wrote:
On 18 May 2014 08:17, Miller, Mark M (EB SW Cloud - RD - Corvallis)
mark.m.mil...@hp.commailto:mark.m.mil...@hp.com wrote:
We are considering the following connection chain:
- HAProxy - stunnel -OS services bound to
127.0.0.1
Virtual IP
Development Mailing List (not for usage questions)
Subject: Re: [openstack-dev] [TripleO] Haproxy configuration options
On 18 May 2014 08:17, Miller, Mark M (EB SW Cloud - RD - Corvallis)
mark.m.mil...@hp.com wrote:
We are considering the following connection chain:
- HAProxy
We are considering the following connection chain:
- HAProxy - stunnel -OS services bound to
127.0.0.1
Virtual IP server IP localhost
127.0.0.1
secure SSL terminate unsecure
In this
Hi Rob,
We quickly discussed your ephemeral CA idea this morning and like it. We also
realize that it will take a lot of work to make it happen. At this point in
time we are attempting to simply add some form of SSL to a cloud installed with
TripleO. We lost all of our previous installation
In Keystone, users are assigned to a domain when they are created. This is a
unique combination.
-Original Message-
From: Robert Collins [mailto:robe...@robertcollins.net]
Sent: Monday, April 28, 2014 11:25 PM
To: OpenStack Development Mailing List (not for usage questions)
Subject:
Hello,
I am somewhat hesitant to bring up the stunnel topic in this thread, but it
needs to be considered in that an endpoint naming solution and a certificate
creation/distribution solution needs to consider both the haproxy and stunnel
requirements because there are many similarities. I am
Hello,
I am attempting to turn SSL and stunnel on with the most current DevTest
TripleO code base and am wondering if anyone has some examples of how to
configure the SSL variables and the TripleO elements.
- SSLBASE
- PUBLIC_API_URL
- /etc/host mappings
- ssl-source.yaml
Thanks,
Mark
Gupta [mailto:dev29...@gmail.com]
Sent: Monday, April 14, 2014 2:30 PM
To: Miller, Mark M (EB SW Cloud - RD - Corvallis); ayo...@redhat.com
Cc: openstack@lists.openstack.org
Subject: Enabling SSL For The OpenStack API using HTTPD and mod_wsgi
Hi,
I want to enable SSL for all the OpenStack APIs
. I am willing to proceed with it on Havana.
- Devendra
On Tue, Apr 15, 2014 at 3:26 AM, Miller, Mark M (EB SW Cloud - RD -
Corvallis) mark.m.mil...@hp.com wrote:
Devendra,
We are now using an SSL terminator solution instead of attempting to turn SSL
on all of the OpenStack services. I have
Thank you for the leads. I will look them up.
Mark
-Original Message-
From: Lee, Alexis
Sent: Thursday, April 10, 2014 3:58 AM
To: OpenStack Development Mailing List (not for usage questions)
Subject: Re: [openstack-dev] [TripleO] config options, defaults, oh my!
Miller, Mark M (EB SW
Does anyone have a flowchart of the cloud build/configure process including
interactions between the various components/stages of TripleO and Heat?
-Original Message-
From: Robert Collins [mailto:robe...@robertcollins.net]
Sent: Wednesday, April 09, 2014 2:29 PM
To: OpenStack
This is my Icehouse documentation, I don't know if it will work with Havana:
Mark
1.2 Keystone files changed (WSGI):
NOTE: The Apache2 WSGI configuration scripts below replace the
/etc/init.d/keystone startup script
Create/configure file /etc/apache2/sites-available/keystone.conf to match
Why not use Barbican? It stores credentials after encrypting them.
-Original Message-
From: Jay Pipes [mailto:jaypi...@gmail.com]
Sent: Tuesday, March 25, 2014 9:50 AM
To: openstack-dev@lists.openstack.org
Subject: Re: [openstack-dev] [Ironic][Keystone] Move drivers credentials to
You are welcome.
Mark
From: Douglas Mendizabal [mailto:douglas.mendiza...@rackspace.com]
Sent: Wednesday, March 19, 2014 11:31 AM
To: Miller, Mark M (EB SW Cloud - RD - Corvallis); Ferreira, Rafael; Remo
Mattei; Wyllys Ingersoll; openstack@lists.openstack.org
Subject: Re: [Openstack] [Barbican
://github.com/cloudkeep/barbican/wiki/Integration-with-Apache2
Regards,
Mark Miller
From: Douglas Mendizabal [mailto:douglas.mendiza...@rackspace.com]
Sent: Tuesday, March 04, 2014 2:47 PM
To: Miller, Mark M (EB SW Cloud - RD - Corvallis); Ferreira, Rafael; Remo
Mattei; Wyllys Ingersoll; openstack
...@intel.com]
Sent: Thursday, March 06, 2014 5:04 PM
To: Miller, Mark M (EB SW Cloud - RD - Corvallis);
openstack@lists.openstack.org
Subject: RE: [Openstack] issue when I using PKI for token format
Where can I find these certificates ??
Thanks.
-chen
From: Miller, Mark M (EB SW Cloud - RD
: Tuesday, March 04, 2014 2:47 PM
To: Miller, Mark M (EB SW Cloud - RD - Corvallis); Ferreira, Rafael; Remo
Mattei; Wyllys Ingersoll; openstack@lists.openstack.org
Subject: Re: [Openstack] [Barbican] HTTPS Connection Question
Hi Mark,
I hope I can answer your questions:
1. HTTP support should
.
Regards,
-Doug Mendizabal
[1] http://uwsgi-docs.readthedocs.org/en/latest/Options.html
[2]
http://uwsgi-docs.readthedocs.org/en/latest/HTTPS.html?highlight=ssl#https-support-from-1-3
From: Miller, Mark M (EB SW Cloud - RD - Corvallis)
mark.m.mil...@hp.commailto:mark.m.mil...@hp.com
Date: Tuesday
/etc/barbican/barbican-api-paste.ini
From: Tiwari, Arvind
Sent: Friday, March 07, 2014 9:57 AM
To: Miller, Mark M (EB SW Cloud - RD - Corvallis); Douglas Mendizabal;
Ferreira, Rafael; Remo Mattei; Wyllys Ingersoll; openstack@lists.openstack.org
Subject: RE: [Openstack] [Barbican] HTTPS
Thank you Arvind for the information. Barbican information is very precious.
Mark
From: Tiwari, Arvind
Sent: Tuesday, March 04, 2014 5:08 PM
To: Miller, Mark M (EB SW Cloud - RD - Corvallis); Douglas Mendizabal;
Ferreira, Rafael; Remo Mattei; Wyllys Ingersoll; openstack@lists.openstack.org
blueprint is trying to accomplish.
Thanks,
-Doug
From: Tiwari, Arvind arvind.tiw...@hp.commailto:arvind.tiw...@hp.com
Date: Tuesday, March 4, 2014 at 7:08 PM
To: Miller, Mark M (EB SW Cloud - RD - Corvallis)
mark.m.mil...@hp.commailto:mark.m.mil...@hp.com, Douglas Mendizabal
douglas.mendiza
Hello,
I’ve been digging and digging and I have not been able to locate the following
information:
1. Does Barbican provide support for HTTPS connections to it? I noticed
“protocol=http” in several .ini files and a .conf file, but no information on
how to configure Barbican to use it.
Hello Doug,
Thank you for the information. I will keep you informed if we decide to use
Apache2 as a front end.
Regards,
Mark
From: Douglas Mendizabal [mailto:douglas.mendiza...@rackspace.com]
Sent: Tuesday, March 04, 2014 2:47 PM
To: Miller, Mark M (EB SW Cloud - RD - Corvallis); Ferreira
I agree about not needing extra identity information outside of the user's
UUID, but what about the role/project/domain information stored in the PKI
token? Does it remain or go away?
From: Morgan Fainberg [mailto:m...@metacloud.com]
Sent: Thursday, February 27, 2014 12:11 PM
To: OpenStack
Hello,
I have been reading Keystone blueprints that hint about using Apache2 with
mod_auth_mellon as a SAML front end. Does anyone have any documentation as to
how to set up Apache2 and mod_auth_mellon as a front end for Keystone?
Regards,
Mark
___
Hello,
I want to set up and start testing the new Keystone federation extensions using
Apache2 and a SAML IDP. Does anyone have some notes on how to set this up and
what Open Source SAML server to use?
Regards,
Marmk
___
Mailing list:
I haven't used the Apache2 WSGI front end for Icehouse, but I did use it with
Grizzly. The Keystone endpoints should not change. The following URLs are
incorrect.
export OS_AUTH_URL=http://10.65.235.39:5000/keystone/main;
export SERVICE_ENDPOINT=http://10.65.235.39:35357/keystone/admin;
Mark
Hello,
I read the following and want to register a disagreement:
With token revocation events in place, we no longer have a need to store a
token revocation list. The token revocation list is the primary reason why
keystone bothers to persist PKI tokens, so without it, PKI tokens can become
I wish it was that easy. The Apache headers that you can adjust are not the
ones creating the problem. The problem is with the response header size which
you cannot adjust. Following is a comment from Graham Dumpleton:
On 17/01/2014, at 5:36 PM, Miller, Mark M (EB SW Cloud - RD - Corvallis
Hello,
We ran into a problem when using Apache2 and WSGi as the web front end for
Keystone. Keystone v2.0 returns the token in the response body but v3 returns
the token in the response header. Apache has an internal limit of 8190 bytes
for the response header which means that you will get an
I ran into problems when I tested it and filed a bug against it.
https://bugs.launchpad.net/keystone/+bug/1218094
Mark
-Original Message-
From: James [mailto:jamesze...@gmail.com]
Sent: Wednesday, January 22, 2014 7:23 AM
To: Miller, Mark M (EB SW Cloud - RD - Corvallis)
Cc
This feature didn't quite make it into the Havana code base in that it still
had a few bugs. I will be interested to see if it was fixed for Icehouse.
Mark
-Original Message-
From: James [mailto:jamesze...@gmail.com]
Sent: Tuesday, January 21, 2014 2:37 PM
To:
Hello,
I have come across a bug or limitation when using an Apache2 SSL-WSGI front end
for Keystone. If the returned token for a Keystone authenticate request is
greater than 8190 bytes, the mod_wsgi code throws an error similar to the
following:
[Thu Jan 16 22:27:47 2014] [info] Initial
, Miller, Mark M (EB SW Cloud - RD - Corvallis)
mark.m.mil...@hp.com wrote:
Hello,
I have come across a bug or limitation when using an Apache2 SSL-WSGI
front end for Keystone. If the returned token for a Keystone authenticate
request is greater than 8190 bytes, the mod_wsgi code throws
It turns out that there is a bug filed against the problem we are facing:
https://bugs.launchpad.net/keystone/+bug/1255321
-Original Message-
From: Miller, Mark M (EB SW Cloud - RD - Corvallis)
Sent: Thursday, January 16, 2014 11:09 PM
To: OpenStack Development Mailing List
Dave,
Have you tried Keystone under Apache2 using WSGI?
http://andymc-stack.co.uk/2013/06/apache2-mod_wsgi-openstack-pt1-keystone/
Mark
-Original Message-
From: Dave Walker [mailto:em...@daviey.com]
Sent: Friday, December 27, 2013 5:09 AM
To: openstack@lists.openstack.org
Subject:
Hello,
I am trying to get the Grizzly Glance service working with Apache2 through the
WSGI interface. I am having problems with the _upload method of file
glance/api/v1/images.py It appears that the req.body_file pointer is invalid
as I get the following error: (9, 'Bad file descriptor').
I
)
exceptions = {errno.EFBIG: exception.StorageFull(),
errno.ENOSPC: exception.StorageFull(),
errno.EACCES: exception.StorageWriteDenied()}
raise exceptions.get(e.errno, e)
From: Miller, Mark M (EB SW Cloud - RD - Corvallis)
Sent
: [openstack-dev] Nova SSL Apache2 Question
On 13 November 2013 23:39, Miller, Mark M (EB SW Cloud - RD - Corvallis)
mark.m.mil...@hp.commailto:mark.m.mil...@hp.com wrote:
I finally found a set of web pages that has a working set of configuration
files for the major OpenStack services
http
(not for usage questions)
Subject: Re: [openstack-dev] Nova SSL Apache2 Question
On 13 November 2013 23:39, Miller, Mark M (EB SW Cloud - RD - Corvallis)
mark.m.mil...@hp.commailto:mark.m.mil...@hp.com wrote:
I finally found a set of web pages that has a working set of configuration
files
I believe I found it under nova-network.
Thanks,
Mark
From: Miller, Mark M (EB SW Cloud - RD - Corvallis)
Sent: Thursday, November 14, 2013 9:31 AM
To: OpenStack Development Mailing List (not for usage questions)
Subject: Re: [openstack-dev] Nova SSL Apache2 Question
Hello Jesse,
Thank you
/2013 07:20 PM, Miller, Mark M (EB SW Cloud - RD - Corvallis)
wrote:
Hello,
I am trying to front all of the Grizzly OpenStack services with
Apache2 in order to enable SSL. I've got Horizon and Keystone working
but am struggling with Nova. The only documentation I have been able
to find
Hi Anne,
I finally found what I was looking for:
http://andymc-stack.co.uk/2013/07/apache2-mod_wsgi-openstack-pt-2-nova-api-os-compute-nova-api-ec2/
Regards,
Mark
From: Anne Gentle [mailto:a...@openstack.org]
Sent: Wednesday, November 06, 2013 10:42 PM
To: Alain Roy; diane.fleming
Cc:
Hello,
I am trying to front all of the Grizzly OpenStack services with Apache2 in
order to enable SSL. I've got Horizon and Keystone working but am struggling
with Nova. The only documentation I have been able to find is at URL
http://www.rackspace.com/blog/enabling-ssl-for-the-openstack-api/
/yum/content/installing-openstack-dashboard.html
Anne Gentle
Content Stacker
a...@openstack.org
On Nov 7, 2013, at 8:20 AM, Miller, Mark M (EB SW Cloud - RD -
Corvallis) mark.m.mil...@hp.com wrote:
Hello,
I am trying to front all of the Grizzly OpenStack services with Apache2
Hello community,
I am trying to go through my OpenStack installation and turn on SSL. For the
Horizon server I have found environment variable OPENSTACK_SSL_NO_VERIFY to
use with unsigned certificates (set it to True for self-signed certificates).
This works great when I turn Keystone SSL on
can track this?
https://bugs.launchpad.net/keystone
Thanks!
On Fri, Oct 25, 2013 at 5:47 PM, Miller, Mark M (EB SW Cloud - RD - Corvallis)
mark.m.mil...@hp.commailto:mark.m.mil...@hp.com wrote:
Hello,
We are getting an HTTP 500 error when we try to list all trusts. We can list
individual
Hello,
Is there any direct TLS support by Keystone other than using the Apache2 front
end?
Mark
___
OpenStack-dev mailing list
OpenStack-dev@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
, Client hello (1):
root@build-HP-Compaq-6005-Pro-SFF-PC:/etc/keystone#
From: Miller, Mark M (EB SW Cloud - RD - Corvallis)
Sent: Friday, October 25, 2013 8:58 AM
To: OpenStack Development Mailing List
Subject: [openstack-dev] Keystone TLS Question
Hello,
Is there any direct TLS support
Hello,
We are getting an HTTP 500 error when we try to list all trusts. We can list
individual trusts, but not the generic list.
GET REST Request:
curl -v -X GET http://10.1.8.20:35357/v3/OS-TRUST/trusts -H X-Auth-Token:
ed241ae1e986319086f3
REST Response:
{
error: {
] Keystone OS-EP-FILTER descrepancy
We have imporved the extension enumeration in Keystone. If you got to
http://hostname:35357/v3 you should see a listing of the extensions that are
enabled for that Keystone server
On 10/08/2013 07:07 PM, Miller, Mark M (EB SW Cloud - RD - Corvallis)
wrote
Hello,
I am attempting to test the Havana v3 OS-EP-FILTER extension with the latest
RC1 bits and I get a 404 error response.
The documentation actually shows 2 different URIs for this API:
- GET /OS-EP-FILTER/projects/{project_id}/endpoints and
in the
service catalog. The endpoint filter will return only the ones that you have
associated with a particular project.
Please bear in mind that this works only with scoped token (meaning where you
pass a project id).
-Original Message-
From: Miller, Mark M (EB SW Cloud - RD
.
-Original Message-
From: Miller, Mark M (EB SW Cloud - RD - Corvallis)
Sent: Tuesday, October 08, 2013 1:30 PM
To: OpenStack Development Mailing List
Subject: Re: [openstack-dev] Keystone OS-EP-FILTER descrepancy
Here is the response from Fabio:
Mark,
Please have a look
/keystone-manage db_sync --extension endpoint_filter
5. Once you have done the changes restart the keystone-server to apply the
changes.
-Original Message-
From: Miller, Mark M (EB SW Cloud - RD - Corvallis)
Sent: Tuesday, October 08, 2013 1:51 PM
To: OpenStack Development Mailing List
Hello,
I would like to try/test the latest Keystone OS-OAUTH1 Extension, but I have
not figured out how to access it with the latest H-3 code release. The
documentation states that this extension requires v3.0+ of the Identity API.
Questions:
1. What version of the Identity API is included in
| A4-317 @ IBM Toronto Software Lab
Software Developer - OpenStack
Phone: (905) 413-2851
E-Mail: steve...@ca.ibm.commailto:steve...@ca.ibm.com
[Inactive hide details for Miller, Mark M (EB SW Cloud - RD - Corvallis)
---09/23/2013 04:12:15 PM---Hello, I would like to t]Miller, Mark M (EB SW
Cloud
Hello to all you documenters,
I have spent the day reviewing the latest OpenStack Identity API documents and
want to say that you have done a truly TERRIFIC job. The latest revisions are
clear and complete.
Thank you,
Mark Miller
___
OpenStack-dev
FYI: We were thinking about using the new Keystone policy API, but fell back to
using files on the file system due to not having a way to retrieve the policies
from Keystone other than with an ID string. After saving the policy file you
need to save the policy ID somewhere so you might as well
and user roles
On Mon, Sep 16, 2013 at 11:35 AM, Miller, Mark M (EB SW Cloud - RD -
Corvallis) mark.m.mil...@hp.commailto:mark.m.mil...@hp.com wrote:
FYI: We were thinking about using the new Keystone policy API, but fell back to
using files on the file system due to not having a way to retrieve
To: OpenStack Development Mailing List
Subject: Re: [openstack-dev] OpenLdap for Keystone
I would lov
On Thu, Sep 5, 2013 at 2:57 PM, Miller, Mark M (EB SW Cloud - RD - Corvallis)
mark.m.mil...@hp.commailto:mark.m.mil...@hp.com wrote:
Thanks Dean. I was able to combine sections of each script
On Thu, Sep 5, 2013 at 11:18 AM, Miller, Mark M (EB SW Cloud - RD - Corvallis)
mark.m.mil...@hp.commailto:mark.m.mil...@hp.com wrote:
Thanks Brad for the pointer. Is there any way to just install the OpenLdap
piece and not the entire OpenStack?
You can install a Keystone-only DevStack, but I suspect
Hello,
I am looking for recent OpenLDAP installation and configuration documentation
to use with Keystone Havana H2. Please let me know if you have a pointer to
some.
Regards,
Mark Miller
___
OpenStack-dev mailing list
Hello,
I would think you would want to reuse the same token but update the expiration
time as if it were the first time the token had been generated.
Mark
From: Yongsheng Gong [mailto:gong...@unitedstack.com]
Sent: Friday, August 23, 2013 12:40 AM
To: OpenStack Development Mailing List
Is OpenStack supported on CentOS running Python 2.6?
Thanks,
Mark
___
OpenStack-dev mailing list
OpenStack-dev@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
Hello,
I am looking for documentation on how to install/configure Apache2 as the
Keystone front end for Ubuntu 12.04. I have found various documentation
snippets for a variety of applications and operating systems, but nothing for
Ubuntu. Any pointers would greatly be appreciated. I have been
] Keystone Apache2 Installation Question
What problem(s) are you running into when following the above documentation /
examples?
On Mon, Aug 12, 2013 at 3:32 PM, Miller, Mark M (EB SW Cloud - RD - Corvallis)
mark.m.mil...@hp.commailto:mark.m.mil...@hp.com wrote:
Hello,
I am looking
:
https://github.com/openstack/keystone/blob/master/doc/source/apache-httpd.rst
Thanks,
Mark
From: Miller, Mark M (EB SW Cloud - RD - Corvallis)
Sent: Monday, August 12, 2013 1:45 PM
To: OpenStack Development Mailing List
Subject: Re: [openstack-dev] Keystone Apache2 Installation Question
: Miller, Mark M (EB SW Cloud - RD - Corvallis)
Sent: Monday, August 12, 2013 3:10 PM
To: OpenStack Development Mailing List
Subject: Re: [openstack-dev] Keystone Apache2 Installation Question
Looks like I may be ahead of the game. It doesn't look like this blueprint has
been started yet. Am I correct
The main reason I use user lists (i.e. keystone user-list) is to get the list
of usernames/IDs for other keystone commands. I do not see the value of showing
all of the users in an LDAP server when they are not part of the keystone
database (i.e. do not have roles assigned to them). Performing
To: openstack-dev@lists.openstack.org
Subject: Re: [openstack-dev] Keystone Split Backend LDAP Hang Problem
On 08/07/2013 08:05 PM, Miller, Mark M (EB SW Cloud - RD - Corvallis) wrote:
I have been thinking about the keystone user lookup GET API for a split
LDAP/SQL backend when you are using a read
Hello,
I am trying to figure out what to use for the user_enabled_* attributes for
the HP Enterprise Directory servers. It looks like the enabled attribute values
in the keystone.conf file are expected to have numerical values.
From(URL
Hello,
I ran into an issue/problem with keystone and it is ok to simply tell me to
don't do that, but I am wondering how others approach this problem.
I have the keystone H-2 split backend code connected the HP Enterprise
Directory which is humongous in size. From that directory I have only
://blueprints.launchpad.net/keystone/+spec/pagination-backend-support
On Wed, Aug 7, 2013 at 3:56 PM, Miller, Mark M (EB SW Cloud - RD - Corvallis)
mark.m.mil...@hp.commailto:mark.m.mil...@hp.com wrote:
Hello,
I ran into an issue/problem with keystone and it is ok to simply tell me to
don't do
of the
“get_user_by_name()” method.
Does anyone know why or how to fix this or if what I am trying to do even works?
Regards,
Mark Miller
From: Miller, Mark M (EB SW Cloud - RD - Corvallis)
Sent: Friday, August 02, 2013 4:00 PM
To: OpenStack Development Mailing List; Adam Young (ayo...@redhat.com); Dolph
PM
To: Miller, Mark M (EB SW Cloud - RD - Corvallis)
Cc: OpenStack Development Mailing List; Dolph Mathews
(dolph.math...@gmail.com); Yee, Guang
Subject: Re: Keystone Split Backend LDAP Question
On 08/02/2013 06:59 PM, Miller, Mark M (EB SW Cloud - RD - Corvallis) wrote:
Hello,
With some minor
Hello,
With some minor tweaking of the keystone common/ldap/core.py file, I have been
able to authenticate and get an unscoped token for a user from an LDAP
Enterprise Directory. I want to continue testing but I have some questions that
need to be answered before I can continue.
1. Do
Hello,
Summary:
I am attempting to configure the Keystone H-2 release to use an Enterprise
Directory as the Identity backend and SQL as the Assignment backend (without
TLS for now). I first installed Keystone H-2 on an Ubuntu vm server and got it
up and running using a local SQL database for
Thank you.
From: Adam Young [mailto:ayo...@redhat.com]
Sent: Friday, July 26, 2013 9:54 AM
To: openstack-dev@lists.openstack.org
Subject: Re: [openstack-dev] A vision for Keystone
On 07/26/2013 12:26 PM, Miller, Mark M (EB SW Cloud - RD - Corvallis) wrote:
Adam,
Which Havana Blueprint provides
79 matches
Mail list logo