Re: [Openstack] OpenStack Identity: Keystone API Proposal

pad.net<mailto:openstack@lists.launchpad.net> Subject: Re: [Openstack] OpenStack Identity: Keystone API Proposal Hot, Texas summer regards to all! Since my last note we have had much progress on Keystone. Particularly: * We now have Nova, Dashboard, Glance, and Keystone integration (htt

Re: [Openstack] OpenStack Identity: Keystone API Proposal

: Re: [Openstack] OpenStack Identity: Keystone API Proposal Hot, Texas summer regards to all! Since my last note we have had much progress on Keystone. Particularly: * We now have Nova, Dashboard, Glance, and Keystone integration (https://github.com/cloudbuilders/deploy.sh

Re: [Openstack] OpenStack Identity: Keystone API Proposal

Hot, Texas summer regards to all! Since my last note we have had much progress on Keystone. Particularly: * We now have Nova, Dashboard, Glance, and Keystone integration (https://github.com/cloudbuilders/deploy.sh * We've done some work on Swift integration (https://github.com/rackspace

Re: [Openstack] OpenStack Identity: Keystone API Proposal

gt; Subject: Re: [Openstack] OpenStack Identity: Keystone API Proposal > > Below: > > On Jul 18, 2011, at 3:28 AM, Salvatore Orlando wrote: > > > Hi, > > I’m jumping in this thread to understand whether there’s a chance KeyStone > can implement some use cases arou

Re: [Openstack] OpenStack Identity: Keystone API Proposal

Hi Vish, Please see my comments inline. From: Vishvananda Ishaya [mailto:vishvana...@gmail.com] Sent: 18 July 2011 17:36 To: Salvatore Orlando Cc: Ziad Sawalha; openstack@lists.launchpad.net Subject: Re: [Openstack] OpenStack Identity: Keystone API Proposal Below: On Jul 18, 2011, at 3:28 AM

Re: [Openstack] OpenStack Identity: Keystone API Proposal

Below: On Jul 18, 2011, at 3:28 AM, Salvatore Orlando wrote: > Hi, > > I’m jumping in this thread to understand whether there’s a chance KeyStone > can implement some use cases around the concept of object ownership. > I apologise if this email turns out to be a bunch of nonsense; unfortunatel

Re: [Openstack] OpenStack Identity: Keystone API Proposal

citrix@lists.launchpad.net [mailto:openstack-bounces+salvatore.orlando=eu.citrix@lists.launchpad.net] On Behalf Of Ziad Sawalha Sent: 13 July 2011 05:45 To: Rouault, Jason (Cloud Services); andi abes Cc: openstack@lists.launchpad.net Subject: Re: [Openstack] OpenStack Identity: Keystone API Proposal Her

Re: [Openstack] OpenStack Identity: Keystone API Proposal

awalha mailto:ziad.sawa...@rackspace.com>> Cc: Jay Pipes mailto:jaypi...@gmail.com>>, Bryan Taylor mailto:btay...@rackspace.com>>, "openstack@lists.launchpad.net<mailto:openstack@lists.launchpad.net>" mailto:openstack@lists.launchpad.net>> Subject: Re: [Openst

Re: [Openstack] OpenStack Identity: Keystone API Proposal

> From: Thor Wolpert > Date: Wed, 13 Jul 2011 17:17:03 -0700 > To: Ziad Sawalha > Cc: Jay Pipes , Bryan Taylor , > "openstack@lists.launchpad.net" > Subject: Re: [Openstack] OpenStack Identity: Keystone API Proposal > > If they had called it "global" or some other

Re: [Openstack] OpenStack Identity: Keystone API Proposal

d, 13 Jul 2011 17:17:03 -0700 To: Ziad Sawalha mailto:ziad.sawa...@rackspace.com>> Cc: Jay Pipes mailto:jaypi...@gmail.com>>, Bryan Taylor mailto:btay...@rackspace.com>>, "openstack@lists.launchpad.net<mailto:openstack@lists.launchpad.net>" mailto:openstack@lists.launchpad.n

Re: [Openstack] OpenStack Identity: Keystone API Proposal

I'm a bit confused as to how Keystone will handle authorization. It sounds now like it is only handling authentication. Can you clarify? Devin On Jul 13, 2011, at 9:41 PM, Ziad Sawalha wrote: > We've taken much of that out of the current API; so the API does not allow > creating these entiti

Re: [Openstack] OpenStack Identity: Keystone API Proposal

We've taken much of that out of the current API; so the API does not allow creating these entities through the service API. And we don't have delegation over tenant administration either, although the API we have in place can fully support atier that implements itŠ. Z On 7/13/11 11:30 AM, "Bryan

Re: [Openstack] OpenStack Identity: Keystone API Proposal

k@lists.launchpad.net<mailto:openstack@lists.launchpad.net>" mailto:openstack@lists.launchpad.net>> Subject: Re: [Openstack] OpenStack Identity: Keystone API Proposal Dropped off the thread for a while... sorry. Ziad, I think this sounds very reasonable. I think the only hiccup might be w

Re: [Openstack] OpenStack Identity: Keystone API Proposal

mplete IDM solution… > >I *think*. > > ** ** > > ** ** > > ** ** > > > > ** ** > > ** ** > > ** ** > > ** ** > > On Wed, Jun 15, 2011 at 11:52 AM, Rouault, Jason (Cloud Services) < > jason.roua...@hp.com> wrote: > >

Re: [Openstack] OpenStack Identity: Keystone API Proposal

If they had called it "global" or some other container name, would you be happier with that? If you're trying to leverage some LDAP style framework, then you'd always want users in some container instead of at the raw root. Maybe some guidance or default schema would help those groups out? On W

Re: [Openstack] OpenStack Identity: Keystone API Proposal

And some current Nova users have created 'dummy' tenants to house global users. That's ugly and hard to maintain, so we wanted to avoid 'dummy' tenant solutions if possible. Given we're creating the spec right here and now, we can do that :-) On 7/13/11 12:14 PM, "Jay Pipes" wrote: >On Wed, Ju

Re: [Openstack] OpenStack Identity: Keystone API Proposal

On Wed, Jul 13, 2011 at 12:30 PM, Bryan Taylor wrote: > How is this different in effect than letting swift or nova be tenants? Each > tenant gets to define users, roles, and groups, right? A service can have multiple tenants. For instance, an installation of Nova might have a RAX tenant and a RAX

Re: [Openstack] OpenStack Identity: Keystone API Proposal

How is this different in effect than letting swift or nova be tenants? Each tenant gets to define users, roles, and groups, right? On 07/13/2011 10:39 AM, Jay Pipes wrote: On Wed, Jul 13, 2011 at 12:45 AM, Ziad Sawalha wrote: Here's a possible use case we can implement to address this: A se

Re: [Openstack] OpenStack Identity: Keystone API Proposal

On Wed, Jul 13, 2011 at 12:45 AM, Ziad Sawalha wrote: > Here's a possible use case we can implement to address this: > > A service 'registers' itself with Keystone and reserves a name (Ex. Swift, > or nova). Keystone will guarantee uniqueness. > Registered services can then create roles for the se

Re: [Openstack] OpenStack Identity: Keystone API Proposal

rackspace.com>>, "openstack@lists.launchpad.net<mailto:openstack@lists.launchpad.net>" mailto:openstack@lists.launchpad.net>> Subject: RE: [Openstack] OpenStack Identity: Keystone API Proposal See inline… Jason From: andi abes [mailto:andi.a...@gmail.com] Sent: W

Re: [Openstack] OpenStack Identity: Keystone API Proposal

;openstack@lists.launchpad.net<mailto:openstack@lists.launchpad.net>" mailto:openstack@lists.launchpad.net>> Subject: Re: [Openstack] OpenStack Identity: Keystone API Proposal On PUT operations: The identifier for users right now (username) is supplied in the payload, so it is a PUT. Same with

Re: [Openstack] OpenStack Identity: Keystone API Proposal

3:17:02 -0500 To: Ziad Sawalha mailto:ziad.sawa...@rackspace.com>>, "openstack@lists.launchpad.net<mailto:openstack@lists.launchpad.net>" mailto:openstack@lists.launchpad.net>> Subject: Re: [Openstack] OpenStack Identity: Keystone API Proposal I'm reading through the de

Re: [Openstack] OpenStack Identity: Keystone API Proposal

enstack@lists.launchpad.net> Subject: [Openstack] OpenStack Identity: Keystone API Proposal Time flies! It's June 10th already. In my last email to this community I had proposed today as the day to lock down the Keystone API so we can finalize implementation by Diablo-D2 (June 30th). We

Re: [Openstack] OpenStack Identity: Keystone API Proposal

ion that can be kept current within a desired latency by efficient polling of the atom feeds. From: Ziad Sawalha mailto:ziad.sawa...@rackspace.com>> Date: Fri, 10 Jun 2011 23:24:24 + To: "openstack@lists.launchpad.net<mailto:openstack@lists.launchpad.net>" mailto:openstack@lis

Re: [Openstack] OpenStack Identity: Keystone API Proposal

o:ziad.sawa...@rackspace.com>> Date: Fri, 10 Jun 2011 23:24:24 +0000 To: "openstack@lists.launchpad.net<mailto:openstack@lists.launchpad.net>" mailto:openstack@lists.launchpad.net>> Subject: [Openstack] OpenStack Identity: Keystone API Proposal Time flies! It's June 10

Re: [Openstack] OpenStack Identity: Keystone API Proposal

See inline. Jason From: andi abes [mailto:andi.a...@gmail.com] Sent: Wednesday, June 15, 2011 5:04 PM To: Rouault, Jason (Cloud Services) Cc: Ziad Sawalha; openstack@lists.launchpad.net Subject: Re: [Openstack] OpenStack Identity: Keystone API Proposal Jason, Sounds like the

Re: [Openstack] OpenStack Identity: Keystone API Proposal

> > > > > > *From:* andi abes [mailto:andi.a...@gmail.com] > *Sent:* Wednesday, June 15, 2011 9:18 AM > *To:* Rouault, Jason (Cloud Services) > *Cc:* Ziad Sawalha; openstack@lists.launchpad.net > *Subject:* Re: [Openstack] OpenStack Identity: Keystone API Proposal >

Re: [Openstack] OpenStack Identity: Keystone API Proposal

: Ziad Sawalha; openstack@lists.launchpad.net Subject: Re: [Openstack] OpenStack Identity: Keystone API Proposal I would expect that the API of each service would have to interpret the role assigned to a user in the context of that service - roles for swift nova glance quantum etc would probably

Re: [Openstack] OpenStack Identity: Keystone API Proposal

sts.launchpad.net[mailto: > openstack-bounces+jason.rouault=hp@lists.launchpad.net] *On Behalf Of > *Ziad Sawalha > *Sent:* Friday, June 10, 2011 5:24 PM > *To:* openstack@lists.launchpad.net > *Subject:* [Openstack] OpenStack Identity: Keystone API Proposal > > > > Time f

Re: [Openstack] OpenStack Identity: Keystone API Proposal

@lists.launchpad.net] On Behalf Of Ziad Sawalha Sent: Friday, June 10, 2011 5:24 PM To: openstack@lists.launchpad.net Subject: [Openstack] OpenStack Identity: Keystone API Proposal Time flies! It's June 10th already. In my last email to this community I had proposed today as the day to lock

Re: [Openstack] OpenStack Identity: Keystone API Proposal

d.net>" mailto:openstack@lists.launchpad.net>> Subject: Re: [Openstack] OpenStack Identity: Keystone API Proposal Ziad, thanks the quick edits. One more quick question, mostly because I haven't followed the full keystone discussions. How does this API relate (if at all) to

Re: [Openstack] OpenStack Identity: Keystone API Proposal

lso refer to the readme which today has instructions for setting up > your Keystone instance. > > Let me know if that gets you going, Andi. > > Regards, > Ziad > > > From: Ziad Sawalha > Date: Sat, 11 Jun 2011 14:44:12 + > To: Andiabes > > Cc: "openstac

Re: [Openstack] OpenStack Identity: Keystone API Proposal

mailto:openstack@lists.launchpad.net>> Subject: Re: [Openstack] OpenStack Identity: Keystone API Proposal Your guess is correct. The only calls you should be able to make without having a token are the calls to discover the service (getting version info, WADL contract, dev guide, help, etc

Re: [Openstack] OpenStack Identity: Keystone API Proposal

d.net<mailto:openstack@lists.launchpad.net>" mailto:openstack@lists.launchpad.net>> Subject: Re: [Openstack] OpenStack Identity: Keystone API Proposal It might be useful to include in the API guide some information about authentication to keystone itself. I.e when requesting a list of users,te

Re: [Openstack] OpenStack Identity: Keystone API Proposal

It might be useful to include in the API guide some information about authentication to keystone itself. I.e when requesting a list of users,tenants etc the requestor should somehow authenticate itself I'm guessing that the flow involve acquiring a token that authenticates the user to keystone a

[Openstack] OpenStack Identity: Keystone API Proposal

Time flies! It's June 10th already. In my last email to this community I had proposed today as the day to lock down the Keystone API so we can finalize implementation by Diablo-D2 (June 30th). We've been working on this feverishly over the past couple of weeks and have just pushed out a propose