Re: [openstack-dev] [Oslo][all] Pike PTG idea & discussion

Not sure how much time it would require at the PTG - but I'd really like to discuss the ability to add in-code descriptions of oslo.policy objects, and eventually whatever we need to advertise new defaults. I'm hoping this will help OpenStack as a whole move towards providing better policy

Re: [openstack-dev] [keystone] removing Guang Yee (gyee) from keystone-core

Guang, it's been a pleasure working with you and getting to know you as a person. Best of luck in your new endeavors! On Thu, Feb 2, 2017 at 8:16 AM, Rodrigo Duarte wrote: > Thanks for everything Guang! We are already missing you. > > On Thu, Feb 2, 2017 at 10:13 AM,

Re: [openstack-dev] [keystone] Field 'domain_id' doesn't have a default value

Hi Eduardo, Master should populate the domain_id for a user before it gets to the sql layer [0] [1]. Do you have `[identity] default_domain_id` specified in your keystone.conf? Can you give some specifics on the upgrade scenario? Number of nodes? Specific request you're making to create users?

Re: [openstack-dev] Planning for the Pike PTG

I think the keystone team is in the same spot. We have an etherpad [0] for jotting down ideas, but we haven't parsed it or grouped it in into topics yet. I think we were going to start working on that next week since we're still in the middle of wrapping up the last few bits for ocata-3. I was

[openstack-dev] [keystone] [ptl] PTL candidacy for Pike

Greetings, I want to run for keystone PTL to facilitate an environment for others to grow and make meaningful changes so that we continue to build keystone into a more stable, scalable and performant project [0]. January marks my fifth anniversary working with OpenStack. In that time I've had

Re: [openstack-dev] [keystone] 2017-1-11 policy meeting

s to maintain in tree and > everything would be in code.’ Without this file, how can we define > policies? Can user configure policies? > > Ruan > > > > *From:* Lance Bragstad [mailto:lbrags...@gmail.com] > *Sent:* mercredi 18 janvier 2017 23:16 > *To:* OpenStac

Re: [openstack-dev] [keystone] 2017-1-11 policy meeting

Looping this into the operator's list, too! On Wed, Jan 18, 2017 at 2:13 PM, Lance Bragstad <lbrags...@gmail.com> wrote: > Thanks to Morgan in today's policy meeting [0], we were able to shed some > light on the reasons for keystone having two policy files. The main reason > a sec

Re: [openstack-dev] [keystone] 2017-1-11 policy meeting

[2] https://github.com/openstack/keystone/blob/7f2b7e58e74c79e5a09bd5c20e0de9c15d9eabd0/etc/policy.json On Wed, Jan 11, 2017 at 11:28 AM, Lance Bragstad <lbrags...@gmail.com> wrote: > Hey folks, > > In case you missed the policy meeting today, we had a good discussion [0] > aro

Re: [openstack-dev] [devstack][keystone] DRaaS for Keystone

Hi Wasiq! On Tue, Jan 17, 2017 at 1:34 PM, Wasiq Noor wrote: > Hello, > > I am Wasiq from Namal College Mianwali, Pakistan. Following the link: > https://wiki.openstack.org/wiki/DisasterRecovery, I have developed a > disaster recovery solution for Keystone for various

Re: [openstack-dev] [all] [barbican] [security] Why are projects trying to avoid Barbican, still?

I would consider that to be something that spans further than just barbican and keystone. The ability to restrict a token to a single service/operation/resource is a super interesting problem especially when you start to consider operational dependencies between the services. If the approach spans

Re: [openstack-dev] [release] subscribe to the OpenStack release calendar

This is awesome! I pretty much just 'Select All' deleted my other calendars I use for tracking this kind of information. Thank you, Doug! On Thu, Jan 12, 2017 at 12:41 PM, Emilien Macchi wrote: > On Wed, Jan 11, 2017 at 1:51 PM, Doug Hellmann >

[openstack-dev] [keystone] 2017-1-11 policy meeting

Hey folks, In case you missed the policy meeting today, we had a good discussion [0] around incorporating keystone's policy into code using the Nova approach. Keystone is in a little bit of a unique position since we maintain two different policy files [1] [2], and there were a lot of questions

Re: [openstack-dev] [keystone] office hours starting January 6th

something that both keystone and the > community will benefit! :) > > On Wed, Dec 21, 2016 at 4:22 PM, Steve Martinelli <s.martine...@gmail.com> > wrote: > >> Thanks for setting this up Lance! >> >> You can count on me to join and smash some bugs. >> >

[openstack-dev] [keystone] documenting policy guidelines

We had another healthy discussion about policy today [0] and most of it revolved around documenting policy guidelines. The question of the day was where should these guidelines live? To answer that we highlighted the following criteria: - Guidelines should be proposed and reviewed in small

Re: [openstack-dev] [keystone] Feedback for upcoming user survey questionnaire

++ to the suggestions Boris threw out. Answers to any of those would be valuable. In addition to that, I'd find any information about policy useful. Maybe something along the lines of "what changes to the policy files are you making, if any". This could be something that is asked OpenStack-wide

[openstack-dev] [keystone] office hours starting January 6th

Hi folks! If you remember, last year we started a weekly bug day [0]. The idea was to dedicate one day a week to managing keystone's bug queue by triaging, fixing, and reviewing bugs. This was otherwise known as keystone's office hours. I'd like to remind everyone that we are starting up this

[openstack-dev] [keystone] 2016-12-21 policy meeting

Sending a note to summarize the policy meeting we had today [0]. Also to remind folks that our next policy meeting will be Wednesday, January 4th. Hope everyone has a safe and happy holiday season! [0] http://eavesdrop.openstack.org/meetings/policy/2016/policy.2016-12-21-16.01.log.html

Re: [openstack-dev] [keystone] Custom ProjectID upon creation

I put myself in Boris' camp on this one. This can open up the opportunity for negative user-experience, purely based on where I authenticate and which token I happen to authenticate with. A token would no longer be something I can assume to be properly validated against any node in my deployment.

Re: [openstack-dev] [keystone] Custom ProjectID upon creation

The ability to specify IDs at project creation time was proposed as a specification last summer [0]. The common theme from the discussion in that thread was to use shadow mapping [1] to solve that problem. [0] https://review.openstack.org/#/c/323499/ [1]

Re: [openstack-dev] [keystone][devstack][rally][python-novaclient][magnum] switching to keystone v3 by default

FWIW - i'm seeing a common error in several of the rally failures [0] [1] [2] [3]. Dims also pointed out a few bugs in rally for keystone v3 support [4]. I checked with the folks in #openstack-containers to see if they were experiencing anymore fallout, but it looks like the magnum gate is under

[openstack-dev] [keystone] 2016-11-23 policy meeting summary

We had a useful discussion today [0]. I attempted to summarize the meeting in the etherpad [1], crossed off things we accomplished, and documented our action items to complete by next week, which I'll echo below: *ACTION ITEM:* group to review https://review.openstack.org/#/c/391624/ and continue

Re: [openstack-dev] [keystone] Stepping down from keystone core

Thanks for all your hard work, Marek. It's been a pleasure working with you. Best of luck and hopefully our paths cross in the future! On Tue, Nov 22, 2016 at 7:57 PM, Steve Martinelli wrote: > Marek, thanks for everything you've done in Keystone. It was loads of fun >

Re: [openstack-dev] [keystone] Pike PTL

Steve, thanks for all the hard work and dedication over the last 3 cycles. I hope you have a nice break and I look forward to working with you on Pike! Enjoy you're evenings :) On Mon, Nov 21, 2016 at 1:38 PM, Steve Martinelli wrote: > one of these days i'll learn how

Re: [openstack-dev] [keystone] Weekly Policy Meeting

-16.log.html#t2016-11-16T16:01:43 [1] https://review.openstack.org/#/c/398500/ [2] https://etherpad.openstack.org/p/keystone-policy-meeting On Wed, Nov 16, 2016 at 8:32 AM, Lance Bragstad <lbrags...@gmail.com> wrote: > Just sending out a reminder that we'll be having our first meet

Re: [openstack-dev] [keystone] Weekly Policy Meeting

/call/pd36j4qv5zfbldmhxeeatq6f7ae On Fri, Nov 11, 2016 at 8:33 AM, Lance Bragstad <lbrags...@gmail.com> wrote: > I've added some initial content to the etherpad [0], to get things > rolling. Since this is going to be a recurring thing, I'd like our first > meeting to level set th

[openstack-dev] [keystone] meeting format poll

Hey folks, In today's keystone meeting, Morgan mentioned that we had the ability to go back to using OpenStack Wikis for meeting agendas. I created a poll to get feedback [0]. Let's keep it open for the week and look at the results as a team at our next meeting. Thanks! [0]

Re: [openstack-dev] [keystone] Weekly Policy Meeting

ards compatible. > > On Thu, Nov 10, 2016 at 3:30 PM, Lance Bragstad <lbrags...@gmail.com> > wrote: > >> Hi folks, >> >> After hearing the recaps from the summit, it sounds like policy was a hot >> topic (per usual). This is also reinforced by the fact every r

Re: [openstack-dev] [Openstack-operators] [keystone][tripleo][ansible][puppet][all] changing default token format

/operators. Generally they'll want to publish it there first then > you follow-up with your blog post a few days later. > > On Mon, Nov 7, 2016 at 8:17 AM, Lance Bragstad <lbrags...@gmail.com> > wrote: > >> That's a good idea. Is there a page detailing the process for &

[openstack-dev] [keystone] Weekly Policy Meeting

Hi folks, After hearing the recaps from the summit, it sounds like policy was a hot topic (per usual). This is also reinforced by the fact every release we have specifications proposed to re-do policy in some way. It's no doubt policy in OpenStack needs work. Let's dedicate an hour a week to

Re: [openstack-dev] [keystone][tripleo][ansible][puppet][all] changing default token format

t; a blog post on the OpenStack sore might be good. superuser? there are > folks reading this who can help > > Sent from HUAWEI AnyOffice > *From:*Lance Bragstad > *To:*OpenStack Development Mailing List (not for usage questions), > openstack-operat...@lists.openstack.org, &

Re: [openstack-dev] [keystone][tripleo][ansible][puppet][all] changing default token format

I totally agree with communicating this the best we can. I'm adding the operator list to this thread to increase visibility. If there are any other methods folks think of for getting the word out, outside of what we've already done (release notes, email threads, etc.), please let me know. I'd be

Re: [openstack-dev] [keystone] new keystone core (breton)

Great work Boris. Welcome to the team! On Mon, Oct 31, 2016 at 2:50 PM, Kristi Nikolla wrote: > Congrats Boris! Well deserved! > > Kristi > > On 10/31/2016 03:46 PM, Steve Martinelli wrote: > > I want to welcome Boris Bobrov (breton) to the keystone core team. Boris > > has

Re: [openstack-dev] [keystone] new core reviewer (rderose)

+1! He has been doing some great work. Welcome to the team, Ron! On Thu, Sep 1, 2016 at 9:44 AM, Steve Martinelli wrote: > I want to welcome Ron De Rose (rderose) to the Keystone core team. In a > short time Ron has shown a very positive impact. Ron has contributed >

Re: [openstack-dev] [keystone][nova][neutron][all] Rolling upgrades: database triggers and oslo.versionedobjects

Since the encrypted credential work is currently based on triggers, I spent most of today documenting a walk-though migration from Mitaka to Newton [0]. Regardless of the outcome discussed here - figured it would be worth sharing since it's relevant to the thread. Most of the gist contains stuff

Re: [openstack-dev] [requirements] race in keystone unit tests

/freezegun On Tue, Aug 2, 2016 at 9:21 AM, Lance Bragstad <lbrags...@gmail.com> wrote: > Hi Sean, > > Thanks for the information. This obviously looks Fernet-related and I > would be happy to spend some cycles on it. We recently landed a bunch of > refactors in keystone to improve

Re: [openstack-dev] [requirements] race in keystone unit tests

Hi Sean, Thanks for the information. This obviously looks Fernet-related and I would be happy to spend some cycles on it. We recently landed a bunch of refactors in keystone to improve Fernet test coverage. This could be related to those refactors. Just double checking - but you haven't opened a

Re: [openstack-dev] [keystone] Can anyone share some experience for how to configure keystone work with https

There are several upstream deployment projects that have SSL support baked in [0] [1], in case you want to pick through and see exactly how they deploy keystone with SSL. [0] https://github.com/openstack/openstack-ansible-os_keystone [1] https://github.com/openstack/puppet-keystone On Mon, Jul

Re: [openstack-dev] [keystone][all] Incorporating performance feedback into the review process

review the >Rally test cases that we proposed to them > > > Best regards, > Boris Pavlovic > > On Mon, Jun 6, 2016 at 10:45 AM, Clint Byrum <cl...@fewbar.com> wrote: > >> Excerpts from Brant Knudson's message of 2016-06-03 15:16:20 -0500: >>

Re: [openstack-dev] [keystone][all] Incorporating performance feedback into the review process

2016 at 2:35 PM, Lance Bragstad <lbrags...@gmail.com> > wrote: > > > > > Hey all, > > > > > > I have been curious about impact of providing performance feedback as > part > > > of the review process. From what I understand, keystone used to have a >

Re: [openstack-dev] [keystone][all] Incorporating performance feedback into the review process

published publicly (nice to have) On Fri, Jun 3, 2016 at 3:16 PM, Brant Knudson <b...@acm.org> wrote: > > > On Fri, Jun 3, 2016 at 2:35 PM, Lance Bragstad <lbrags...@gmail.com> > wrote: > >> Hey all, >> >> I have been curious about impact of providing

Re: [openstack-dev] [keystone] Changing the project name uniqueness constraint

On Fri, Jun 3, 2016 at 11:20 AM, Henry Nash <henryna...@mac.com> wrote: > > On 3 Jun 2016, at 16:38, Lance Bragstad <lbrags...@gmail.com> wrote: > > > > On Fri, Jun 3, 2016 at 3:20 AM, Henry Nash <henryna...@mac.com> wrote: > >> >> On 3 Jun 2

[openstack-dev] [keystone][all] Incorporating performance feedback into the review process

Hey all, I have been curious about impact of providing performance feedback as part of the review process. From what I understand, keystone used to have a performance job that would run against proposed patches (I've only heard about it so someone else will have to keep me honest about its

Re: [openstack-dev] [keystone] Changing the project name uniqueness constraint

On Fri, Jun 3, 2016 at 3:20 AM, Henry Nash wrote: > > On 3 Jun 2016, at 01:22, Adam Young wrote: > > On 06/02/2016 07:22 PM, Henry Nash wrote: > > Hi > > As you know, I have been working on specs that change the way we handle > the uniqueness of project

Re: [openstack-dev] [keystone] New Core Reviewer (sent on behalf of Steve Martinelli)

Congratulations Rodrigo! Thank you for all the continued and consistent reviews. On Tue, May 24, 2016 at 1:28 PM, Morgan Fainberg wrote: > I want to welcome Rodrigo Duarte (rodrigods) to the keystone core team. > Rodrigo has been a consistent contributor to keystone

Re: [openstack-dev] [keystone] Token providers and Fernet as the default

If we were to write a uuid/fernet hybrid provider, it would only be expected to support something like stable/liberty to stable/mitaka, right? This is something that we could contribute to stackforge, too. On Tue, May 3, 2016 at 9:21 AM, Adam Young wrote: > On 05/03/2016

Re: [openstack-dev] [Keystone] State of Fernet Token deployment

It looks like it does [0]. [0] https://github.com/openstack-dev/devstack/blob/4e7804431ada7e2cc0db63bd4c52b17782d33b5b/lib/keystone#L494-L497 On Mon, Apr 18, 2016 at 10:20 AM, Matt Fischer wrote: > On Mon, Apr 18, 2016 at 8:29 AM, Brant Knudson wrote: > >>

Re: [openstack-dev] [keystone] Newton midycle planning

++ Nice to see this planning happening early! R-14 would probably be a no-go for me. R-12 and R-11 fit my schedule. On Thu, Apr 14, 2016 at 9:11 AM, Henry Nash wrote: > Hi Morgan, > > Great to be planning this ahead of time!!! > > For me either of the July dates are fine -

Re: [openstack-dev] [magnum][keystone][all] Using Keystone /v3/credentials to store TLS certificates

I think we need to ask who we are lowering the barrier of entry for. Are we going down this path because we want developers to have less things to do to stand up a development environment? Or do we want to make it easy for people to realistically test? If you're going to realistically vet magnum,

Re: [openstack-dev] [magnum][keystone][all] Using Keystone /v3/credentials to store TLS certificates

Keystone's credential API pre-dates barbican. We started talking about having the credential API back to barbican after it was a thing. I'm not sure if any work has been done to move the credential API in this direction. From a security perspective, I think it would make sense for keystone to back

Re: [openstack-dev] [tc][ptl][keystone] Proposal to split authentication part out of Keystone to separated project

In response to point 2.2, the progress with Fernet in the last year has exposed performance pain points in keystone. Finding sensible solutions for those issues is crucial in order for people to adopt Fernet. In Mitaka we had a lot of discussion that resulted in landing several performance related

Re: [openstack-dev] Is keystone support combined authentication in release L?

Keystone introduced TOTP authentication this release [0]. Like Adam said, in Newton we will build multi-factor authentication on top of TOTP and existing plugins. [0] http://specs.openstack.org/openstack/keystone-specs/specs/mitaka/totp-auth.html On Sun, Mar 13, 2016 at 4:05 PM, Adam Young

Re: [openstack-dev] [keystone] Using multiple token formats in a one openstack cloud

On Tue, Mar 8, 2016 at 10:58 AM, Adam Young wrote: > On 03/08/2016 11:06 AM, Matt Fischer wrote: > > This would be complicated to setup. How would the Openstack services > validate the token? Which keystone node would they use? A better question > is why would you want to do

[openstack-dev] [keystone] Usage of trusts with v2.0 authentication

When trusts were implemented, they were designed to work as an extension under the version 3 API. The implementation didn't prevent the use of a trust to authenticate against version 2.0, which was never officially documented in the v2.0 API docs. The keystone team is curious if there is anyone

Re: [openstack-dev] [keystone] changes to keystone-core!

++ I'm happy to see this go through! Samuel and Dave have been helping me out a lot lately. Both make great additions to the team! On Thu, Jan 28, 2016 at 9:12 AM, Brad Topol wrote: > CONGRATULATIONS Dave and Samuel. Very well deserved!!! > > --Brad > > > Brad Topol, Ph.D. >

Re: [openstack-dev] [keystone] Let's get together and fix all the bugs

And hope I can put some other folks in too. > > Em sáb, 10 de out de 2015 às 12:03, Lance Bragstad <lbrags...@gmail.com> > escreveu: > >> On Sat, Oct 10, 2015 at 8:07 AM, Boris Bobrov <bbob...@mirantis.com> >> wrote: >> >>> On Saturday 1

Re: [openstack-dev] 答复: [keystone] Is "domain" a mapping to real-world cloud tenant?

Interesting. The paper says that the implementation was based on the Havana release. Just out of curiosity, does anyone know if the code is public? On Mon, Dec 14, 2015 at 6:38 PM, darren wang wrote: > Hi Dolph, > > > > Here it is, >

Re: [openstack-dev] [Openstack-operators] [keystone] Removing functionality that was deprecated in Kilo and upcoming deprecated functionality in Mitaka

On Tue, Dec 1, 2015 at 6:05 AM, Sean Dague wrote: > On 12/01/2015 01:57 AM, Steve Martinelli wrote: > > Trying to summarize here... > > > > - There isn't much interest in keeping eventlet around. > > - Folks are OK with running keystone in a WSGI server, but feel they are > >

Re: [openstack-dev] [keystone][all] Move from active distrusting model to trusting model

I think one of the benefits of the current model was touched on earlier by dstanek. If someone is working on something for their organization, they typically bounce ideas of others they work with closely. This tends to be people within the same organization. The groups developing the feature might

Re: [openstack-dev] [keystone] Let's get together and fix all the bugs

On Sat, Oct 10, 2015 at 8:07 AM, Boris Bobrov wrote: > On Saturday 10 October 2015 08:42:10 Shinobu Kinjo wrote: > > So what's the procedure? > > You go to #openstack-keystone on Friday, choose a bug, talk to someone of > the > core reviewers. After talking to them fix the

Re: [openstack-dev] [keystone] creating new users with invalid mail addresses possible

On Fri, Sep 11, 2015 at 8:04 AM, David Stanek wrote: > On Fri, Sep 11, 2015 at 8:26 AM, Christian Berendt > wrote: > >> At the moment it is possible to create new users with invalid mail >> addresses. I pasted the output of my test at >>

Re: [openstack-dev] [keystone] PTL non-candidacy

Best of luck in your new adventures, and thanks for all your hard work! On Thu, Sep 10, 2015 at 5:28 PM, Dolph Mathews wrote: > Thank you for all your work, Morgan! Good luck with the opportunity to > write some code again :) > > On Thu, Sep 10, 2015 at 4:40 PM, Morgan

Re: [openstack-dev] [keystone] Liberty SPFE Request - IDP Specific WebSSO

etc. --Morgan Sent via mobile On Aug 12, 2015, at 16:20, Lance Bragstad lbrags...@gmail.com wrote: Hey all, I'd like to propose a spec proposal freeze exception for IDP Specific WebSSO [0]. This topic has been discussed, in length, on the mailing list [1], where this spec has been

[openstack-dev] [keystone] Liberty SPFE Request - IDP Specific WebSSO

Hey all, I'd like to propose a spec proposal freeze exception for IDP Specific WebSSO [0]. This topic has been discussed, in length, on the mailing list [1], where this spec has been referenced as a possible solution [2]. This would allow for multiple Identity Providers to use the same

Re: [openstack-dev] [Keystone] [Horizon] Federated Login

On Wed, Aug 12, 2015 at 12:06 PM, David Chadwick d.w.chadw...@kent.ac.uk wrote: On 11/08/2015 01:46, Jamie Lennox wrote: - Original Message - From: Jamie Lennox jamielen...@redhat.com To: OpenStack Development Mailing List (not for usage questions)

Re: [openstack-dev] [Keystone] [Horizon] Federated Login

for Lance Bragstad ---2015/08/04 01:49:29 PM---On Tue, Aug 4, 2015 at 10:52 AM, Douglas Fish drfish@us.iLance Bragstad ---2015/08/04 01:49:29 PM---On Tue, Aug 4, 2015 at 10:52 AM, Douglas Fish drf...@us.ibm.com wrote: Hi David, From: Lance Bragstad lbrags...@gmail.com

Re: [openstack-dev] [Keystone][Fernet] HA SQL backend for Fernet keys

for Key distribution and rotation in multiple KeyStone deployment scenario, the database replication (sync. or async.) capability could be leveraged. Best Regards Chaoyi Huang ( Joe Huang ) *From:* Lance Bragstad [mailto:lbrags...@gmail.com] *Sent:* Tuesday, August 04, 2015 10:56 PM

Re: [openstack-dev] [Keystone] [Horizon] Federated Login

protect the list of IdPs? regards David Thanks, Steve Martinelli OpenStack Keystone Core Inactive hide details for Lance Bragstad ---2015/08/04 01:49:29 PM---On Tue, Aug 4, 2015 at 10:52 AM, Douglas Fish drfish@us.iLance Bragstad ---2015/08

Re: [openstack-dev] [Keystone][Fernet] HA SQL backend for Fernet keys

On Tue, Aug 4, 2015 at 9:28 AM, Boris Bobrov bbob...@mirantis.com wrote: On Tuesday 04 August 2015 08:06:21 Lance Bragstad wrote: On Tue, Aug 4, 2015 at 1:37 AM, Boris Bobrov bbob...@mirantis.com wrote: On Monday 03 August 2015 21:05:00 David Stanek wrote: On Sat, Aug 1, 2015 at 8:03

Re: [openstack-dev] [Keystone][Fernet] HA SQL backend for Fernet keys

On Tue, Aug 4, 2015 at 1:37 AM, Boris Bobrov bbob...@mirantis.com wrote: On Monday 03 August 2015 21:05:00 David Stanek wrote: On Sat, Aug 1, 2015 at 8:03 PM, Boris Bobrov bbob...@mirantis.com wrote: On Sat, Aug 1, 2015 at 3:41 PM, Clint Byrum cl...@fewbar.com wrote: This too is

Re: [openstack-dev] [Keystone] [Horizon] Federated Login

On Tue, Aug 4, 2015 at 10:52 AM, Douglas Fish drf...@us.ibm.com wrote: Hi David, This is a cool looking UI. I've made a minor comment on it in InVision. I'm curious if this is an implementable idea - does keystone support large numbers of 3rd party idps? is there an API to retreive the list

Re: [openstack-dev] [Keystone][Fernet] HA SQL backend for Fernet keys

On Mon, Aug 3, 2015 at 7:03 AM, David Stanek dsta...@dstanek.com wrote: On Mon, Aug 3, 2015 at 7:14 AM, Davanum Srinivas dava...@gmail.com wrote: agree. Native HA solution was already ruled out in several email threads by keystone cores already (if i remember right). This is a devops issue

Re: [openstack-dev] [keystone] token revocation woes

On Wed, Jul 22, 2015 at 10:06 PM, Adam Young ayo...@redhat.com wrote: On 07/22/2015 05:39 PM, Adam Young wrote: On 07/22/2015 03:41 PM, Morgan Fainberg wrote: This is an indicator that the bottleneck is not the db strictly speaking, but also related to the way we match. This means we need

Re: [openstack-dev] DB2 CI enablement on Keystone

On Mon, Jun 15, 2015 at 5:00 AM, Feng Xi BJ Yan yanfen...@cn.ibm.com wrote: Hi, Keystone guys, Could we have a talk about DB2 CI enablement on this Monday, 8PM central US time? which is Tuesday 9AM beijeing time? Works for me, I'll make a note to be in the channel at 8 PM central. Thanks

Re: [openstack-dev] [Keystone] Midcycle

Hi Adam, Do you have any more information on the Boston University dorm situation? On Tue, Jun 9, 2015 at 1:25 PM, Adam Young ayo...@redhat.com wrote: Keystone Liberty Midcycle Meetup Time and Location When: July 15-17 (Wed-Fri) Where: Boston University, Boston, MA, USA Keystone

Re: [openstack-dev] [keystone][barbican] Regarding exposing X-Group-xxxx in token validation

morgan.fainb...@gmail.com wrote: For Fernet, the groups would only be populated on validate as Dolph outlined. They would not be added to the core payload. We do not want to expand the payload in this manner. --Morgan Sent via mobile On Jun 3, 2015, at 21:51, Lance Bragstad lbrags...@gmail.com

Re: [openstack-dev] [keystone][barbican] Regarding exposing X-Group-xxxx in token validation

I feel if we allowed group ids to be an attribute of the Fernet's core payload, we continue to open up the possibility for tokens to be greater than the initial acceptable size limit for a Fernet token (which I believe was 255 bytes?). With this, I think we need to provide guidance on the number

Re: [openstack-dev] [keystone] SPFE: Authenticated Encryption (AE) Tokens

On Mon, Feb 16, 2015 at 1:21 PM, Samuel Merritt s...@swiftstack.com wrote: On 2/14/15 9:49 PM, Adam Young wrote: On 02/13/2015 04:19 PM, Morgan Fainberg wrote: On February 13, 2015 at 11:51:10 AM, Lance Bragstad (lbrags...@gmail.com mailto:lbrags...@gmail.com) wrote: Hello all, I'm

Re: [openstack-dev] [keystone] SPFE: Authenticated Encryption (AE) Tokens

for encrypting. On Sun, Feb 15, 2015 at 12:03 AM, Morgan Fainberg morgan.fainb...@gmail.com wrote: On February 14, 2015 at 9:53:14 PM, Adam Young (ayo...@redhat.com) wrote: On 02/13/2015 04:19 PM, Morgan Fainberg wrote: On February 13, 2015 at 11:51:10 AM, Lance Bragstad (lbrags...@gmail.com) wrote

[openstack-dev] [keystone] SPFE: Authenticated Encryption (AE) Tokens

Hello all, I'm proposing the Authenticated Encryption (AE) Token specification [1] as an SPFE. AE tokens increases scalability of Keystone by removing token persistence. This provider has been discussed prior to, and at the Paris summit [2]. There is an implementation that is currently up for

Re: [openstack-dev] [Keystone] Proposing Marek Denis for the Keystone Core Team

+1 On Tue, Feb 10, 2015 at 11:56 AM, David Stanek dsta...@dstanek.com wrote: +1 On Tue, Feb 10, 2015 at 12:51 PM, Morgan Fainberg morgan.fainb...@gmail.com wrote: Hi everyone! I wanted to propose Marek Denis (marekd on IRC) as a new member of the Keystone Core team. Marek has been

Re: [openstack-dev] [Keystone] Nominating Brad Topol for Keystone-Spec core

+1 On Jan 18, 2015 1:23 PM, Marek Denis marek.de...@cern.ch wrote: +1 On 18.01.2015 20:11, Morgan Fainberg wrote: Hello all, I would like to nominate Brad Topol for Keystone Spec core (core reviewer for Keystone specifications and API-Specification only:

Re: [openstack-dev] [Keystone] Is anyone working on the following patch?

https://review.openstack.org/#/c/113586/ is owned by dstanek but I understand he is out this week at a conference? It might be worth dropping in #openstack-keystone and seeing if dstanek would be alright with you picking it up, since you're building on it. On Wed, Jan 7, 2015 at 12:21 AM, Ajaya

Re: [openstack-dev] Where should Schema files live?

Keystone also has API documentation in the keystone-spec repo [1], which went in with [2] and [3]. [1] https://github.com/openstack/keystone-specs/tree/master/api [2] https://review.openstack.org/#/c/128712/ [3] https://review.openstack.org/#/c/130577/ On Mon, Dec 8, 2014 at 1:06 PM, Adam Young

Re: [openstack-dev] [all] bugs with paste pipelines and multiple projects and upgrading

On Wed, Dec 3, 2014 at 9:18 AM, Sean Dague s...@dague.net wrote: We've hit two interesting issues this week around multiple projects installing into the paste pipeline of a server. 1) the pkg_resources explosion in grenade. Basically ceilometer modified swift paste.ini to add it's own code

Re: [openstack-dev] [all] removing XML testing completely from Tempest

We are in the process of removing XML support from Keystone [1] and have provided configuration options to Tempest for testing XML in older releases [2]. However, the identity client is still tightly coupled to XML test cases. We can either fix the 309 test cases that use the XML identity client

Re: [openstack-dev] [Openstack-security] [Barbican][OSSG] Mid Cycle Attendance / Crossover.

On Tue, Nov 11, 2014 at 3:30 PM, Douglas Mendizabal douglas.mendiza...@rackspace.com wrote: I think it would also be interesting to hear for the Keystone folks that are interested in attending OSSG and/or Barbican. We did record some of our plans for the Keystone mid-cycle meetup during our

Re: [openstack-dev] [QA][All] Prelude to functional testing summit discussions

On Thu, Oct 30, 2014 at 6:30 AM, Eoghan Glynn egl...@redhat.com wrote: Hi everyone, Before we start the larger discussion at summit next week about the future of testing in OpenStack - specifically about spinning up functional testing and how it relates to tempest - I would like

Re: [openstack-dev] [api] Forming the API Working Group

I found a couple of free times available for a weekly meeting if people are interested: https://review.openstack.org/#/c/128332/2 Not sure if a meeting time has been hashed out already or not, and if it has I'll change the patch accordingly. If not, we can iterate on possible meeting times in

Re: [openstack-dev] [api] Forming the API Working Group

On Tue, Oct 14, 2014 at 4:29 PM, Christopher Yeoh cbky...@gmail.com wrote: On Tue, 14 Oct 2014 10:29:34 -0500 Lance Bragstad lbrags...@gmail.com wrote: I found a couple of free times available for a weekly meeting if people are interested: https://review.openstack.org/#/c/128332/2

Re: [openstack-dev] [keystone][swift] Has anybody considered storing tokens in Swift?

On Mon, Sep 29, 2014 at 11:25 AM, Jay Pipes jaypi...@gmail.com wrote: On 09/29/2014 12:15 PM, Julien Danjou wrote: On Mon, Sep 29 2014, Jay Pipes wrote: What if we wrote a token driver in Keystone that uses Swift for backend storage? Yay! I already wrote a PoC to that:

Re: [openstack-dev] [Nova] [All] API standards working group

You can add me to this list as well. Thanks! Lance On Wed, Sep 24, 2014 at 9:41 AM, Alex Xu x...@linux.vnet.ibm.com wrote: I'm interesting in the group too! On 2014年09月24日 18:01, Salvatore Orlando wrote: Please keep me in the loop. The importance of ensuring consistent style across

Re: [openstack-dev] [keystone] Stepping down as PTL

On Tue, Sep 23, 2014 at 3:51 AM, Thierry Carrez thie...@openstack.org wrote: Adam Young wrote: OpenStack owes you more than most people realize. +1 Dolph did a great job of keeping the fundamental piece that is Keystone safe from a release management perspective, by consistently hitting

Re: [openstack-dev] Criteria for giving a -1 in a review

Comments inline below. Best Regards, Lance On Thu, Aug 21, 2014 at 11:40 AM, Adam Young ayo...@redhat.com wrote: On 08/21/2014 12:21 PM, Daniel P. Berrange wrote: On Thu, Aug 21, 2014 at 05:05:04PM +0100, Matthew Booth wrote: I would prefer that you didn't merge this. i.e. The project

Re: [openstack-dev] [nova] objects notifications

Keystone has a notifications module that is based on this idea. When implementing notification in Keystone, we wanted it to be easy to deliver notifications on new resources and extensions [1], which is where the idea of the wrapper came from. With that framework in place, we wrap our CRUD methods

Re: [openstack-dev] Concerns about the ballooning size of keystone tokens

John, Adam had a blog post on Compressed Tokens that might help shed a little light on them in general[1]. We also have a blueprint for tracking the work as it gets done[2]. [1] http://adam.younglogic.com/2014/02/compressed-tokens/ [2]

Re: [openstack-dev] [Openstack-dev] [Nova] use Keystone V3 token to volume attachment

http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev Furthermore Russell talked to Dolph in IRC and Dolph created this blueprint for planning the path forward from keystone v2 to v3: https://blueprints.launchpad.net/keystone/+spec/document-v2-to-v3-transition -- Lance

<    1   2   3   4   5