Re: [openstack-dev] Keystone OS-EP-FILTER descrepancy
On Tue, Oct 8, 2013 at 3:20 PM, Miller, Mark M (EB SW Cloud - RD - Corvallis) mark.m.mil...@hp.com wrote:

> Hello,
>
> I am attempting to test the Havana v3 OS-EP-FILTER extension with the latest RC1 bits and I get a 404 error response. The documentation actually shows 2 different URIs for this API:
>
> - GET /OS-EP-FILTER/projects/{project_id}/endpoints
>
> and
>
> http://identity:35357/v3/OS-FILTER/projects/{project_id}/endpoints
>
> I have tried both OS-EP-FILTER and OS-FILTER with the same result. Does anyone have information as to what I am missing?

Apologies for being late to the party, but it looks like you've already got this worked out. On behalf of people from the future, thanks for following up :)

Regarding the self-contradicting documentation, a fix merged last night (thanks Steve!) to get that straightened out as OS-EP-FILTER: https://github.com/openstack/identity-api/blob/master/openstack-identity-api/v3/src/markdown/identity-api-v3-os-ep-filter-ext.md

--
-Dolph

___
OpenStack-dev mailing list
OpenStack-dev@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
Re: [openstack-dev] Keystone OS-EP-FILTER descrepancy
Adam,

Thank you for the reply. The extension document is pretty good. The configuration instructions on the other hand need some help and I had to combine information from multiple sources to get OS-EP-FILTERing up and running. Following are the final steps that I used.

Mark

---

To enable the endpoint filter extension:

1. Add the new filter driver to the catalog section to keystone.conf. Example:

    [catalog]
    driver = keystone.contrib.endpoint_filter.backends.catalog_sql.EndpointFilterCatalog

2. Add the new [endpoint_filter] section to ``keystone.conf``. Example:

    [endpoint_filter]
    # extension for creating associations between project and endpoints in order to
    # provide a tailored catalog for project-scoped token requests.
    driver = keystone.contrib.endpoint_filter.backends.sql.EndpointFilter
    # return_all_endpoints_if_no_filter = True

   optional: uncomment and set ``return_all_endpoints_if_no_filter``

3. Add the ``endpoint_filter_extension`` filter to the ``api_v3`` pipeline in ``keystone-paste.ini``. Example:

    [filter:endpoint_filter_extension]
    paste.filter_factory = keystone.contrib.endpoint_filter.routers:EndpointFilterExtension.factory

    [pipeline:api_v3]
    pipeline = access_log sizelimit url_normalize token_auth admin_token_auth xml_body json_body ec2_extension s3_extension endpoint_filter_extension service_v3

4. Create the endpoint filter extension tables if using the provided sql backend. Example::

    ./bin/keystone-manage db_sync --extension endpoint_filter

5. Once you have done the changes restart the keystone-server to apply the changes.

-----Original Message-----
From: Adam Young [mailto:ayo...@redhat.com]
Sent: Wednesday, October 09, 2013 1:35 PM
To: openstack-dev@lists.openstack.org
Subject: Re: [openstack-dev] Keystone OS-EP-FILTER descrepancy

We have improved the extension enumeration in Keystone. If you go to http://hostname:35357/v3 you should see a listing of the extensions that are enabled for that Keystone server.
[openstack-dev] Keystone OS-EP-FILTER descrepancy
Hello,

I am attempting to test the Havana v3 OS-EP-FILTER extension with the latest RC1 bits and I get a 404 error response. The documentation actually shows 2 different URIs for this API:

- GET /OS-EP-FILTER/projects/{project_id}/endpoints

and

http://identity:35357/v3/OS-FILTER/projects/{project_id}/endpoints

I have tried both OS-EP-FILTER and OS-FILTER with the same result. Does anyone have information as to what I am missing?

Regards,

Mark Miller

From the online documentation:

List Associations for Project: GET /OS-EP-FILTER/projects/{project_id}/endpoints

Returns all the endpoints that are currently associated with a specific project.

Response:

Status: 200 OK

    {
        "endpoints": [
            {
                "id": "--endpoint-id--",
                "interface": "public",
                "url": "http://identity:35357/",
                "region": "north",
                "links": {
                    "self": "http://identity:35357/v3/endpoints/--endpoint-id--"
                },
                "service_id": "--service-id--"
            },
            {
                "id": "--endpoint-id--",
                "interface": "internal",
                "region": "south",
                "url": "http://identity:35357/",
                "links": {
                    "self": "http://identity:35357/v3/endpoints/--endpoint-id--"
                },
                "service_id": "--service-id--"
            }
        ],
        "links": {
            "self": "http://identity:35357/v3/OS-FILTER/projects/{project_id}/endpoints",
            "previous": null,
            "next": null
        }
    }
Re: [openstack-dev] Keystone OS-EP-FILTER descrepancy
Here is the response from Fabio:

Mark,

Please have a look at the configuration.rst in the contrib/endpoint-filter folder. I pasted here for your convenience:

==================================
Enabling Endpoint Filter Extension
==================================

To enable the endpoint filter extension:

1. add the endpoint filter extension catalog driver to the ``[catalog]`` section in ``keystone.conf``. example::

    [catalog]
    driver = keystone.contrib.endpoint_filter.backends.catalog_sql.EndpointFilterCatalog

2. add the ``endpoint_filter_extension`` filter to the ``api_v3`` pipeline in ``keystone-paste.ini``. example::

    [pipeline:api_v3]
    pipeline = access_log sizelimit url_normalize token_auth admin_token_auth xml_body json_body ec2_extension s3_extension endpoint_filter_extension service_v3

3. create the endpoint filter extension tables if using the provided sql backend. example::

    ./bin/keystone-manage db_sync --extension endpoint_filter

4. optional: change ``return_all_endpoints_if_no_filter`` in the ``[endpoint_filter]`` section in ``keystone.conf`` to return an empty catalog if no associations are made. example::

    [endpoint_filter]
    return_all_endpoints_if_no_filter = False

Steps 1-3 are mandatory. Once you have done the changes restart the keystone-server to apply the changes.

The /v3/auth/tokens?nocatalog is to remove the catalog from the token creation. It is different from the filtering because it won't return any endpoint in the service catalog. The endpoint filter will return only the ones that you have associated with a particular project. Please bear in mind that this works only with scoped token (meaning where you pass a project id).
Re: [openstack-dev] Keystone OS-EP-FILTER descrepancy
Slightly adjusted instructions after testing:

To enable the endpoint filter extension:

1. Add the new [endpoint_filter] section to ``keystone.conf``. example:

    [endpoint_filter]
    # extension for creating associations between project and endpoints in order to
    # provide a tailored catalog for project-scoped token requests.
    driver = keystone.contrib.endpoint_filter.backends.sql.EndpointFilter
    # return_all_endpoints_if_no_filter = True

   optional: change ``return_all_endpoints_if_no_filter`` in the ``[endpoint_filter]`` section

2. Add the ``endpoint_filter_extension`` filter to the ``api_v3`` pipeline in ``keystone-paste.ini``. example:

    [filter:endpoint_filter_extension]
    paste.filter_factory = keystone.contrib.endpoint_filter.routers:EndpointFilterExtension.factory

    [pipeline:api_v3]
    pipeline = access_log sizelimit url_normalize token_auth admin_token_auth xml_body json_body ec2_extension s3_extension endpoint_filter_extension service_v3

3. Create the endpoint filter extension tables if using the provided sql backend. example::

    ./bin/keystone-manage db_sync --extension endpoint_filter

4. Once you have done the changes restart the keystone-server to apply the changes.
Re: [openstack-dev] Keystone OS-EP-FILTER descrepancy
Sorry to send this out again, but I wrote too soon. I was missing one driver entry in keystone.conf. Here are my working settings:

File keystone.conf:

    [catalog]
    # dynamic, sql-based backend (supports API/CLI-based management commands)
    #driver = keystone.catalog.backends.sql.Catalog
    driver = keystone.contrib.endpoint_filter.backends.catalog_sql.EndpointFilterCatalog

    # static, file-based backend (does *NOT* support any management commands)
    # driver = keystone.catalog.backends.templated.TemplatedCatalog

    template_file = default_catalog.templates

    [endpoint_filter]
    # extension for creating associations between project and endpoints in order to
    # provide a tailored catalog for project-scoped token requests.
    driver = keystone.contrib.endpoint_filter.backends.sql.EndpointFilter
    return_all_endpoints_if_no_filter = False

File keystone-paste.ini:

    [filter:endpoint_filter_extension]
    paste.filter_factory = keystone.contrib.endpoint_filter.routers:EndpointFilterExtension.factory

and

    [pipeline:api_v3]
    pipeline = access_log sizelimit url_normalize token_auth admin_token_auth xml_body json_body ec2_extension s3_extension oauth1_extension endpoint_filter_extension service_v3

Updated Installation instructions:

To enable the endpoint filter extension:

1. Add the new filter driver to the catalog section to keystone.conf. Example:

    [catalog]
    driver = keystone.contrib.endpoint_filter.backends.catalog_sql.EndpointFilterCatalog

2. Add the new [endpoint_filter] section to ``keystone.conf``. Example:

    [endpoint_filter]
    # extension for creating associations between project and endpoints in order to
    # provide a tailored catalog for project-scoped token requests.
    driver = keystone.contrib.endpoint_filter.backends.sql.EndpointFilter
    # return_all_endpoints_if_no_filter = True

   optional: uncomment and set ``return_all_endpoints_if_no_filter``

3. Add the ``endpoint_filter_extension`` filter to the ``api_v3`` pipeline in ``keystone-paste.ini``. Example:

    [filter:endpoint_filter_extension]
    paste.filter_factory = keystone.contrib.endpoint_filter.routers:EndpointFilterExtension.factory

    [pipeline:api_v3]
    pipeline = access_log sizelimit url_normalize token_auth admin_token_auth xml_body json_body ec2_extension s3_extension endpoint_filter_extension service_v3

4. Create the endpoint filter extension tables if using the provided sql backend. Example::

    ./bin/keystone-manage db_sync --extension endpoint_filter

5. Once you have done the changes restart the keystone-server to apply the changes.
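
Added example (not part of the thread and not Keystone code): a small Python checker for the configuration steps worked out in the messages above. It reads the text of ``keystone.conf`` and ``keystone-paste.ini``, reports which step is missing, and also flags ``return_all_endpoints_if_no_filter`` left at True, where a project with no associations still receives the full catalog. The function name, finding codes and sample files are constructed for illustration; the driver and factory paths are the ones posted in the thread.

```python
import configparser

# Driver and factory paths as posted in the thread.
CATALOG_DRIVER = "keystone.contrib.endpoint_filter.backends.catalog_sql.EndpointFilterCatalog"
FILTER_DRIVER = "keystone.contrib.endpoint_filter.backends.sql.EndpointFilter"
FILTER_FACTORY = "keystone.contrib.endpoint_filter.routers:EndpointFilterExtension.factory"
FILTER_NAME = "endpoint_filter_extension"


def _parse(text):
    # Only '=' delimits, so the ':' in the factory path stays in the value;
    # renaming default_section stops [DEFAULT] leaking into other sections.
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",),
                                   default_section="__unused__", strict=False)
    cp.read_string(text)
    return cp


def check_endpoint_filter(keystone_conf, paste_ini):
    """Return finding codes (hypothetical names); [] means every step is in place."""
    conf, paste = _parse(keystone_conf), _parse(paste_ini)
    found = []
    if conf.get("catalog", "driver", fallback=None) != CATALOG_DRIVER:
        found.append("catalog-driver")   # catalog is built without the filter
    if conf.get("endpoint_filter", "driver", fallback=None) != FILTER_DRIVER:
        found.append("filter-driver")
    # Assumption: unset means True, as in the commented-out line in the thread.
    if conf.getboolean("endpoint_filter", "return_all_endpoints_if_no_filter", fallback=True):
        found.append("fail-open")        # no associations -> full catalog returned
    factory = paste.get("filter:" + FILTER_NAME, "paste.filter_factory", fallback=None)
    if factory != FILTER_FACTORY:
        found.append("filter-factory")   # pipeline names a filter that is not defined
    stages = paste.get("pipeline:api_v3", "pipeline", fallback="").split()
    if (FILTER_NAME not in stages or "service_v3" not in stages
            or stages.index(FILTER_NAME) > stages.index("service_v3")):
        found.append("pipeline")         # extension is not wired in front of service_v3
    return found


# Constructed sample: the working settings from the thread.
GOOD_CONF = """
[catalog]
driver = keystone.contrib.endpoint_filter.backends.catalog_sql.EndpointFilterCatalog
[endpoint_filter]
driver = keystone.contrib.endpoint_filter.backends.sql.EndpointFilter
return_all_endpoints_if_no_filter = False
"""
GOOD_PASTE = """
[filter:endpoint_filter_extension]
paste.filter_factory = keystone.contrib.endpoint_filter.routers:EndpointFilterExtension.factory
[pipeline:api_v3]
pipeline = access_log sizelimit url_normalize token_auth admin_token_auth xml_body json_body
    ec2_extension s3_extension oauth1_extension endpoint_filter_extension service_v3
"""
# Constructed sample: stock catalog driver, flag left unset, [filter:...] section missing.
BAD_CONF = GOOD_CONF.replace(CATALOG_DRIVER, "keystone.catalog.backends.sql.Catalog").replace(
    "return_all_endpoints_if_no_filter = False",
    "# return_all_endpoints_if_no_filter = True")
BAD_PASTE = GOOD_PASTE[GOOD_PASTE.index("[pipeline:api_v3]"):]

if __name__ == "__main__":
    print("working:", check_endpoint_filter(GOOD_CONF, GOOD_PASTE))
    print("broken: ", check_endpoint_filter(BAD_CONF, BAD_PASTE))
```
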