Re: [openstack-dev] Introduction: Rich Megginson - Designate project

On 01/15/2014 08:24 PM, Rich Megginson wrote: Hello. My name is Rich Megginson. I am a Red Hat employee interested in working on Designate (DNSaaS), primarily in the areas of integration with IPA DNS, DNSSEC, and authentication (Keystone). I've signed up for the

Re: [openstack-dev] a common client library

Keeping them separate is awesome for *us* but really, really, really sucks for users trying to use the system. I agree. Keeping them separate trades user usability for developer usability, I think user usability is a better thing to strive for. I don't understand how multiple independent

Re: [openstack-dev] [Neutron] Representing PEM Format file as string

On 01/26/2014 05:36 PM, rajesh_moh...@dell.com wrote: I am working on SSL VPN BP. CA certificate is one of the resources. We decided to use PEM formatted certificates. It is multi-line string 1 -BEGIN CERTIFICATE- 2

Re: [openstack-dev] Hierarchicical Multitenancy Discussion

On 02/19/2014 08:58 PM, Adam Young wrote: Can you give more detail here? I can see arguments for both ways of doing this but continuing to use ids for ownership is an easier choice. Here is my thinking: 1. all of the projects use ids for ownership currently so it is a smaller change That

Re: [openstack-dev] [nova] 'if foo' vs 'if foo is not None'

On 03/03/2014 10:00 AM, Matthew Booth wrote: PEP 8, under 'Programming Recommendations' recommends against implicit comparison to None. This isn't just stylistic, either: we were actually bitten by it in the VMware driver (https://bugs.launchpad.net/nova/+bug/1262288). The bug was hard to

[openstack-dev] testr help

I've read the following documents as well as the doc for subunit and testtools but I'm still missing some big picture usage. https://wiki.openstack.org/wiki/Testr https://testrepository.readthedocs.org/en/latest/index.html The biggest problem seems to be whenever tests are listed I get thousands

Re: [openstack-dev] testr help

On 03/07/2014 04:33 PM, Steve Kowalik wrote: On 07/03/14 12:56, John Dennis wrote: Question: How do you list just the failing tests? I don't want to see the contents of the logging data stored under the pythonlogging: key. Ideally I'd like to see the name of the test, what the failure

Re: [openstack-dev] testr help

On 03/10/2014 02:31 PM, Zane Bitter wrote: Fewer logs is hardly ever what you want when debugging a unit test. I think what John is looking for is a report at the end of each test run that just lists the tests that failed instead of all the details (like `testr failing --list`), or perhaps

Re: [openstack-dev] [keystone] 5 unicode unit test failures when building Debian package

On 03/13/2014 12:31 AM, Thomas Goirand wrote: Hi, Since Havana, I've been ignoring the 5 unit test failures that I always get. Though I think it'd be nice to have them fixed. The log file is available over here: https://icehouse.dev-debian.pkgs.enovance.com/job/keystone/59/console Does

[openstack-dev] Multiple patches in one review

When a change is complex good practice is to break the change into a series of smaller individual patches that show the individual incremental steps needed to get to the final goal. When partitioned into small steps each change is easier to review and hopefully illustrates the progression. In

Re: [openstack-dev] Sprint at Pycon: Port OpenStack to Python 3

On 04/01/2014 04:40 AM, victor stinner wrote: Hi, I will organize a sprint to Port OpenStack to Python 3 during 4 days at Montreal (Canada) during Pycon Montreal 2014, between April, 14 (Monday) and April, 17 (Thursday). The goal of the sprint is to port OpenStack components and OpenStack

Re: [openstack-dev] Sprint at Pycon: Port OpenStack to Python 3

On 04/01/2014 04:40 AM, victor stinner wrote: Hi, I will organize a sprint to Port OpenStack to Python 3 during 4 days at Montreal (Canada) during Pycon Montreal 2014, between April, 14 (Monday) and April, 17 (Thursday). The goal of the sprint is to port OpenStack components and OpenStack

Re: [openstack-dev] Sprint at Pycon: Port OpenStack to Python 3

On 04/01/2014 09:44 AM, John Dennis wrote: FWIW projects that deal with web services, wire protocols, external datastores, etc. who have already started porting to Py3 have encountered significant pain points with Py3, some of which is just being resolved and which have caused on-going changes

Re: [openstack-dev] Sprint at Pycon: Port OpenStack to Python 3

On 04/01/2014 12:15 PM, Victor Stinner wrote: Hi, Le mardi 1 avril 2014, 09:11:52 John Dennis a écrit : What are the plans for python-ldap? Only a small part of python-ldap is pure python, are you also planning on tackling the CPython code? Oh, python-ldap was just an example, I don't

Re: [openstack-dev] Sprint at Pycon: Port OpenStack to Python 3

On 04/01/2014 12:28 PM, Victor Stinner wrote: Le mardi 1 avril 2014, 09:44:11 John Dennis a écrit : The goal of the sprint is to port OpenStack components and OpenStack dependencies to Python 3, This is a great goal, thank you! But I'm concerned it might be premature. The portage

Re: [openstack-dev] Sprint at Pycon: Port OpenStack to Python 3

On 04/01/2014 02:08 PM, John Dennis wrote: My concern is this. The singled biggest change in Py2 - Py3 is string handling, especially with regards to str vs. unicode. We have a significant number of bugs in the current code base with regards to encoding exceptions, I just got done fixing

Re: [openstack-dev] [oslo] i18n Message improvements

On 10/17/2013 12:22 PM, Luis A. Garcia wrote: On 10/16/2013 1:11 PM, Doug Hellmann wrote: [snip] Option 3 is closer to the new plan for Icehouse, which is to have _() return a Message, allow Message to work in a few contexts like a string (so that, for example, log calls and exceptions can

Re: [openstack-dev] [oslo] i18n Message improvements

On 10/18/2013 12:57 PM, Doug Hellmann wrote: On Thu, Oct 17, 2013 at 2:24 PM, John Dennis jden...@redhat.com mailto:jden...@redhat.com wrote: On 10/17/2013 12:22 PM, Luis A. Garcia wrote: On 10/16/2013 1:11 PM, Doug Hellmann wrote: [snip] Option 3 is closer

Re: [openstack-dev] Remove vim modelines?

On 10/25/2013 03:43 PM, Robert Collins wrote: On 26 October 2013 08:40, Dolph Mathews dolph.math...@gmail.com wrote: On Thu, Oct 24, 2013 at 1:48 PM, Robert Collins robe...@robertcollins.net wrote: *) They help casual contributors *more* than long time core contributors : and those are the

Re: [openstack-dev] Re : welcoming new committers (was Re: When is it okay for submitters to say 'I don't want to add tests' ?)

On 10/31/2013 10:36 PM, Jeremy Stanley wrote: As has been said many times already, OpenStack does not lack developers... it lacks reviewers. In regards to reviews in general and in particular for welcoming new committers I think we need to be careful about reviewers NAK'ing a submission for

Re: [openstack-dev] [Neutron][LBaaS] subjAltName and CN extraction from x509 certificates

On 06/27/2014 12:21 AM, Carlos Garza wrote: I don't know where we can check in experimental code so I have a demonstration of how to extract CNs subjAltNames or what ever we want from x509 certificates. Later on I plan to use the OpenSSL libraries to verify certs coming from barbican

Re: [openstack-dev] [barbican] Nominating Ade Lee for barbican-core

On 07/10/2014 12:55 PM, Douglas Mendizabal wrote: Hi Everyone, I would like to nominate Ade Lee for the barbican-core team. I'm not a member of the barbican core team but I'd like to endorse Ade anyway with a +1. I've worked with Ade for years and consider him an exceptional engineer whose

Re: [openstack-dev] Add a hacking check to not use Python Source Code Encodings (PEP0263)

On 07/21/2014 04:45 AM, Christian Berendt wrote: Hello. There are some files using the Python source code encodings as the first line. That's normally not necessary and I want propose to introduce a hacking check to check for the absence of the source code encodings. I assume you mean you

Re: [openstack-dev] Issues when running unit tests in OpenStack

You may want to take a peek at this recent thread, there may be information in it you'll find useful. http://lists.openstack.org/pipermail/openstack-dev/2014-March/029408.html -- John ___ OpenStack-dev mailing list OpenStack-dev@lists.openstack.org

Re: [openstack-dev] Security audit of OpenStack projects

On 04/07/2014 12:06 PM, Nathan Kinder wrote: Hi, We don't currently collect high-level security related information about the projects for OpenStack releases. Things like the crypto algorithms that are used or how we handle sensitive data aren't documented anywhere that I could see. I did

Re: [openstack-dev] [nova] Timestamp formats in the REST API

On 04/29/2014 09:48 AM, Mark McLoughlin wrote: What appeared to be unusual was that the timestamp had both sub-second time resolution and timezone information. It was felt that this wasn't a valid timestamp format and then some debate about how to 'fix' it: My conclusions from all that:

Re: [openstack-dev] [oslo] Logging exceptions and Python 3

On 05/16/2014 09:11 AM, Johannes Erdfelt wrote: six.text_type(exc) is the recommended solution. +1 -- John ___ OpenStack-dev mailing list OpenStack-dev@lists.openstack.org http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

Re: [openstack-dev] [oslo] strutils: enhance safe_decode() and safe_encode()

On 05/15/2014 11:41 AM, Victor Stinner wrote: Hi, The functions safe_decode() and safe_encode() have been ported to Python 3, and changed more than once. IMO we can still improve these functions to make them more reliable and easier to use. (1) My first concern is that these functions

Re: [openstack-dev] [Neutron][LBaaS]TLS API support for authentication

Using standard formats such as PEM and PKCS12 (most people don't use PKCS8 directly) is a good approach. Be mindful that some cryptographic services do not provide *any* direct access to private keys (makes sense, right?). Private keys are shielded in some hardened container and the only way to

Re: [openstack-dev] [Keystone][Oslo] User mapping and X509 for signing

On 10/08/2014 04:58 PM, Adam Young wrote: When gyee posted his X509 server-side auth plugin patch, the feedback we gave was that it should be using the mapping code from Federation to transform the environment variables set by the web server to the Keystone userid, username, domain name,

[openstack-dev] [Keystone] Alternative federation mapping

While working on federated authentication for a different project (OpenDaylight) we discovered we needed to map from the assertion provided by an external federated IdP to local values. This is essentially the same requirement which exists in Keystone's federated support. It was hoped we could

Re: [openstack-dev] [Keystone] Alternative federation mapping

On 11/02/2014 03:55 PM, Marek Denis wrote: Hi John, It indeed looks interesting and enhancing the mapping engine is on ours to-do list for a long time. I'd be happy to talk this through during the summit. Do you think you will be able to come for a Keystone websso/federation Design Session

Re: [openstack-dev] [Keystone] Alternative federation mapping

On 11/03/2014 08:50 AM, John Dennis wrote: I had a bunch of notes but I can't find them at the moment so I'm going from memory here (always a bit risky). I found my notes, attached is an reStructured text document that summarizes the issues I found with the current Keystone mapping, the basic

Re: [openstack-dev] [Keystone] Alternative federation mapping

On 11/04/2014 02:46 AM, David Chadwick wrote: Hi John Good morning David. I hope you're enjoying Paris and the summit is both productive and enjoyable. Wish I was there :-) Its seems like your objective is somewhat different to what was intended with the current mapping rules. You seem to

Re: [openstack-dev] [Keystone] Alternative federation mapping

On 11/04/2014 04:19 PM, David Stanek wrote: There are probably a few other assumptions, but the main one is that the mapper expects the incoming data to be a dictionary where the value is a string. If there are multiple values we expect them to be delimited with a semicolon in the string. and

Re: [openstack-dev] [DevStack] Python dependencies: PyPI vs distro packages

On 08/06/2013 11:19 AM, Dean Troyer wrote: And that is the crux of the problem. When both can be installed side-by-side and sys.path is in control of the order, things work. This is such a fundamental problem in the distro that I am beginning to thing that we need to address it ourselves.

Re: [openstack-dev] [Keystone] Bug in federation

Can't this be solved with a couple of environment variables? The two keys pieces of information needed are: 1) who authenticated the subject? 2) what authentication method was used? There is already precedence for AUTH_TYPE, it's used in AJP to initialize the authType property in a Java

Re: [openstack-dev] [nova][all] Architecture Diagrams in ascii art?

On 05/12/2015 08:47 AM, Clint Byrum wrote: I agree with all the things above, and I want to add that I think SVG is probably the most appropriate candidate as a W3C approved drawing format. We can even enforce style rules and use a reformatter so that diffs make sense. +1 for SVG As already

Re: [openstack-dev] [all][python3] use of six.iteritems()

On 06/11/2015 01:46 PM, Mike Bayer wrote: I am firmly in the let's use items() camp. A 100 ms difference for a totally not-real-world case of a dictionary 1M items in size is no kind of rationale for the Openstack project - if someone has a dictionary that's 1M objects in size, or even 100K,

Re: [openstack-dev] [Fuel] SSL keys saving

On 08/21/2015 05:10 AM, Stanislaw Bogatkin wrote: Hi folks. Today I want to discuss the way we save SSL keys for Fuel environments. As you maybe know we have 2 ways to get a key: a. Generate it by Fuel (self-signed certificate will be created in this case). In this case we will generate private

Re: [openstack-dev] [keystone federation] some questions about keystone IDP with SAML supported

On 10/14/2015 07:10 AM, wyw wrote: hello, keystoners. please help me Here is my use case: 1. use keystone as IDP , supported with SAML 2. keystone integrates with LDAP 3. we use a java application as Service Provider, and to integrate it with keystone IDP. 4. we use a keystone as Service

Re: [openstack-dev] [keystone federation] some questions about keystone IDP with SAML supported

On 10/14/2015 11:58 AM, Marek Denis wrote: pretty much - yes! Luckily for you the reference libraries (shibboleth) are written in Java so it should be easier to integrate with your application. Only the Shibboleth IdP is written in Java. Shibboleth the SP is written in C++. If you're trying

Re: [openstack-dev] [magnum] Difference between certs stored in keystone and certs stored in barbican

On 09/01/2015 10:57 AM, Clark, Robert Graham wrote: The reason that is compelling is that you can have Barbican generate, sign, and store a keypair without transmitting the private key over the network to the client that originates the signing request. It can be directly stored, and made

Re: [openstack-dev] [magnum] Difference between certs stored in keystone and certs stored in barbican

On 09/01/2015 02:49 AM, Tim Bell wrote: Will it also be possible to use a different CA ? In some environments, there is already a corporate certificate authority server. This would ensure compliance with site security standards. A configurable CA was one of the original design goals when the

Re: [openstack-dev] [Tripleo] X509 Management

On 06/21/2016 10:55 AM, Ian Cordasco wrote: -Original Message- From: Adam Young Reply: OpenStack Development Mailing List (not for usage questions) Date: June 21, 2016 at 09:40:39 To: OpenStack Development Mailing List

Re: [openstack-dev] [horizon][keystone] Getting Auth Token from Horizon when using Federation

On 04/18/2016 12:34 PM, Martin Millnert wrote: (** ECP is a new feature, not supported by all IdP's, that at (second) best requires reconfiguration of core authentication services at each customer, and at worst requires customers to change IdP software completely. This is a varying degree of

Re: [openstack-dev] [keystone][tripleo] Federation, mod_mellon, and HA Proxy

On 08/07/2016 11:16 PM, Adam Young wrote: On 08/06/2016 08:44 AM, John Dennis wrote: On 08/05/2016 06:06 PM, Adam Young wrote: Ah...just noticed the redirect is to :5000, not port :13000 which is the HA Proxy port. OK, this is due to the SAML request: https://identity.ayoung-dell-t1700

Re: [openstack-dev] [keystone][tripleo] Federation, mod_mellon, and HA Proxy

On 08/05/2016 06:06 PM, Adam Young wrote: Ah...just noticed the redirect is to :5000, not port :13000 which is the HA Proxy port. OK, this is due to the SAML request: https://identity.ayoung-dell-t1700.test/auth/realms/openstack/protocol/saml;

[openstack-dev] [keystone] Additional documentation for mod_auth_mellon

The existing documentation on setting up mod_auth_mellon (https://docs.openstack.org/keystone/latest/advanced-topics/federation/mellon.html) is sparse. Our experience with using mod_auth_mellon either in the context of OpenStack federation or simply as a SAML SP working in conjunction with

Re: [openstack-dev] [keystone][zuul] A Sad Farewell

On 10/02/2017 10:13 PM, Jamie Lennox wrote: Hi All, I'm really sad to announce that I'll be leaving the OpenStack community (at least for a while), I've accepted a new position unrelated to OpenStack that'll begin in a few weeks, and am going to be mostly on holiday until then. It's a

Re: [openstack-dev] [tc][all] A culture change (nitpicking)

consistent for those that follow than it is to coddle in the near term. -- John Dennis __ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http:/

Re: [openstack-dev] [oslo] proposing Moisés Guimarães for oslo.config core

addition to the oslo.config review team. Please indicate your approval or concerns with +1/-1. +1 -- John Dennis __ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ

Re: [openstack-dev] [oslo] Proposing Zane Bitter as oslo.service core

an understanding of the code. Please respond with +1 or any concerns you may have.  Thanks. +1 -- John Dennis __ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ

Re: [openstack-dev] [keystone] Could keystone to keystone federation be deployed on Centos?

On 04/04/2018 02:52 AM, 何健乐 wrote: Hi all， Could keystone to keystone  federation be deployed on Centos. I have notice all the document was deployment on Ubuntu. If could, is there some documents that is about deploying k2k on centos. Yes k2k should work on centos, there is nothing OS

Re: [openstack-dev] [keystone] Domain-namespaced user attributes in SAML assertions from Keystone IdPs

mapping rules documentation). The receiver (our mapping engine) has hard-coded logic to look for a list of names. [2] We might want to prepend a format specifier to string containing complex data, e.g. "JSON:{json object}". Our parser could then look for a leading format tag and if if finds one strip it off and pass the rest of the string into the proper parser. -- John Dennis __ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev