[openstack-dev] Keystone PTL Candidacy

2014-04-02 Thread Dolph Mathews
Hello, everyone! I'd like to keep my name in the hat as PTL for Keystone during the Juno release cycle. As I'm not looking to shake things up for Juno, I'm going to direct you to my Icehouse PTL candidacy email [1], and promise that I will continue to deliver on that philosophy in Juno.

Re: [openstack-dev] [All][Keystone] Deprecation of the v2 API

2014-04-02 Thread Dolph Mathews
On Tue, Apr 1, 2014 at 7:40 PM, Anne Gentle a...@openstack.org wrote: On Wed, Mar 26, 2014 at 5:30 AM, Thierry Carrez thie...@openstack.org wrote: Russell Bryant wrote: [...] First, it seems there isn't a common use of deprecated. To me, marking something deprecated means that the

Re: [openstack-dev] Operators Design Summit ideas for Atlanta

2014-04-02 Thread Dolph Mathews
On Mon, Mar 31, 2014 at 10:40 PM, Adam Young ayo...@redhat.com wrote: On 03/28/2014 03:01 AM, Tom Fifield wrote: Thanks to those projects that responded. I've proposed sessions in swift, ceilometer, tripleO and horizon. Keystone would also be interested in user feedback, of course.

Re: [openstack-dev] [All][Keystone] Deprecation of the v2 API

2014-04-02 Thread Dolph Mathews
On Wed, Apr 2, 2014 at 8:43 AM, Russell Bryant rbry...@redhat.com wrote: On 04/02/2014 09:20 AM, Dolph Mathews wrote: On Tue, Apr 1, 2014 at 7:40 PM, Anne Gentle a...@openstack.org wrote: On Wed, Mar 26, 2014 at 5:30 AM, Thierry Carrez thie

Re: [openstack-dev] [keystone] [oslo] Using oslo.cache in keystoneclient.middleware.auth_token

2014-03-31 Thread Dolph Mathews
dogpile.cache would be substantially lighter on the client-side as it only has a hard dependency on dogpile.core. It supports plenty of backends beyond memcached and we already use it in keystone quite heavily. http://dogpilecache.readthedocs.org/en/latest/ On Mon, Mar 31, 2014 at 11:35 AM,

Re: [openstack-dev] [keystone] [horizon] [nova]

2014-03-28 Thread Dolph Mathews
FWIW, that issue is tracked here: https://bugs.launchpad.net/keystone/+bug/967832 On Fri, Mar 28, 2014 at 1:02 PM, Ryan Hallisey rhall...@redhat.com wrote: Currently, when you delete a tenant that has 1 or more running instances, the tenant will be deleted without warning and the running

Re: [openstack-dev] [Ironic][Keystone] Move drivers credentials to Keystone

2014-03-25 Thread Dolph Mathews
On Tue, Mar 25, 2014 at 12:49 PM, Jay Pipes jaypi...@gmail.com wrote: On Tue, 2014-03-25 at 17:39 +, Miller, Mark M (EB SW Cloud - RD - Corvallis) wrote: Why not use Barbican? It stores credentials after encrypting them. No reason not to add a Barbican driver as well. If Keystone's

Re: [openstack-dev] [All][Keystone] Deprecation of the v2 API

2014-03-25 Thread Dolph Mathews
On Tue, Mar 25, 2014 at 5:50 PM, Russell Bryant rbry...@redhat.com wrote: We discussed the deprecation of the v2 keystone API in the cross-project meeting today [1]. This thread is to recap and bring that discussion to some consensus. The issue is that Keystone has marked the v2 API as

Re: [openstack-dev] [keystone] python-keystoneclient unit tests only if python-memcache is installed

2014-03-24 Thread Dolph Mathews
FWIW, I opened a bug [1] and proposed a fix [2]. [1]: https://bugs.launchpad.net/python-keystoneclient/+bug/1296794 [2]: https://review.openstack.org/#/c/82527/ On Fri, Mar 21, 2014 at 12:38 AM, Thomas Goirand z...@debian.org wrote: On 03/20/2014 11:48 PM, Dolph Mathews wrote: Yes, those

Re: [openstack-dev] [keystone] python-keystoneclient unit tests only if python-memcache is installed

2014-03-20 Thread Dolph Mathews
Yes, those tests are conditionally executed if https://pypi.python.org/pypi/python-memcached/ is installed and if so, memcached is assumed to be accessible on localhost. Unfortunately the test suite doesn't have a sanity check for that following assumption, so the test failures aren't particularly

Re: [openstack-dev] [Nova] Updates to Juno blueprint review process

2014-03-20 Thread Dolph Mathews
On Thu, Mar 20, 2014 at 10:49 AM, Russell Bryant rbry...@redhat.com wrote: We recently discussed the idea of using gerrit to review blueprint specifications [1]. There was a lot of support for the idea so we have proceeded with putting this together before the start of the Juno development

Re: [openstack-dev] [Heat] [Keystone] Where are the strings in the keystone API's defined?

2014-03-10 Thread Dolph Mathews
For posterity, I assume this thread is related to: http://lists.openstack.org/pipermail/openstack-dev/2014-February/028125.html Anyway, keystone itself has issued 36-char tenant ID's in the past (diablo, I believe, if not essex as well). Something like this: $ python -c import uuid; s =

Re: [openstack-dev] [all][keystone] Increase of USER_ID length maximum from 64 to 255

2014-03-03 Thread Dolph Mathews
On Mon, Mar 3, 2014 at 8:48 AM, Jay Pipes jaypi...@gmail.com wrote: On Sun, 2014-03-02 at 12:05 -0800, Morgan Fainberg wrote: Having done some work with MySQL (specifically around similar data sets) and discussing the changes with some former coworkers (MySQL experts) I am inclined to

Re: [openstack-dev] [keystone] Notification When Creating/Deleting a Tenant in openstack

2014-03-01 Thread Dolph Mathews
or get these notifications ? Regards, Nader. On Feb 20, 2014, at 9:06 AM, Dolph Mathews dolph.math...@gmail.com wrote: Yes, see: http://docs.openstack.org/developer/keystone/event_notifications.html On Thu, Feb 20, 2014 at 10:54 AM, Nader Lahouti nader.laho...@gmail.com

Re: [openstack-dev] [all][keystone] Increase of USER_ID length maximum from 64 to 255

2014-02-27 Thread Dolph Mathews
external facing requirements for storage of user and group IDs (above and beyond what is true today). Henry On 27 Feb 2014, at 03:46, Adam Young ayo...@redhat.com wrote: On 02/26/2014 08:25 AM, Dolph Mathews wrote: On Tue, Feb 25, 2014 at 2:38 PM, Jay Pipes jaypi...@gmail.com

Re: [openstack-dev] [all][keystone] Increase of USER_ID length maximum from 64 to 255

2014-02-26 Thread Dolph Mathews
On Wed, Feb 26, 2014 at 4:23 AM, Marco Fargetta marco.farge...@ct.infn.it wrote: Hi Morgan, On Tue, Feb 25, 2014 at 11:47:43AM -0800, Morgan Fainberg wrote: For purposes of supporting multiple backends for Identity (multiple LDAP, mix of LDAP and SQL, federation, etc) Keystone is planning

Re: [openstack-dev] [all][keystone] Increase of USER_ID length maximum from 64 to 255

2014-02-26 Thread Dolph Mathews
On Tue, Feb 25, 2014 at 2:38 PM, Jay Pipes jaypi...@gmail.com wrote: On Tue, 2014-02-25 at 11:47 -0800, Morgan Fainberg wrote: For purposes of supporting multiple backends for Identity (multiple LDAP, mix of LDAP and SQL, federation, etc) Keystone is planning to increase the maximum size

Re: [openstack-dev] [keystone] Notification When Creating/Deleting a Tenant in openstack

2014-02-20 Thread Dolph Mathews
Yes, see: http://docs.openstack.org/developer/keystone/event_notifications.html On Thu, Feb 20, 2014 at 10:54 AM, Nader Lahouti nader.laho...@gmail.com wrote: Hi All, I have a question regarding creating/deleting a tenant in openstack (using horizon or CLI). Is there any notification

Re: [openstack-dev] [keystone] SAML consumption Blueprints

2014-02-20 Thread Dolph Mathews
On Thu, Feb 20, 2014 at 4:18 AM, Marco Fargetta marco.farge...@ct.infn.it wrote: Dear all, I am interested to the integration of SAML with keystone and I am analysing the following blueprint and its implementation: https://blueprints.launchpad.net/keystone/+spec/saml-id

Re: [openstack-dev] Keystone working with V3

2014-02-19 Thread Dolph Mathews
On Wed, Feb 19, 2014 at 10:21 AM, Vinod Kumar Boppanna vinod.kumar.boppa...@cern.ch wrote: Dear All, I am doing some development in Nova and in this regard, i have to write a code where Nova requests some date through V3 API of keystone. But the keystoneclient is always falling back to V2

Re: [openstack-dev] Gerrit co-authors and ticket stealing

2014-02-19 Thread Dolph Mathews
On Wed, Feb 19, 2014 at 12:33 PM, Dan Prince dpri...@redhat.com wrote: Perhaps one of the lesser known Gerrit features is the ability to overwrite someone else's patchset/review with a new revision. This can be a handy thing for collaboration, or perhaps to make minor edits (spelling fixes for

Re: [openstack-dev] [Neutron]Do you think tanent_id should be verified

2014-02-19 Thread Dolph Mathews
:35 AM, Yongsheng Gong gong...@unitedstack.com wrote: It is not easy to enhance it. If we check the tenant_id on creation, if should we also to do some job when keystone delete tenant? On Mon, Feb 17, 2014 at 6:41 AM, Dolph Mathews dolph.math...@gmail.com wrote

Re: [openstack-dev] Sent the first batch of invitations to Atlanta's Summit

2014-02-19 Thread Dolph Mathews
I just noticed the subject of this email referred to the first batch of invitations -- are there going to be subsequent batches of invites? If so, who was not included in the first batch that will be in subsequent batches? On Tue, Jan 28, 2014 at 2:45 PM, Stefano Maffulli

Re: [openstack-dev] [keystone][all] Keystone V2 and V3 support in icehouse

2014-02-18 Thread Dolph Mathews
On Mon, Feb 10, 2014 at 5:23 PM, Frittoli, Andrea (Cloud Services) fritt...@hp.com wrote: Hi, I’m working on a tempest blueprint to make tempest able to run 100% on keystone v3 (or later versions) – the auth version to be used will be available via a configuration switch. The

Re: [openstack-dev] [keystone][all] Keystone V2 and V3 support in icehouse

2014-02-18 Thread Dolph Mathews
binding is targeted for icehouse or juno? Clients are tracked against the same release milestones of the services, so the integration can happen whenever someone wants to tackle it and we can release them when they're ready. andrea *From:* Dolph Mathews [mailto:dolph.math...@gmail.com

Re: [openstack-dev] [Neutron]Do you think tanent_id should be verified

2014-02-16 Thread Dolph Mathews
keystoneclient.middleware.auth_token passes a project ID (and name, for convenience) to the underlying application through the WSGI environment, and already ensures that this value can not be manipulated by the end user. Project ID's (redundantly) passed through other means, such as URLs, are up

Re: [openstack-dev] Interested in attracting new contributors?

2014-02-12 Thread Dolph Mathews
On Wed, Feb 12, 2014 at 8:30 AM, Julie Pichon jpic...@redhat.com wrote: I can definitely sympathise with the comment in Stefano's article that there are not enough easy tasks / simple issues for newcomers. There's a lot to learn already when you're starting out (git, gerrit, python,

Re: [openstack-dev] [keystone] Integrating with 3rd party DB

2014-02-07 Thread Dolph Mathews
Sent: Friday, 7 February, 2014 7:13:20 PM Subject: Re: [openstack-dev] [keystone] Integrating with 3rd party DB Jamie Lennox jamielen...@redhat.com writes: - Original Message - From: Noorul Islam K M noo...@noorul.com To: Dolph Mathews dolph.math...@gmail.com Cc

Re: [openstack-dev] [PTL] Designating required use upstream code

2014-02-06 Thread Dolph Mathews
On Wed, Feb 5, 2014 at 10:22 AM, Thierry Carrez thie...@openstack.org wrote: (This email is mostly directed to PTLs for programs that include one integrated project) The DefCore subcommittee from the OpenStack board of directors asked the Technical Committee yesterday about which code

Re: [openstack-dev] [keystone] Integrating with 3rd party DB

2014-02-06 Thread Dolph Mathews
On Thu, Feb 6, 2014 at 6:38 AM, Noorul Islam Kamal Malmiyoda noo...@noorul.com wrote: Hello stackers, We have a database with tables users, projects, roles, etc. Is there any reference implementation or best practices to make keystone use this DB instead of its own? What's the problem

Re: [openstack-dev] keystone-manage db_sync doesn't work if [database] connection points to IPv6 address

2014-02-02 Thread Dolph Mathews
Can you open a bug for this at https://bugs.launchpad.net/keystone ? Thanks! On Sun, Feb 2, 2014 at 9:15 AM, Martinx - ジェームズ thiagocmarti...@gmail.com wrote: Guys, I'm trying to install IceHouse-2 in a dual-stacked environment (Ubuntu 14.04) but, keystone-manage db_sync doesn't work if db

Re: [openstack-dev] [keystone][heat] Migration to keystone v3 API questions

2014-02-01 Thread Dolph Mathews
On Sat, Feb 1, 2014 at 12:33 PM, Anne Gentle a...@openstack.org wrote: On Thu, Jan 23, 2014 at 5:21 AM, Steven Hardy sha...@redhat.com wrote: Hi all, I've recently been working on migrating the heat internal interfaces to use the keystone v3 API exclusively[1]. This work has mostly

Re: [openstack-dev] Hierarchicical Multitenancy Discussion

2014-01-29 Thread Dolph Mathews
CC'd Adam Young Several of us were very much in favor of this around the Folsom release, but we settled on domains as a solution to the most immediate use case (isolation between flat collections of tenants, without impacting the rest of openstack). I don't think it has been discussed much in the

Re: [openstack-dev] extending keystone identity

2014-01-28 Thread Dolph Mathews
On Tue, Jan 28, 2014 at 12:54 PM, Simon Perfer simon.per...@hotmail.com wrote: Thanks again, Dolph. First, is there some good documentation on how to write a custom driver? I'm wondering specifically about how a keystone user-list is mapped to a specific function in

Re: [openstack-dev] extending keystone identity

2014-01-27 Thread Dolph Mathews
_check_password() is a private/internal API, so we make no guarantees about its stability. Instead, override the public authenticate() method with something like this: def authenticate(self, user_id, password, domain_scope=None): if user_id in SPECIAL_LIST_OF_USERS: #

Re: [openstack-dev] extending keystone identity

2014-01-27 Thread Dolph Mathews
From your original email, it sounds like you want to extend the existing LDAP identity driver implementation, rather than writing a custom driver from scratch, which is what you've written. The TemplatedCatalog driver sort of follows that pattern with the KVS catalog driver, although it's not a

Re: [openstack-dev] [All] Code proposal deadline for Icehouse

2014-01-26 Thread Dolph Mathews
On Thu, Jan 23, 2014 at 4:02 PM, Russell Bryant rbry...@redhat.com wrote: Greetings, Last cycle we had A feature proposal deadline across some projects. This was the date that code associated with blueprints had to be posted for review to make the release. This was in advance of the

Re: [openstack-dev] new keystone developer

2014-01-23 Thread Dolph Mathews
First of all, welcome! As Steve suggested, feel free to ask questions in #openstack-dev ... it seems there's almost always someone online with deep knowledge of keystone. On Wed, Jan 22, 2014 at 8:28 PM, Mario Adessi mario.ade...@live.com wrote: I'd like to begin contributing to the keystone

Re: [openstack-dev] [Keystone] bp proposal: quotas on users and projects per domain

2014-01-23 Thread Dolph Mathews
, Florent Flament -- *From: *Dolph Mathews dolph.math...@gmail.com *To: *OpenStack Development Mailing List (not for usage questions) openstack-dev@lists.openstack.org *Sent: *Thursday, January 23, 2014 3:09:51 PM *Subject: *Re: [openstack-dev] [Keystone] bp proposal

Re: [openstack-dev] [keystoneclient] old keystone-client package on pypi

2014-01-13 Thread Dolph Mathews
Ooh, I meant to get this done last week as I agree that keystoneclient needed to see a new release, but it totally slipped my mind. python-keystoneclient 0.4.2 is now available on pypi! https://pypi.python.org/pypi/python-keystoneclient/0.4.2 What's included in the milestone:

Re: [openstack-dev] Keystone Hashing MD5 to SHA256

2014-01-07 Thread Dolph Mathews
On Tue, Jan 7, 2014 at 11:01 AM, Adam Young ayo...@redhat.com wrote: On 01/06/2014 01:10 PM, Jeremy Stanley wrote: On 2014-01-06 10:19:39 -0500 (-0500), Adam Young wrote: If it were as easy as just replacing the hash algorithm, we would have done it a year + ago. I'm guessing you figured

[openstack-dev] [keystone] Changes to keystone-core!

2014-01-07 Thread Dolph Mathews
Hello everyone! We've been talking this for a long while, and we finally have a bunch of changes to make to keystone-core all at once. A few people have moved on, the project has grown a bit, and our review queue grows ever longer. As ayoung phrased it in today's keystone meeting, with entirely

[openstack-dev] Process for proposing patches attached to launchpad bugs?

2013-12-20 Thread Dolph Mathews
In the past, I've been able to get authors of bug fixes attached to Launchpad bugs to sign the CLA and submit the patch through gerrit... although, in one case it took quite a bit of time (and thankfully it wasn't a critical fix or anything). This scenario just came up again (example: [1]), so

Re: [openstack-dev] Incubation Request for Barbican

2013-12-19 Thread Dolph Mathews
On Thu, Dec 12, 2013 at 4:48 PM, Morgan Fainberg m...@metacloud.com wrote: On December 12, 2013 at 14:32:36, Dolph Mathews (dolph.math...@gmail.com) wrote: On Thu, Dec 12, 2013 at 2:58 PM, Adam Young ayo...@redhat.com wrote: On 12/04/2013 08:58 AM, Jarret Raim

Re: [openstack-dev] API spec for OS-NS-ROLES extension

2013-12-18 Thread Dolph Mathews
Services already own their own policy enforcement, and therefore own their own definitions of roles. A service deployment can already require roles that are prefixed by a specific string (compute-*), and can already map actual capabilities onto those roles ({compute-create: role:compute-manager}).

Re: [openstack-dev] [keystone] domain admin role query

2013-12-18 Thread Dolph Mathews
into the policy file. Henry On 12 Dec 2013, at 03:11, Paul Belanger paul.belan...@polybeacon.com wrote: On 13-12-11 11:18 AM, Lyle, David wrote: +1 on moving the domain admin role rules to the default policy.json -David Lyle From: Dolph Mathews [mailto:dolph.math...@gmail.com] Sent

Re: [openstack-dev] [keystone] domain admin role query

2013-12-12 Thread Dolph Mathews
On Thu, Dec 12, 2013 at 8:50 AM, Adam Young ayo...@redhat.com wrote: On 12/11/2013 10:11 PM, Paul Belanger wrote: On 13-12-11 11:18 AM, Lyle, David wrote: +1 on moving the domain admin role rules to the default policy.json -David Lyle From: Dolph Mathews [mailto:dolph.math...@gmail.com

Re: [openstack-dev] [Keystone] policy has no effect because of hard coded assert_admin?

2013-12-12 Thread Dolph Mathews
The policy file is protecting v3 API calls at the controller layer, but you're calling the v2 API. The policy decorators should be moved to the manager layer to protect both APIs equally... but we'd have to be very careful not to break deployments depending on the trivial assert_admin behavior

Re: [openstack-dev] How to best make User Experience a priority in every project

2013-12-12 Thread Dolph Mathews
On Wed, Dec 11, 2013 at 4:25 PM, Stefano Maffulli stef...@openstack.org wrote: On 12/06/2013 02:19 AM, Jaromir Coufal wrote: We are growing. At the moment we are 4 core members and others are coming in. But honestly, contributors are not coming to specific projects - they go to reach UX

Re: [openstack-dev] Incubation Request for Barbican

2013-12-12 Thread Dolph Mathews
On Thu, Dec 12, 2013 at 2:58 PM, Adam Young ayo...@redhat.com wrote: On 12/04/2013 08:58 AM, Jarret Raim wrote: While I am all for adding a new program, I think we should only add one if we rule out all existing programs as a home. With that in mind why not add this to the keystone

Re: [openstack-dev] [bugs] definition of triaged

2013-12-12 Thread Dolph Mathews
On Thu, Dec 12, 2013 at 3:46 PM, Robert Collins robe...@robertcollins.net wrote: Hi, I'm trying to overhaul the bug triage process for nova (initially) to make it much lighter and more effective. I'll be sending a more comprehensive mail shortly but one thing that has been giving me pause is

Re: [openstack-dev] [Keystone] policy has no effect because of hard coded assert_admin?

2013-12-12 Thread Dolph Mathews
gone, it would be a more interesting, more approachable discussion. Cheers, Morgan Fainberg On December 12, 2013 at 10:32:40, Dolph Mathews (dolph.math...@gmail.com) wrote: The policy file is protecting v3 API calls at the controller layer, but you're calling

Re: [openstack-dev] [keystone] domain admin role query

2013-12-11 Thread Dolph Mathews
On Tue, Dec 10, 2013 at 10:49 PM, Jamie Lennox jamielen...@redhat.com wrote: Using the default policies it will simply check for the admin role and not care about the domain that admin is limited to. This is partially a left over from the V2 api when there wasn't domains to worry about. A

Re: [openstack-dev] [keystone][heat] ec2tokens, v3 credentials and request signing

2013-12-10 Thread Dolph Mathews
On Mon, Dec 9, 2013 at 9:08 PM, Adam Young ayo...@redhat.com wrote: On 12/09/2013 05:34 PM, Steven Hardy wrote: Hi all, I have some queries about what the future of the ec2tokens API is for keystone, context as we're looking to move Heat from a horrible mixture of v2/v3 keystone to just

Re: [openstack-dev] [qa][keystone] Keystoneclient tests to tempest

2013-12-09 Thread Dolph Mathews
On Sun, Dec 8, 2013 at 5:20 PM, Monty Taylor mord...@inaugust.com wrote: Hi! Thanks - I've been wanting to kill this for a long time. Thanks for starting the discussion... On 12/08/2013 07:26 PM, Brant Knudson wrote: We'd like to get the keystoneclient tests out of keystone. They're

Re: [openstack-dev] [Keystoneclient] [Keystone] [Solum] Last released version of keystoneclient does not work with python33

2013-12-06 Thread Dolph Mathews
On Wed, Dec 4, 2013 at 7:48 PM, David Stanek dsta...@dstanek.com wrote: On Wed, Dec 4, 2013 at 6:44 PM, Adrian Otto adrian.o...@rackspace.com wrote: Jamie, Thanks for the guidance here. I am checking to see if any of our developers might take an interest in helping with the upstream work. At

Re: [openstack-dev] [Keystone][Marconi][Oslo] Discoverable home document for APIs (Was: Re: [Nova][Glance] Support of v1 and v2 glance APIs in Nova)

2013-12-06 Thread Dolph Mathews
On Mon, Nov 25, 2013 at 4:25 PM, Jamie Lennox jamielen...@redhat.com wrote: To most of your questions i don't know the answer as the format was in place before i started with the project. I know that it is similar (though not exactly the same) as nova's but not where they are documented (as

Re: [openstack-dev] Multidomain User Ids

2013-12-04 Thread Dolph Mathews
On Sun, Nov 24, 2013 at 9:39 PM, Adam Young ayo...@redhat.com wrote: The #1 pain point I hear from people in the field is that they need to consume read only LDAP but have service users in something Keystone specific. We are close to having this, but we have not closed the loop. This was

Re: [openstack-dev] [keystone][py3] Usage of httpretty

2013-12-04 Thread Dolph Mathews
. --Morgan On Wed, Nov 20, 2013 at 2:08 PM, Dolph Mathews dolph.math...@gmail.com wrote: I don't have a great answer -- do any projects depend on it other than python-keystoneclient? I'm happy to see it removed -- I see the immediate benefit but it's obviously

Re: [openstack-dev] Tool for detecting commonly misspelled words

2013-12-03 Thread Dolph Mathews
On Tue, Dec 3, 2013 at 12:46 PM, John Griffith john.griff...@solidfire.com wrote: On Tue, Dec 3, 2013 at 11:38 AM, Russell Bryant rbry...@redhat.com wrote: On 12/03/2013 09:22 AM, Joe Gordon wrote: Hi all, Recently I have seen a few patches fixing a few typos. I would like to point

Re: [openstack-dev] [openstack-tc] Incubation Request for Barbican

2013-12-02 Thread Dolph Mathews
On Mon, Dec 2, 2013 at 11:55 AM, Russell Bryant rbry...@redhat.com wrote: On 12/02/2013 12:46 PM, Monty Taylor wrote: On 12/02/2013 11:53 AM, Russell Bryant wrote: * Scope ** Project must have a clear and defined scope This is missing ** Project should not inadvertently

Re: [openstack-dev] tenant or project

2013-11-27 Thread Dolph Mathews
On Wed, Nov 27, 2013 at 8:12 AM, Steven Hardy sha...@redhat.com wrote: On Tue, Nov 26, 2013 at 10:17:56PM +1030, Christopher Yeoh wrote: On Mon, Nov 25, 2013 at 7:50 PM, Flavio Percoco fla...@redhat.com wrote: On 24/11/13 12:47 -0500, Doug Hellmann wrote: On Sun, Nov 24, 2013 at

Re: [openstack-dev] [all project] Treating recently seen recheck bugs as critical across the board

2013-11-26 Thread Dolph Mathews
On Tue, Nov 26, 2013 at 5:23 AM, Thierry Carrez thie...@openstack.org wrote: Dolph Mathews wrote: On Mon, Nov 25, 2013 at 8:12 PM, Robert Collins robe...@robertcollins.net wrote: So my proposal is that we make it part of the base hygiene

Re: [openstack-dev] [Keystone][Marconi][Oslo] Discoverable home document for APIs (Was: Re: [Nova][Glance] Support of v1 and v2 glance APIs in Nova)

2013-11-26 Thread Dolph Mathews
On Tue, Nov 26, 2013 at 2:47 AM, Flavio Percoco fla...@redhat.com wrote: On 25/11/13 16:50 -0600, Dolph Mathews wrote: On Mon, Nov 25, 2013 at 2:41 AM, Flavio Percoco fla...@redhat.com wrote: On 25/11/13 09:28 +1000, Jamie Lennox wrote: So the way we have this in keystone

Re: [openstack-dev] [Keystone][Marconi][Oslo] Discoverable home document for APIs (Was: Re: [Nova][Glance] Support of v1 and v2 glance APIs in Nova)

2013-11-25 Thread Dolph Mathews
On Mon, Nov 25, 2013 at 2:41 AM, Flavio Percoco fla...@redhat.com wrote: On 25/11/13 09:28 +1000, Jamie Lennox wrote: So the way we have this in keystone at least is that querying GET / will return all available API versions and querying /v2.0 for example is a similar result with just the v2

Re: [openstack-dev] [all project] Treating recently seen recheck bugs as critical across the board

2013-11-25 Thread Dolph Mathews
On Mon, Nov 25, 2013 at 8:12 PM, Robert Collins robe...@robertcollins.net wrote: This has been mentioned in other threads, but I thought I'd call it out and make it an explicit topic. We have over 100 recheck bugs open on http://status.openstack.org/rechecks/ - there is quite a bit of

Re: [openstack-dev] tenant or project

2013-11-23 Thread Dolph Mathews
+1 for using the term project across all services. Projects provide multi-tenant isolation for resources across the cloud. Part of the reason we prefer projects in keystone is that domains conceptually provide multi-tenant isolation within keystone itself, so the overloaded tenant terminology gets

Re: [openstack-dev] tenant or project

2013-11-23 Thread Dolph Mathews
On Sat, Nov 23, 2013 at 2:27 PM, Caitlin Bestler caitlin.best...@nexenta.com wrote: On November 23, 2013 4:09:49 AM Christopher Yeoh cbky...@gmail.com wrote: Hi, So in the past we've used both tenant and project to refer to the same thing and I think it's been a source of confusion for

Re: [openstack-dev] How to stage client major releases in Gerrit?

2013-11-22 Thread Dolph Mathews
On Fri, Nov 22, 2013 at 3:31 AM, Thierry Carrez thie...@openstack.org wrote: Robert Collins wrote: I don't understand why branches would be needed here *if* the breaking changes don't impact any supported release of OpenStack. Right -- the trick is what does supported mean in that case.

Re: [openstack-dev] How to best make User Experience a priority in every project

2013-11-20 Thread Dolph Mathews
On Wed, Nov 20, 2013 at 9:09 AM, Thierry Carrez thie...@openstack.org wrote: Hi everyone, How should we proceed to make sure UX (user experience) is properly taken into account into OpenStack development ? Historically it was hard for UX sessions (especially the ones that affect multiple

Re: [openstack-dev] [Climate] How we agree to determine that an user has admin rights ?

2013-11-20 Thread Dolph Mathews
On Wed, Nov 20, 2013 at 10:24 AM, Yuriy Taraday yorik@gmail.com wrote: On Wed, Nov 20, 2013 at 3:21 PM, Sylvain Bauza sylvain.ba...@bull.net wrote: Yes indeed, that's something coming into my mind. Looking at Nova, I found a context_is_admin policy in policy.json allowing you to say which

Re: [openstack-dev] [Climate] How we agree to determine that an user has admin rights ?

2013-11-20 Thread Dolph Mathews
On Wed, Nov 20, 2013 at 10:52 AM, Yuriy Taraday yorik@gmail.com wrote: Hello, Dolph. On Wed, Nov 20, 2013 at 8:42 PM, Dolph Mathews dolph.math...@gmail.com wrote: On Wed, Nov 20, 2013 at 10:24 AM, Yuriy Taraday yorik@gmail.com wrote: context.is_admin should not be checked directly

Re: [openstack-dev] [keystone][py3] Usage of httpretty

2013-11-20 Thread Dolph Mathews
I don't have a great answer -- do any projects depend on it other than python-keystoneclient? I'm happy to see it removed -- I see the immediate benefit but it's obviously not significant relative to python 3 support. BTW, this exact issue is being tracked here-

Re: [openstack-dev] Search Project - summit follow up

2013-11-20 Thread Dolph Mathews
On Wed, Nov 20, 2013 at 1:06 PM, Dmitri Zimin(e) | StackStorm d...@stackstorm.com wrote: Thanks Terry for highlighting this: Yes, tenant isolation is the must. It's not reflected in the prototype - it queries Solr directly; but the proper implementation will go through the query API

Re: [openstack-dev] Propose project story wiki idea

2013-11-20 Thread Dolph Mathews
Hmm, I was sort of thinking along the same lines after writing my post-summit summary for keystone: https://gist.github.com/dolph/7366031 Granted this is the first time I've written such a document, I could see this evolving into a regularly updated document on the long term direction that

Re: [openstack-dev] [nova][heat][[keystone] RFC: introducing request identification

2013-11-19 Thread Dolph Mathews
Related BP: Create a unified request identifier https://blueprints.launchpad.net/nova/+spec/cross-service-request-id On Tue, Nov 19, 2013 at 5:04 AM, haruka tanizawa harube...@gmail.com wrote: Hi stackers!! I'd like to ask for your opinions about my idea of identifying request.

Re: [openstack-dev] [Keystone] Blob in keystone v3 certificate API

2013-11-15 Thread Dolph Mathews
It sounds like you're looking for barbican :) https://github.com/stackforge/barbican On Thu, Nov 14, 2013 at 8:55 PM, Nachi Ueno na...@ntti3.com wrote: Hi Keystone guys I'm going to use keystone credentials API to store SSL-VPN certificate. However I have a concern about blob attribute.

Re: [openstack-dev] [style] () vs \ continuations

2013-11-14 Thread Dolph Mathews
On Wed, Nov 13, 2013 at 6:46 PM, Robert Collins robe...@robertcollins.net wrote: Hi so - in http://docs.openstack.org/developer/hacking/ it has as bullet point 4: Long lines should be wrapped in parentheses in preference to using a backslash for line continuation. I'm seeing in some reviews

Re: [openstack-dev] Using AD for keystone authentication only

2013-11-14 Thread Dolph Mathews
so in this case how does the Active Directory user gets a id , and how do you map the user to a role? Is there any example you can point me to? On Wed, Nov 13, 2013 at 11:24 AM, Dolph Mathews dolph.math...@gmail.com wrote: Yes, that's the preferred approach in Havana: Users and Groups via

Re: [openstack-dev] [heat][keystone] APIs, roles, request scope and admin-ness

2013-11-14 Thread Dolph Mathews
On Sat, Nov 2, 2013 at 11:06 AM, Steven Hardy sha...@redhat.com wrote: Hi all, Looking to start a wider discussion, prompted by: https://review.openstack.org/#/c/54651/ https://blueprints.launchpad.net/heat/+spec/management-api https://etherpad.openstack.org/p/heat-management-api Summary

Re: [openstack-dev] sqlalchemy-migrate needs a new release

2013-11-14 Thread Dolph Mathews
On Thu, Nov 14, 2013 at 2:55 PM, Matt Riedemann mrie...@linux.vnet.ibm.com wrote: On 11/14/2013 2:43 PM, David Ripton wrote: On 11/11/2013 03:35 PM, David Ripton wrote: I'll volunteer to do this release. I'll wait 24 hours from the timestamp of this email for input first. So, if anyone

Re: [openstack-dev] [heat][keystone] APIs, roles, request scope and admin-ness

2013-11-14 Thread Dolph Mathews
On Thu, Nov 14, 2013 at 11:43 AM, Steven Hardy sha...@redhat.com wrote: On Thu, Nov 14, 2013 at 10:20:02AM -0600, Dolph Mathews wrote: On Sat, Nov 2, 2013 at 11:06 AM, Steven Hardy sha...@redhat.com wrote: Hi all, Looking to start a wider discussion, prompted by: https

Re: [openstack-dev] sqlalchemy-migrate needs a new release

2013-11-14 Thread Dolph Mathews
On Thursday, November 14, 2013, David Ripton wrote: On 11/14/2013 03:55 PM, Matt Riedemann wrote: On 11/14/2013 2:43 PM, David Ripton wrote: On 11/11/2013 03:35 PM, David Ripton wrote: I'll volunteer to do this release. I'll wait 24 hours from the timestamp of this email for input

[openstack-dev] [keystone] design summit outcomes

2013-11-13 Thread Dolph Mathews
I guarantee there's a few things I'm forgetting, but this is my collection of things we discussed at the summit and determined to be good things to pursue during the icehouse timeframe. The contents represent a high level mix of etherpad conclusions and hallway meetings.

Re: [openstack-dev] [ALL] Removing generate_uuid() from uuidutils

2013-11-13 Thread Dolph Mathews
On Wed, Nov 13, 2013 at 9:47 AM, John Griffith john.griff...@solidfire.com wrote: On Wed, Nov 13, 2013 at 7:21 AM, Andrew Laski andrew.la...@rackspace.com wrote: On 11/13/13 at 05:48am, Gary Kotton wrote: I recall a few cycles ago having str(uuid.uuid4()) replaced by generate_uuid().

Re: [openstack-dev] [keystone] design summit outcomes

2013-11-13 Thread Dolph Mathews
UserID: id of user this attribute is assigned to AttributeID: id of attribute from above table Value: the value of the assigned attribute you don't need to change the existing APIs and procedure calls, as they can be re-written to access the new tables. regards David On 13/11/2013 16:04, Dolph

Re: [openstack-dev] [PTL] Proposed Icehouse release schedule

2013-11-13 Thread Dolph Mathews
On Wed, Nov 13, 2013 at 7:58 AM, Russell Bryant rbry...@redhat.com wrote: On 11/13/2013 08:15 AM, Thierry Carrez wrote: Two options are possible for that off week: * Week of April 21 - this one is just after release, and some people still have a lot to do during that week. On the plus

Re: [openstack-dev] Using AD for keystone authentication only

2013-11-13 Thread Dolph Mathews
Yes, that's the preferred approach in Havana: Users and Groups via LDAP, and everything else via SQL. On Wednesday, November 13, 2013, Avi L wrote: Hi, I understand that the LDAP provider in keystone can be used for authenticating a user (i.e. validate username and password), and it also

Re: [openstack-dev] Horizon PTL candidacy

2013-11-10 Thread Dolph Mathews
On Fri, Nov 8, 2013 at 2:38 AM, Matthias Runge mru...@redhat.com wrote: Those are my primary targets I'd like to see addressed in Horizon during the cycle. Another thing I'd like to see addressed is the lack of listening to a notification service. That's probably an integration point with

Re: [openstack-dev] RFC: reverse the default Gerrit sort order

2013-11-10 Thread Dolph Mathews
On Sun, Nov 10, 2013 at 3:06 PM, Monty Taylor mord...@inaugust.com wrote: https://review.openstack.org/#/mine/important/ Shows me old changes at the top of the reviewable section. Do you use that view at all? That shows me all my own reviews merged abandoned first, which are just noise

Re: [openstack-dev] [horizon] User registrations

2013-11-10 Thread Dolph Mathews
So, there's a bunch of use case questions here where I suspect there are no correct answers (so preferences will vary per deployment). The first ones that come to mind- Are the users accessing this web form trusted or untrusted? Do they need to be verified, somehow? Are they going to be billed

Re: [openstack-dev] [horizon / keystone] Marker could not be found?

2013-10-31 Thread Dolph Mathews
On Thu, Oct 31, 2013 at 8:38 AM, Sebastian Porombka porom...@uni-paderborn.de wrote: Hello Folks. I have a problem after grizzly-havana migration where I’m unable to rescue myself. When I open the Admin - Resource-Usage View I get no results – only a red error box with the message

Re: [openstack-dev] distibuted caching system in front of mysql server for openstack transactions

2013-10-31 Thread Dolph Mathews
On Mon, Oct 28, 2013 at 5:46 PM, Qing He qing...@radisys.com wrote: In my hard drive-less use case, I need an in-core-db/cache that can be in the same db cluster with real db (with hard drive) with the same sql api so that the current openstack code does not need to be changed, instead, just a

Re: [openstack-dev] Keystone Concurrency Races in SQL Assignment Backend

2013-10-30 Thread Dolph Mathews
On Wed, Oct 30, 2013 at 5:08 PM, Peter Feiner pe...@gridcentric.ca wrote: Hi Brant, In addition to the race you've fixed in https://review.openstack.org/#/c/50767/, it looks like there are quite a few more races in the SQL backend of keystone.assignment. I filed a bug to this effect:

Re: [openstack-dev] RFC: Filtering boring commit subjects from ChangeLog

2013-10-28 Thread Dolph Mathews
On Mon, Oct 28, 2013 at 3:18 AM, Mark McLoughlin mar...@redhat.com wrote: On Sun, 2013-10-27 at 21:50 -0400, Monty Taylor wrote: Hey all! We're adding a little bit of code to pbr to make the auto-generated ChangeLog files a bit more useful. Currently, they are just the git changelog,

Re: [openstack-dev] distibuted caching system in front of mysql server for openstack transactions

2013-10-28 Thread Dolph Mathews
It's not specific to mysql (or sql at all), but keystone is using dogpile.cache around driver calls to a similar effect. http://dogpilecache.readthedocs.org/en/latest/ It can persist to memcache, redis, etc. https://github.com/openstack/keystone/blob/master/keystone/common/cache/core.py On

Re: [openstack-dev] Remove vim modelines?

2013-10-25 Thread Dolph Mathews
On Thu, Oct 24, 2013 at 1:48 PM, Robert Collins robe...@robertcollins.net wrote: *) They help casual contributors *more* than long time core contributors : and those are the folk that are most likely to give up and walk away. Keeping barriers to entry low is an important part of making

Re: [openstack-dev] Remove vim modelines?

2013-10-25 Thread Dolph Mathews
On Fri, Oct 25, 2013 at 2:43 PM, Robert Collins robe...@robertcollins.net wrote: On 26 October 2013 08:40, Dolph Mathews dolph.math...@gmail.com wrote: On Thu, Oct 24, 2013 at 1:48 PM, Robert Collins robe...@robertcollins.net wrote: *) They help casual contributors *more* than long

Re: [openstack-dev] [keystone] updating password user_crud vs credentials

2013-10-23 Thread Dolph Mathews
On Wed, Oct 23, 2013 at 8:14 AM, Chmouel Boudjnah chmo...@enovance.com wrote: Hello, If I understand correctly (and I may be wrong) we are moving away from user_crud to use /credentials for updating password including ec2. The credentials facility was implemented in this blueprint :

Re: [openstack-dev] RFC - Icehouse logging harmonization

2013-10-23 Thread Dolph Mathews
On Wed, Oct 23, 2013 at 1:20 PM, Sean Dague s...@dague.net wrote: One of the efforts that we're working on from the QA team is tooling that ensures we aren't stack tracing into our test logs during normal tempest runs. Random stack traces are scary to cloud admins consuming OpenStack logs,
