[openstack-dev] Replacing Keystone Admin Accounts

2018-03-14 Thread Adam Young
As we attempt to close the gap on Bug 968696, we have to make sure we are headed forward in a path that won't get us stuck. It seems that many people use Admin-every accounts for many things that they are not really meant for. Such as performing Operations that should be scoped to a project,

Re: [openstack-dev] [Keystone] Weirdness around domain/project scope in role assignments

2018-03-09 Thread Adam Young
On Fri, Mar 9, 2018 at 2:42 AM, Adrian Turjak wrote: > Sooo to follow up from the discussion last night partly with Lance and > Adam, I'm still not exactly sure what difference, if any, there is > between a domain scoped role assignment, and a project scoped role >

Re: [openstack-dev] [security] Security PTG Planning, x-project request for topics.

2018-01-29 Thread Adam Young
Bug 968696 and System Roles. Needs to be addressed across the Service catalog. On Mon, Jan 29, 2018 at 7:38 AM, Luke Hinds wrote: > Just a reminder as we have not had many uptakes yet.. > > Are there any projects (new and old) that would like to make use of the > security

[openstack-dev] [Keystone] Token Verify Role Check

2016-11-03 Thread Adam Young
There has been a lot of talk about Policy this past summit and release. Based on feedback, we've come up with the following spec to address it. https://review.openstack.org/#/c/391624/ The idea is that we are going to split the role check off from the existing policy checks. The role check

Re: [openstack-dev] [Magnum][Kuryr][Keystone] Securing services in container orchestration

2016-10-20 Thread Adam Young
On 10/09/2016 10:57 PM, Ton Ngo wrote: Hi Keystone team, We have a scenario that involves securing services for container and this has turned out to be rather difficult to solve, so we would like to bring to the larger team for ideas. Examples of this scenario: 1. Kubernetes cluster: To

Re: [openstack-dev] [Keystone] Project name DB length

2016-10-20 Thread Adam Young
On 09/28/2016 11:06 PM, Adrian Turjak wrote: Hello Keystone Devs, Just curious as to the choice to have the project name be only 64 characters: https://github.com/openstack/keystone/blob/master/keystone/resource/backends/sql.py#L241 Seems short, and an odd choice when the user.name field is

Re: [openstack-dev] [all] indoor climbing break at summit?

2016-10-17 Thread Adam Young
On 10/17/2016 09:53 AM, Chris Dent wrote: It turns out that summit this year will be just down the road from Chris Sharma's relatively new indoor climbing gym in Barcelona: http://www.sharmaclimbingbcn.com/ If the fun, frisson and frustration of summit sessions leaves you with the energy

Re: [openstack-dev] [tripleo] Fernet Key rotation

2016-09-23 Thread Adam Young
On 08/11/2016 06:25 AM, Steven Hardy wrote: On Wed, Aug 10, 2016 at 11:31:29AM -0400, Zane Bitter wrote: On 09/08/16 21:21, Adam Young wrote: On 08/09/2016 06:00 PM, Zane Bitter wrote: In either case a good mechanism might be to use a Heat Software Deployment via the Heat API directly (i.e

[openstack-dev] [keystone][oslo][release][requirements][FFE] global-requirements update for requests-kerberos

2016-09-13 Thread Adam Young
https://review.openstack.org/#/c/368530/ This change is for Python >2.7 only, as python2.7 already supports the latest version of these libraries. Back in the "just get python3 to work" days we cut our losses on Kerberos support, but now it is working. Getting this restriction removed

Re: [openstack-dev] [nova][keystone] auth for new metadata plugins

2016-09-08 Thread Adam Young
On 09/01/2016 08:48 PM, Michael Still wrote: On Thu, Sep 1, 2016 at 11:58 AM, Adam Young <ayo...@redhat.com> wrote: On 08/31/2016 07:56 AM, Michael Still wrote: There is a quick sketch of what a service account might look like

Re: [openstack-dev] [keystone] new core reviewer (rderose)

2016-09-01 Thread Adam Young
On 09/01/2016 10:44 AM, Steve Martinelli wrote: I want to welcome Ron De Rose (rderose) to the Keystone core team. In a short time Ron has shown a very positive impact. Ron has contributed feature work for shadowing LDAP and federated users, as well as enhancing password support for SQL users.

Re: [openstack-dev] [nova][keystone] auth for new metadata plugins

2016-08-31 Thread Adam Young
:46 PM, Adam Young <ayo...@redhat.com> wrote: On 08/22/2016 11:11 AM, Rob Crittenden wrote: Adam Young wrote: On 08/15

Re: [openstack-dev] [nova][keystone] auth for new metadata plugins

2016-08-31 Thread Adam Young
. Michael On Fri, Aug 26, 2016 at 12:46 PM, Adam Young <ayo...@redhat.com> wrote: On 08/22/2016 11:11 AM, Rob Crittenden wrote: Adam Young wrote: On 08/15/2016 05:10 PM, Rob Crittenden wrote: Review https://review.o

Re: [openstack-dev] [nova][keystone] auth for new metadata plugins

2016-08-25 Thread Adam Young
On 08/22/2016 11:11 AM, Rob Crittenden wrote: Adam Young wrote: On 08/15/2016 05:10 PM, Rob Crittenden wrote: Review https://review.openstack.org/#/c/317739/ added a new dynamic metadata handler to nova. The basic gist is that rather than serving metadata statically, it can be done dynamically

[openstack-dev] [Cross-Project] [Cinder][Neutron][Cue]

2016-08-18 Thread Adam Young
These changes are necessary so policy files can include the check "is_admin_project:True" which allows us to Scope what is meant by "Admin" Use from_environ to load context Use to_policy_values for enforcing policy Use context from_environ to load contexts Use from_dict to load context

Re: [openstack-dev] [nova][keystone] auth for new metadata plugins

2016-08-17 Thread Adam Young
On 08/15/2016 05:10 PM, Rob Crittenden wrote: Review https://review.openstack.org/#/c/317739/ added a new dynamic metadata handler to nova. The basic gist is that rather than serving metadata statically, it can be done dynamically, so that certain values aren't provided until they are needed,

[openstack-dev] [Tripleo] Tripleo HA Federation Proof-of-Concept

2016-08-11 Thread Adam Young
http://adam.younglogic.com/2016/08/ooo-ha-fed-poc/ It is painful, sloppy, Mitaka based. Have at it, and let's make Federation a reality for Newton based deployments. Feedback eagerly sought. Thanks for all the people that helped get me through this. Won't list you all, as it would start

Re: [openstack-dev] [tripleo] Fernet Key rotation

2016-08-10 Thread Adam Young
On 08/09/2016 05:11 PM, Adam Young wrote: The Fernet token format uses a symmetric key to sign tokens. In order to check the signature, these keys need to be synchronized across all of the Keystone servers. I don't want to pass around naked symmetric keys. The right way to do

Re: [openstack-dev] [tripleo] Fernet Key rotation

2016-08-10 Thread Adam Young
On 08/09/2016 09:21 PM, Adam Young wrote: On 08/09/2016 06:00 PM, Zane Bitter wrote: In either case a good mechanism might be to use a Heat Software Deployment via the Heat API directly (i.e. not as part of a stack) to push changes to the servers. (I say 'push' but it's more a case

Re: [openstack-dev] [tripleo] Fernet Key rotation

2016-08-09 Thread Adam Young
On 08/09/2016 06:00 PM, Zane Bitter wrote: In either case a good mechanism might be to use a Heat Software Deployment via the Heat API directly (i.e. not as part of a stack) to push changes to the servers. (I say 'push' but it's more a case of making the data available for os-collect-config

[openstack-dev] [tripleo] Fernet Key rotation

2016-08-09 Thread Adam Young
The Fernet token format uses a symmetric key to sign tokens. In order to check the signature, these keys need to be synchronized across all of the Keystone servers. I don't want to pass around naked symmetric keys. The right way to do this is to put them into a PKCS 11 Envelope. Roughly,

Re: [openstack-dev] [keystone][tripleo] Federation, mod_mellon, and HA Proxy

2016-08-07 Thread Adam Young
On 08/06/2016 08:44 AM, John Dennis wrote: On 08/05/2016 06:06 PM, Adam Young wrote: Ah...just noticed the redirect is to :5000, not port :13000 which is the HA Proxy port. OK, this is due to the SAML request: https://identity.ayoung-dell-t1700.test/auth/realms/openstack/protocol/saml

Re: [openstack-dev] [tripleo] HA with only one node.

2016-08-06 Thread Adam Young
On 08/06/2016 03:20 PM, Dan Prince wrote: On Sat, 2016-08-06 at 13:21 -0400, Adam Young wrote: As I try to debug Federation problems, I am often finding I have to check three nodes to see where the actual request was processed. However, If I close down two of the controller nodes in Nova

[openstack-dev] [tripleo] HA with only one node.

2016-08-06 Thread Adam Young
As I try to debug Federation problems, I am often finding I have to check three nodes to see where the actual request was processed. However, If I close down two of the controller nodes in Nova, the whole thing just fails. So, while that in itself is a problem, what I would like to be able to

Re: [openstack-dev] [keystone][tripleo] Federation, mod_mellon, and HA Proxy

2016-08-05 Thread Adam Young
On 08/05/2016 06:40 PM, Fox, Kevin M wrote: *From:* Adam Young [ayo...@redhat.com] *Sent:* Friday, August 05, 2016 3:06 PM *To:* openstack-dev@lists.openstack.org *Subject:* Re: [openstack-dev] [keystone][tripleo

Re: [openstack-dev] [keystone][tripleo] Federation, mod_mellon, and HA Proxy

2016-08-05 Thread Adam Young
On 08/05/2016 04:54 PM, Adam Young wrote: On 08/05/2016 04:52 PM, Adam Young wrote: Today I discovered that we need to modify the HA proxy config to tell it to rewrite redirects. Otherwise, I get a link to http://openstack.ayoung-dell-t1700.test:5000/v3/mellon/postResponse Which should

Re: [openstack-dev] [keystone][tripleo] Federation, mod_mellon, and HA Proxy

2016-08-05 Thread Adam Young
On 08/05/2016 04:52 PM, Adam Young wrote: Today I discovered that we need to modify the HA proxy config to tell it to rewrite redirects. Otherwise, I get a link to http://openstack.ayoung-dell-t1700.test:5000/v3/mellon/postResponse Which should be https, not http. I mimicked the lines

[openstack-dev] [keystone][tripleo] Federation, mod_mellon, and HA Proxy

2016-08-05 Thread Adam Young
Today I discovered that we need to modify the HA proxy config to tell it to rewrite redirects. Otherwise, I get a link to http://openstack.ayoung-dell-t1700.test:5000/v3/mellon/postResponse Which should be https, not http. I mimicked the lines in the horizon config so that the keystone

Re: [openstack-dev] [Congress] Congress horizon plugin - congressclient/congress API auth issue - help

2016-07-29 Thread Adam Young
On 07/28/2016 10:05 PM, Tim Hinrichs wrote: I've never worked on the authentication details, so this may be off track, but that error message indicates the failure is happening inside Congress's oslo_policy. Error message shows up here as a Python exception class.

Re: [openstack-dev] [tripleo] Modifying just a few values on overcloud redeploy

2016-07-27 Thread Adam Young
On 07/27/2016 06:04 AM, Steven Hardy wrote: On Tue, Jul 26, 2016 at 05:23:21PM -0400, Adam Young wrote: I worked through how to do a complete clone of the templates to do a deploy and change a couple values here: http://adam.younglogic.com/2016/06/custom-overcloud-deploys

[openstack-dev] [tripleo] Modifying just a few values on overcloud redeploy

2016-07-26 Thread Adam Young
I worked through how to do a complete clone of the templates to do a deploy and change a couple values here: http://adam.younglogic.com/2016/06/custom-overcloud-deploys/ However, all I want to do is to set two config options in Keystone. Is there a simple way to just modify the two values

Re: [openstack-dev] Troubleshooting and ask.openstack.org

2016-06-30 Thread Adam Young
<sigmaviru...@gmail.com> wrote: -----Original Message- From: Adam Young <ayo...@redhat.com> Reply: OpenStack Development Mailing List (not for usage questions) <openst

Re: [openstack-dev] Troubleshooting and ask.openstack.org

2016-06-30 Thread Adam Young
On 06/28/2016 11:13 PM, Tom Fifield wrote: Quick answers in-line On 29/06/16 05:44, Adam Young wrote: It seems to me that keystone Core should be able to moderate Keystone questions on the site. That means that they should be able to remove old dead ones, remove things tagged as Keystone

Re: [openstack-dev] [Heat][tripleo] Tripleo holding on to old, bad data

2016-06-28 Thread Adam Young
o it again, I'll double check all these. Thanks Cheers, Dr. Pavlo Shchelokovskyy Senior Software Engineer Mirantis Inc www.mirantis.com On Tue, Jun 28, 2016 at 1:29 AM, Adam Young <ayo...@redhat.com> wrote: On 06/2

[openstack-dev] Troubleshooting and ask.openstack.org

2016-06-28 Thread Adam Young
Recently, the Keystone team started brainstorming a troubleshooting document. While we could, eventually, put this into the Keystone repo, it makes sense to also be gathering troubleshooting ideas from the community at large. How do we do this? I think we've had a long enough run with the

Re: [openstack-dev] [Heat][tripleo] Tripleo holding on to old, bad data

2016-06-27 Thread Adam Young
have that. First thing we checked. I assume "available" is the most important part of that? On 25/06/16 09:27, Adam Young wrote: A coworker and I have both had trouble recovering from failed overcloud deploys. I've wiped out whatever data I can, but, even with nothing i

[openstack-dev] [Heat] Tripleo holding on to old, bad data

2016-06-24 Thread Adam Young
A coworker and I have both had trouble recovering from failed overcloud deploys. I've wiped out whatever data I can, but, even with nothing in the Heat Database, doing an openstack overcloud deploy seems to be looking for a specific Nova server by UUID: heat resource-show

Re: [openstack-dev] [Tripleo] X509 Management

2016-06-21 Thread Adam Young
of the service's profiles (the puppet manifests) I'm setting up the tracking of the certificates with the certmonger's puppet manifest. BR On Tue, Jun 21, 2016 at 5:39 PM, Adam Young <ayo...@redhat.com> wrote: When deploying the overcloud with TLS,

Re: [openstack-dev] [nova] I'm going to expire open bug reports older than 18 months.

2016-06-21 Thread Adam Young
On 06/21/2016 08:43 AM, Markus Zoeller wrote: A reminder that this will happen in ~2 weeks. Please note that you can spare bug reports if you leave a comment there which says one of these (case-sensitive flags): * CONFIRMED FOR: NEWTON * CONFIRMED FOR: MITAKA * CONFIRMED FOR: LIBERTY On

Re: [openstack-dev] [Tripleo] X509 Management

2016-06-21 Thread Adam Young
On 06/21/2016 11:26 AM, John Dennis wrote: On 06/21/2016 10:55 AM, Ian Cordasco wrote: -Original Message- From: Adam Young <ayo...@redhat.com> Reply: OpenStack Development Mailing List (not for usage questions) <openstack-dev@lists.openstack.org> Date: June 21, 2016

[openstack-dev] [Tripleo] X509 Management

2016-06-21 Thread Adam Young
When deploying the overcloud with TLS, the current "no additional technology" approach is to use openssl and self-signed. While this works for a Proof of concept, it does not make sense if the users need to access the resources from remote systems. It seems to me that the undercloud, as the

Re: [openstack-dev] [keystone][security] Service User Permissions

2016-06-19 Thread Adam Young
ec as there will be a lot of details to figure out if we go forward. It is also fairly rough but it should convey the point. Thanks Jamie On 3 June 2016 at 03:06, Shawn McKinney <smckin...@symas.com> wrote: > On Jun 2, 2016, at 10:58 AM, Adam

Re: [openstack-dev] [keystone]trusts with federated users

2016-06-07 Thread Adam Young
On 06/07/2016 10:28 AM, Gyorgy Szombathelyi wrote: Hi! As an OIDC user, tried to play with Heat and Murano recently. They usually fail with a trust creation error, noticing that keystone cannot find the _member_ role while creating the trust. Hmmm...that should not be the case. The user in

Re: [openstack-dev] [keystone] Changing the project name uniqueness constraint

2016-06-02 Thread Adam Young
On 06/02/2016 07:22 PM, Henry Nash wrote: Hi As you know, I have been working on specs that change the way we handle the uniqueness of project names in Newton. The goal of this is to better support project hierarchies, which as they stand today are restrictive in that all project names

Re: [openstack-dev] [keystone][security] Service User Permissions

2016-06-02 Thread Adam Young
On 06/02/2016 11:36 AM, Shawn McKinney wrote: On Jun 2, 2016, at 10:03 AM, Adam Young <ayo...@redhat.com> wrote: To do all of this right, however, requires a degree of introspection that we do not have in OpenStack. Trove needs to ask Nova "I want to do X, what rol

Re: [openstack-dev] [keystone][security] Service User Permissions

2016-06-02 Thread Adam Young
On 06/02/2016 01:23 AM, Jamie Lennox wrote: Hi All, I'd like to bring to the attention of the wider security groups and OpenStack users the Service Users Permissions [1] spec currently proposed against keystonemiddleware. To summarize quickly OpenStack has long had the problem of token

Re: [openstack-dev] [keystone] Who is going to fix the broken non-voting tests?

2016-05-27 Thread Adam Young
6 at 5:48 PM, Steve Martinelli <s.martine...@gmail.com> wrote: On Thu, May 26, 2016 at 12:59 PM, Adam Young <ayo...@redhat.com> wrote: On 05/26/2016 11:36 AM, Morgan Fainberg wrote:

Re: [openstack-dev] [keystone] Who is going to fix the broken non-voting tests?

2016-05-26 Thread Adam Young
On 05/26/2016 11:36 AM, Morgan Fainberg wrote: On Thu, May 26, 2016 at 7:55 AM, Adam Young <ayo...@redhat.com> wrote: Some mix of these three tests is almost always failing: gate-keystone-dsvm-functional-nv FAILURE in 20m 04s (non-voti

Re: [openstack-dev] [keystone] integrating keystone with oauth2 (keycloak)

2016-05-26 Thread Adam Young
On 05/26/2016 11:20 AM, Shtilman, Tomer (Nokia - IL) wrote: Hi Does keystone have any plugin/extension for oauth2 authentication (keycloak in our case) We would like to integrate keystone with an external oauth2 system in this way: 1/ Credentials / being sent to keystone 2/ Keystone will

[openstack-dev] [keystone] Who is going to fix the broken non-voting tests?

2016-05-26 Thread Adam Young
Some mix of these three tests is almost always failing: gate-keystone-dsvm-functional-nv FAILURE in 20m 04s (non-voting) gate-keystone-dsvm-functional-v3-only-nv FAILURE in 32m 45s (non-voting) gate-tempest-dsvm-keystone-uwsgi-full-nv FAILURE in 1h 07m 53s (non-voting) Are we going to keep

Re: [openstack-dev] How to single sign on with windows authentication with Keystone

2016-05-25 Thread Adam Young
On 05/25/2016 07:26 AM, OpenStack Mailing List Archive wrote: Link: https://openstack.nimeyo.com/85057/?show=85707#c85707 From: imocha I am trying to follow the steps. I am able to install ADFS and would like to proceed further. However, I am having issues with setting up

Re: [openstack-dev] Fwd: keystone federation user story

2016-05-24 Thread Adam Young
On 05/24/2016 10:30 PM, Adam Young wrote: On 05/24/2016 01:55 PM, Alexander Makarov wrote: Colleagues, here is an actual use case for shadow users assignments, let's discuss possible solutions: all suggestions are appreciated. -- Forwarded message -- From: *Andrey

Re: [openstack-dev] Fwd: keystone federation user story

2016-05-24 Thread Adam Young
On 05/24/2016 01:55 PM, Alexander Makarov wrote: Colleagues, here is an actual use case for shadow users assignments, let's discuss possible solutions: all suggestions are appreciated. -- Forwarded message -- From: *Andrey Grebennikov*

Re: [openstack-dev] [tc] supporting Go

2016-05-20 Thread Adam Young
On 05/20/2016 08:48 AM, Dean Troyer wrote: On Fri, May 20, 2016 at 5:42 AM, Thomas Goirand > wrote: I am *NOT* buying that doing static linking is a progress. We're back 30 years in the past, before the .so format. It is amazing that some

Re: [openstack-dev] How to single sign on with windows authentication with Keystone

2016-05-19 Thread Adam Young
On 05/19/2016 07:40 AM, Rodrigo Duarte wrote: Hi, So you are trying to use keystone to authorize your users, but want to avoid having to authenticate via keystone, right? Check if the Federated Identity feature [1] covers your use case. [1]

Re: [openstack-dev] [tc] supporting Go

2016-05-16 Thread Adam Young
On 05/16/2016 05:23 AM, Dmitry Tantsur wrote: On 05/14/2016 03:00 AM, Adam Young wrote: On 05/13/2016 08:21 PM, Dieterly, Deklan wrote: If we allow Go, then we should also consider allowing JVM based languages. Nope. Don't get me wrong, I've written more than my fair share of Java in my

Re: [openstack-dev] [tc] supporting Go

2016-05-13 Thread Adam Young
On 05/13/2016 08:21 PM, Dieterly, Deklan wrote: If we allow Go, then we should also consider allowing JVM based languages. Nope. Don't get me wrong, I've written more than my fair share of Java in my career, and I like it, and I miss automated refactoring and real threads. I have nothing

Re: [openstack-dev] [keystone][oslo][designate][zaqar][nova][swift] using pylibmc instead of python-memcached

2016-05-13 Thread Adam Young
On 05/13/2016 12:52 PM, Monty Taylor wrote: On 05/13/2016 11:38 AM, Eric Larson wrote: Monty Taylor writes: On 05/13/2016 08:23 AM, Mehdi Abaakouk wrote: On Fri, May 13, 2016 at 02:58:08PM +0200, Julien Danjou wrote: What's wrong with pymemcache, that we picked for tooz and are using for 2

Re: [openstack-dev] [tc] supporting Go

2016-05-13 Thread Adam Young
Can we just up and support Go, please? I'm a C++ and C buff, but I would not inflict either of those on other people, nor would I want to support their code. Go is designed to be native but readable/writable. There is nothing perfect in this world. Python for most things. Javascript for web

Re: [openstack-dev] [cross-project][infra][keystone] Moving towards a Identity v3-only on Devstack - Next Steps

2016-05-12 Thread Adam Young
On 05/12/2016 06:39 PM, gordon chung wrote: On 12/05/2016 1:47 PM, Morgan Fainberg wrote: On Thu, May 12, 2016 at 10:42 AM, Sean Dague > wrote: We just had to revert another v3 "fix" because it wasn't verified to work correctly in the gate -

Re: [openstack-dev] [cross-project][infra][keystone] Moving towards a Identity v3-only on Devstack - Next Steps

2016-05-12 Thread Adam Young
On 05/12/2016 01:47 PM, Morgan Fainberg wrote: On Thu, May 12, 2016 at 10:42 AM, Sean Dague > wrote: We just had to revert another v3 "fix" because it wasn't verified to work correctly in the gate - https://review.openstack.org/#/c/315631/

Re: [openstack-dev] [tripleo] sharing bits between nodes during deployment

2016-05-12 Thread Adam Young
On 05/12/2016 02:20 PM, Emilien Macchi wrote: Hi, During the recent weeks, we've noticed that some features would have a common challenge to solve: How to share information or files between nodes, during a multi-node deployment. A few use-cases: * Deploying Keystone using Fernet tokens Adam

Re: [openstack-dev] [horizon][keystone] Getting Auth Token from Horizon when using Federation

2016-05-12 Thread Adam Young
On 05/12/2016 09:07 AM, Edmund Rhudy (BLOOMBERG/ 120 PARK) wrote: +1 on desiring OAuth-style tokens in Keystone. The use cases that come up here are people wanting to be able to execute jobs that use the APIs (Jenkins, Terraform, Vagrant, etc.) without having to save their personal credentials

Re: [openstack-dev] [tc] supporting Go

2016-05-11 Thread Adam Young
On 05/10/2016 07:08 PM, Flavio Percoco wrote: On 10/05/16 13:52 -0400, Adam Young wrote: Forget package management for a moment; we can figure it out if we need to. The question is "Why Go" which I've pondered for a while. If you need to write a multithreaded app, Python's GIL mak

Re: [openstack-dev] [tc] supporting Go

2016-05-10 Thread Adam Young
Forget package management for a moment; we can figure it out if we need to. The question is "Why Go" which I've pondered for a while. If you need to write a multithreaded app, Python's GIL makes it very hard to do. It is one reason why I pushed for HTTPD as the Keystone front end.

Re: [openstack-dev] [tc] supporting Go

2016-05-09 Thread Adam Young
On 05/09/2016 02:14 PM, Hayes, Graham wrote: On 09/05/2016 19:09, Fox, Kevin M wrote: I think you'll find that being able to embed a higher performance language inside python will be much easier to do for optimizing a function or two rather than deal with having a separate server have to be

Re: [openstack-dev] [Keystone][Nova] Any Code Examples of Other Services Using Keystone Policy?

2016-05-05 Thread Adam Young
On 05/05/2016 05:54 PM, Dolph Mathews wrote: My understanding from the summit session was that we should have a specific role defined in keystone's policy.json here: https://github.com/openstack/keystone/blob/a16287af5b7761c8453b2a8e278d78652497377c/etc/policy.json#L37 Which grants access to

Re: [openstack-dev] [keystone] Token providers and Fernet as the default

2016-05-03 Thread Adam Young
On 05/03/2016 09:55 AM, Clint Byrum wrote: Excerpts from Steve Martinelli's message of 2016-05-02 19:56:15 -0700: Comments inline... On Mon, May 2, 2016 at 7:39 PM, Matt Fischer wrote: On Mon, May 2, 2016 at 5:26 PM, Clint Byrum wrote: Hello! I

Re: [openstack-dev] Timeframe for naming the P release?

2016-05-02 Thread Adam Young
On 05/02/2016 08:07 PM, Rochelle Grober wrote: But, the original spelling of the landing site is Plimoth Rock. There were still highway signs up in the 70's directing folks to "Plimoth Rock" --Rocky Who should know about rocks ;-) -Original Message- From: Brian Haley

Re: [openstack-dev] [kolla][kubernetes] One repo vs two

2016-05-02 Thread Adam Young
On 05/01/2016 05:03 PM, Steven Dake (stdake) wrote: Ryan had rightly pointed out that when we made the original proposal 9am morning we had asked folks if they wanted to participate in a separate repository. In Keystone, we are going to more and more repositories all the time. We started

Re: [openstack-dev] [oslo.config] Encrypt the sensitive options

2016-05-02 Thread Adam Young
On 04/26/2016 08:28 AM, Guangyu Suo wrote: Hello, oslo team For now, some sensitive options like password or token are configured as plaintext, anyone who has the privilege to read the configure file can get the real password, this may be a security problem that can't be unacceptable for

Re: [openstack-dev] [keystone] Liberty - problem with assignment LDAP backend - Groups

2016-04-20 Thread Adam Young
On 04/20/2016 09:10 PM, Dmitry Sutyagin wrote: Another correction - the issue is observed in Kilo, not Liberty, sorry for messing this up. (though this part of the code is identical in L) On Wed, Apr 20, 2016 at 5:50 PM, Dmitry Sutyagin >

Re: [openstack-dev] [TripleO]: landing code faster

2016-04-20 Thread Adam Young
On 04/20/2016 11:44 AM, Dan Prince wrote: We've had a run of really spotty CI in TripleO. This is making it really hard to land patches if reviewers aren't online. Specifically we seem to get better CI results when the queue is less full (nights and weekends)... often when core reviewers aren't

Re: [openstack-dev] [devstack] openstack client slowness / client-as-a-service

2016-04-19 Thread Adam Young
On 04/19/2016 11:03 PM, Dean Troyer wrote: On Tue, Apr 19, 2016 at 8:17 PM, Adam Young <ayo...@redhat.com> wrote: Maybe it is time to revamp Devstack. Is there some way that, without a major rewrite, it could take better advantage of the C

Re: [openstack-dev] [devstack] openstack client slowness / client-as-a-service

2016-04-19 Thread Adam Young
On 04/19/2016 07:24 PM, Jamie Lennox wrote: Rather than ditching python for something like go, I'd rather put together a CLI with no plugins and that only depended on keystoneauth and os-client-config as libraries. No? Let me add that if you are doing anything non trivial with the CLI, you

Re: [openstack-dev] [devstack] openstack client slowness / client-as-a-service

2016-04-19 Thread Adam Young
On 04/18/2016 09:19 AM, Daniel P. Berrange wrote: There have been threads in the past about the slowness of the "openstack" client tool such as this one by Sean last year: http://lists.openstack.org/pipermail/openstack-dev/2015-April/061317.html Sean mentioned a 1.5s fixed overhead on

Re: [openstack-dev] [horizon][keystone] Getting Auth Token from Horizon when using Federation

2016-04-18 Thread Adam Young
On 04/18/2016 12:34 PM, Martin Millnert wrote: Hi, we're deploying Liberty (soon Mitaka) with heavy reliance on the SAML2 Federation system by Keystone where we're a Service Provider (SP). The problem in this situation is getting a token for direct API access.(*) There are conceptually two

Re: [openstack-dev] [Keystone] State of Fernet Token deployment

2016-04-18 Thread Adam Young
On 04/18/2016 10:29 AM, Brant Knudson wrote: On Fri, Apr 15, 2016 at 9:04 PM, Adam Young <ayo...@redhat.com> wrote: We all want Fernet to be a reality. We ain't there yet (Except for mfish who has no patience) but we are getting closer.

Re: [openstack-dev] [Keystone] State of Fernet Token deployment

2016-04-18 Thread Adam Young
..@mattfischer.com> wrote: On Mon, Apr 18, 2016 at 8:29 AM, Brant Knudson <b...@acm.org> wrote: On Fri, Apr 15, 2016 at 9:04 PM, Adam Young <ayo...@redhat.com> wrote:

[openstack-dev] [Keystone] State of Fernet Token deployment

2016-04-15 Thread Adam Young
We all want Fernet to be a reality. We ain't there yet (Except for mfish who has no patience) but we are getting closer. The goal is to get Fernet as the default token provider as soon as possible. The review to do this has uncovered a few details that need to be fixed before we can do this.

Re: [openstack-dev] [keystone] Newton midcycle planning

2016-04-13 Thread Adam Young
On 04/13/2016 10:07 PM, Morgan Fainberg wrote: It is that time again, the time to plan the Keystone midcycle! Looking at the schedule [1] for Newton, the weeks that make the most sense look to be (not in preferential order): R-14 June 27-01 Might be interesting having one this early in the

Re: [openstack-dev] [magnum][keystone][all] Using Keystone /v3/credentials to store TLS certificates

2016-04-13 Thread Adam Young
On 04/12/2016 03:43 PM, Hongbin Lu wrote: Hi all, In short, some Magnum team members proposed to store TLS certificates in Keystone credential store. As Magnum PTL, I want to get agreements (or non-disagreement) from OpenStack community in general, Keystone community in particular, before

Re: [openstack-dev] [nova] Minimal secure identification of a new VM

2016-04-06 Thread Adam Young
From: Adam Young [ayo...@redhat.com] Sent: Wednesday, April 06, 2016 2:09 PM To: openstack-dev@lists.openstack.org Subject: Re: [openstack-dev] [nova] Minimal secure identification of a new VM On 04/06/2016 05:42 AM, Daniel P. Berrange wrote: On Tue, Apr 05, 2016 at 06:00:55PM -0400

Re: [openstack-dev] [tc][ptl][keystone] Proposal to split authentication part out of Keystone to separated project

2016-04-06 Thread Adam Young
On 04/06/2016 04:56 PM, Dolph Mathews wrote: For some historical perspective, that's basically how v2 was designed. The "public" service (port 5000) did nothing but the auth flow. The "admin" service (port 35357) was identity management. Unfortunately, there are (perhaps uncommon)

Re: [openstack-dev] [nova] Minimal secure identification of a new VM

2016-04-06 Thread Adam Young
On 04/06/2016 05:42 AM, Daniel P. Berrange wrote: On Tue, Apr 05, 2016 at 06:00:55PM -0400, Adam Young wrote: We have a use case where we want to register a newly spawned Virtual machine with an identity provider. Heat also has a need to provide some form of Identity for a new VM. Looking

Re: [openstack-dev] [TripleO] FreeIPA integration

2016-04-06 Thread Adam Young
On 04/06/2016 10:44 AM, Dan Prince wrote: On Tue, 2016-04-05 at 19:19 -0600, Rich Megginson wrote: On 04/05/2016 07:06 PM, Dan Prince wrote: On Sat, 2016-04-02 at 17:28 -0400, Adam Young wrote: I finally have enough understanding of what is going on with Tripleo to reasonably discuss how

Re: [openstack-dev] [horizon] - oAuth tab proposal

2016-04-06 Thread Adam Young
On 04/06/2016 03:20 PM, Brad Pokorny wrote: The last I heard, oauth is likely to be deprecated in Keystone [1]. If you're interested in having it stay around, please let the Keystone team know. It would only make sense to add it to Horizon if it's going to stay. [1]

Re: [openstack-dev] [TripleO] FreeIPA integration

2016-04-05 Thread Adam Young
On 04/05/2016 09:06 PM, Dan Prince wrote: On Sat, 2016-04-02 at 17:28 -0400, Adam Young wrote: I finally have enough understanding of what is going on with Tripleo to reasonably discuss how to implement solutions for some of the main security needs of a deployment. FreeIPA is an identity

Re: [openstack-dev] [TripleO] FreeIPA integration

2016-04-05 Thread Adam Young
On 04/05/2016 08:02 AM, Hayes, Graham wrote: On 02/04/2016 22:33, Adam Young wrote: I finally have enough understanding of what is going on with Tripleo to reasonably discuss how to implement solutions for some of the main security needs of a deployment. FreeIPA is an identity management

Re: [openstack-dev] [TripleO] FreeIPA integration

2016-04-05 Thread Adam Young
On 04/05/2016 11:42 AM, Fox, Kevin M wrote: Yeah, and they just deprecated vendor data plugins too, which eliminates my other workaround. :/ We need to really discuss this problem at the summit and get a viable path forward. It's just getting worse. :/ Thanks, Kevin

Re: [openstack-dev] [TripleO] FreeIPA integration

2016-04-05 Thread Adam Young
On 04/05/2016 09:01 AM, Steven Hardy wrote: On Tue, Apr 05, 2016 at 02:07:06PM +0300, Juan Antonio Osorio wrote: On Tue, Apr 5, 2016 at 11:36 AM, Steven Hardy <sha...@redhat.com> wrote: On Sat, Apr 02, 2016 at 05:28:57PM -0400, Adam Young wrote: > I finally ha

[openstack-dev] [nova] Minimal secure identification of a new VM

2016-04-05 Thread Adam Young
We have a use case where we want to register a newly spawned Virtual machine with an identity provider. Heat also has a need to provide some form of Identity for a new VM. Looking at the set of utilities right now, there does not seem to be a secure way to do this. Injecting files does not

[openstack-dev] [TripleO] FreeIPA integration

2016-04-02 Thread Adam Young
I finally have enough understanding of what is going on with Tripleo to reasonably discuss how to implement solutions for some of the main security needs of a deployment. FreeIPA is an identity management solution that can provide support for: 1. TLS on all network communications: A.

Re: [openstack-dev] [nova] API priorities in Newton

2016-03-30 Thread Adam Young
On 03/30/2016 04:16 PM, Andrew Laski wrote: On Wed, Mar 30, 2016, at 03:54 PM, Matt Riedemann wrote: On 3/30/2016 2:42 PM, Andrew Laski wrote: On Wed, Mar 30, 2016, at 03:26 PM, Sean Dague wrote: During the Nova API meeting we had some conversations about priorities, but this feels like

Re: [openstack-dev] [puppet-keystone] Setting additional config options:

2016-03-29 Thread Adam Young
On 03/29/2016 06:21 PM, Rich Megginson wrote: On 03/29/2016 04:19 PM, Adam Young wrote: Somewhere in here: http://git.openstack.org/cgit/openstack/puppet-keystone/tree/spec/classes/keystone_spec.rb spec is for the rspec unit testing. Do you mean http://git.openstack.org/cgit/openstack

Re: [openstack-dev] [puppet-keystone] Setting additional config options:

2016-03-29 Thread Adam Young
On 03/29/2016 07:43 PM, Emilien Macchi wrote: On Tue, Mar 29, 2016 at 6:19 PM, Adam Young <ayo...@redhat.com> wrote: Somewhere in here: http://git.openstack.org/cgit/openstack/puppet-keystone/tree/spec/classes/keystone_spec.rb I need to set these options: admin_projec

[openstack-dev] [puppet-keystone] Setting additional config options:

2016-03-29 Thread Adam Young
Somewhere in here: http://git.openstack.org/cgit/openstack/puppet-keystone/tree/spec/classes/keystone_spec.rb I need to set these options: admin_project_name admin_project_domain_name http://git.openstack.org/cgit/openstack/keystone/tree/keystone/common/config.py#n450

[openstack-dev] [tripleo] Policy Management and distribution.

2016-03-29 Thread Adam Young
Keystone has a policy API, but no one uses it. It allows us to associate a policy file with an endpoint. Upload a json blob, it gets a uuid. Associate the UUID with the endpoint. It could also be associated with a service, and then it is associated with all endpoints for that service unless
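An added illustration of the flow that message describes (example code written for this page, not code from the thread, from TripleO or from Keystone itself): upload a policy file as a blob, bind the resulting policy ID to an endpoint, to a service, or to a service within a region, and work out which policy a given endpoint ends up with. The request paths follow Keystone's v3 policy API and its OS-ENDPOINT-POLICY extension; the policy, service, region and endpoint IDs and the sample rules are placeholders, and the in-memory PolicyStore is a stand-in for Keystone's own tables, not a client for a live server. The precedence it applies (endpoint binding, then service-plus-region binding, then service binding) is the one the extension documents; the parent-region walk Keystone also performs is left out.

```python
"""Model of Keystone v3 policy distribution via OS-ENDPOINT-POLICY (added example)."""
import json
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Request:
    """One REST call against Keystone's v3 API: method, path and JSON body."""
    method: str
    path: str
    body: Optional[dict] = None


def create_policy_request(policy_json: str) -> Request:
    """POST /v3/policies. Keystone stores the blob opaquely, so validate it first:
    an oslo.policy file is a JSON object mapping rule names to rule strings."""
    rules = json.loads(policy_json)  # raises ValueError on malformed JSON
    if not isinstance(rules, dict) or not all(
            isinstance(k, str) and isinstance(v, str) for k, v in rules.items()):
        raise ValueError("policy blob must map rule names to rule strings")
    return Request("POST", "/v3/policies",
                   {"policy": {"blob": policy_json, "type": "application/json"}})


def bind_endpoint_request(policy_id: str, endpoint_id: str) -> Request:
    """Bind a policy to one endpoint; this overrides any service-level binding."""
    return Request("PUT", f"/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/endpoints/{endpoint_id}")


def bind_service_request(policy_id: str, service_id: str,
                         region_id: Optional[str] = None) -> Request:
    """Bind a policy to every endpoint of a service, optionally only within a region."""
    path = f"/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}"
    if region_id is not None:
        path += f"/regions/{region_id}"
    return Request("PUT", path)


def effective_policy_request(endpoint_id: str) -> Request:
    """What a service would call to fetch the policy that applies to its endpoint."""
    return Request("GET", f"/v3/endpoints/{endpoint_id}/OS-ENDPOINT-POLICY/policy")


class PolicyStore:
    """In-memory stand-in for Keystone's policy and endpoint-policy tables (assumption)."""

    def __init__(self) -> None:
        self.policies: Dict[str, str] = {}                  # policy_id -> blob
        self.by_endpoint: Dict[str, str] = {}               # endpoint_id -> policy_id
        self.by_service_region: Dict[Tuple[str, str], str] = {}
        self.by_service: Dict[str, str] = {}                # service_id -> policy_id

    def upload(self, policy_id: str, policy_json: str) -> Request:
        req = create_policy_request(policy_json)
        self.policies[policy_id] = req.body["policy"]["blob"]  # Keystone would mint the id
        return req

    def bind_endpoint(self, policy_id: str, endpoint_id: str) -> Request:
        self.by_endpoint[endpoint_id] = policy_id
        return bind_endpoint_request(policy_id, endpoint_id)

    def bind_service(self, policy_id: str, service_id: str,
                     region_id: Optional[str] = None) -> Request:
        if region_id is None:
            self.by_service[service_id] = policy_id
        else:
            self.by_service_region[(service_id, region_id)] = policy_id
        return bind_service_request(policy_id, service_id, region_id)

    def effective_policy(self, endpoint_id: str, service_id: str,
                         region_id: str) -> Optional[str]:
        """Most specific binding wins: endpoint, then service+region, then service."""
        policy_id = (self.by_endpoint.get(endpoint_id)
                     or self.by_service_region.get((service_id, region_id))
                     or self.by_service.get(service_id))
        return None if policy_id is None else self.policies[policy_id]


def demo() -> Dict[str, Optional[str]]:
    """Constructed sample: one compute service, two regions, one locked-down endpoint."""
    store = PolicyStore()
    store.upload("pol-default", '{"os_compute_api:servers:create": "rule:admin_or_owner"}')
    store.upload("pol-locked", '{"os_compute_api:servers:create": "role:admin"}')
    store.bind_service("pol-default", "svc-nova")                    # baseline for all endpoints
    store.bind_service("pol-locked", "svc-nova", region_id="RegionTwo")  # tighter in one region
    store.bind_endpoint("pol-locked", "ep-nova-one-internal")         # and on one endpoint
    return {
        "RegionOne public": store.effective_policy("ep-nova-one-public", "svc-nova", "RegionOne"),
        "RegionOne internal": store.effective_policy("ep-nova-one-internal", "svc-nova", "RegionOne"),
        "RegionTwo public": store.effective_policy("ep-nova-two-public", "svc-nova", "RegionTwo"),
        "unbound service": store.effective_policy("ep-glance", "svc-glance", "RegionOne"),
    }


if __name__ == "__main__":
    for name, blob in demo().items():
        print(f"{name}: {blob}")
```

The store only models what Keystone records; it does not make any service enforce anything. A Nova or Glance process still reads policy from its own local file, so the distribution step the subject line asks about is whatever fetches `GET /v3/endpoints/{id}/OS-ENDPOINT-POLICY/policy` and writes the blob to disk on each node, and until that exists the bindings are inert, which is consistent with the observation that nobody uses the API.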

Re: [openstack-dev] [ptl][kolla][release] Deploying the big tent

2016-03-26 Thread Adam Young
On 03/26/2016 12:27 PM, Steven Dake (stdake) wrote: Hey fellow PTLs and core reviewers of those projects, Kolla at present deploys the compute kit, and some other services that folks have added over time including other projects like Ironic, Heat, Mistral, Murano, Magnum, Manila, and

Re: [openstack-dev] [OpenStack-Dev][Manila] BP https://blueprints.launchpad.net/manila/+spec/access-group

2016-03-25 Thread Adam Young
On 03/25/2016 08:43 AM, nidhi.h...@wipro.com wrote: Hi All, A gentle reminder.. Could you please share your thoughts on the approach proposed here .. https://etherpad.openstack.org/p/access_group_nidhimittalhada Thanks Nidhi *From:* Nidhi Mittal Hada (Product Engineering Service) *Sent:*
