Re: [openstack-dev] [all] OpenStack Bootstrapping Hour - Keystone - Friday Dec 5th 20:00 UTC (15:00 Americas/New_York)

2014-12-05 Thread Boris Bobrov
On Thursday 04 December 2014 19:08:06 Sean Dague wrote: Sorry for the late announce, too much turkey and pie This Friday, Dec 5th, we'll be talking with Steve Martinelli and David Stanek about Keystone Authentication in OpenStack. Wiki page says that the event will be Friday Dec 5th -

Re: [openstack-dev] Deprecation warnings considered harmful?

2015-03-12 Thread Boris Bobrov
On Thursday 12 March 2015 12:24:57 Duncan Thomas wrote: ubuntu@devstack-multiattach:~/devstack$ cinder-manage db sync /usr/local/lib/python2.7/dist-packages/oslo_db/_i18n.py:19: DeprecationWarning: The oslo namespace package is deprecated. Please use oslo_i18n instead. from oslo import i18n

Re: [openstack-dev] Deprecation warnings considered harmful?

2015-03-12 Thread Boris Bobrov
bugreports. Filing a bug is pretty easy ;) https://bugs.launchpad.net/oslo.db/+bug/1431268 On 12 March 2015 at 11:41, Boris Bobrov bbob...@mirantis.com wrote: On Thursday 12 March 2015 12:24:57 Duncan Thomas wrote: ubuntu@devstack-multiattach:~/devstack$ cinder-manage db sync /usr/local/lib

Re: [openstack-dev] [Fuel] Testing DB migrations

2015-03-06 Thread Boris Bobrov
tests and running them in in-memory sqlite was proven ineffective. The only solution we've come to is to run all db-related tests against real rdbmses. -- Best regards, Boris Bobrov __ OpenStack Development Mailing List

[openstack-dev] [stable] Freeze exception for Correct initialization order for logging to use eventlet locks

2015-03-11 Thread Boris Bobrov
in his cloud. There is no known workaround for the bug. -- Best regards, Boris Bobrov __ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe

[openstack-dev] [keystone][fernet] Fernet tokens sync

2015-03-27 Thread Boris Bobrov
too. -- Best regards, Boris Bobrov

Re: [openstack-dev] [keystone][fernet] Fernet tokens sync

2015-03-27 Thread Boris Bobrov
On Friday 27 March 2015 17:14:28 Boris Bobrov wrote: Hello, As you know, keystone introduced non-persistent tokens in kilo -- Fernet tokens. These tokens use Fernet keys, that are rotated from time to time. A great description of key rotation and replication can be found on [0] and [1

Re: [openstack-dev] [all][tc] SQL Schema Downgrades and Related Issues

2015-01-29 Thread Boris Bobrov
On Thursday 29 January 2015 22:06:25 Morgan Fainberg wrote: I’d like to propose we stop setting the expectation that a downwards migration is a “good idea” or even something we should really support. Offering upwards-only migrations would also simplify the migrations in general. This downward

Re: [openstack-dev] [all][tc] SQL Schema Downgrades and Related Issues

2015-01-30 Thread Boris Bobrov
On Friday 30 January 2015 01:01:00 Boris Bobrov wrote: On Thursday 29 January 2015 22:06:25 Morgan Fainberg wrote: I’d like to propose we stop setting the expectation that a downwards migration is a “good idea” or even something we should really support. Offering upwards-only migrations

[openstack-dev] [stable][keystone] FFE for Speed up memcache lock

2015-04-03 Thread Boris Bobrov
was already accepted in master branch. -- Best regards, Boris Bobrov

Re: [openstack-dev] [Keystone] SQLite support (migrations, work-arounds, and more), is it worth it?

2015-04-03 Thread Boris Bobrov
On Saturday 04 April 2015 03:55:59 Morgan Fainberg wrote: I am looking forward to the Liberty cycle and seeing the special casing we do for SQLite in our migrations (and elsewhere). My inclination is that we should (similar to the deprecation of eventlet) deprecate support for SQLite in

Re: [openstack-dev] [keystone]Why not common definition about normal HTTP status code like 2xx and 3xx?

2015-06-02 Thread Boris Bobrov
definitions? These are standard HTTP codes: http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html Description in exceptions is given because one error code can be used for several errors. Success codes always have one meaning. -- Best regards, Boris Bobrov

Re: [openstack-dev] [Keystone][Fernet] HA SQL backend for Fernet keys

2015-08-01 Thread Boris Bobrov
On Sat, Aug 1, 2015 at 3:41 PM, Clint Byrum cl...@fewbar.com wrote: This too is overly complex and will cause failures. If you replace key 0, you will stop validating tokens that were encrypted with the old key 0. No. Key 0 is replaced after rotation. Also, come on, does

Re: [openstack-dev] [Keystone][Fernet] HA SQL backend for Fernet keys

2015-08-01 Thread Boris Bobrov
On Saturday 01 August 2015 16:27:17 bdobre...@mirantis.com wrote: I suggest to use pacemaker multistate clone resource to rotate and rsync fernet tokens from local directories across cluster nodes. The resource prototype is described here

Re: [openstack-dev] [Keystone][Fernet] HA SQL backend for Fernet keys

2015-08-04 Thread Boris Bobrov
On Monday 03 August 2015 21:05:00 David Stanek wrote: On Sat, Aug 1, 2015 at 8:03 PM, Boris Bobrov bbob...@mirantis.com wrote: On Sat, Aug 1, 2015 at 3:41 PM, Clint Byrum cl...@fewbar.com wrote: This too is overly complex and will cause failures. If you replace key 0, you

Re: [openstack-dev] [Keystone][Fernet] HA SQL backend for Fernet keys

2015-08-04 Thread Boris Bobrov
On Tuesday 04 August 2015 08:06:21 Lance Bragstad wrote: On Tue, Aug 4, 2015 at 1:37 AM, Boris Bobrov bbob...@mirantis.com wrote: On Monday 03 August 2015 21:05:00 David Stanek wrote: On Sat, Aug 1, 2015 at 8:03 PM, Boris Bobrov bbob...@mirantis.com wrote: Also, come on, does http

Re: [openstack-dev] [fuel] FF Exception request for Fernet tokens support.

2015-07-27 Thread Boris Bobrov
-- Best regards, Boris Bobrov

Re: [openstack-dev] [keystone] LDAP identity driver with groups from local DB

2015-07-24 Thread Boris Bobrov
as an overlay. This would seem to solve the issue you outline? As far as I understand the issue is that corps want to have users in read-only LDAP and have an ability to create groups outside of LDAP, in SQL. Am I right? -- Best regards, Boris Bobrov

Re: [openstack-dev] [Keystone] [Horizon] Pagination support for Identity dashboard entities

2015-10-15 Thread Boris Bobrov
l > [2] http://developer.openstack.org/api-ref-identity-v3.html > [3] https://blueprints.launchpad.net/keystone/+spec/pagination -- Best regards, Boris Bobrov

Re: [openstack-dev] Apache2 vs uWSGI vs ...

2015-09-18 Thread Boris Bobrov
There are 2 dimensions this discussion should happen in: web server and application server. Now we use apache2 as web server and mod_wsgi as app server. I don't have a specific opinion on the app server (mod_wsgi vs uwsgi) and I don't really care. Regarding apache2 vs nginx. I don't see any

Re: [openstack-dev] [Openstack-operators] [keystone] Removing functionality that was deprecated in Kilo and upcoming deprecated functionality in Mitaka

2015-12-01 Thread Boris Bobrov
nd support mod_wsgi (which is tightly integrated with apache) as an app server. We can still require Apache and support uwsgi as an app server, without any changes to federation. -- Best regards, Boris Bobrov

Re: [openstack-dev] [Keystone]: Help needed with RBAC policies

2016-07-19 Thread Boris Bobrov
Hi, Try passing --os-identity-api-version=3 to `openstack`. Or set env variable OS_IDENTITY_API_VERSION=3. On 07/19/2016 09:56 PM, Nasim, Kam wrote: Hi folks, I have been trying to modify the default RBAC policies in keystone/policy.json however my policy changes don't seem to be

Re: [openstack-dev] [Keystone]: Help needed with RBAC policies

2016-07-19 Thread Boris Bobrov
Also, you might need to change OS_AUTH_URL to /v3/ or to unversioned. Policy works only with v3 api. In v2 you are either admin or user, and there are no policies or roles. On 07/19/2016 10:08 PM, Boris Bobrov wrote: Hi, Try passing --os-identity-api-version=3 to `openstack`. Or set env

Re: [openstack-dev] [kolla][keystone] is there chance the keystone cached the catalog and can not get the latest endpoints?

2016-06-29 Thread Boris Bobrov
On Wednesday 29 June 2016 15:53:15 Kairat Kushaev wrote: > Hi, > Looks like this bug is duplicate of > https://bugs.launchpad.net/oslo.cache/+bug/1590779 Looks like it. > HTH > > Best regards, > Kairat Kushaev > > On Wed, Jun 29, 2016 at 3:32 PM, Jeffrey Zhang > >

Re: [openstack-dev] Hierarchical quotas at the PTG?

2017-02-12 Thread Boris Bobrov
I would like to talk about it too. On 02/10/2017 11:56 PM, Matt Riedemann wrote: > Operators want hierarchical quotas [1]. Nova doesn't have them yet and > we've been hesitant to invest scarce developer resources in them since > we've heard that the implementation for hierarchical quotas in

Re: [openstack-dev] [All] IRC Mishaps

2017-02-09 Thread Boris Bobrov
Hi, This: http://eavesdrop.openstack.org/meetings/keystone/2017/keystone.2017-01-24-18.01.log.html#l-304 On 02/08/2017 11:36 PM, Kendall Nelson wrote: > Hello All! > > So I am sure we've all seen it: people writing terminal commands into our > project channels, misusing '/' commands, etc. But

Re: [openstack-dev] [OSC] Tenant Resource Cleanup

2016-09-07 Thread Boris Bobrov
Hello, I wonder if it would be worth integrating ospurge into openstackclient. Are there any osc sessions planned at the summit? On 09/07/2016 04:05 PM, John Davidge wrote: Hello, During the Mitaka cycle we merged a new feature into the python-neutronclient called ’neutron purge’. This

Re: [openstack-dev] [ptl] code churn and questionable changes

2016-09-21 Thread Boris Bobrov
Hello, in addition to this, please, PLEASE stop creating 'all project bugs'. i don't want to get emails on updates to projects unrelated to the ones i care about. also, it makes updating the bug impossible because it times out. i'm too lazy to search ML but this has been raised before, please

Re: [openstack-dev] [ptl] code churn and questionable changes

2016-09-22 Thread Boris Bobrov
/16, 7:35 AM, "Boris Bobrov" <bbob...@mirantis.com> wrote: Hello, > in addition to this, please, PLEASE stop creating 'all project bugs'. i > don't want to get emails on updates to projects unrelated to the ones i > care about. also, it makes updating t

Re: [openstack-dev] [Keystone] Project name DB length

2016-09-29 Thread Boris Bobrov
Hi, At any rate, would be great to know, and if there isn't a strong reason against it we can make project name 255 for some more flexibility. Plus although there is no true official standard, most projects in OpenStack seem to use 255 as the default for a lot of string fields. Weirdly enough,

Re: [openstack-dev] [keystone] Custom ProjectID upon creation

2016-12-05 Thread Boris Bobrov
Hi, On 12/05/2016 09:20 PM, Andrey Grebennikov wrote: > Hi keystoners, > I'd like to open the discussion about the little feature which I'm > trying to push forward for a while but I need some > feedbacks/opinions/concerns regarding this. > Here is the review I'm talking > about

Re: [openstack-dev] [keystone] Custom ProjectID upon creation

2016-12-05 Thread Boris Bobrov
On 12/06/2016 01:46 AM, Andrey Grebennikov wrote: > Hi, > > On 12/05/2016 09:20 PM, Andrey Grebennikov wrote: > > Hi keystoners, > > I'd like to open the discussion about the little feature which I'm > > trying to push forward for a while but I need some > >

Re: [openstack-dev] [keystone] Feedback for upcoming user survey questionnaire

2017-01-03 Thread Boris Bobrov
"What were you trying to accomplish with keystone but failed" "What functionality in keystone did you try to use but it wasn't good enough" "In your opinion, what in keystone requires most attention" with choices "federation", "performance", "policy", "backend support" and some other options. On

Re: [openstack-dev] [tc][appcat] The future of the App Catalog

2017-03-15 Thread Boris Bobrov
On 03/15/2017 10:06 PM, Jay Pipes wrote: > +Boris B > > On 03/15/2017 02:55 PM, Fox, Kevin M wrote: >> I think they are. If they are not, things will break if federation is >> used for sure. If you know that it is please let me know. I want to >> deploy federation at some point but was waiting

Re: [openstack-dev] [horizon] [keystone] [federated auth] [ocata] federated users with "admin" role not authorized for nova, cinder, neutron admin panels

2017-03-09 Thread Boris Bobrov
Hi, Please paste your mapping to paste.openstack.org On 03/09/2017 02:07 AM, Evan Bollig PhD wrote: > I am on Ocata with Shibboleth auth enabled. I noticed that Federated > users with the admin role no longer have authorization to use the > Admin** panels in Horizon related to Nova, Cinder and

Re: [openstack-dev] [horizon] [keystone] [federated auth] [ocata] federated users with "admin" role not authorized for nova, cinder, neutron admin panels

2017-03-21 Thread Boris Bobrov
-E >> -- >> Evan F. Bollig, PhD >> Scientific Computing Consultant, Application Developer | Scientific >> Computing Solutions (SCS) >> Minnesota Supercomputing Institute | msi.umn.edu >> University of Minnesota | umn.edu >> boll0...@umn.edu | 612-624-

Re: [openstack-dev] [horizon] [keystone] [federated auth] [ocata] federated users with "admin" role not authorized for nova, cinder, neutron admin panels

2017-03-21 Thread Boris Bobrov
-E >> -- >> Evan F. Bollig, PhD >> Scientific Computing Consultant, Application Developer | Scientific >> Computing Solutions (SCS) >> Minnesota Supercomputing Institute | msi.umn.edu >> University of Minnesota | umn.edu >> boll0...@umn.edu | 612-624-

Re: [openstack-dev] [keystone] Does the policy.json for trusts works?

2017-09-15 Thread Boris Bobrov
Hi, On 13.09.2017 18:54, Adrian Turjak wrote: > Hello Keystone devs! > > I've been playing with some policy changes and realised that the trust > policy rules were mostly blank. Which, based on how the policy logic > works means that any authed user can list trusts: >

Re: [openstack-dev] [keystone] multiple federated keystones with single Identity Provider

2017-12-07 Thread Boris Bobrov
Hi, > On 12/07/2017 12:27 PM, Colleen Murphy wrote: >> On Thu, Dec 7, 2017 at 5:37 PM, Pavlo Shchelokovskyy >> wrote: >>> Hi all, >>> >>> We have a following use case - several independent keystones (say KeyA and >>> KeyB), using fernet tokens and synchronized

Re: [openstack-dev] [keystone] keystone client service_catalog is None

2017-12-09 Thread Boris Bobrov
Hi, Have a look at how openstackclient does this. Read this code: https://github.com/openstack/python-openstackclient/blob/master/openstackclient/identity/v3/catalog.py#L43 and then this code: https://github.com/openstack/osc-lib/blob/master/osc_lib/clientmanager.py#L239 On 09.12.2017 04:15,

[openstack-dev] [keystone] Stepping down from Keystone core

2018-01-15 Thread Boris Bobrov
Hey! I don't work on Keystone as much as I used to any more, so i'm stepping down from core reviewers. Don't expect to get rid of me though. I still work on OpenStack-related stuff and i will annoy you all in #openstack-keystone and in other IRC channels.

Re: [openstack-dev] Help still needed at FOSDEM!

2018-01-24 Thread Boris Bobrov
Hi, What is expected from people at the booth? On 24.01.2018 15:55, Rich Bowen wrote: > We have a table at FOSDEM, and we desperately need people to sign up to > staff it. > > https://etherpad.openstack.org/p/fosdem-2018 > > If you have an hour free at FOSDEM, please join us. Ideally, we need