Re: [openstack-dev] [Horizon][Keystone] Steps toward Kerberos and Federation

2014-09-04 Thread Jamie Lennox
On Thu, 2014-09-04 at 17:37 -0400, Adam Young wrote: While the Keystone team has made pretty good strides toward Federation for getting a Keystone token, we do not yet have a complete story for Horizon. The same is true about Kerberos. I've been working on this, and I want to inform the

Re: [openstack-dev] [all] [clients] [keystone] lack of retrying tokens leads to overall OpenStack fragility

2014-09-10 Thread Jamie Lennox
- Original Message - From: Steven Hardy sha...@redhat.com To: OpenStack Development Mailing List (not for usage questions) openstack-dev@lists.openstack.org Sent: Thursday, September 11, 2014 1:55:49 AM Subject: Re: [openstack-dev] [all] [clients] [keystone] lack of retrying

Re: [openstack-dev] [all] [clients] [keystone] lack of retrying tokens leads to overall OpenStack fragility

2014-09-11 Thread Jamie Lennox
, Jamie Lennox wrote: - Original Message - From: Steven Hardy sha...@redhat.com To: OpenStack Development Mailing List (not for usage questions) openstack-dev@lists.openstack.org Sent: Thursday, September 11, 2014 1:55:49 AM Subject: Re: [openstack-dev] [all] [clients] [keystone

Re: [openstack-dev] [all] [clients] [keystone] lack of retrying tokens leads to overall OpenStack fragility

2014-09-11 Thread Jamie Lennox
tokens leads to overall OpenStack fragility On Wed, Sep 10, 2014 at 08:46:45PM -0400, Jamie Lennox wrote: - Original Message - From: Steven Hardy sha...@redhat.com To: OpenStack Development Mailing List (not for usage questions) openstack-dev@lists.openstack.org Sent: Thursday

Re: [openstack-dev] masking X-Auth-Token in debug output - proposed consistency

2014-09-11 Thread Jamie Lennox
- Original Message - From: Travis S Tripp travis.tr...@hp.com To: OpenStack Development Mailing List (not for usage questions) openstack-dev@lists.openstack.org Sent: Friday, 12 September, 2014 10:30:53 AM Subject: [openstack-dev] masking X-Auth-Token in debug output - proposed

Re: [openstack-dev] [keystone] domain admin role query

2013-12-10 Thread Jamie Lennox
Using the default policies it will simply check for the admin role and not care about the domain that admin is limited to. This is partially a left over from the V2 api when there wasn't domains to worry about. A better example of policies are in the file etc/policy.v3cloudsample.json. In

Re: [openstack-dev] [Nova] Support for Pecan in Nova

2013-12-18 Thread Jamie Lennox
I attempted this in keystone as part of a very simple extension [1]. I understand that it is a much simpler case but nesting the Pecan within the existing routing infrastructure, rather than have a single Pecan app was fairly simple (though there are some limiting situations). Any reason you

[openstack-dev] [wsme] Undefined attributes in WSME

2014-01-08 Thread Jamie Lennox
Is there any way to have WSME pass through arbitrary attributes to the created object? There is nothing that i can see in the documentation or code that would seem to support this. In keystone we have the situation where arbitrary data was able to be attached to our resources. For example

Re: [openstack-dev] [wsme] Undefined attributes in WSME

2014-01-09 Thread Jamie Lennox
On Thu, 2014-01-09 at 11:16 +0100, Julien Danjou wrote: On Thu, Jan 09 2014, Jamie Lennox wrote: Is there any way to have WSME pass through arbitrary attributes to the created object? There is nothing that i can see in the documentation or code that would seem to support

Re: [openstack-dev] [wsme] Undefined attributes in WSME

2014-01-12 Thread Jamie Lennox
On Fri, 2014-01-10 at 10:23 -0500, Doug Hellmann wrote: On Thu, Jan 9, 2014 at 12:02 AM, Jamie Lennox jamielen...@redhat.com wrote: Is there any way to have WSME pass through arbitrary attributes to the created object? There is nothing that i can see

Re: [openstack-dev] [wsme] Undefined attributes in WSME

2014-01-13 Thread Jamie Lennox
On Mon, 2014-01-13 at 10:05 -0500, Doug Hellmann wrote: On Sun, Jan 12, 2014 at 6:33 PM, Jamie Lennox jamielen...@redhat.com wrote: On Fri, 2014-01-10 at 10:23 -0500, Doug Hellmann wrote: On Thu, Jan 9, 2014 at 12:02 AM, Jamie

Re: [openstack-dev] a common client library

2014-01-17 Thread Jamie Lennox
I can't see any reason that all of these situations can't be met. We can finally take the openstack pypi namespace, move keystoneclient - openstack.keystone and similar for the other projects. Have them all based upon openstack.base and probably an openstack.transport for transport. For the

Re: [openstack-dev] a common client library

2014-01-19 Thread Jamie Lennox
with a team responsible for managing consistency in the UI. Doug This *is* the approach Dean took with the CLI. Have a package that provides the CLI but then have the actual work handed off to the individual clients (with quite a lot of glue). On Sat, Jan 18, 2014 at 1:00 AM, Jamie Lennox jamielen

Re: [openstack-dev] a common client library

2014-01-21 Thread Jamie Lennox
don't do this here - the thread is way too deep already. If we get into discussing individual points let's do one question per thread and prefix the emails with [client] or something to tie it all together - Original Message - From: Alexei Kornienko alexei.kornie...@gmail.com To:

Re: [openstack-dev] [keystone][heat] Migration to keystone v3 API questions

2014-01-27 Thread Jamie Lennox
- Original Message - From: Steven Hardy sha...@redhat.com To: openstack-dev@lists.openstack.org Sent: Thursday, 23 January, 2014 9:21:47 PM Subject: [openstack-dev] [keystone][heat] Migration to keystone v3 API questions Hi all, I've recently been working on migrating

Re: [openstack-dev] Ugly Hack to deal with multiple versions

2014-02-04 Thread Jamie Lennox
- Original Message - From: Dean Troyer dtro...@gmail.com To: OpenStack Development Mailing List (not for usage questions) openstack-dev@lists.openstack.org Sent: Tuesday, February 4, 2014 9:31:57 AM Subject: Re: [openstack-dev] Ugly Hack to deal with multiple versions On Mon,

Re: [openstack-dev] Ugly Hack to deal with multiple versions

2014-02-04 Thread Jamie Lennox
- Original Message - From: Adam Young ayo...@redhat.com To: openstack-dev@lists.openstack.org Sent: Wednesday, February 5, 2014 2:29:18 AM Subject: Re: [openstack-dev] Ugly Hack to deal with multiple versions On 02/04/2014 11:09 AM, Dean Troyer wrote: On Tue, Feb 4, 2014 at 9:00

Re: [openstack-dev] [keystone] Integrating with 3rd party DB

2014-02-07 Thread Jamie Lennox
- Original Message - From: Noorul Islam K M noo...@noorul.com To: Dolph Mathews dolph.math...@gmail.com Cc: OpenStack Development Mailing List (not for usage questions) openstack-dev@lists.openstack.org Sent: Friday, 7 February, 2014 2:00:34 PM Subject: Re: [openstack-dev]

Re: [openstack-dev] [keystone] Integrating with 3rd party DB

2014-02-07 Thread Jamie Lennox
- Original Message - From: Noorul Islam K M noo...@noorul.com To: Jamie Lennox jamielen...@redhat.com Cc: OpenStack Development Mailing List (not for usage questions) openstack-dev@lists.openstack.org Sent: Friday, 7 February, 2014 7:13:20 PM Subject: Re: [openstack-dev] [keystone

[openstack-dev] Version Discovery Standardization

2014-02-13 Thread Jamie Lennox
Hi all, I am one of i think a number of efforts trying to make clients be interoperable between different versions of an API. What i would like to talk about specifically here are the inconsistencies in the version listing of the different servers when you query the root GET '/' and GET '/vX'

Re: [openstack-dev] Version Discovery Standardization

2014-02-16 Thread Jamie Lennox
On Thu, 2014-02-13 at 19:35 -0700, Christopher Yeoh wrote: On Thu, 13 Feb 2014 21:10:01 -0500 Sean Dague s...@dague.net wrote: On 02/13/2014 08:28 PM, Christopher Yeoh wrote: On Thu, 13 Feb 2014 15:54:23 -0500 Sean Dague s...@dague.net wrote: So one question I have around a

Re: [openstack-dev] Version Discovery Standardization

2014-02-16 Thread Jamie Lennox
, but I've been using it as a sanity check for the discovery bits in OSC. Yes, i've seen that one. It's more client side how we should work with it though. If we can standardize the server side response then the client side becomes much more reusable. On Thu, Feb 13, 2014 at 6:50 AM, Jamie Lennox

Re: [openstack-dev] Version Discovery Standardization

2014-02-16 Thread Jamie Lennox
On Thu, 2014-02-13 at 08:37 -0500, Sean Dague wrote: On 02/13/2014 07:50 AM, Jamie Lennox wrote: Hi all, I am one of i think a number of efforts trying to make clients be interoperable between different versions of an API. What i would like to talk about specifically here

Re: [openstack-dev] Version Discovery Standardization

2014-02-16 Thread Jamie Lennox
On Mon, 2014-02-17 at 16:09 +1000, Jamie Lennox wrote: On Thu, 2014-02-13 at 08:37 -0500, Sean Dague wrote: On 02/13/2014 07:50 AM, Jamie Lennox wrote: Hi all, I am one of i think a number of efforts trying to make clients be interoperable between different versions of an API

[openstack-dev] [python-openstacksdk] Sessions and keystoneclient

2014-02-23 Thread Jamie Lennox
I promised Jesse after the openstack-sdk meeting that I would do a write up of the direction of keystoneclient's auth plugins and Sessions. Have a look here: http://www.jamielennox.net/blog/2014/02/24/client-session-objects/ I know that this is different to the way Dean was looking at using

Re: [openstack-dev] [Keystone] python-keystoneclient v3 functionality

2014-03-31 Thread Jamie Lennox
On Tue, 2014-04-01 at 11:53 +0800, Yaguang Tang wrote: Hi all, I am sorry if this has been discussed before, the question is will we support keystone v3 operation in python-keystoneclient? I know most of the v3 functionality have been implemented in python-openstackclient, but from the

Re: [openstack-dev] [Keystone] python-keystoneclient v3 functionality

2014-04-02 Thread Jamie Lennox
that the clients will move (at there own pace) to using openstackclient for there CLI, but openstackclient will still rely on the various libraries to do the actual communication with services. Jamie 2014-04-01 12:08 GMT+08:00 Jamie Lennox jamielen...@redhat.com : On Tue, 2014-04-01

Re: [openstack-dev] [keystoneclient] self-signed keystone not accessible from other services

2013-10-14 Thread Jamie Lennox
On Mon, 2013-10-14 at 18:36 -0700, Bhuvan Arumugam wrote: Just making sure i'm not the only one facing this problem. https://bugs.launchpad.net/nova/+bug/1239894 Yep, we thought this may raise some issues but insecure by default was just not acceptable. keystoneclient v0.4.0 was released

Re: [openstack-dev] Keystone TLS Question

2013-10-25 Thread Jamie Lennox
Yes keystone can run under SSL using the eventlet server. Look for the ssl section in keystone.conf https://github.com/openstack/keystone/blob/master/etc/keystone.conf.sample#L296 You'll want to set enabled, certfile and keyfile, from memory ca_certs is to do with client side certs. Jamie

Re: [openstack-dev] [keystone] Support for external authentication (i.e. REMOTE_USER) in Havana

2013-10-30 Thread Jamie Lennox
to keystone client. There was some movement to port this to [2] but the change was abandoned in favour of a more complex solutions: one that never came in (oslo [3]) and another from Jamie Lennox in [4] that is still a WIP. [1] https://review.openstack.org/#/c/23820/ [2] https://review.openstack.org

Re: [openstack-dev] [heat][keystone] APIs, roles, request scope and admin-ness

2013-11-06 Thread Jamie Lennox
On Wed, 2013-11-06 at 06:16 +0800, Clint Byrum wrote: Excerpts from Steven Hardy's message of 2013-11-03 00:06:39 +0800: Hi all, Looking to start a wider discussion, prompted by: https://review.openstack.org/#/c/54651/ https://blueprints.launchpad.net/heat/+spec/management-api

Re: [openstack-dev] How to stage client major releases in Gerrit?

2013-11-20 Thread Jamie Lennox
On Wed, 2013-11-20 at 15:17 -0800, Clint Byrum wrote: Excerpts from Mark Washenberger's message of 2013-11-20 10:14:42 -0800: Hi folks, The project python-glanceclient is getting close to needing a major release in order to finally remove some long-deprecated features, and to make some

Re: [openstack-dev] [Swift] Server Side Encryption

2013-11-20 Thread Jamie Lennox
On Wed, 2013-11-20 at 13:26 +0200, David Hadas wrote: Hi all, We created a wiki page discussing the addition of software side encryption to Swift: The general scheme is to create a swift proxy middleware that will encrypt and sign the object data during PUT and check the signature + decrypt

Re: [openstack-dev] [keystone][py3] Usage of httpretty

2013-11-20 Thread Jamie Lennox
for requests or some other transport to make HTTP requests to we don't need to refactor every one of the mock/mox subouts to match the exact set of parameters to be passed. Httpretty makes managing this significantly easier (hence was the reasoning to move towards it). Though, I'm sure Jamie Lennox

Re: [openstack-dev] [Keystone][Oslo] Future of Key Distribution Server, Trusted Messaging

2013-11-21 Thread Jamie Lennox
So i've a feeling that this was proposed and dismissed once before. I don't remember why. So my concern with barbican is that i'm under the impression that barbican was going to be an 'overcloud' service. That's a really bad way of putting it, but it is service and user facing and discovered via

Re: [openstack-dev] [Nova][Glance] Support of v1 and v2 glance APIs in Nova

2013-11-24 Thread Jamie Lennox
On Fri, 2013-11-22 at 20:07 -0600, Matt Riedemann wrote: On Friday, November 22, 2013 5:52:17 PM, Russell Bryant wrote: On 11/22/2013 06:01 PM, Christopher Yeoh wrote: On Sat, Nov 23, 2013 at 8:33 AM, Matt Riedemann mrie...@linux.vnet.ibm.com mailto:mrie...@linux.vnet.ibm.com wrote:

Re: [openstack-dev] [Keystone][Marconi][Oslo] Discoverable home document for APIs (Was: Re: [Nova][Glance] Support of v1 and v2 glance APIs in Nova)

2013-11-25 Thread Jamie Lennox
/13 09:28 +1000, Jamie Lennox wrote: So the way we have this in keystone at least is that querying GET / will return all available API versions and querying /v2.0 for example is a similar result with just the v2 endpoint. So you can hard pin a version by using the versioned URL. I spoke

Re: [openstack-dev] [Keystoneclient] [Keystone] Last released version of keystoneclient does not work with python33

2013-12-04 Thread Jamie Lennox
Adrian, The main blocker for the time being with keystoneclient and py3 is our use of a library called HTTPretty in our testing - on which there is a very recent thread. There is upstream work to make this py3 compatible but i'm not sure how quickly it's moving. Any code in keystoneclient

Re: [openstack-dev] [Keystoneclient] [Keystone] [Solum] Last released version of keystoneclient does not work with python33

2013-12-04 Thread Jamie Lennox
with the upstream work. At the very least, it might be nice to have some understanding of how much work there is to be done in HTTPretty. Cheers, Adrian On Dec 4, 2013, at 3:29 PM, Jamie Lennox jamielen...@redhat.com wrote: Adrian, The main blocker for the time being

Re: [openstack-dev] [Keystoneclient] [Keystone] [Solum] Last released version of keystoneclient does not work with python33

2013-12-04 Thread Jamie Lennox
On Wed, 2013-12-04 at 20:48 -0500, David Stanek wrote: On Wed, Dec 4, 2013 at 6:44 PM, Adrian Otto adrian.o...@rackspace.com wrote: Jamie, Thanks for the guidance here. I am checking to see if any of our developers might take an interest in helping with the

Re: [openstack-dev] [Keystoneclient] [Keystone] [Solum] Last released version of keystoneclient does not work with python33

2013-12-05 Thread Jamie Lennox
:17 PM (GMT-08:00) To: Jamie Lennox ,OpenStack Development Mailing List (not for usage questions) Subject: Re: [openstack-dev] [Keystoneclient] [Keystone] [Solum] Last released version of keystoneclient does not work with python33 On December 4, 2013 at 18:05:07, Jamie Lennox (jamielen

Re: [openstack-dev] [nova][cinder][ceilometer][glance][all] Loading clients from a CONF object

2014-06-11 Thread Jamie Lennox
On Thu, 2014-06-12 at 09:13 +1200, Steve Baker wrote: On 12/06/14 08:18, Mark McLoughlin wrote: On Wed, 2014-06-11 at 16:57 +1200, Steve Baker wrote: On 11/06/14 15:07, Jamie Lennox wrote: Among the problems cause by the inconsistencies in the clients is that all the options

Re: [openstack-dev] [nova][cinder][ceilometer][glance][all] Loading clients from a CONF object

2014-06-11 Thread Jamie Lennox
On Wed, 2014-06-11 at 04:43 +, Angus Salkeld wrote: On 11/06/14 13:10, Jamie Lennox wrote: Among the problems cause by the inconsistencies in the clients is that all the options that are required to create a client need to go into the config file of the service. This is a pain

Re: [openstack-dev] [nova][cinder][ceilometer][glance][all] Loading clients from a CONF object

2014-06-12 Thread Jamie Lennox
On Wed, 2014-06-11 at 19:52 -0400, Sean Dague wrote: On 06/11/2014 07:47 PM, Jamie Lennox wrote: On Thu, 2014-06-12 at 09:13 +1200, Steve Baker wrote: On 12/06/14 08:18, Mark McLoughlin wrote: On Wed, 2014-06-11 at 16:57 +1200, Steve Baker wrote: On 11/06/14 15:07, Jamie Lennox wrote

Re: [openstack-dev] [Openstack-security] [Barbican][OSSG][Keystone] Mid-Cycle Meetup

2014-06-12 Thread Jamie Lennox
On Thu, 2014-06-12 at 16:29 -0700, Valerie Anne Fenwick wrote: Hi FOlks I haven't seen anymore on this. Is this happening? If so, are there more details? (location, agenda, etc). Thanks! Details: http://dolphm.com/openstack-keystone-hackathon-for-juno/ I think the agenda will be pushing

Re: [openstack-dev] [Openstack-security] [Barbican][OSSG][Keystone] Mid-Cycle Meetup

2014-06-12 Thread Jamie Lennox
- Original Message - From: Jamie Lennox jamielen...@redhat.com To: OpenStack Development Mailing List (not for usage questions) openstack-dev@lists.openstack.org Sent: Friday, June 13, 2014 12:28:25 PM Subject: Re: [openstack-dev] [Openstack-security] [Barbican][OSSG][Keystone

Re: [openstack-dev] Creating new python-new_project_nameclient

2014-06-26 Thread Jamie Lennox
On Wed, 2014-06-25 at 22:42 -0500, Dean Troyer wrote: On Wed, Jun 25, 2014 at 10:18 PM, Aaron Rosen aaronoro...@gmail.com wrote: I'm looking at creating a new python-new_project_nameclient and I was wondering if there was any on going effort to share code between the

Re: [openstack-dev] [Keystone] Removed admin role from admin user/tenant, can't add back

2014-07-24 Thread Jamie Lennox
On Thu, 2014-07-24 at 22:44 +, Pendergrass, Eric wrote: In an effort to test ceilometer roles I removed the admin role from the admin tenant and user. Now I can’t add it back since I don’t have a user/tenant combo with the admin role: keystone user-role-add --role

Re: [openstack-dev] [infra]Requesting consideration of httmock package for test-requirements in Juno

2014-04-08 Thread Jamie Lennox
- Original Message - From: Paul Michali (pcm) p...@cisco.com To: OpenStack Development Mailing List (not for usage questions) openstack-dev@lists.openstack.org Cc: jamielen...@gmail.com Sent: Wednesday, April 9, 2014 12:09:58 AM Subject: [openstack-dev] [infra]Requesting

Re: [openstack-dev] [infra]Requesting consideration of httmock package for test-requirements in Juno

2014-04-09 Thread Jamie Lennox
package for test-requirements in Juno On Apr 8, 2014, at 3:04 PM, Jamie Lennox jamielen...@redhat.com wrote: - Original Message - From: Paul Michali (pcm) p...@cisco.com To: OpenStack Development Mailing List (not for usage questions) openstack-dev@lists.openstack.org

Re: [openstack-dev] [infra]Requesting consideration of httmock package for test-requirements in Juno

2014-04-14 Thread Jamie Lennox
On Fri, 2014-04-11 at 13:29 +, Paul Michali (pcm) wrote: See inline @PCM… On Apr 9, 2014, at 5:56 PM, Jamie Lennox jamielen...@redhat.com wrote: - Original Message - From: Paul Michali (pcm) p...@cisco.com To: OpenStack Development Mailing List (not for usage

Re: [openstack-dev] [Keystone] keystoneclient and project-less v3 tokens

2014-04-27 Thread Jamie Lennox
On Thu, 2014-04-17 at 19:58 +0300, Roman Bodnarchuk wrote: Hello, I am trying to make sure that a user can't do anything useful with an unscoped token, and got to the following code in keystoneclient.middleware.auth_token: if _token_is_v2(token_info) and not

[openstack-dev] [nova] Consuming keystoneclient's Session object in novaclient

2014-05-06 Thread Jamie Lennox
All, TL;DR: novaclient should be able to use the common transport/auth layers of keystoneclient. If it does there are going to be functions like client.authenticate() that won't operate the same way when a session object is passed. For most users who just use the CRUD operations there will be

Re: [openstack-dev] [nova] Consuming keystoneclient's Session object in novaclient

2014-05-07 Thread Jamie Lennox
: On Tue, May 6, 2014 at 3:22 PM, Jamie Lennox jamielen...@redhat.com mailto:jamielen...@redhat.com wrote: All, TL;DR: novaclient should be able to use the common transport/auth layers of keystoneclient. If it does there are going to be functions like client.authenticate

Re: [openstack-dev] [nova] Consuming keystoneclient's Session object in novaclient

2014-05-14 Thread Jamie Lennox
in novaclient On Wed, May 7, 2014 at 7:54 PM, Jamie Lennox jamielen...@redhat.com wrote: - Original Message - From: Monty Taylor mord...@inaugust.com To: openstack-dev@lists.openstack.org Sent: Thursday, May 8, 2014 8:22:21 AM Subject: Re: [openstack-dev] [nova

[openstack-dev] [Keystone] ARBAC Resources

2014-05-19 Thread Jamie Lennox
These are the ARBAC documents that came up in our meeting with Shawn McKinney at Summit: 1. OpenStack RBAC proposal slide deck http://people.redhat.com/jlennox/OpenStackRbacProposal2014.pdf 2. ANSI RBAC (INCITS 359-2004) Specification document:

[openstack-dev] [nova][cinder][ceilometer][glance][all] Loading clients from a CONF object

2014-06-10 Thread Jamie Lennox
Among the problems cause by the inconsistencies in the clients is that all the options that are required to create a client need to go into the config file of the service. This is a pain to configure from the server side and can result in missing options as servers fail to keep up. With the

Re: [openstack-dev] Horizon and Keystone: API Versions and Discovery

2014-10-20 Thread Jamie Lennox
- Original Message - From: Dolph Mathews dolph.math...@gmail.com To: OpenStack Development Mailing List (not for usage questions) openstack-dev@lists.openstack.org Sent: Tuesday, October 7, 2014 6:56:15 PM Subject: Re: [openstack-dev] Horizon and Keystone: API Versions and

Re: [openstack-dev] [Keystone] Question regarding Service Catalog and Identity entries...

2014-10-20 Thread Jamie Lennox
- Original Message - From: Ben Meyer ben.me...@rackspace.com To: openstack-dev@lists.openstack.org Cc: Jamie Painter jamie.pain...@rackspace.com Sent: Tuesday, October 7, 2014 4:31:16 PM Subject: [openstack-dev] [Keystone] Question regarding Service Catalog and Identity

Re: [openstack-dev] [all][policy][keystone] Better Policy Model and Representing Capabilites

2014-10-20 Thread Jamie Lennox
- Original Message - From: Nathan Kinder nkin...@redhat.com To: openstack-dev@lists.openstack.org Sent: Tuesday, October 14, 2014 2:25:35 AM Subject: Re: [openstack-dev] [all][policy][keystone] Better Policy Model and Representing Capabilites On 10/13/2014 01:17 PM, Morgan

Re: [openstack-dev] Horizon and Keystone: API Versions and Discovery

2014-10-21 Thread Jamie Lennox
and Discovery On Mon, Oct 20, 2014 at 7:04 AM, Jamie Lennox jamielen...@redhat.com wrote: - Original Message - From: Dolph Mathews dolph.math...@gmail.com To: OpenStack Development Mailing List (not for usage questions) openstack-dev@lists.openstack.org Sent: Tuesday

Re: [openstack-dev] [Keystone] Question regarding Service Catalog and Identity entries...

2014-10-21 Thread Jamie Lennox
- Original Message - From: Ben Meyer ben.me...@rackspace.com To: openstack-dev@lists.openstack.org Sent: Monday, October 20, 2014 3:53:39 PM Subject: Re: [openstack-dev] [Keystone] Question regarding Service Catalog andIdentity entries... On 10/20/2014 08:12 AM, Jamie

[openstack-dev] [oslo][kite] oslo.messaging changes for message security

2014-11-13 Thread Jamie Lennox
Hi all, To implement kite we need the ability to sign and encrypt the message and the message data. This needs to happen at a very low level in the oslo.messaging stack. The existing message security review (https://review.openstack.org/#/c/109806/) isn't going to be sufficient. It allows us to

[openstack-dev] [keystone][oslo] Handling contexts and policy enforcement in services

2014-11-30 Thread Jamie Lennox
TL;DR: I think we can handle most of oslo.context with some additions to auth_token middleware and simplify policy enforcement (from a service perspective) at the same time. There is currently a push to release oslo.context as a library, for reference:

Re: [openstack-dev] swift keystone failing in devstack

2013-06-25 Thread Jamie Lennox
On Tue, 2013-06-25 at 09:30 -0600, Pete Zaitcev wrote: On Tue, 25 Jun 2013 08:50:49 +0100 Michael Kerrin michael.ker...@hp.com wrote: we raised a bug https://bugs.launchpad.net/devstack/+bug/1193112 where the $ /opt/stack/swift/bin/swift-proxy-server /etc/swift/proxy-server.conf -v

Re: [openstack-dev] Http library usage by clients

2013-06-27 Thread Jamie Lennox
On Fri, 2013-06-28 at 07:01 +1200, Robert Collins wrote: On 27 June 2013 04:55, Adam Young ayo...@redhat.com wrote: Right now Keystone provides so called bearer tokens: This means that whoever has a token can do whatever the token entitles him to do. If I manage to get somebody's token I

Re: [openstack-dev] Http library usage by clients

2013-06-27 Thread Jamie Lennox
On Thu, 2013-06-27 at 16:35 +0200, Thierry Carrez wrote: Adam Young wrote: Right now Keystone provides so called bearer tokens: This means that whoever has a token can do whatever the token entitles him to do. If I manage to get somebody's token I can do whatever this person is able to do.

Re: [openstack-dev] [Openstack] Keystone store-quota-data blueprint

2013-07-01 Thread Jamie Lennox
On Tue, 2013-07-02 at 02:03 +, Everett Toews wrote: This topic came up at the last summit in Portland at [1] and [2]. Yehia and another colleague of his from HP had a design that was discussed and it seemed like they were going to start work on it. Another developer from CERN expressed

Re: [openstack-dev] [Keystone] Best way to do something MySQL-specific?

2013-07-08 Thread Jamie Lennox
On Mon, 2013-07-08 at 21:55 -0400, Adam Young wrote: Tokens are, for the most part, immutable. Once they are written, they don't change except if they get revoked. This is a fairly rare occurance, but it does happen. Deleting tokens based on age should be fairly straight forward, and

Re: [openstack-dev] Proposal for API version discovery

2013-07-23 Thread Jamie Lennox
On Thu, 2013-05-02 at 00:46 +, Gabriel Hurley wrote: Based on input from several of the PTLs (and others), I'd like to propose the following outline for how version discovery should be handled across heterogeneous clouds: https://etherpad.openstack.org/api-version-discovery-proposal

Re: [openstack-dev] Proposal for API version discovery

2013-07-27 Thread Jamie Lennox
, Jamie Lennox jlen...@redhat.com wrote: On Thu, 2013-05-02 at 00:46 +, Gabriel Hurley wrote: Based on input from several of the PTLs (and others), I'd like to propose the following outline for how version discovery should be handled across heterogeneous clouds: https

Re: [openstack-dev] [Keystone] Alembic support

2013-07-28 Thread Jamie Lennox
- Original Message - From: Doug Hellmann doug.hellm...@dreamhost.com To: OpenStack Development Mailing List openstack-dev@lists.openstack.org Sent: Saturday, 27 July, 2013 4:15:53 AM Subject: Re: [openstack-dev] [Keystone] Alembic support On Fri, Jul 26, 2013 at 2:04 PM,

[openstack-dev] [Keystone] V3 Extensions Discoverability

2013-08-05 Thread Jamie Lennox
Hi all, Partially in response to the trusts API review in keystoneclient (https://review.openstack.org/#/c/39899/ ) and my work on keystone API version discoverability (spell-check disagrees but I'm going to assume that's a word - https://review.openstack.org/#/c/38414/ ) I was thinking about

Re: [openstack-dev] Proposing Morgan Fainberg for keystone-core

2013-08-06 Thread Jamie Lennox
+1 On Tue, 2013-08-06 at 14:20 -0500, Dolph Mathews wrote: Through feedback on code reviews and blueprints, Morgan clearly has the best interests of the project itself in mind. I'd love for his votes to carry a bit more weight! https://review.openstack.org/#/dashboard/2903 Respond

Re: [openstack-dev] [Keystone] V3 Extensions Discoverability

2013-08-06 Thread Jamie Lennox
:19 AM, Jamie Lennox wrote: Hi all, Partially in response to the trusts API review in keystoneclient (https://review.openstack.org/#/c/39899/ ) and my work on keystone API version discoverability (spell-check disagrees but I'm

Re: [openstack-dev] [keystone] Pagination

2013-08-12 Thread Jamie Lennox
I'm not sure where it would make sense within the API to return the name of the page/per_page variables to the client that doesn't involve having already issued the call (ie returning the names within the links box means you've already issued the query). If we standardize on the page/per_page

[openstack-dev] [Keystone] Enforcing cert validation in auth_token middleware

2013-09-11 Thread Jamie Lennox
With the aim of replacing httplib and cert validation with requests[1] I've put forward the following review to use the requests library for auth_token middleware. https://review.openstack.org/#/c/34161/ This adds 2 new config options. - The ability to provide CAs to validate https connections

Re: [openstack-dev] Client and Policy

2013-09-20 Thread Jamie Lennox
(Resend this as i realize it didn't get to the list) I just want to clarify where some of this discussion came from. I actually think that oslo does a great job at keeping so many project up to date with common code without the restrictions that going to a library straight away. The problem is

[openstack-dev] [Keystone] Client Auth Plugins and changes in how clients communicate.

2013-10-01 Thread Jamie Lennox
All, So I wrote out an article the other day on the background to the keystoneclient changes that I've been trying to get through. Please take a look: http://www.jamielennox.net/blog/2013/09/27/apiclient-communications/ I'm hoping that it gives a better understanding of the concepts and

Re: [openstack-dev] [python-cinderclient] Return request ID to caller

2014-12-17 Thread Jamie Lennox
- Original Message - From: Abhijeet Malawade abhijeet.malaw...@nttdata.com To: openstack-dev@lists.openstack.org Sent: Friday, 12 December, 2014 3:54:04 PM Subject: [openstack-dev] [python-cinderclient] Return request ID to caller HI, I want your thoughts on blueprint

Re: [openstack-dev] [all] Lets not assume everyone is using the global `CONF` object (zaqar broken by latest keystoneclient release 1.0)

2014-12-21 Thread Jamie Lennox
- Original Message - From: Doug Hellmann d...@doughellmann.com To: OpenStack Development Mailing List (not for usage questions) openstack-dev@lists.openstack.org Sent: Saturday, 20 December, 2014 12:07:59 AM Subject: Re: [openstack-dev] [all] Lets not assume everyone is using the

Re: [openstack-dev] [Keystone] Nominating Brad Topol for Keystone-Spec core

2015-01-18 Thread Jamie Lennox
+1 - Original Message - From: Morgan Fainberg morgan.fainb...@gmail.com To: OpenStack Development Mailing List (not for usage questions) openstack-dev@lists.openstack.org Sent: Monday, 19 January, 2015 5:11:02 AM Subject: [openstack-dev] [Keystone] Nominating Brad Topol for

Re: [openstack-dev] [keystone] [trusts] [all] How trusts should work by design?

2015-02-16 Thread Jamie Lennox
- Original Message - From: Alexander Makarov amaka...@mirantis.com To: OpenStack Development Mailing List (not for usage questions) openstack-dev@lists.openstack.org Sent: Tuesday, 17 February, 2015 4:00:05 AM Subject: Re: [openstack-dev] [keystone] [trusts] [all] How trusts should

Re: [openstack-dev] [Keystone] [devstack] About _member_ role

2015-02-17 Thread Jamie Lennox
- Original Message - From: Pasquale Porreca pasquale.porr...@dektech.com.au To: OpenStack Development Mailing List (not for usage questions) openstack-dev@lists.openstack.org Sent: Tuesday, 17 February, 2015 9:07:14 PM Subject: [openstack-dev] [Keystone] [devstack] About _member_

Re: [openstack-dev] [Keystone] Proposing Marek Denis for the Keystone Core Team

2015-02-10 Thread Jamie Lennox
+1 - Original Message - From: Guang Yee guang@hp.com To: OpenStack Development Mailing List (not for usage questions) openstack-dev@lists.openstack.org Sent: Wednesday, 11 February, 2015 10:45:07 AM Subject: Re: [openstack-dev] [Keystone] Proposing Marek Denis for the Keystone

Re: [openstack-dev] [keystone][congress][group-policy] Fetching policy from a remote source

2015-03-16 Thread Jamie Lennox
- Original Message - From: Adam Young ayo...@redhat.com To: openstack-dev@lists.openstack.org Sent: Tuesday, March 17, 2015 8:59:17 AM Subject: Re: [openstack-dev] [keystone][congress][group-policy] Fetching policy from a remote source On 03/16/2015 03:24 PM, Doug Hellmann

[openstack-dev] [Horizon][DOA] Extending OpenStack Auth for new mechanisms (websso, kerberos, k2k etc)

2015-03-15 Thread Jamie Lennox
Hi All, Please note when reading this that I have no real knowledge of django so it is very possible I'm overlooking something obvious. ### Issue Django OpenStack Auth (DOA) has always been tightly coupled to the notion of a username and password. As keystone progresses and new authentication

Re: [openstack-dev] [Horizon][DOA] Extending OpenStack Auth for new mechanisms (websso, kerberos, k2k etc)

2015-03-17 Thread Jamie Lennox
, and could easily be tweaked to use a token plugin (when it's ready). I think the same can be said for our k2k issue, but I'm not sure. Thanks, Steve Martinelli OpenStack Keystone Core Jamie Lennox jamielen...@redhat.com wrote on 03/15/2015 10:52:31 PM: From: Jamie Lennox jamielen

Re: [openstack-dev] [Keystone] [devstack] About _member_ role

2015-02-26 Thread Jamie Lennox
On 02/17/15 21:01, Jamie Lennox wrote: - Original Message - From: Pasquale Porreca pasquale.porr...@dektech.com.au To: OpenStack Development Mailing List (not for usage questions) openstack-dev@lists.openstack.org Sent: Tuesday, 17 February, 2015 9:07:14 PM Subject: [openstack

Re: [openstack-dev] Kerberos in OpenStack

2015-02-24 Thread Jamie Lennox
I replied to almost exactly this email off-list and so thought i would copy my reply to -dev. - Original Message - From: Jamie Lennox jamielen...@redhat.com To: Sanket Lawangare sanket.lawang...@gmail.com Sent: Wednesday, February 25, 2015 6:39:14 AM Subject: Re: Kerberos

Re: [openstack-dev] ERROR: openstackclient.shell Exception raised: python-keystoneclient 1.4.0

2015-04-26 Thread Jamie Lennox
Rick, This is a problem of dependency resolution rather than an issue of keystoneclient specifically. You can see that glanceclient has a cap on keystoneclient that the installed version doesn't meet. Dependency resolution has always been a problem but is raising its head again recently. If

Re: [openstack-dev] [Neutron][Keystone] [Nova] How to validate teanant-id for admin operation

2015-04-26 Thread Jamie Lennox
- Original Message - From: German Eichberger german.eichber...@hp.com To: OpenStack Development Mailing List (not for usage questions) openstack-dev@lists.openstack.org Sent: Saturday, 25 April, 2015 8:55:23 AM Subject: Re: [openstack-dev] [Neutron][Keystone] [Nova] How to validate

[openstack-dev] [TC][Keystone] Rehashing the Pecan/Falcon/other WSGI debate

2015-05-01 Thread Jamie Lennox
Hi all, At around the time Barbican was applying for incubation there was a discussion about supported WSGI frameworks. From memory the decision at the time was that Pecan was to be the only supported framework and that for incubation Barbican had to convert to Pecan (from Falcon). Keystone is

Re: [openstack-dev] [heat][python-heatclient] Does python-heatclient works with keystone sessions?

2015-05-08 Thread Jamie Lennox
- Original Message - From: Jay Reslock jresl...@gmail.com To: OpenStack Development Mailing List (not for usage questions) openstack-dev@lists.openstack.org Sent: Friday, May 8, 2015 7:42:50 AM Subject: Re: [openstack-dev] [heat][python-heatclient] Does python-heatclient works

Re: [openstack-dev] [keystone][clients] - Should we implement project to endpoint group?

2015-05-10 Thread Jamie Lennox
- Original Message - From: Enrique Garcia garcianava...@gmail.com To: OpenStack Development Mailing List (not for usage questions) openstack-dev@lists.openstack.org Sent: Monday, May 11, 2015 2:19:43 AM Subject: Re: [openstack-dev] [keystone][clients] - Should we implement

Re: [openstack-dev] [heat][python-heatclient] Does python-heatclient works with keystone sessions?

2015-05-09 Thread Jamie Lennox
will be hidden because it's part of the token exchange. On Fri, May 8, 2015 at 4:22 PM Jay Reslock jresl...@gmail.com wrote: Hi Jamie, How do I see the service catalog that I am getting back? On Fri, May 8, 2015 at 3:25 AM Jamie Lennox jamielen...@redhat.com wrote: - Original

Re: [openstack-dev] [Keystone] Domain and Project naming

2015-06-04 Thread Jamie Lennox
- Original Message - From: Adam Young ayo...@redhat.com To: OpenStack Development Mailing List openstack-dev@lists.openstack.org Sent: Thursday, 4 June, 2015 2:25:52 PM Subject: [openstack-dev] [Keystone] Domain and Project naming With Hierarchical Multitenantcy, we have the issue

Re: [openstack-dev] [keystone][reseller] New way to get a project scoped token by name

2015-06-08 Thread Jamie Lennox
- Original Message - From: David Chadwick d.w.chadw...@kent.ac.uk To: openstack-dev@lists.openstack.org Sent: Saturday, 6 June, 2015 6:01:10 PM Subject: Re: [openstack-dev] [keystone][reseller] New way to get a project scoped token by name On 06/06/2015 00:24, Adam Young

Re: [openstack-dev] [glance] V3 Authentication for swift store

2015-06-18 Thread Jamie Lennox
- Original Message - From: stuart mclaren stuart.mcla...@hp.com To: openstack-dev@lists.openstack.org Sent: Thursday, 18 June, 2015 7:06:12 PM Subject: Re: [openstack-dev] [glance] V3 Authentication for swift store Hi Jamie, Glance has another way of specifying the swift

Re: [openstack-dev] V3 Authentication for swift store

2015-06-18 Thread Jamie Lennox
-Original Message- From: Jamie Lennox [mailto:jamielen...@redhat.com] Sent: 18 June 2015 07:02 To: OpenStack Development Mailing List (not for usage questions) Subject: [openstack-dev] [glance] V3 Authentication for swift store Hey everyone, TL;DR: glance_store requires a way

  1   2   >