Re: [openstack-dev] [oslo][nova] Anyone interested in writing a policy generator sphinx extension?

2016-09-22 Thread Alexander Makarov
Andrew, the idea is to shift the existing RBAC implementation: currently policy is enforced in the service (Nova, for instance) against the result of token validation, which is, in general, an access check; I'm thinking about performing policy enforcement along with access check in a single

Re: [openstack-dev] [oslo][nova] Anyone interested in writing a policy generator sphinx extension?

2016-09-21 Thread Alexander Makarov
What if policy were manageable using a RESTful API? I'd like to validate the idea to handle policies in keystone or an affiliated service: https://review.openstack.org/#/c/325326/ On 21.09.2016 17:49, Matt Riedemann wrote: Nova has policy defaults in code now and we can generate the sample

Re: [openstack-dev] [Keystone] Why not OAuth 2.0 provider?

2016-09-14 Thread Alexander Makarov
Sorry - lost some links :) Unified delegation spec: http://specs.openstack.org/openstack/keystone-specs/specs/keystone/ongoing/unified-delegation.html About OAuth2: https://hueniverse.com/2012/07/26/oauth-2-0-and-the-road-to-hell/ On Wed, Sep 14, 2016 at 10:58 AM, Alexander Makarov <am

Re: [openstack-dev] [Keystone] Why not OAuth 2.0 provider?

2016-09-14 Thread Alexander Makarov
Actually OAuth support is my next step in the "unified delegations" effort [0], so it's a good time to think about what version of it should be supported. Along with that I have some concerns about OAuth v2, as IIRC the authors themselves abandoned the spec. I'll check if something changed since

Re: [openstack-dev] what permission is required to create a Keystone trust

2016-09-01 Thread Alexander Makarov
Hi, Matt! The issue is most probably in the absence of roles being trusted, which are required to create a trust. On 01.09.2016 06:54, Matt Jia wrote: Hi, I am experimenting with the Keystone Trusts feature with a script which creates a trust between two users. import keystoneclient.v3 as

[openstack-dev] Fwd: keystone federation user story

2016-05-24 Thread Alexander Makarov
ration user story To: Alexander Makarov <amaka...@mirantis.com> Main production use case: As a system administrator I need to create assignments for federated users into the projects when the user has not authenticated for the first time. Two different approaches. 1. A user has to be assig

[openstack-dev] [keystone] Does anybody need OAuth1 API in keystone?

2016-03-19 Thread Alexander Makarov
worth the attention? [0] https://blueprints.launchpad.net/keystone/+spec/unified-delegation [1] https://github.com/openstack/keystone/tree/master/keystone/oauth1 -- Kind Regards, Alexander Makarov, Senior Software Developer, Mirantis, Inc. 35b/3, Vorontsovskaya St., 109147, Moscow, Russia Tel

Re: [openstack-dev] [all][tc] Proposal: Separate design summits from OpenStack conferences

2016-02-07 Thread Alexander Makarov
and Expo event really should be held once a year, in > my opinion, and continue to be run by the OpenStack Foundation. > > I, for one, would welcome events that have no conference check-in area, no > evening parties with 2000 people, no keynote and powerpoint-as-a-service > sessions, and no getting pulled into sales meetings. >

Re: [openstack-dev] Apache2 vs uWSGI vs ...

2015-09-18 Thread Alexander Makarov
> OpenStack Development Mailing List (not for usage questions) >> Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe >> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev >> > > > > -- > Yours Faithfully, > Vladimir Kuklin,

Re: [openstack-dev] [fuel] FF Exception request for Fernet tokens support.

2015-07-27 Thread Alexander Makarov
focus on stability and quality. -- Best regards, Sergii Golovatiuk, Skype #golserge IRC #holser On Mon, Jul 27, 2015 at 1:52 PM, Alexander Makarov amaka...@mirantis.com wrote: I've filed a ticket to test Fernet token on the scale lab: https://mirantis.jira.com/browse/MOSS-235

Re: [openstack-dev] [fuel] FF Exception request for Fernet tokens support.

2015-07-27 Thread Alexander Makarov
would it be? If we get answers for all of this, and decide that we still want the feature, then it would be great to have it. I just don't feel that it's right timing anymore - we entered FF. Thanks, On Thu, Jul 23, 2015 at 11:53 AM Alexander Makarov amaka...@mirantis.com wrote

[openstack-dev] [Keystone][Fernet] HA SQL backend for Fernet keys

2015-07-27 Thread Alexander Makarov
cluster. OTOH, making SQL highly available is considered easier than that for a filesystem. -- Kind Regards, Alexander Makarov, Senior Software Developer, Mirantis, Inc. 35b/3, Vorontsovskaya St., 109147, Moscow, Russia Tel.: +7 (495) 640-49-04 Tel.: +7 (926) 204-50-60 Skype

[openstack-dev] [fuel] FF Exception request for Fernet tokens support.

2015-07-23 Thread Alexander Makarov
. Please, respond if you have any questions or concerns related to this request. Thanks in advance. -- Kind Regards, Alexander Makarov, Senior Software Developer, Mirantis, Inc. 35b/3, Vorontsovskaya St., 109147, Moscow, Russia Tel.: +7 (495) 640-49-04 Tel.: +7 (926) 204-50-60 Skype

[openstack-dev] Fwd: [MOS] [fuel-library] [keystone] [FFE] FF Exception request for Fernet tokens support.

2015-07-23 Thread Alexander Makarov
-- Forwarded message -- From: Alexander Makarov amaka...@mirantis.com Date: Thu, Jul 23, 2015 at 5:30 PM Subject: [MOS] [fuel-library] [keystone] [FFE] FF Exception request for Fernet tokens support. To: Vitaly Sedelnik vsedel...@mirantis.com, Eugene Bogdanov ebogda

Re: [openstack-dev] [keystone] [trusts] [all] How trusts should work by design?

2015-02-19 Thread Alexander Makarov
List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev -- Kind Regards, Alexander Makarov, Senior Software Developer, Mirantis, Inc. 35b/3, Vorontsovskaya St., 109147, Moscow

Re: [openstack-dev] [keystone] [trusts] [all] How trusts should work by design?

2015-02-19 Thread Alexander Makarov
: On 19 Feb 2015, at 18:32, Alexander Makarov amaka...@mirantis.com wrote: @Renat, They are conceptually different: - regular tokens are created for the owner of addressed resource - trust scoped tokens are for trustees and have some security restrictions. The case is about disallowing a trustee

Re: [openstack-dev] [keystone] [trusts] [all] How trusts should work by design?

2015-02-16 Thread Alexander Makarov
...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev -- Kind Regards, Alexander Makarov, Senior Software Developer, Mirantis, Inc. 35b/3, Vorontsovskaya St., 109147, Moscow, Russia Tel.: +7 (495) 640-49-04 Tel.: +7 (926) 204-50-60 Skype

Re: [openstack-dev] [keystone] [trusts] [all] How trusts should work by design?

2015-02-16 Thread Alexander Makarov
https://blueprints.launchpad.net/keystone/+spec/trust-scoped-re-authentication On Mon, Feb 16, 2015 at 7:57 PM, Alexander Makarov amaka...@mirantis.com wrote: We could soften this limitation a little by returning the token the client tries to authenticate with. I think we need to discuss

Re: [openstack-dev] [keystone] [nova]

2015-02-13 Thread Alexander Makarov
Adam, Nova client does it for some reason during a call to nova.servers.list() On Thu, Feb 12, 2015 at 10:03 PM, Adam Young ayo...@redhat.com wrote: On 02/12/2015 10:40 AM, Alexander Makarov wrote: A trust token cannot be used to get another token: https://github.com/openstack/keystone

Re: [openstack-dev] [keystone] [nova]

2015-02-12 Thread Alexander Makarov
-- Kind Regards, Alexander Makarov, Senior Software Developer, Mirantis, Inc. 35b/3, Vorontsovskaya St., 109147, Moscow, Russia Tel.: +7 (495) 640-49-04 Tel.: +7 (926) 204-50-60 Skype: MAKAPOB.AJIEKCAHDP __ OpenStack