As we attempt to close the gap on Bug 968696, we have to make sure we are
headed forward in a path that won't get us stuck.
It seems that many people use Admin-every accounts for many things that
they are not really meant for. Such as performing Operations that should
be scoped to a project,
On Fri, Mar 9, 2018 at 2:42 AM, Adrian Turjak
wrote:
> Sooo to follow up from the discussion last night partly with Lance and
> Adam, I'm still not exactly sure what difference, if any, there is
> between a domain scoped role assignment, and a project scoped role
>
Bug 968696 and System Roles. Needs to be addressed across the Service
catalog.
On Mon, Jan 29, 2018 at 7:38 AM, Luke Hinds wrote:
> Just a reminder as we have not had many uptakes yet..
>
> Are there any projects (new and old) that would like to make use of the
> security
There has been a lot of talk about Policy this past summit and release.
Based on feedback, we've come up with the following spec to address it.
https://review.openstack.org/#/c/391624/
The idea is that we are going to split the role check off from the
existing policy checks. The role check
On 10/09/2016 10:57 PM, Ton Ngo wrote:
Hi Keystone team,
We have a scenario that involves securing services for container and
this has
turned out to be rather difficult to solve, so we would like to bring
to the larger team for
ideas.
Examples of this scenario:
1. Kubernetes cluster:
To
On 09/28/2016 11:06 PM, Adrian Turjak wrote:
Hello Keystone Devs,
Just curious as to the choice to have the project name be only 64
characters:
https://github.com/openstack/keystone/blob/master/keystone/resource/backends/sql.py#L241
Seems short, and an odd choice when the user.name field is
On 10/17/2016 09:53 AM, Chris Dent wrote:
It turns out that summit this year will be just down the road from
Chris Sharma's relatively new indoor climbing gym in Barcelona:
http://www.sharmaclimbingbcn.com/
If the fun, frisson and frustration of summit sessions leaves you with
the energy
On 08/11/2016 06:25 AM, Steven Hardy wrote:
On Wed, Aug 10, 2016 at 11:31:29AM -0400, Zane Bitter wrote:
On 09/08/16 21:21, Adam Young wrote:
On 08/09/2016 06:00 PM, Zane Bitter wrote:
In either case a good mechanism might be to use a Heat Software
Deployment via the Heat API directly (i.e
https://review.openstack.org/#/c/368530/
This change is for Python >2.7 only, as python2.7 already supports the
latest version of these libraries. Back in the "just get python3 to
work" days we cut our losses on Kerberos support, but now it is
working. Getting this restriction removed
On 09/01/2016 08:48 PM, Michael Still wrote:
On Thu, Sep 1, 2016 at 11:58 AM, Adam Young <ayo...@redhat.com
<mailto:ayo...@redhat.com>> wrote:
On 08/31/2016 07:56 AM, Michael Still wrote:
There is a quick sketch of what a service account might look like
On 09/01/2016 10:44 AM, Steve Martinelli wrote:
I want to welcome Ron De Rose (rderose) to the Keystone core team. In
a short time Ron has shown a very positive impact. Ron has contributed
feature work for shadowing LDAP and federated users, as well as
enhancing password support for SQL users.
:46 PM, Adam Young
<ayo...@redhat.com <mailto:ayo...@redhat.com>
<mailto:ayo...@redhat.com <mailto:ayo...@redhat.com>>> wrote:
On 08/22/2016 11:11 AM, Rob Crittenden wrote:
Adam Young wrote:
On 08/15
.
Michael
On Fri, Aug 26, 2016 at 12:46 PM, Adam Young <ayo...@redhat.com
<mailto:ayo...@redhat.com>> wrote:
On 08/22/2016 11:11 AM, Rob Crittenden wrote:
Adam Young wrote:
On 08/15/2016 05:10 PM, Rob Crittenden wrote:
Review https://review.o
On 08/22/2016 11:11 AM, Rob Crittenden wrote:
Adam Young wrote:
On 08/15/2016 05:10 PM, Rob Crittenden wrote:
Review https://review.openstack.org/#/c/317739/ added a new dynamic
metadata handler to nova. The basic gist is that rather than serving
metadata statically, it can be done dynamically
These changes are necessary so policy files can include the check
"is_admin_project:True" which allows us to Scope what is meant by "Admin"
Use from_environ to load context
Use to_policy_values for enforcing policy
Use context from_environ to load contexts
Use from_dict to load context
On 08/15/2016 05:10 PM, Rob Crittenden wrote:
Review https://review.openstack.org/#/c/317739/ added a new dynamic
metadata handler to nova. The basic gist is that rather than serving
metadata statically, it can be done dynamically, so that certain values
aren't provided until they are needed,
http://adam.younglogic.com/2016/08/ooo-ha-fed-poc/
It is painful, sloppy, Mitaka based. Have at it, and let's make
Federation a reality for Newton based deployments. Feedback eagerly sought.
Thanks for all the people that helped get me through this. Won't list
you all, as it would start
On 08/09/2016 05:11 PM, Adam Young wrote:
The Fernet token format uses a symmetric key to sign tokens. In order
to check the signature, these keys need to be synchronized across all
of the Keystone servers.
I don't want to pass around naked symmetric keys. The right way to do
On 08/09/2016 09:21 PM, Adam Young wrote:
On 08/09/2016 06:00 PM, Zane Bitter wrote:
In either case a good mechanism might be to use a Heat Software
Deployment via the Heat API directly (i.e. not as part of a stack) to
push changes to the servers. (I say 'push' but it's more a case
On 08/09/2016 06:00 PM, Zane Bitter wrote:
In either case a good mechanism might be to use a Heat Software
Deployment via the Heat API directly (i.e. not as part of a stack) to
push changes to the servers. (I say 'push' but it's more a case of
making the data available for os-collect-config
The Fernet token format uses a symmetric key to sign tokens. In order
to check the signature, these keys need to be synchronized across all of
the Keystone servers.
I don't want to pass around naked symmetric keys. The right way to do
this is to put them into a PKCS 11 Envelope. Roughly,
On 08/06/2016 08:44 AM, John Dennis wrote:
On 08/05/2016 06:06 PM, Adam Young wrote:
Ah...just noticed the redirect is to :5000, not port :13000 which is
the HA Proxy port.
OK, this is due to the SAML request:
https://identity.ayoung-dell-t1700.test/auth/realms/openstack/protocol/saml
On 08/06/2016 03:20 PM, Dan Prince wrote:
On Sat, 2016-08-06 at 13:21 -0400, Adam Young wrote:
As I try to debug Federation problems, I am often finding I have to
check
three nodes to see where the actual request was processed. However,
if
I close down two of the controller nodes in Nova
As I try to debug Federation problems, I am often finding I have to check
three nodes to see where the actual request was processed. However, if
I close down two of the controller nodes in Nova, the whole thing just fails.
So, while that in itself is a problem, what I would like to be able to
On 08/05/2016 06:40 PM, Fox, Kevin M wrote:
*From:* Adam Young [ayo...@redhat.com]
*Sent:* Friday, August 05, 2016 3:06 PM
*To:* openstack-dev@lists.openstack.org
*Subject:* Re: [openstack-dev] [keystone][tripleo
On 08/05/2016 04:54 PM, Adam Young wrote:
On 08/05/2016 04:52 PM, Adam Young wrote:
Today I discovered that we need to modify the HA proxy config to tell
it to rewrite redirects. Otherwise, I get a link to
http://openstack.ayoung-dell-t1700.test:5000/v3/mellon/postResponse
Which should
On 08/05/2016 04:52 PM, Adam Young wrote:
Today I discovered that we need to modify the HA proxy config to tell
it to rewrite redirects. Otherwise, I get a link to
http://openstack.ayoung-dell-t1700.test:5000/v3/mellon/postResponse
Which should be https, not http.
I mimicked the lines
Today I discovered that we need to modify the HA proxy config to tell it
to rewrite redirects. Otherwise, I get a link to
http://openstack.ayoung-dell-t1700.test:5000/v3/mellon/postResponse
Which should be https, not http.
I mimicked the lines in the horizon config so that the keystone
On 07/28/2016 10:05 PM, Tim Hinrichs wrote:
I've never worked on the authentication details, so this may be off
track, but that error message indicates the failure is happening
inside Congress's oslo_policy.
Error message shows up here as a Python exception class.
On 07/27/2016 06:04 AM, Steven Hardy wrote:
On Tue, Jul 26, 2016 at 05:23:21PM -0400, Adam Young wrote:
I worked through how to do a complete clone of the templates to do a
deploy and change a couple values here:
http://adam.younglogic.com/2016/06/custom-overcloud-deploys
I worked through how to do a complete clone of the templates to do a
deploy and change a couple values here:
http://adam.younglogic.com/2016/06/custom-overcloud-deploys/
However, all I want to do is to set two config options in Keystone. Is
there a simple way to just modify the two values
<mailto:sigmaviru...@gmail.com>> wrote:
-----Original Message-
From: Adam Young <ayo...@redhat.com
<mailto:ayo...@redhat.com>>
Reply: OpenStack Development Mailing List (not for usage
questions)
<openst
On 06/28/2016 11:13 PM, Tom Fifield wrote:
Quick answers in-line
On 29/06/16 05:44, Adam Young wrote:
It seems to me that keystone Core should be able to moderate Keystone
questions on the site. That means that they should be able to remove
old dead ones, remove things tagged as Keystone
o it again, I'll double check all these. Thanks
Cheers,
Dr. Pavlo Shchelokovskyy
Senior Software Engineer
Mirantis Inc
www.mirantis.com <http://www.mirantis.com>
On Tue, Jun 28, 2016 at 1:29 AM, Adam Young <ayo...@redhat.com
<mailto:ayo...@redhat.com>> wrote:
On 06/2
Recently, the Keystone team started brainstorming a troubleshooting
document. While we could, eventually put this into the Keystone repo,
it makes sense to also be gathering troubleshooting ideas from the
community at large. How do we do this?
I think we've had a long enough run with the
have that. First thing we checked. I assume "available" is the
most important part of that?
On 25/06/16 09:27, Adam Young wrote:
A coworker and I have both had trouble recovering from failed
overcloud deploys. I've wiped out whatever data I can, but, even
with nothing i
A coworker and I have both had trouble recovering from failed overcloud
deploys. I've wiped out whatever data I can, but, even with nothing in
the Heat Database, doing an
openstack overcloud deploy
seems to be looking for a specific Nova server by UUID:
heat resource-show
of the service's profiles (the puppet manifests) I'm
setting up the tracking of the certificates with the certmonger's
puppet manifest.
BR
On Tue, Jun 21, 2016 at 5:39 PM, Adam Young <ayo...@redhat.com
<mailto:ayo...@redhat.com>> wrote:
When deploying the overcloud with TLS,
On 06/21/2016 08:43 AM, Markus Zoeller wrote:
A reminder that this will happen in ~2 weeks.
Please note that you can spare bug reports if you leave a comment there
which says one of these (case-sensitive flags):
* CONFIRMED FOR: NEWTON
* CONFIRMED FOR: MITAKA
* CONFIRMED FOR: LIBERTY
On
On 06/21/2016 11:26 AM, John Dennis wrote:
On 06/21/2016 10:55 AM, Ian Cordasco wrote:
-Original Message-
From: Adam Young <ayo...@redhat.com>
Reply: OpenStack Development Mailing List (not for usage questions)
<openstack-dev@lists.openstack.org>
Date: June 21, 2016
When deploying the overcloud with TLS, the current "no additional
technology" approach is to use openssl and self signed. While this
works for a Proof of concept, it does not make sense if the users need
to access the resources from remote systems.
It seems to me that the undercloud, as the
ec as there
will be a lot of details to figure out if we go forward. It is also
fairly rough but it should convey the point.
Thanks
Jamie
On 3 June 2016 at 03:06, Shawn McKinney <smckin...@symas.com
<mailto:smckin...@symas.com>> wrote:
> On Jun 2, 2016, at 10:58 AM, Adam
On 06/07/2016 10:28 AM, Gyorgy Szombathelyi wrote:
Hi!
As an OIDC user, tried to play with Heat and Murano recently. They usually fail
with a trust creation error, noticing that keystone cannot find the _member_
role while creating the trust.
Hmmm...that should not be the case. The user in
On 06/02/2016 07:22 PM, Henry Nash wrote:
Hi
As you know, I have been working on specs that change the way we
handle the uniqueness of project names in Newton. The goal of this is
to better support project hierarchies, which as they stand today are
restrictive in that all project names
On 06/02/2016 11:36 AM, Shawn McKinney wrote:
On Jun 2, 2016, at 10:03 AM, Adam Young <ayo...@redhat.com> wrote:
To do all of this right, however, requires a degree of introspection that we do not have
in OpenStack. Trove needs to ask Nova "I want to do X, what rol
On 06/02/2016 01:23 AM, Jamie Lennox wrote:
Hi All,
I'd like to bring to the attention of the wider security groups and
OpenStack users the Service Users Permissions [1] spec currently
proposed against keystonemiddleware.
To summarize quickly OpenStack has long had the problem of token
6 at 5:48 PM, Steve Martinelli
<s.martine...@gmail.com <mailto:s.martine...@gmail.com>> wrote:
On Thu, May 26, 2016 at 12:59 PM, Adam Young
<ayo...@redhat.com <mailto:ayo...@redhat.com>> wrote:
On 05/26/2016 11:36 AM, Morgan Fainberg wrote:
On 05/26/2016 11:36 AM, Morgan Fainberg wrote:
On Thu, May 26, 2016 at 7:55 AM, Adam Young <ayo...@redhat.com
<mailto:ayo...@redhat.com>> wrote:
Some mix of these three tests is almost always failing:
gate-keystone-dsvm-functional-nv FAILURE in 20m 04s (non-voti
On 05/26/2016 11:20 AM, Shtilman, Tomer (Nokia - IL) wrote:
Hi
Does keystone have any plugin/extension for oauth2 authentication
(keycloak in our case)
We would like to integrate keystone with an external oauth2 system in
this way:
1/ Credentials / being sent to keystone
2/ Keystone will
Some mix of these three tests is almost always failing:
gate-keystone-dsvm-functional-nv FAILURE in 20m 04s (non-voting)
gate-keystone-dsvm-functional-v3-only-nv FAILURE in 32m 45s (non-voting)
gate-tempest-dsvm-keystone-uwsgi-full-nv FAILURE in 1h 07m 53s (non-voting)
Are we going to keep
On 05/25/2016 07:26 AM, OpenStack Mailing List Archive wrote:
Link: https://openstack.nimeyo.com/85057/?show=85707#c85707
From: imocha
I am trying to follow the steps. I am able to install ADFS and would
like to proceed further.
However, I am having issues with setting up
On 05/24/2016 10:30 PM, Adam Young wrote:
On 05/24/2016 01:55 PM, Alexander Makarov wrote:
Colleagues,
here is an actual use case for shadow users assignments, let's
discuss possible solutions: all suggestions are appreciated.
-- Forwarded message --
From: *Andrey
On 05/24/2016 01:55 PM, Alexander Makarov wrote:
Colleagues,
here is an actual use case for shadow users assignments, let's discuss
possible solutions: all suggestions are appreciated.
-- Forwarded message --
From: *Andrey Grebennikov*
On 05/20/2016 08:48 AM, Dean Troyer wrote:
On Fri, May 20, 2016 at 5:42 AM, Thomas Goirand wrote:
I am *NOT* buying that doing static linking is a progress. We're
back 30
years in the past, before the .so format. It is amazing that some
On 05/19/2016 07:40 AM, Rodrigo Duarte wrote:
Hi,
So you are trying to use keystone to authorize your users, but want to
avoid having to authenticate via keystone, right?
Check if the Federated Identity feature [1] covers your use case.
[1]
On 05/16/2016 05:23 AM, Dmitry Tantsur wrote:
On 05/14/2016 03:00 AM, Adam Young wrote:
On 05/13/2016 08:21 PM, Dieterly, Deklan wrote:
If we allow Go, then we should also consider allowing JVM based
languages.
Nope. Don't get me wrong, I've written more than my fair share of Java
in my
On 05/13/2016 08:21 PM, Dieterly, Deklan wrote:
If we allow Go, then we should also consider allowing JVM based languages.
Nope. Don't get me wrong, I've written more than my fair share of Java
in my career, and I like it, and I miss automated refactoring and real
threads. I have nothing
On 05/13/2016 12:52 PM, Monty Taylor wrote:
On 05/13/2016 11:38 AM, Eric Larson wrote:
Monty Taylor writes:
On 05/13/2016 08:23 AM, Mehdi Abaakouk wrote:
On Fri, May 13, 2016 at 02:58:08PM +0200, Julien Danjou wrote:
What's wrong with pymemcache, that we picked for tooz and are using
for 2
Can we just up and support Go, please? I'm a C++ and C buff, but I
would not inflict either of those on other people, nor would I want to
support their code. Go is designed to be native but readable/writable.
There is nothing perfect in this world.
Python for most things.
Javascript for web
On 05/12/2016 06:39 PM, gordon chung wrote:
On 12/05/2016 1:47 PM, Morgan Fainberg wrote:
On Thu, May 12, 2016 at 10:42 AM, Sean Dague wrote:
We just had to revert another v3 "fix" because it wasn't verified to
work correctly in the gate -
On 05/12/2016 01:47 PM, Morgan Fainberg wrote:
On Thu, May 12, 2016 at 10:42 AM, Sean Dague wrote:
We just had to revert another v3 "fix" because it wasn't verified to
work correctly in the gate - https://review.openstack.org/#/c/315631/
On 05/12/2016 02:20 PM, Emilien Macchi wrote:
Hi,
During the recent weeks, we've noticed that some features would have a
common challenge to solve:
How to share information or files between nodes, during a multi-node
deployment.
A few use-cases:
* Deploying Keystone using Fernet tokens
Adam
On 05/12/2016 09:07 AM, Edmund Rhudy (BLOOMBERG/ 120 PARK) wrote:
+1 on desiring OAuth-style tokens in Keystone. The use cases that come
up here are people wanting to be able to execute jobs that use the
APIs (Jenkins, Terraform, Vagrant, etc.) without having to save their
personal credentials
On 05/10/2016 07:08 PM, Flavio Percoco wrote:
On 10/05/16 13:52 -0400, Adam Young wrote:
Forget package management for a moment; we can figure it out if we
need to. The question is "Why Go" which I've pondered for a while.
If you need to write a multithreaded app, Python's GIL mak
Forget package management for a moment; we can figure it out if we need
to. The question is "Why Go" which I've pondered for a while.
If you need to write a multithreaded app, Python's GIL makes it very
hard to do. It is one reason why I pushed for HTTPD as the Keystone
front end.
On 05/09/2016 02:14 PM, Hayes, Graham wrote:
On 09/05/2016 19:09, Fox, Kevin M wrote:
I think you'll find that being able to embed a higher performance language
inside python will be much easier to do for optimizing a function or two rather
than deal with having a separate server have to be
On 05/05/2016 05:54 PM, Dolph Mathews wrote:
My understanding from the summit session was that we should have a
specific role defined in keystone's policy.json here:
https://github.com/openstack/keystone/blob/a16287af5b7761c8453b2a8e278d78652497377c/etc/policy.json#L37
Which grants access to
On 05/03/2016 09:55 AM, Clint Byrum wrote:
Excerpts from Steve Martinelli's message of 2016-05-02 19:56:15 -0700:
Comments inline...
On Mon, May 2, 2016 at 7:39 PM, Matt Fischer wrote:
On Mon, May 2, 2016 at 5:26 PM, Clint Byrum wrote:
Hello! I
On 05/02/2016 08:07 PM, Rochelle Grober wrote:
But, the original spelling of the landing site is Plimoth Rock. There were still highway
signs up in the 70's directing folks to "Plimoth Rock"
--Rocky
Who should know about rocks ;-)
-Original Message-
From: Brian Haley
On 05/01/2016 05:03 PM, Steven Dake (stdake) wrote:
Ryan had rightly pointed out that when we made the original proposal
9am morning we had asked folks if they wanted to participate in a
separate repository.
In Keystone, we are going to more and more repositories all the time.
We started
On 04/26/2016 08:28 AM, Guangyu Suo wrote:
Hello, oslo team
For now, some sensitive options like password or token are configured
as plaintext, anyone who has the privilege to read the configure file
can get the real password, this may be a security problem that can't
be unacceptable for
On 04/20/2016 09:10 PM, Dmitry Sutyagin wrote:
Another correction - the issue is observed in Kilo, not Liberty, sorry
for messing this up. (though this part of the code is identical in L)
On Wed, Apr 20, 2016 at 5:50 PM, Dmitry Sutyagin
>
On 04/20/2016 11:44 AM, Dan Prince wrote:
We've had a run of really spotty CI in TripleO. This is making it
really hard to land patches if reviewers aren't online. Specifically we
seem to get better CI results when the queue is less full (nights and
weekends)... often when core reviewers aren't
On 04/19/2016 11:03 PM, Dean Troyer wrote:
On Tue, Apr 19, 2016 at 8:17 PM, Adam Young <ayo...@redhat.com
<mailto:ayo...@redhat.com>> wrote:
Maybe it is time to revamp Devstack. Is there some way that,
without a major rewrite, it could take better advantage of the
C
On 04/19/2016 07:24 PM, Jamie Lennox wrote:
Rather than ditching python for something like go, I'd rather put
together a CLI with no plugins and that only depended on keystoneauth
and os-client-config as libraries. No?
Let me add that if you are doing anything non trivial with the CLI, you
On 04/18/2016 09:19 AM, Daniel P. Berrange wrote:
There have been threads in the past about the slowness of the "openstack"
client tool such as this one by Sean last year:
http://lists.openstack.org/pipermail/openstack-dev/2015-April/061317.html
Sean mentioned a 1.5s fixed overhead on
On 04/18/2016 12:34 PM, Martin Millnert wrote:
Hi,
we're deploying Liberty (soon Mitaka) with heavy reliance on the SAML2
Federation system by Keystone where we're a Service Provider (SP).
The problem in this situation is getting a token for direct API
access.(*)
There are conceptually two
On 04/18/2016 10:29 AM, Brant Knudson wrote:
On Fri, Apr 15, 2016 at 9:04 PM, Adam Young <ayo...@redhat.com
<mailto:ayo...@redhat.com>> wrote:
We all want Fernet to be a reality. We ain't there yet (Except
for mfish who has no patience) but we are getting closer.
..@mattfischer.com>> wrote:
On Mon, Apr 18, 2016 at 8:29 AM, Brant Knudson <b...@acm.org
<mailto:b...@acm.org>> wrote:
On Fri, Apr 15, 2016 at 9:04 PM, Adam Young
<ayo...@redhat.com <mailto:ayo...@redhat.com>> wrote:
We all want Fernet to be a reality. We ain't there yet (Except for
mfish who has no patience) but we are getting closer. The goal is to
get Fernet as the default token provider as soon as possible. The review
to do this has uncovered a few details that need to be fixed before we
can do this.
On 04/13/2016 10:07 PM, Morgan Fainberg wrote:
It is that time again, the time to plan the Keystone midcycle! Looking
at the schedule [1] for Newton, the weeks that make the most sense
look to be (not in preferential order):
R-14 June 27-01
Might be interesting having one this early in the
On 04/12/2016 03:43 PM, Hongbin Lu wrote:
Hi all,
In short, some Magnum team members proposed to store TLS certificates
in Keystone credential store. As Magnum PTL, I want to get agreements
(or non-disagreement) from OpenStack community in general, Keystone
community in particular, before
From: Adam Young [ayo...@redhat.com]
Sent: Wednesday, April 06, 2016 2:09 PM
To: openstack-dev@lists.openstack.org
Subject: Re: [openstack-dev] [nova] Minimal secure identification of a new VM
On 04/06/2016 05:42 AM, Daniel P. Berrange wrote:
On Tue, Apr 05, 2016 at 06:00:55PM -0400
On 04/06/2016 04:56 PM, Dolph Mathews wrote:
For some historical perspective, that's basically how v2 was designed.
The "public" service (port 5000) did nothing but the auth flow. The
"admin" service (port 35357) was identity management.
Unfortunately, there are (perhaps uncommon)
On 04/06/2016 05:42 AM, Daniel P. Berrange wrote:
On Tue, Apr 05, 2016 at 06:00:55PM -0400, Adam Young wrote:
We have a use case where we want to register a newly spawned Virtual machine
with an identity provider.
Heat also has a need to provide some form of Identity for a new VM.
Looking
On 04/06/2016 10:44 AM, Dan Prince wrote:
On Tue, 2016-04-05 at 19:19 -0600, Rich Megginson wrote:
On 04/05/2016 07:06 PM, Dan Prince wrote:
On Sat, 2016-04-02 at 17:28 -0400, Adam Young wrote:
I finally have enough understanding of what is going on with
Tripleo
to
reasonably discuss how
On 04/06/2016 03:20 PM, Brad Pokorny wrote:
The last I heard, oauth is likely to be deprecated in Keystone [1].
If you're interested in having it stay around, please let the Keystone
team know. It would only make sense to add it to Horizon if it's going
to stay.
[1]
On 04/05/2016 09:06 PM, Dan Prince wrote:
On Sat, 2016-04-02 at 17:28 -0400, Adam Young wrote:
I finally have enough understanding of what is going on with Tripleo
to
reasonably discuss how to implement solutions for some of the main
security needs of a deployment.
FreeIPA is an identity
On 04/05/2016 08:02 AM, Hayes, Graham wrote:
On 02/04/2016 22:33, Adam Young wrote:
I finally have enough understanding of what is going on with Tripleo to
reasonably discuss how to implement solutions for some of the main
security needs of a deployment.
FreeIPA is an identity management
On 04/05/2016 11:42 AM, Fox, Kevin M wrote:
Yeah, and they just deprecated vendor data plugins too, which
eliminates my other workaround. :/
We need to really discuss this problem at the summit and get a viable
path forward. It's just getting worse. :/
Thanks,
Kevin
On 04/05/2016 09:01 AM, Steven Hardy wrote:
On Tue, Apr 05, 2016 at 02:07:06PM +0300, Juan Antonio Osorio wrote:
On Tue, Apr 5, 2016 at 11:36 AM, Steven Hardy <sha...@redhat.com> wrote:
On Sat, Apr 02, 2016 at 05:28:57PM -0400, Adam Young wrote:
> I finally ha
We have a use case where we want to register a newly spawned Virtual
machine with an identity provider.
Heat also has a need to provide some form of Identity for a new VM.
Looking at the set of utilities right now, there does not seem to be a
secure way to do this. Injecting files does not
I finally have enough understanding of what is going on with Tripleo to
reasonably discuss how to implement solutions for some of the main
security needs of a deployment.
FreeIPA is an identity management solution that can provide support for:
1. TLS on all network communications:
A.
On 03/30/2016 04:16 PM, Andrew Laski wrote:
On Wed, Mar 30, 2016, at 03:54 PM, Matt Riedemann wrote:
On 3/30/2016 2:42 PM, Andrew Laski wrote:
On Wed, Mar 30, 2016, at 03:26 PM, Sean Dague wrote:
During the Nova API meeting we had some conversations about priorities,
but this feels like
On 03/29/2016 06:21 PM, Rich Megginson wrote:
On 03/29/2016 04:19 PM, Adam Young wrote:
Somewhere in here:
http://git.openstack.org/cgit/openstack/puppet-keystone/tree/spec/classes/keystone_spec.rb
spec is for the rspec unit testing. Do you mean
http://git.openstack.org/cgit/openstack
On 03/29/2016 07:43 PM, Emilien Macchi wrote:
On Tue, Mar 29, 2016 at 6:19 PM, Adam Young <ayo...@redhat.com> wrote:
Somewhere in here:
http://git.openstack.org/cgit/openstack/puppet-keystone/tree/spec/classes/keystone_spec.rb
I need to set these options:
admin_projec
Somewhere in here:
http://git.openstack.org/cgit/openstack/puppet-keystone/tree/spec/classes/keystone_spec.rb
I need to set these options:
admin_project_name
admin_project_domain_name
http://git.openstack.org/cgit/openstack/keystone/tree/keystone/common/config.py#n450
Keystone has a policy API, but no one uses it. It allows us to associate a
policy file with an endpoint. Upload a json blob, it gets a uuid. Associate
the UUID with the endpoint. It could also be associated with a service, and
then it is associated with all endpoint for that service unless
On 03/26/2016 12:27 PM, Steven Dake (stdake) wrote:
Hey fellow PTLs and core reviewers of those projects,
Kolla at present deploys the compute kit, and some other services
that folks have added over time including other projects like Ironic,
Heat, Mistral, Murano, Magnum, Manila, and
On 03/25/2016 08:43 AM, nidhi.h...@wipro.com wrote:
Hi All,
A gentle reminder..
Could you please share your thoughts on the approach proposed here ..
https://etherpad.openstack.org/p/access_group_nidhimittalhada
Thanks
Nidhi
*From:* Nidhi Mittal Hada (Product Engineering Service)
*Sent:*