Re: [openstack-dev] [keystone] Using multiple token formats in a one openstack cloud

2016-03-09 Thread Adam Young
On 03/09/2016 01:44 AM, Matt Fischer wrote: I don't think your example is right: "PKI will validate that token without going to any keystone server". How would it track revoked tokens? I'm pretty sure that they still get validated, they are stored in the DB even.

Re: [openstack-dev] [all][zaqar][cloudkitty] Default ports list

2016-03-10 Thread Adam Young
On 03/09/2016 04:35 PM, Fei Long Wang wrote: Hi all, Yesterday I just found cloudkitty is using the same default port () which is used by Zaqar now. So I'm wondering if there is any rule/policy for those new services need to be aware. I googled but can't find anything about this. The only

Re: [openstack-dev] [horizon] PTL noncandidacy

2016-03-12 Thread Adam Young
On 03/11/2016 12:19 PM, David Lyle wrote: After five cycles as PTL of Horizon, I've decided not to run for the Newton cycle. I am exceptionally proud of the things we've accomplished over this time. I'm amazed by how much our project's community has grown and evolved. Looking at the community n

[openstack-dev] [Keystone] PTL Candidacy for Adam Young

2016-03-12 Thread Adam Young
I am, once again, throwing my hat in the ring. No long position statement. If you know me, you know what I stand for. If you don't know me, you won't be voting in the Keystone PTL election. I will state this: part of a successful organization is that the leadership position be held accountab

Re: [openstack-dev] Is keystone support combined authentication in release L?

2016-03-13 Thread Adam Young
On 03/12/2016 11:37 PM, 赵智龙 wrote: hi guys. i just want to ask a small question. Is keystone support combined authentication in release L?

Re: [openstack-dev] [puppet] PTL candidacy

2016-03-13 Thread Adam Young
On 03/13/2016 05:44 PM, Emilien Macchi wrote: This is my candidacy for PTL role in the Puppet OpenStack team for the Newton release cycle. https://review.openstack.org/#/c/292145/ Puppet OpenStack is a great example of project where collaboration works between developers and operators. Expect m

[openstack-dev] [tripleo] instack virt setup with visible external networks.

2016-03-14 Thread Adam Young
I have been able to get instack to run and get both under and overclouds to deploy, but the overcloud VMs are not accessible except if I first ssh in to the baremetal install and then into the instack (undercloud) VM. I've been told that there is an option to set up some form of Network Isolat

Re: [openstack-dev] [cross-project] [all] Quotas -- service vs. library

2016-03-19 Thread Adam Young
On 03/16/2016 10:04 AM, Davanum Srinivas wrote: To complete the context: https://review.openstack.org/#/c/132127/ https://etherpad.openstack.org/p/kilo-oslo-common-quota-library (from https://wiki.openstack.org/wiki/Design_Summit/Kilo/Etherpads) -- Dims On Wed, Mar 16, 2016 at 9:53 AM, Doug Hel

Re: [openstack-dev] [QA][all] Propose to remove negative tests from Tempest

2016-03-19 Thread Adam Young
On 03/16/2016 09:20 PM, Ken'ichi Ohmichi wrote: Hi I have one proposal[1] related to negative tests in Tempest, and hoping opinions before doing that. Now Tempest contains negative tests and sometimes patches are being posted for adding more negative tests, but I'd like to propose removing them

Re: [openstack-dev] [QA][all] Propose to remove negative tests from Tempest

2016-03-19 Thread Adam Young
On 03/16/2016 11:01 PM, Ken'ichi Ohmichi wrote: 2016-03-16 19:29 GMT-07:00 Adam Young : On 03/16/2016 09:20 PM, Ken'ichi Ohmichi wrote: Hi I have one proposal[1] related to negative tests in Tempest, and hoping opinions before doing that. Now Tempest contains negative tests and

[openstack-dev] [Tripleo][Fuel][Kolla][Ansible][Puppet] Parsing and Managing Policy in Keystone

2016-03-19 Thread Adam Young
The policy API is currently a Blob-based operation. Keystone knows nothing about the data stored or retrieved. There is an API to fetch the policy file for a given endpoint. http://git.openstack.org/cgit/openstack/keystone-specs/tree/api/v3/identity-api-v3-os-endpoint-policy.rst What I would l

Re: [openstack-dev] [oslo][all] What would you like changed/fixed/new in oslo??

2016-03-20 Thread Adam Young
On 03/19/2016 11:33 PM, Joshua Harlow wrote: Howday all, Just to start some conversation for the next cycle, I wanted to start thinking about what folks may like to see in oslo (or yes, even what u dislike in any of the oslo libraries). For those who don't know, oslo[1] is a lot of libraries

Re: [openstack-dev] [TripleO] propose EmilienM for core

2016-03-20 Thread Adam Young
On 03/20/2016 02:22 PM, Dan Prince wrote: I'd like to propose that we add Emilien Macchi to the TripleO core review team. Emilien has been getting more involved with TripleO during this last release. In addition to help with various Puppet things he also has experience in building OpenStack insta

Re: [openstack-dev] [puppet] Prefecting user and user_roles resources with domain-specific conf is failing.

2016-03-21 Thread Adam Young
On 03/21/2016 09:34 AM, Sofer Athlan-Guyot wrote: Hi, we have a big problem when using domain-specific configuration. The listing of all users is not supported by keystone when it's used[1][2]. What this means is that prefetch method in keystone_user won't work, or more specifically, instances

[openstack-dev] [oslo][nova] Messaging: everything can talk to everything, and that is a bad thing

2016-03-21 Thread Adam Young
I had a good discussion with the Nova folks in IRC today. My goal was to understand what could talk to what, and the short according to dansmith " any node in nova land has to be able to talk to the queue for any other one for the most part: compute->compute, compute->conductor, conductor->c

Re: [openstack-dev] [oslo][nova] Messaging: everything can talk to everything, and that is a bad thing

2016-03-22 Thread Adam Young
On 03/22/2016 09:15 AM, Flavio Percoco wrote: On 21/03/16 21:43 -0400, Adam Young wrote: I had a good discussion with the Nova folks in IRC today. My goal was to understand what could talk to what, and the short according to dansmith " any node in nova land has to be able to talk t

Re: [openstack-dev] [oslo][nova] Messaging: everything can talk to everything, and that is a bad thing

2016-03-22 Thread Adam Young
On 03/22/2016 05:42 PM, Dan Smith wrote: Shouldn't we be trying to remove central bottlenecks by decentralizing communications where we can? I think that's a good goal to continue having. Some deployers have setup firewalls between compute nodes, or between compute nodes and the database, so we

Re: [openstack-dev] [TripleO][Heat][Kolla][Magnum] The zen of Heat, containers, and the future of TripleO

2016-03-23 Thread Adam Young
On 03/23/2016 11:42 AM, Michał Jastrzębski wrote: Hello, So Ryan, I think you can make use of heat all the way. Architecture of kolla doesn't require you to use ansible at all (in fact, we separate ansible code to a different repo). Truth is that ansible-kolla is developed by most people and con

Re: [openstack-dev] [TripleO][Heat][Kolla][Magnum] The zen of Heat, containers, and the future of TripleO

2016-03-23 Thread Adam Young
On 03/23/2016 03:11 PM, Fox, Kevin M wrote: If heat convergence worked (Is that a thing yet?), it could potentially be used instead of a COE like kubernetes. The thing ansible buys us today would be upgradeability. Ansible is config management, but it's also a workflow-like tool. Heat's bad at w

Re: [openstack-dev] [kite] Seeking core reviewers

2016-03-24 Thread Adam Young
On 03/24/2016 05:17 PM, Ian Cordasco wrote: -Original Message- From: Ronald Bradford Reply: OpenStack Development Mailing List (not for usage questions) Date: March 24, 2016 at 16:16:22 To: OpenStack Development Mailing List (not for usage questions) Subject: [openstack-dev] [kite]

Re: [openstack-dev] [keystone] [murano] Does anybody need OAuth1 API in keystone?

2016-03-25 Thread Adam Young
On 03/25/2016 08:44 AM, Alexander Tivelkov wrote: Hi Alexander, We - the murano team (so adding [murano] to subj) - are planning to utilise keystone's OAuth flow in Newton timeframe. Our use cases require to have ability to delegate some of user's privileges to various kinds of external (i.e.

Re: [openstack-dev] [OpenStack-Dev][Manila] BP https://blueprints.launchpad.net/manila/+spec/access-group

2016-03-25 Thread Adam Young
On 03/25/2016 08:43 AM, nidhi.h...@wipro.com wrote: Hi All, A gentle reminder.. Could you please share your thoughts on the approach proposed here .. https://etherpad.openstack.org/p/access_group_nidhimittalhada Thanks Nidhi *From:* Nidhi Mittal Hada (Product Engineering Service) *Sent:* W

Re: [openstack-dev] [ptl][kolla][release] Deploying the big tent

2016-03-26 Thread Adam Young
On 03/26/2016 12:27 PM, Steven Dake (stdake) wrote: Hey fellow PTLs and core reviewers of those projects, Kolla at present deploys the compute kit, and some other services that folks have added over time including other projects like Ironic, Heat, Mistral, Murano, Magnum, Manila, and Swift.

Re: [openstack-dev] [keystone] Flush expired tokens automatically ?

2015-01-27 Thread Adam Young
Short term answers: The amount of infrastructure we would have to build to replicate CRON is not worth it. Figuring out a CRON strategy for nontrivial deployment is part of a larger data management scheme. Long term answers: Tokens should not be persisted. We have been working toward eph

Re: [openstack-dev] [tc] Take back the naming process

2015-01-27 Thread Adam Young
On 01/27/2015 05:19 PM, Jim Meyer wrote: +1 all the way down. More fun double-plus-good. —j On Jan 27, 2015, at 1:50 PM, Monty Taylor wrote: I do not like how we are selecting names for our releases right now. The current process is autocratic and opaque and not fun - which is the exact opp

Re: [openstack-dev] [all][tc] SQL Schema Downgrades and Related Issues

2015-02-02 Thread Adam Young
On 01/30/2015 07:23 AM, Sandy Walsh wrote: From: Johannes Erdfelt [johan...@erdfelt.com] Sent: Thursday, January 29, 2015 9:18 PM To: OpenStack Development Mailing List (not for usage questions) Subject: Re: [openstack-dev] [all][tc] SQL Schema Downgrades

Re: [openstack-dev] [all][tc] SQL Schema Downgrades and Related Issues

2015-02-02 Thread Adam Young
On 01/29/2015 03:11 PM, Mike Bayer wrote: Morgan Fainberg wrote: Are downward migrations really a good idea for us to support? Is this downward migration path a sane expectation? In the real world, would any one really trust the data after migrating downwards? It’s a good idea for a migrat

Re: [openstack-dev] [Heat][Keystone] Native keystone resources in Heat

2015-02-02 Thread Adam Young
On 01/30/2015 02:19 AM, Thomas Spatzier wrote: From: Zane Bitter To: openstack Development Mailing List Date: 29/01/2015 17:47 Subject: [openstack-dev] [Heat][Keystone] Native keystone resources in Heat I got a question today about creating keystone users/roles/tenants in Heat templates. We

Re: [openstack-dev] [Murano] SQLite support - drop or not?

2015-02-06 Thread Adam Young
Drop. It is wasting cycles, and not something we should use in production. Migrations specific to SQLPlus are the most time consuming work-arounds we have. SQLPlus does not suit our development approach. On 02/03/2015 01:32 PM, Georgy Okrokvertskhov wrote: I think we should switch to clean

Re: [openstack-dev] [horizon][keystone]

2015-02-06 Thread Adam Young
On 02/04/2015 03:54 PM, Thai Q Tran wrote: Hi all, I have been helping with the websso effort and wanted to get some feedback. Basically, users are presented with a login screen where they can select: credentials, default protocol, or discovery service. If user selects credentials, it works e

Re: [openstack-dev] [horizon][keystone]

2015-02-06 Thread Adam Young
On 02/05/2015 04:20 AM, Anton Zemlyanov wrote: Hi, I guess "Credentials" is login and password. I have no idea what is "Default Protocol" or "Discovery Service". The proposed UI is rather embarrassing. No it is not. It is a rapid prototyping technique to get things to fail fast, and to get f

Re: [openstack-dev] [Keystone] Proposing Marek Denis for the Keystone Core Team

2015-02-10 Thread Adam Young
On 02/10/2015 12:51 PM, Morgan Fainberg wrote: Hi everyone! I wanted to propose Marek Denis (marekd on IRC) as a new member of the Keystone Core team. Marek has been instrumental in the implementation of Federated Identity. His work on Keystone and first hand knowledge of the issues with extr

Re: [openstack-dev] [keystone] [nova]

2015-02-11 Thread Adam Young
On 02/11/2015 10:52 AM, Nikolay Makhotkin wrote: Hi ! I investigated trust's use cases and encountered the problem: When I use auth_token obtained from keystoneclient using trust, I get *403* Forbidden error: *You are not authorized to perform the requested action.* Steps to reproduce: - Im

Re: [openstack-dev] [keystone] [nova]

2015-02-11 Thread Adam Young
matches what the trustor normally works as, not the project in question. If these two values don't match, then, yes, the rule would fail. | On Wed, Feb 11, 2015 at 7:55 PM, Adam Young <mailto:ayo...@redhat.com>> wrote: On 02/11/2015 10:52 AM, Nikolay Makhotkin wrote:

Re: [openstack-dev] [keystone] [nova]

2015-02-12 Thread Adam Young
On Wed, Feb 11, 2015 at 9:10 PM, Adam Young <mailto:ayo...@redhat.com>> wrote: On 02/11/2015 12:16 PM, Nikolay Makhotkin wrote: No, I just checked it. Nova receives trust token and raise this error. In my script, I see: http://paste.openstack.org/show/171452/

Re: [openstack-dev] [keystone] SPFE: Authenticated Encryption (AE) Tokens

2015-02-14 Thread Adam Young
On 02/13/2015 04:19 PM, Morgan Fainberg wrote: On February 13, 2015 at 11:51:10 AM, Lance Bragstad (lbrags...@gmail.com ) wrote: Hello all, I'm proposing the Authenticated Encryption (AE) Token specification [1] as an SPFE. AE tokens increases scalability of Keysto

Re: [openstack-dev] [keystone] SPFE: Authenticated Encryption (AE) Tokens

2015-02-16 Thread Adam Young
On 02/16/2015 02:21 PM, Samuel Merritt wrote: On 2/14/15 9:49 PM, Adam Young wrote: On 02/13/2015 04:19 PM, Morgan Fainberg wrote: On February 13, 2015 at 11:51:10 AM, Lance Bragstad (lbrags...@gmail.com <mailto:lbrags...@gmail.com>) wrote: Hello all, I'm proposing the Au

Re: [openstack-dev] [keystone] [nova]

2015-02-23 Thread Adam Young
a3886ccce1442b538a0" http://192.168.0.2:8774/v3/servers { "servers": [ ] } How I can use trust-scoped token via client? On Fri, Feb 13, 2015 at 9:16 PM, Alexander Makarov mailto:amaka...@mirantis.com>> wrote: Adam, Nova client does it for some reason during a call

Re: [openstack-dev] [horizon][keystone]

2015-02-23 Thread Adam Young
ck here. Unfortunately, my GO-TO team member has decided to GO-TO a trip around the world...who can we pull in to make this flow in with the rest of Horizon? regards David On 18/02/2015 16:06, Dolph Mathews wrote: On Fri, Feb 6, 2015 at 12:47 PM, Adam Young mailto:ayo...@redhat.com>>

Re: [openstack-dev] Kerberos in OpenStack

2015-02-24 Thread Adam Young
On 02/24/2015 01:53 PM, Sanket Lawangare wrote: Hello Everyone, My name is Sanket Lawangare. I am a graduate Student studying at The University of Texas, at San Antonio. For my Master’s Thesis I am working on the Identity component of OpenStack. My research is to investigate external authenti

Re: [openstack-dev] Kerberos in OpenStack

2015-03-02 Thread Adam Young
am pretty sure i will have many). Sanket On Tue, Feb 24, 2015 at 1:26 PM, Adam Young mailto:ayo...@redhat.com>> wrote: On 02/24/2015 01:53 PM, Sanket Lawangare wrote: Hello Everyone, My name is Sanket Lawangare. I am a graduate Student studying

[openstack-dev] HTTPD Config

2015-03-05 Thread Adam Young
I'm trying to get a grip on what the HTTPD configuration should be for Horizon in order for it to use HTTPS. This really should be the default, but the devstack and puppet choice of putting the Horizon config inside a VirtualHost *:80 section in the config file makes it tricky. If I remove th

Re: [openstack-dev] HTTPD Config

2015-03-06 Thread Adam Young
On 03/06/2015 02:37 AM, Matthias Runge wrote: On 05/03/15 19:49, Adam Young wrote: I'd like to drop port 5000 all-together, as we are using a port assigned to a different service. 35357 is also problematic as it is in the middle of the Ephemeral range. Since we are talking about ru

Re: [openstack-dev] HTTPD Config

2015-03-06 Thread Adam Young
On 03/06/2015 10:44 AM, Rich Megginson wrote: On 03/06/2015 12:37 AM, Matthias Runge wrote: On 05/03/15 19:49, Adam Young wrote: I'd like to drop port 5000 all-together, as we are using a port assigned to a different service. 35357 is also problematic as it is in the middle of the Ephe

Re: [openstack-dev] HTTPD Config

2015-03-06 Thread Adam Young
On 03/06/2015 01:29 PM, Matthias Runge wrote: On Fri, Mar 06, 2015 at 11:08:44AM -0500, Adam Young wrote: No matter what we do in devstack, this is something, horizon and keystone devs need to fix first. E.g. in Horizon, we still discover hard coded URLs here and there. To catch that kind of

Re: [openstack-dev] [Keystone]ON DELETE RESTRICT VS ON DELETE CASCADE

2015-03-09 Thread Adam Young
On 03/08/2015 02:28 PM, Morgan Fainberg wrote: On March 8, 2015 at 11:24:37 AM, David Stanek (dsta...@dstanek.com ) wrote: On Sun, Mar 8, 2015 at 1:37 PM, Mike Bayer>wrote: can you elaborate on your reasoning that FK constraints should

Re: [openstack-dev] [Keystone]ON DELETE RESTRICT VS ON DELETE CASCADE

2015-03-09 Thread Adam Young
On 03/09/2015 01:26 PM, Mike Bayer wrote: I'm about -1000 on disabling foreign key constraints. So was I. We didn't do it out of performance. Since I am responsible for tipping over this particular cow, let me explain. No, is too much. Let me sum up. In the murky past, Keystone was primarily

Re: [openstack-dev] [Keystone]ON DELETE RESTRICT VS ON DELETE CASCADE

2015-03-10 Thread Adam Young
On 03/10/2015 10:23 AM, Mike Bayer wrote: if *that’s* what you mean, that’s known as a “polymorphic foreign key”, and it is not actually a foreign key at all, it is a terrible antipattern started by the PHP/Rails community and carried forth by projects like Django. A) Heh. it is much, much older

[openstack-dev] [QA][Keystone] Test plan template

2015-03-12 Thread Adam Young
I posted a test plan template for review. While my template is specific to Keystone, I think that it will benefit from a wider review. I did not see a comparable document elsewhere. There are the qa specs, but those look more like feature proposals for QA infrastructure than for test plans.

Re: [openstack-dev] Fedora cloud image compression format

2015-03-16 Thread Adam Young
We had the following exchange on the Fedora Cloud list, but I think it now more properly belongs here; On 03/12/2015 12:37 PM, Daniel P. Berrange wrote: On Thu, Mar 12, 2015 at 12:17:06PM -0400, Adam Young wrote: So, it looks like xz is not supported by OpenStack. "So what"

Re: [openstack-dev] [opnfv-tech-discuss] [Keystone][Multisite] Huge token size

2015-03-16 Thread Adam Young
On 03/16/2015 05:33 AM, joehuang wrote: [Topic]: Huge token size Hello, As you may or may not be aware of, a requirement project proposal Multisite[1] was started in OPNFV in order to identify gaps in implementing OpenStack across multiple sites. Although the proposal has not been approved

[openstack-dev] [keystone][congress][group-policy] Fetching policy from a remote source

2015-03-16 Thread Adam Young
Oslo policy has been released as a stand alone library. This is great, in that the rules engine is relatively non-application specific, and I assume that all of the policy based projects are planning to migrate over to using the policy library instead of the incubated version. Part of the pus

Re: [openstack-dev] [keystone][congress][group-policy] Fetching policy from a remote source

2015-03-16 Thread Adam Young
On 03/16/2015 01:45 PM, Doug Hellmann wrote: All of these are reasons we have so far resisted building a service to deploy updates to oslo.config's input files, and rely on provisioning tools to update them. Have we consider using normal provisioning tools for pushing out changes to policy files

Re: [openstack-dev] [keystone][congress][group-policy] Fetching policy from a remote source

2015-03-16 Thread Adam Young
ervices to ignore that. Probably a better, more scalable approach would be for an inheritance scheme, where by policy enforcement can inherit the core rules as well as rules specific to each project. Fodder for the next summit. More inline... On Mar 16, 2015, at 8:10 AM, Adam Young wrote: O

Re: [openstack-dev] [keystone][congress][group-policy] Fetching policy from a remote source

2015-03-16 Thread Adam Young
On 03/16/2015 03:24 PM, Doug Hellmann wrote: Excerpts from Adam Young's message of 2015-03-16 14:17:16 -0400: On 03/16/2015 01:45 PM, Doug Hellmann wrote: All of these are reasons we have so far resisted building a service to deploy updates to oslo.config's input files, and rely on provisioning

Re: [openstack-dev] [opnfv-tech-discuss] [Keystone][Multisite] Huge token size

2015-03-17 Thread Adam Young
On 03/17/2015 03:30 AM, David Chadwick wrote: Encryption per se does not decrease token size, the best it can do is keep the token size the same size. So using Fernet tokens will not on its own alter the token size. Fernet is striking a balance. It is encrypting a subset of the data. Not th

Re: [openstack-dev] [opnfv-tech-discuss] [Keystone][Multisite] Huge token size

2015-03-17 Thread Adam Young
On 03/17/2015 02:51 AM, joehuang wrote: It’s not reality to deploy KeyStone service ( including backend store ) in each site if the number, for example, is more than 10. The reason is that the stored data including data related to revocation need to be replicated to all sites in synchronizat

Re: [openstack-dev] [opnfv-tech-discuss] [Keystone][Multisite] Huge token size

2015-03-18 Thread Adam Young
alera like inbound cluster ware. Write it up as a full spec, and we will discuss at the summit. Best Regards Chaoyi Huang ( Joe Huang ) *From:*Adam Young [mailto:ayo...@redhat.com] *Sent:* Tuesday, March 17, 2015 10:00 PM *To:* openstack-dev@lists.openstack.org *Subject:* Re: [openstack-dev] [

[openstack-dev] Is yaml-devel still needed for Devstack

2015-03-27 Thread Adam Young
I recently got Devstack to run on RHEL. In doing so, I had to hack around the dependency on yaml-devel (I just removed it from devstack's required packages) There is no yaml-devel in EPEL or the main repos for RHEL7.1/Centos7. Any idea what the right approach is to this moving forward? Is th

Re: [openstack-dev] [tc] Request to adopt security as a project team

2015-04-02 Thread Adam Young
On 04/02/2015 11:56 AM, Clark, Robert Graham wrote: Technical Committee, Please consider this request to recognize the security team as an OpenStack project team. This is a milestone for the OpenStack Security Group and follows from our merging with the VMT. Over the last few years what started

Re: [openstack-dev] [Keystone] PTL Candidacy

2015-04-02 Thread Adam Young
On 04/02/2015 04:31 PM, Morgan Fainberg wrote: Hello Everyone! It’s been an exciting development cycle (Kilo) and it is now time to start looking forward at Liberty and what that will hold. With that said, I’d like to ask for the community’s support to continue as the Keystone PTL for the Li

Re: [openstack-dev] Problem about Juno Keystone Identity V3

2015-04-04 Thread Adam Young
On 04/03/2015 11:09 AM, Amy Zhang wrote: Hi guys, I have done switching Keystone Identity V2 to V3 in Icehouse and it works perfect. However, I use the same way to switch Keystone Identity V2 to V3 in Juno, it doesn't work. It give me the error: "ERROR: openstack Internal Server Error (HTTP 5

Re: [openstack-dev] [docs] [End User Guide] [Keystone] keyring support for python-keystoneclient and python-openstackclient

2015-04-10 Thread Adam Young
On 04/07/2015 09:44 AM, Brant Knudson wrote: On Tue, Apr 7, 2015 at 3:52 AM, Olena Logvinova mailto:ologvin...@mirantis.com>> wrote: Good day to everyone! My name is Olena, I am new in OpenStack (working as a tech writer). And I'm stuck on a bug https://launchpad.net/bugs/14

Re: [openstack-dev] [all] Introducing the Cloud Service Federation project (cross-project design summit proposal)

2015-04-15 Thread Adam Young
On 04/15/2015 04:23 PM, Geoff Arnold wrote: That’s the basic idea. Now, if you’re a reseller of cloud services, you deploy Horizon+Aggregator/Keystone behind your public endpoint, with your branding on Horizon. You then bind each of your Aggregator Regions to a Virtual Region from one of your

Re: [openstack-dev] [keystone] Changes to Spec Proposal Freeze and Feature Freeze dates for Keystone in Liberty

2015-04-20 Thread Adam Young
On 04/17/2015 11:31 PM, Morgan Fainberg wrote: As a quick update, for the Liberty cycle, keystone will be using the first milestone as our Spec Proposal Freeze (SPF), with Feature Proposal Freeze (API Impacting features must be code complete / ready for review / gating) at the second milestone

Re: [openstack-dev] Kerberization (and PKI-rization) of Horizon

2015-04-20 Thread Adam Young
On 04/19/2015 06:05 PM, Diogenes S. Jesus wrote: Hi man. I've seen your thread on OpenStack mailing list regarding using Kerberos on Horizon. I've been pulling my hair around this topic, however I'm trying to authen

Re: [openstack-dev] [oslo][policy][neutron] oslo.policy API is not powerful enough to switch Neutron to it

2015-04-20 Thread Adam Young
On 04/17/2015 08:45 AM, Ihar Hrachyshka wrote: Hi, tl;dr neutron has special semantics for policy targets that relies on private symbols from oslo.policy, and it's impossible to introduce this semantics into oslo.policy itself due to backwards compa

Re: [openstack-dev] [puppet] Moving forward with puppet-keystone CI (beaker tests)

2015-04-22 Thread Adam Young
On 04/22/2015 10:51 AM, Emilien Macchi wrote: Hi, Some important work is being done on Keystone v3 API support in puppet-keystone. We've clearly seen there is a lack of review and I think we all worry about breaking something. Spencer & I are working on beaker tests lately and the jobs are non-v

Re: [openstack-dev] [Heat] [Keystone] Heat cfn-push-stats failed with '403 SignatureDoesNotMatch', it may be Keystone problem.

2015-04-24 Thread Adam Young
On 08/24/2014 01:55 AM, Yukinori Sagara wrote: Can you please submit this patch to Gerrit. Taking it off the mailing list without a signed contributors agreement is problematic. Hi. I am trying Heat instance HA, using RDO Icehouse. After instance boot, instance push own stats to heat ala

Re: [openstack-dev] Please stop reviewing code while asking questions

2015-04-24 Thread Adam Young
On 04/24/2015 04:14 AM, Julien Danjou wrote: Hi there, This is now happening weekly to me now, probably because I write too many patches touching almost all OpenStack projects once a cycle, and I'm really tired of that behavior, so PLEASE: *Stop sending Code-Review-1 when asking a question i

Re: [openstack-dev] [puppet][operators] How to specify Keystone v3 credentials?

2015-05-05 Thread Adam Young
On 05/04/2015 10:37 PM, Rich Megginson wrote: I'm starting to think about some sort of credentials vault. You store credentials in it and you tell your resource to use that specific credentials. You then no longer need to pass around 6-7 variables/parameters. I'm sure Adam Young has

Re: [openstack-dev] [keystone] On dynamic policy, role hierarchies/groups/sets etc.

2015-05-05 Thread Adam Young
On 05/05/2015 07:05 AM, Henry Nash wrote: We’ve been discussing changes to these areas for a while - and although I think there is general agreement among the keystone cores that we need to change *something*, we’ve been struggling to get agreement on exactly how.. So to try and ground the dis

Re: [openstack-dev] [keystone] On dynamic policy, role hierarchies/groups/sets etc.

2015-05-07 Thread Adam Young
On 05/06/2015 06:54 PM, Hu, David J (Converged Cloud) wrote: david8hu> One of the first things we have to do is get all of our glossary straight :) I am starting to hear about “capability”. Are we talking about “rule” in oslo policy terms? Or “action” in nova policy terms? Or this is something

[openstack-dev] [Keystone] Upstream QA test plans

2015-05-07 Thread Adam Young
Yes, we have Tempest and unit tests and Functional tests. But still we need test plans. Keystone often plays a role deep in others' work flows. Often we have complicated features that span multiple services; WebSSO, Trusts and HEAT, EC2 Credentials... Before we can automate the tests, w

Re: [openstack-dev] Console issue in Kilo dashboard

2015-05-13 Thread Adam Young
On 05/12/2015 06:10 AM, sonali.pra...@accenture.com wrote: Hi Team, I have installed the Kilo version on Ubuntu 14.04, I got the dashboard. Able to launch an instance (but not with the tiny flavor), but not able to get console. Nova service-list are all up. Kindly help me to resolve this i

Re: [openstack-dev] [security] Security PTG Planning, x-project request for topics.

2018-01-29 Thread Adam Young
Bug 968696 and System Roles. Needs to be addressed across the Service catalog. On Mon, Jan 29, 2018 at 7:38 AM, Luke Hinds wrote: > Just a reminder as we have not had many uptakes yet.. > > Are there any projects (new and old) that would like to make use of the > security SIG for either gainin

[openstack-dev] [tripleo] Modifying just a few values on overcloud redeploy

2016-07-26 Thread Adam Young
I worked through how to do a complete clone of the templates to do a deploy and change a couple values here: http://adam.younglogic.com/2016/06/custom-overcloud-deploys/ However, all I want to do is to set two config options in Keystone. Is there a simple way to just modify the two values bel

Re: [openstack-dev] [tripleo] Modifying just a few values on overcloud redeploy

2016-07-27 Thread Adam Young
On 07/27/2016 06:04 AM, Steven Hardy wrote: On Tue, Jul 26, 2016 at 05:23:21PM -0400, Adam Young wrote: I worked through how to do a complete clone of the templates to do a deploy and change a couple values here: http://adam.younglogic.com/2016/06/custom-overcloud-deploys

Re: [openstack-dev] [Congress] Congress horizon plugin - congressclient/congress API auth issue - help

2016-07-29 Thread Adam Young
On 07/28/2016 10:05 PM, Tim Hinrichs wrote: I've never worked on the authentication details, so this may be off track, but that error message indicates the failure is happening inside Congress's oslo_policy. Error message shows up here as a Python exception class. https://github.com/openstac

[openstack-dev] [keystone][tripleo] Federation, mod_mellon, and HA Proxy

2016-08-05 Thread Adam Young
Today I discovered that we need to modify the HA proxy config to tell it to rewrite redirects. Otherwise, I get a link to http://openstack.ayoung-dell-t1700.test:5000/v3/mellon/postResponse Which should be https, not http. I mimicked the lines in the horizon config so that the keystone sect

Re: [openstack-dev] [keystone][tripleo] Federation, mod_mellon, and HA Proxy

2016-08-05 Thread Adam Young
On 08/05/2016 04:52 PM, Adam Young wrote: Today I discovered that we need to modify the HA proxy config to tell it to rewrite redirects. Otherwise, I get a link to http://openstack.ayoung-dell-t1700.test:5000/v3/mellon/postResponse Which should be https, not http. I mimicked the lines in

Re: [openstack-dev] [keystone][tripleo] Federation, mod_mellon, and HA Proxy

2016-08-05 Thread Adam Young
On 08/05/2016 04:54 PM, Adam Young wrote: On 08/05/2016 04:52 PM, Adam Young wrote: Today I discovered that we need to modify the HA proxy config to tell it to rewrite redirects. Otherwise, I get a link to http://openstack.ayoung-dell-t1700.test:5000/v3/mellon/postResponse Which should be

Re: [openstack-dev] [keystone][tripleo] Federation, mod_mellon, and HA Proxy

2016-08-05 Thread Adam Young
On 08/05/2016 06:40 PM, Fox, Kevin M wrote: *From:* Adam Young [ayo...@redhat.com] *Sent:* Friday, August 05, 2016 3:06 PM *To:* openstack-dev@lists.openstack.org *Subject:* Re: [openstack-dev] [keystone][tripleo

[openstack-dev] [tripleo] HA with only one node.

2016-08-06 Thread Adam Young
As I try to debug Federation problems, I am often finding I have to check three nodes to see where the actual request was processed. However, if I close down two of the controller nodes in Nova, the whole thing just fails. So, while that in itself is a problem, what I would like to be able to

Re: [openstack-dev] [tripleo] HA with only one node.

2016-08-06 Thread Adam Young
On 08/06/2016 03:20 PM, Dan Prince wrote: On Sat, 2016-08-06 at 13:21 -0400, Adam Young wrote: As I try to debug Federation problems, I am often finding I have to check three nodes to see where the actual request was processed. However, if I close down two of the controller nodes in Nova, the

Re: [openstack-dev] [keystone][tripleo] Federation, mod_mellon, and HA Proxy

2016-08-07 Thread Adam Young
On 08/06/2016 08:44 AM, John Dennis wrote: On 08/05/2016 06:06 PM, Adam Young wrote: Ah...just noticed the redirect is to :5000, not port :13000 which is the HA Proxy port. OK, this is due to the SAML request: https://identity.ayoung-dell-t1700.test/auth/realms/openstack/protocol/saml

[openstack-dev] [tripleo] Fernet Key rotation

2016-08-09 Thread Adam Young
The Fernet token format uses a symmetric key to sign tokens. In order to check the signature, these keys need to be synchronized across all of the Keystone servers. I don't want to pass around naked symmetric keys. The right way to do this is to put them into a PKCS 11 Envelope. Roughly, th

Re: [openstack-dev] [tripleo] Fernet Key rotation

2016-08-09 Thread Adam Young
On 08/09/2016 06:00 PM, Zane Bitter wrote: In either case a good mechanism might be to use a Heat Software Deployment via the Heat API directly (i.e. not as part of a stack) to push changes to the servers. (I say 'push' but it's more a case of making the data available for os-collect-config t

Re: [openstack-dev] [tripleo] Fernet Key rotation

2016-08-10 Thread Adam Young
On 08/09/2016 09:21 PM, Adam Young wrote: On 08/09/2016 06:00 PM, Zane Bitter wrote: In either case a good mechanism might be to use a Heat Software Deployment via the Heat API directly (i.e. not as part of a stack) to push changes to the servers. (I say 'push' but it's

Re: [openstack-dev] [tripleo] Fernet Key rotation

2016-08-10 Thread Adam Young
On 08/09/2016 05:11 PM, Adam Young wrote: The Fernet token format uses a symmetric key to sign tokens. In order to check the signature, these keys need to be synchronized across all of the Keystone servers. I don't want to pass around naked symmetric keys. The right way to do this

[openstack-dev] [Tripleo] Tripleo HA Federation Proof-of-Concept

2016-08-11 Thread Adam Young
http://adam.younglogic.com/2016/08/ooo-ha-fed-poc/ It is painful, sloppy, Mitaka based. Have at it, and let's make Federation a reality for Newton based deployments. Feedback eagerly sought. Thanks for all the people that helped get me through this. Won't list you all, as it would start t

Re: [openstack-dev] [nova][keystone] auth for new metadata plugins

2016-08-17 Thread Adam Young
On 08/15/2016 05:10 PM, Rob Crittenden wrote: Review https://review.openstack.org/#/c/317739/ added a new dynamic metadata handler to nova. The basic gist is that rather than serving metadata statically, it can be done dynamically, so that certain values aren't provided until they are needed, mo

[openstack-dev] [Cross-Project] [Cinder][Neutron][Cue]

2016-08-18 Thread Adam Young
These changes are necessary so policy files can include the check "is_admin_project:True" which allows us to Scope what is meant by "Admin" Use from_environ to load context Use to_policy_values for enforcing policy Use context from_environ to load contexts Use from_dict to load context p

Re: [openstack-dev] [nova][keystone] auth for new metadata plugins

2016-08-25 Thread Adam Young
On 08/22/2016 11:11 AM, Rob Crittenden wrote: Adam Young wrote: On 08/15/2016 05:10 PM, Rob Crittenden wrote: Review https://review.openstack.org/#/c/317739/ added a new dynamic metadata handler to nova. The basic gist is that rather than serving metadata statically, it can be done dynamically

Re: [openstack-dev] [nova][keystone] auth for new metadata plugins

2016-08-31 Thread Adam Young
is correct. Michael On Fri, Aug 26, 2016 at 12:46 PM, Adam Young <ayo...@redhat.com> wrote: On 08/22/2016 11:11 AM, Rob Crittenden wrote: Adam Young wrote: On 08/15/2016 05:10 PM, Rob Crittenden wrote: Review https://review.opens

Re: [openstack-dev] [nova][keystone] auth for new metadata plugins

2016-08-31 Thread Adam Young
g to be when the instance itself makes a metadata request). I think what you're saying though is that the middleware wont let any requests through if they have no auth details? Is that correct? Michael On Fri, Aug 26, 2016 at 12:46 PM, Adam You

Re: [openstack-dev] [keystone] new core reviewer (rderose)

2016-09-01 Thread Adam Young
On 09/01/2016 10:44 AM, Steve Martinelli wrote: I want to welcome Ron De Rose (rderose) to the Keystone core team. In a short time Ron has shown a very positive impact. Ron has contributed feature work for shadowing LDAP and federated users, as well as enhancing password support for SQL users.

Re: [openstack-dev] [nova][keystone] auth for new metadata plugins

2016-09-08 Thread Adam Young
On 09/01/2016 08:48 PM, Michael Still wrote: On Thu, Sep 1, 2016 at 11:58 AM, Adam Young <ayo...@redhat.com> wrote: On 08/31/2016 07:56 AM, Michael Still wrote: There is a quick sketch of what a service account might look like at https://review.openstack.org/#

Re: [openstack-dev] [Keystone] Weirdness around domain/project scope in role assignments

2018-03-09 Thread Adam Young
On Fri, Mar 9, 2018 at 2:42 AM, Adrian Turjak wrote: > Sooo to follow up from the discussion last night partly with Lance and > Adam, I'm still not exactly sure what difference, if any, there is > between a domain scoped role assignment, and a project scoped role > assignment. And... It appears s

[openstack-dev] Replacing Keystone Admin Accounts

2018-03-14 Thread Adam Young
As we attempt to close the gap on Bug 968696, we have to make sure we are headed forward in a path that won't get us stuck. It seems that many people use Admin-every accounts for many things that they are not really meant for. Such as performing Operations that should be scoped to a project, like
