re: [Openstack] S3 Token

2012-12-11 Thread Adam Young
On 12/11/2012 11:11 AM, Adam Young wrote: On 12/11/2012 01:40 AM, Chmouel Boudjnah wrote: On Mon, Dec 10, 2012 at 4:17 AM, Adam Young ayo...@redhat.com wrote: As a Keystone core developer, I have to say that I don't see it as a huge burden to keep it in place

Re: [Openstack] S3 Token

2012-12-09 Thread Adam Young
On 12/08/2012 08:22 AM, Chmouel Boudjnah wrote: Hi, I'm working on removing the swift+keystone middleware from keystone, we have moved it already as keystoneauth since last OpenStack release into the main swift repository. One thing that left in keystone is the s3_token middleware. Since in

Re: [Openstack] [devstack] keystone failed to get-token

2012-12-03 Thread Adam Young
On 12/03/2012 05:57 AM, benzwt benzwt wrote: I gitted the devstack with version 6540d8910194bb523601ffdd06cdf4c2126e3fd0 I ran it but it returned glance: error: argument --os-auth-token: expected one argument after tracing the code I found that it was due to line 1662 in stack.sh as the

[Openstack] [Keystone] LDAP Backend for Catalog

2012-12-03 Thread Adam Young
Right now, only the Identity submodule has an LDAP backend. This is user, tenants, and roles. Is there any requirement for the Catalog to have an LDAP back end? Endpoints and Services do not necessarily map directly to the LDAP view of machines, but could probably be made to fit. I will

Re: [Openstack] Configuring keystone with ldap

2012-11-30 Thread Adam Young
On 11/29/2012 11:47 PM, yasith tharindu wrote: I was trying to enable keystone with ldap. but always return me with a this error. *Error: *Invalid user name or password. and no log trace can be found. All I can say is it looks correct enough, but you obviously have a problem in

Re: [Openstack] [openstack-dev] Fwd: [keystone] Tokens representing authorization to projects/tenants in the Keystone V3 API

2012-11-13 Thread Adam Young
of that token is the resource that provides a list of available tenants. -jOrGe W. On Oct 22, 2012, at 9:57 PM, Adam Young wrote: Are you guys +1 ing the original Idea, my suggestion to make it optional, the fact that I think we should call these sloppy tokens? On 10/22/2012 03:40 PM, Jorge

Re: [Openstack] [keystone] Domain Name Spaces

2012-10-30 Thread Adam Young
On 10/30/2012 06:43 AM, David Chadwick wrote: On 27/10/2012 00:17, Henry Nash wrote: So to pick up on a couple of the areas of contention: a) Roles. I agree that role names must stay globally unique. One way of thinking about this is that it is not actually keystone that is creating the role

Re: [Openstack] [keystone] Domain Name Spaces

2012-10-26 Thread Adam Young
On 10/26/2012 07:17 PM, Henry Nash wrote: So to pick up on a couple of the areas of contention: a) Roles. I agree that role names must stay globally unique. One way of thinking about this is that it is not actually keystone that is creating the role name space it is the other services (Nova

Re: [Openstack-qa-team] Changes with ids/uuids?

2012-10-25 Thread Adam Young
On 10/25/2012 12:49 PM, Daryl Walleck wrote: You hit the nail on the head. I got a bit jumpy and ended up filing a bug to Keystone and got that same response, which explains the token. I suppose the flavor id change was intentional as well, but I would've expected it to be a uuid instead of a

Re: [Openstack-qa-team] Changes with ids/uuids?

2012-10-25 Thread Adam Young
have specified the date. -David On 10/25/2012 1:13 PM, Adam Young wrote: On 10/25/2012 12:49 PM, Daryl Walleck wrote: You hit the nail on the head. I got a bit jumpy and ended up filing a bug to Keystone and got that same response, which explains the token. I suppose the flavor id change

Re: [Openstack] [SWIFT] Proxies Sizing for 90.000 / 200.000 RPM

2012-10-24 Thread Adam Young
On 10/24/2012 07:45 PM, heckj wrote: John brought the concern over auth_token middleware up to me directly - I don't know of anyone that's driven the keystone middleware to these rates and determined where the bottlenecks are other than folks deploying swift and driving high performance

Re: [Openstack] Fwd: [openstack-dev] [keystone] Tokens representing authorization to projects/tenants in the Keystone V3 API

2012-10-23 Thread Adam Young
a way to tweak the noses of the project members named Joe. -jOrGe W. On Oct 22, 2012, at 9:57 PM, Adam Young wrote: Are you guys +1 ing the original Idea, my suggestion to make it optional, the fact that I think we should call these sloppy tokens? On 10/22/2012 03:40 PM, Jorge Williams wrote

Re: [Openstack] Keystone-dev question

2012-10-22 Thread Adam Young
On 10/22/2012 02:16 PM, Ken Thomas wrote: Greetings all, I'm working on a keystone bug (to get my feet wetter) and I have a couple of questions. Could someone please take a look at comment #2 in https://bugs.launchpad.net/python-keystoneclient/+bug/1031245 (Get a User by Name) and let me

Re: [Openstack] Fwd: [openstack-dev] [keystone] Tokens representing authorization to projects/tenants in the Keystone V3 API

2012-10-22 Thread Adam Young
be kept as limited as possible. Personally, I don't feel like limiting the tenant list makes much difference. The more I think about it, the real benefit comes from limiting the endpoints. On Oct 20, 2012, at 21:07, Adam Young ayo...@redhat.com wrote: On 10/20/2012

Re: [Openstack] Fwd: [openstack-dev] [keystone] Tokens representing authorization to projects/tenants in the Keystone V3 API

2012-10-20 Thread Adam Young
On 10/20/2012 01:50 PM, heckj wrote: I sent this to the openstack-dev list, and thought I'd double post this onto the openstack list at Launchpad for additional feedback. -joe Begin forwarded message: *From:* heckj he...@mac.com *Subject:* [openstack-dev] [keystone]

Re: [Openstack] A simple guide to install OpenStack Folsom

2012-10-10 Thread Adam Young
On 10/10/2012 05:27 AM, Skible OpenStack wrote: On 10/10/2012 11:23, Alan Pevec wrote: On Wed, Oct 10, 2012 at 11:10 AM, Skible OpenStack skible.openst...@gmail.com wrote: I am counting on our your feedback to enhance my work and contribute it to the OpenStack Eco System. I wonder about

Re: [Openstack] FreeIPA LDAP + Keystone question: How to assign roles to user?

2012-09-25 Thread Adam Young
://adam.younglogic.com/2012/09/ldaps-against-a-freeipa-server/ Many thanks. On Sep 24, 2012, at 11:10 PM, Adam Young wrote: Role is grouped in the collection under the Tenant, with the userid in the members attribute for that role. On 09/24/2012 03:18 AM, 邱剑 wrote: Openstack services

Re: [Openstack] FreeIPA LDAP + Keystone question: How to assign roles to user?

2012-09-24 Thread Adam Young
. User and tenants information can be fetched from LDAP. However, I could not figure out how to assign roles to users in specific tenants. I'm wondering whether someone can help? I noticed that Mr. Adam Young had post a blog about this topic: http://adam.younglogic.com/2012/09/ldaps

Re: [Openstack] Keystone: LDAP identity driver 'list resource' support

2012-09-10 Thread Adam Young
On 09/10/2012 11:29 AM, boden wrote: I've been munking with the latest Keystone LDAP identity driver and based on what I'm seeing the driver does not support the 'list' resource based methods. For example 'list users', 'list tenants'... For example, config your keystone.conf up to use an LDAP

Re: [Openstack] Keystone: LDAP identity driver 'list resource' support

2012-09-10 Thread Adam Young
/keystone/+bug/983304 -Dolph On Mon, Sep 10, 2012 at 11:32 AM, Adam Young ayo...@redhat.com wrote: On 09/10/2012 11:29 AM, boden wrote: I've been munking with the latest Keystone LDAP identity driver and based on what I'm seeing the driver does

Re: [Openstack] Keystone: LDAP identity driver 'list resource' support

2012-09-10 Thread Adam Young
On 09/10/2012 03:55 PM, Adam Young wrote: On 09/10/2012 02:28 PM, Joseph Heck wrote: Hey Boden, It's not scheduled to be fixed in the Folsom release, the linkages to milestones and such indicate that. The original developer that proposed a patch disappeared in that flow, so it stagnated

Re: [Openstack] Cannot submit topic for Summit.

2012-09-09 Thread Adam Young
+donald.d.dugger=intel@lists.launchpad.net [mailto:openstack-bounces+donald.d.dugger=intel@lists.launchpad.net] On Behalf Of Adam Young Sent: Saturday, September 08, 2012 6:53 PM To: openstack Subject: [Openstack] Cannot submit topic for Summit. I've been through the sequence to submit

[Openstack] Cannot submit topic for Summit.

2012-09-08 Thread Adam Young
I've been through the sequence to submit a topic proposal for the summit a handful of times. I submit, and it says You are not logged in. And yes, I logged back in afterwards.

Re: [Openstack] [Keystone] LDAP integratiom

2012-09-07 Thread Adam Young
On 09/06/2012 05:23 PM, Ivan Kolodyazhny wrote: Hi Everyone, Keystone uses python-ldap library to communicate with LDAP server. There are two points where Keystone communicates with LDAP server: keystone.common ldap and keystone.identity.backends.ldap packages. According to the current

Re: [Openstack] [Keystone] LDAP integratiom

2012-09-07 Thread Adam Young
, keystone would be configured to use LDAP as the identity store. -Dolph On Fri, Sep 7, 2012 at 8:30 AM, Adam Young ayo...@redhat.com wrote: On 09/06/2012 05:23 PM, Ivan Kolodyazhny wrote: Hi Everyone, Keystone uses python-ldap library to communicate

Re: [Openstack] [Keystone] Creating tenant failed when using ldap as identity backend: 'attribute type undefined'

2012-09-06 Thread Adam Young
Interesting. We have this outstanding bug report https://code.launchpad.net/bugs/980085 I would appreciate it if you could add what you found to the bug report. On 09/06/2012 03:50 AM, Yanping Xie wrote: Hi, All I have resolved this problem by add 'enabled' attribute to class

Re: [Openstack] Keystone PKI support

2012-09-04 Thread Adam Young
On 09/04/2012 09:36 AM, boden wrote: Hi, I'm trying to better understand the current status of PKI (http://wiki.openstack.org/PKI) and delegated authZ from a folsom perspective. I can see the blueprint targets folsom-rc1, is marked as implemented

Re: [Openstack] ldaps support in keystone?

2012-08-22 Thread Adam Young
On 08/22/2012 09:38 AM, Yanping Xie wrote: Hi, all Could I ask if ldaps is supported in keystone? I do know that ldap is supported in keystone, but I couldn't find any information about ldaps support in keystone via google nor openstack doc. Could anyone give some explicit information about

Re: [Openstack] Keyring support in openstack

2012-08-22 Thread Adam Young
On 08/22/2012 07:15 PM, Bhuvaneswaran A wrote: On Mon, Jul 30, 2012 at 5:48 PM, Adam Young ayo...@redhat.com wrote: On 07/30/2012 06:00 PM, Doug Hellmann wrote: On Mon, Jul 30, 2012 at 5:30 PM, Adam Young ayo...@redhat.com

Re: [Openstack] implementing custom keystone module

2012-08-21 Thread Adam Young
On 08/21/2012 05:10 PM, pat wrote: Hello, I want to implement custom keystone authentication module. I went through the What are you trying to do? There is a good chance that one of the other modules can be a good example. documentation and I'm not sure where to start :-\ Please, could

Re: [Openstack] keystone initialization problem

2012-08-17 Thread Adam Young
OK, SERVICE_TOKEN is the same as --token You can follow the steps here: https://access.redhat.com/knowledge/docs/en-US/Red_Hat_OpenStack_Preview/ Specifically: https://access.redhat.com/knowledge/docs/en-US/Red_Hat_OpenStack_Preview/1/html/Getting_Started_Guide/ch02.html#id3165390

Re: [Openstack] The Return of Hyper-V

2012-08-13 Thread Adam Young
On 08/13/2012 11:26 AM, Peter Pouliot wrote: Hello Everyone, I would like to take this moment to make everyone aware of the following: https://review.openstack.org/#/c/11276/ I would like to thank the following individuals, who have given so much to help this project progress to this state.

Re: [Openstack] Keystone: 'PKI Signed Tokens' lack support for revocation

2012-08-07 Thread Adam Young
On 08/01/2012 09:19 PM, Maru Newby wrote: I see that support for PKI Signed Tokens has been added to Keystone without support for token revocation. I tried to raise this issue on the bug report: https://bugs.launchpad.net/keystone/+bug/1003962/comments/4 And the review:

Re: [Openstack] Keystone: 'PKI Signed Tokens' lack support for revocation

2012-08-03 Thread Adam Young
, just reimplementation of ideas from other projects. Nate On Aug 2, 2012 10:24 PM, Adam Young ayo...@redhat.com wrote: On 08/01/2012 11:05 PM, Maru Newby wrote: Hi Adam, I apologize if my questions were answered before. I wasn't aware that what I

Re: [Openstack] Keystone: 'PKI Signed Tokens' lack support for revocation

2012-08-02 Thread Adam Young
routine. So, let me put the onus on you: make the argument for rapid revocation of tokens. Thanks, Maru On 2012-08-01, at 9:47 PM, Adam Young wrote: On 08/01/2012 09:19 PM, Maru Newby wrote: I see that support for PKI Signed Tokens has been added to Keystone without support

[Openstack] Fwd: Re: Keystone: 'PKI Signed Tokens' lack support for revocation

2012-08-02 Thread Adam Young
be a touchy subject when we first started designing it, and suspected that it would take some form of commit before the discussion hit the majority of the community. On 08/02/2012 02:20 PM, Christopher MacGown wrote: On Thursday, August 2, 2012 at 6:59 AM, Adam Young wrote: So, let me put the onus

Re: [Openstack] Keystone: 'PKI Signed Tokens' lack support for revocation

2012-08-02 Thread Adam Young
, Maru On 2012-08-01, at 9:47 PM, Adam Young wrote: On 08/01/2012 09:19 PM, Maru Newby wrote: I see that support for PKI Signed Tokens has been added to Keystone without support for token revocation. I tried to raise this issue on the bug report: https://bugs.launchpad.net/keystone/+bug

Re: [Openstack] Keystone: 'PKI Signed Tokens' lack support for revocation

2012-08-01 Thread Adam Young
On 08/01/2012 09:19 PM, Maru Newby wrote: I see that support for PKI Signed Tokens has been added to Keystone without support for token revocation. I tried to raise this issue on the bug report: https://bugs.launchpad.net/keystone/+bug/1003962/comments/4 And the review:

Re: [Openstack] Hiding complexity of paste config files from operators

2012-07-30 Thread Adam Young
On 07/30/2012 05:12 AM, Thierry Carrez wrote: Lorin Hochstein wrote: I wanted to discuss the usability of the paste config files from an operator's point of view. The paste config files are opaque to administrators who are trying to stand an OpenStack cloud for the first time, since they expose

Re: [Openstack] Keyring support in openstack

2012-07-30 Thread Adam Young
On 07/30/2012 05:17 PM, Kevin L. Mitchell wrote: On Mon, 2012-07-30 at 13:50 -0700, Bhuvaneswaran A wrote: The wiki mentions the password being saved using keyring.backend.UncryptedFileKeyring. Does that mean the password is saved in cleartext? Is the file protected in some way besides

Re: [Openstack] Performing HPCC Benchmark on OpenStack Cloud

2012-07-30 Thread Adam Young
On 07/30/2012 10:22 AM, Reza Bakhshayeshi wrote: Hi I want to run HPCC benchmark on OpenStack cloud, I want you to help me to make the results more real. How can we impute the results to OpenStack and not to my computers? Do I really need a server farm to perform the test? And I think I have

Re: [Openstack] Keyring support in openstack

2012-07-30 Thread Adam Young
On 07/30/2012 06:00 PM, Doug Hellmann wrote: On Mon, Jul 30, 2012 at 5:30 PM, Adam Young ayo...@redhat.com wrote: On 07/30/2012 05:17 PM, Kevin L. Mitchell wrote: On Mon, 2012-07-30 at 13:50 -0700, Bhuvaneswaran A wrote: The wiki

Re: [Openstack] [keystone] Multi-tenants per user, authentication tokens and global roles

2012-07-26 Thread Adam Young
On 07/26/2012 08:30 PM, Ryan Lane wrote: I'm working on upgrading to essex, which means I need to start using keystone. My use case seems to not fit keystone very well, though... In my environment, one user can be a member of many projects (some users are in up to 20-30 projects). Management of

Re: [Openstack] [Keystone] Quotas: LDAP Help

2012-07-25 Thread Adam Young
=cern...@lists.launchpad.net [mailto:openstack-bounces+tim.bell=cern...@lists.launchpad.net] On Behalf Of Ryan Lane Sent: 17 July 2012 20:43 To: Adam Young Cc: Joseph Heck; openstack Subject: Re: [Openstack] [Keystone] Quotas: LDAP Help I haven't been thinking about quotas, so bear with me here

Re: [Openstack] Reply: Keystone client could not behave well, call for help

2012-07-23 Thread Adam Young
On 07/22/2012 09:12 AM, 延生 付 wrote: reply: 'HTTP/1.1 503 Service Unavailable\r\n' This seems to be the main problem. The error message "string indices must be integers, not str" seems to be a bug in trying to parse the error page.

Re: [Openstack] Identity API v3 - Why allow multi-tenant users?

2012-07-18 Thread Adam Young
=hp@lists.launchpad.net] *On Behalf Of* Adam Young *Sent:* Tuesday, July 17, 2012 11:55 AM *To:* openstack@lists.launchpad.net *Subject:* Re: [Openstack] Identity API v3 - Why allow

Re: [Openstack] Change user password (not admin)

2012-07-17 Thread Adam Young
On 06/06/2012 07:24 PM, Sam Morrison wrote: Hi, There has been a first attempt at this in keystone. See https://review.openstack.org/#/c/7437/ And bug: https://bugs.launchpad.net/keystone/+bug/996922 It needs more work to make it secure though. What do you think it needs? Please open a bug

Re: [Openstack] enforce admin_required with LDAP admin user

2012-07-17 Thread Adam Young
You need an admin token and to go against port 35357 for those types of operations. A basic user does not have permission to do so. It has nothing to do with LDAP. On 05/22/2012 11:47 AM, Sharif Islam wrote: I think my LDAP bind is working by tenant-list and user-list gives me

Re: [Openstack] debugging a db migration script

2012-07-17 Thread Adam Young
On 07/16/2012 11:59 PM, Jim Fehlig wrote: I'm working on a patch that adds a column to the compute_nodes table in the nova db, but it seems my db migration script fails when calling 'db sync' in stack.sh. I tried running the command manually, same failure: stack@virt71:~

Re: [Openstack] [Keystone] Quotas: LDAP Help

2012-07-17 Thread Adam Young
On 07/17/2012 11:18 AM, Everett Toews wrote: On Mon, Jul 16, 2012 at 7:20 PM, Adam Young ayo...@redhat.com wrote: Usually a Quota is a limitation on a resource. I suspect that the problem here is we have not nailed down the resource objects that you would

Re: [Openstack] debugging a db migration script

2012-07-17 Thread Adam Young
On 07/17/2012 11:42 AM, Jim Fehlig wrote: Hengqing Hu wrote: There is a test in nova: You can run run_tests.sh in your nova root like this: ./run_tests.sh -v test_migrations Thanks for the tip! To set a breakpoint, you can either run python -m pdb run_tests.py or modify your code

Re: [Openstack] Identity API v3 - Why allow multi-tenant users?

2012-07-17 Thread Adam Young
On 05/29/2012 01:18 PM, Caitlin Bestler wrote: One of the major complications I see in the API is that users can be associated with multiple tenants. What is the benefit of this? What functionality would be lost if a human user merely had to use a different account with each tenant? There

Re: [Openstack] [Keystone] Quotas: LDAP Help

2012-07-17 Thread Adam Young
On 07/17/2012 02:42 PM, Ryan Lane wrote: I haven't been thinking about quotas, so bear with me here. A few thoughts: Certain deployments might not be able to touch the LDAP backend. I am thinking specifically where there is a corporate AD/LDAP server. I tried to keep the scheme dependency

Re: [Openstack] [INTERNAL ONLY (NDA)] Fwd: Reqs for OpenStack from Intel IT - Redhat/OpenStack discussions

2012-07-17 Thread Adam Young
On 07/17/2012 02:53 PM, Adam Young wrote: On 07/17/2012 02:01 PM, Perry Myers wrote: CONFIDENTIAL/INTERNAL ONLY (NDA) Please do not forward this spreadsheet outside of this list. Please do not talk about any of these features externally as Something Intel has asked for. We can talk about

Re: [Openstack] [Keystone] API Question

2012-07-17 Thread Adam Young
On 07/17/2012 03:47 PM, Matt Joyce wrote: As a non admin user. Querying the keystone v2 API is there a way for me to get a list of the tenants that I am a member of? Or is that only a v3 thing? -Matt I was just looking into it, and there is no such API yet. The underlying Identity

Re: [Openstack] [Keystone] API Question

2012-07-17 Thread Adam Young
On 07/17/2012 03:55 PM, Matt Joyce wrote: On Tue, Jul 17, 2012 at 12:55 PM, Adam Young ayo...@redhat.com wrote: On 07/17/2012 03:47 PM, Matt Joyce wrote: As a non admin user. Querying the keystone v2 API is there a way for me to get a list

Re: [Openstack] [Keystone] API Question

2012-07-17 Thread Adam Young
= self.identity_api.get_tenants_for_user(context, user_ref['id']) I'm not sure that this is the right semantics for it, but it looks like it does what you want. On Tue, Jul 17, 2012 at 1:03 PM, Adam Young ayo...@redhat.com wrote: On 07/17/2012 03:55 PM, Matt Joyce wrote

Re: [Openstack] [Keystone] API Question

2012-07-17 Thread Adam Young
On Tue, Jul 17, 2012 at 2:55 PM, Matt Joyce matt.jo...@cloudscaling.com wrote: On Tue, Jul 17, 2012 at 12:55 PM, Adam Young ayo...@redhat.com wrote: On 07/17/2012 03:47 PM, Matt Joyce

Re: [Openstack] Routing ReST API Calls by URL

2012-07-16 Thread Adam Young
On 07/13/2012 05:39 PM, Nathanael Burton wrote: Dan, Adam Young was advocating for something like this. I don't know if a consensus was ever reached, but I thought it was a good idea. https://lists.launchpad.net/openstack/msg10864.html Nate Dan, Here's my proposed scheme. http

Re: [Openstack] UnifiedCLI suggestion

2012-07-16 Thread Adam Young
On 06/28/2012 11:54 AM, Dean Troyer wrote: On Mon, Jun 25, 2012 at 5:28 PM, Doug Hellmann doug.hellm...@dreamhost.com wrote: On Mon, Jun 25, 2012 at 6:19 PM, Ken Thomas k...@yahoo-inc.com wrote: [...] I've already submitted the keystone changes for review

Re: [Openstack] [Keystone] Quotas: LDAP Help

2012-07-16 Thread Adam Young
On 07/16/2012 07:31 PM, Everett Toews wrote: Hi All, I've got a working implementation of quotas in Keystone. However it's only working for the KVS and SQL backends right now and I need it to work with LDAP before submitting it for review. I have limited experience with LDAP and only from an

[Openstack] Keystone Federation

2012-07-05 Thread Adam Young
I am contemplating writing up a post-Folsom Blueprint for Keystone Federation and/or replication, and would like to solicit input from the community. With Signed tokens, we can provide the name of the Keystone server that signed the token. With this comes the need to verify that the

Re: [Openstack] Keystone Federation

2012-07-05 Thread Adam Young
at 11:26 AM, Adam Young ayo...@redhat.com wrote: I am contemplating writing up a post-Folsom Blueprint for Keystone Federation and/or replication, and would like to solicit input from the community. With Signed tokens, we can provide the name

[Openstack] PKI Token Generation

2012-07-03 Thread Adam Young
The discussion during the Keystone meeting today had a couple of key points I'd like to address. The Current token length is 32 characters long. An example: e50d580692d644cfb8bec0246aede2c2 With PKI Signed tokens, they will be much longer

Re: [Openstack] OVF vs. bare container formats for qcow2 images

2012-06-29 Thread Adam Young
On 04/01/2012 11:15 AM, Lorin Hochstein wrote: On Mar 29, 2012, at 12:40 PM, Daniel P. Berrange wrote: On Wed, Mar 28, 2012 at 04:41:28PM -0400, Lorin Hochstein wrote: All: Given that I have a qcow2 image from somewhere (e.g., downloaded it from a uec-images.ubuntu.com

Re: [Openstack] [Devstack]Keystone authentication problem when installing

2012-06-27 Thread Adam Young
Can you post your localrc file? You can blank out the passwords. Also, what distribution? On 06/27/2012 09:30 PM, Ke Wu wrote: Hi, I can't find a mailing list of devstack so I choose to ask here, hope this doesn't spam you guys. I was trying to build Devstack on my VM (Ubuntu 12.04

Re: [Openstack] [keystone] Keystone on port 5000 - proposing change default port to 8770

2012-06-20 Thread Adam Young
That is for admin, 5000 is for normal usage. Personally, I'd like to see all of the custom ports go away and we use a URL scheme as proposed: http://wiki.openstack.org/URLs On 06/20/2012 08:56 PM, Mellquist, Peter wrote: What happened to 35357? In general, new port #s should be applied

Re: [Openstack] [keystone] v3 API draft (update and questions to the community)

2012-06-12 Thread Adam Young
On 06/12/2012 04:24 AM, Gabriel Hurley wrote: Mark, Apparently you must have missed my lightning talk at the Essex summit... ;-) (http://gabrielhurley.github.com/slides/openstack/apis_like_orms/index.html) Filtering, pagination, and many other API features are *critical* for a rich dashboard

[Openstack] noVNC and EPEL

2012-06-12 Thread Adam Young
I have a working noVNC RPM for both F17 and EPEL. Well...I think it is working...everything is set as best as I can tell to what it should be. However, I have not been able to get a VNC console on a VM from the Web UI. I have been able to do so using noVNC, so we have a partial solution.
