Re: [openstack-dev] Pluggable Auth for clients and where should it go

2015-02-19 Thread Chmouel Boudjnah
On Wed, Feb 18, 2015 at 8:54 PM, Dean Troyer dtro...@gmail.com wrote:

 I think one thing needs to be clarified...what you are talking about is
 utilizing keystoneclient's auth plugins in neutronclient.  Phrasing it as
 'novaclient parity' reinforces the old notion that novaclient is the model
 for doing things.  It is no longer that...and maybe not even the right
 example of how to use auth plugins even though jamielennox did most of that
 work.


and FYI jamie has a series of excellent articles about keystone's pluggable
auth on his blog: http://www.jamielennox.net/

Chmouel
__
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev


Re: [openstack-dev] Pluggable Auth for clients and where should it go

2015-02-18 Thread Kevin Benton
Perhaps I am misunderstanding, but doesn't the OSC support for pluggable
auth just come for free from Neutron's perspective? (i.e. we don't have to
make any Neutron-specific changes for that to work)

What I was hoping here was that we could get something in the Neutron
client that works with the older auth plugins written for the Nova client
to support setups not using OSC (specifically the Nova-Neutron
interactions). I didn't mean that I didn't want to support OSC at all.

On Wed, Feb 18, 2015 at 11:16 AM, Tim Bell tim.b...@cern.ch wrote:

  Asking on the operators mailing list may yield more examples where
 people are using the Neutron client.



 From the CERN perspective, we use OSC heavily now it has Kerberos and
 X.509 support. With the new support of Keystone V3 in the Nova python
 client, we are interested in extending this support to these methods.



 While we are in the process of planning our Nova network to Neutron
 migration (and thus our Neutron usage is limited to testing currently), it
 would be attractive if the OSC supported Neutron operations with these
 authentication methods. Worst case, following the same structure as Nova
 would allow us to work with others interested in Kerberos and X.509 for a
 single set of patches so we would strongly prefer the same plug in approach
 for Neutron as used by Nova (compared to re-inventing the wheel).



 Tim



 *From:* Kevin Benton [mailto:blak...@gmail.com]
 *Sent:* 18 February 2015 20:01
 *To:* OpenStack Development Mailing List (not for usage questions)
 *Subject:* Re: [openstack-dev] Pluggable Auth for clients and where
 should it go



 This is something I have been working on internally as well. I've been
 trying to find a way to make the changes to the python neutronclient in the
 least invasive way to support pluggable authentication. I would be happy to
 help review the changes you submit upstream if you have something already
 well-tested.



 Would you benefit from pluggable auth?



 Yes.



 What are you looking for in auth?



 Parity with the nova client.



 Would you benefit from the python-neutronclient getting nova's auth
 capabilities?



 Yes



 I have a similar constraint with waiting for the move to OSC/SDK. Even if
 the support for auth was merged into OSC/SDK, it wouldn't work with
 existing scripts and (more importantly) existing Icehouse/Juno Nova
 deployments that use the neutron client for the notifications to Neutron.



 On Wed, Feb 18, 2015 at 8:52 AM, Justin Hammond 
 justin.hamm...@rackspace.com wrote:

  Just starting this discussion…



 This is in reference to
 https://blueprints.launchpad.net/python-neutronclient/+spec/pluggable-neutronclient-auth



 Originally the blueprint was for python-neutronclient only, but pluggable
 auth is a wide-reaching issue. With OSC/SDK on the horizon (however far),
 we should probably begin the discussion of how to best do this (if it
 hasn't been done).



 A request: We have an immediate need to add pluggable auth to the
 python-neutronclient, modeled after python-novaclient's pluggable auth
 system, to maintain a consistent workflow for our users. After the
 discussion in the neutron-drivers meeting (
 http://eavesdrop.openstack.org/meetings/neutron_drivers/2015/neutron_drivers.2015-02-18-15.31.log.html)
 it is clear that python-neutronclient will survive for Kilo +12 months, at
 least. During that timeframe we'd like to have pluggable auth supported so
 we can bridge that gap. Beyond that immediate need, we are dedicated to
 making OSC/SDK the way to go in the future, and will gladly assist in
 adding said features.



 We have a solution for our immediate solution but that may not apply to
 OSC/SDK. So my questions are:



- Would you benefit from pluggable auth?
- What are you looking for in auth?
- Would you benefit from the python-neutronclient getting nova's auth
capabilities?

  Thank you for your time!



 - Justin (roaet)











 --

 Kevin Benton





-- 
Kevin Benton


Re: [openstack-dev] Pluggable Auth for clients and where should it go

2015-02-18 Thread Kevin Benton
This is something I have been working on internally as well. I've been
trying to find a way to make the changes to the python neutronclient in the
least invasive way to support pluggable authentication. I would be happy to
help review the changes you submit upstream if you have something already
well-tested.

Would you benefit from pluggable auth?

Yes.

What are you looking for in auth?

Parity with the nova client.

Would you benefit from the python-neutronclient getting nova's auth
capabilities?

Yes

I have a similar constraint with waiting for the move to OSC/SDK. Even if
the support for auth was merged into OSC/SDK, it wouldn't work with
existing scripts and (more importantly) existing Icehouse/Juno Nova
deployments that use the neutron client for the notifications to Neutron.

On Wed, Feb 18, 2015 at 8:52 AM, Justin Hammond 
justin.hamm...@rackspace.com wrote:

  Just starting this discussion…

  This is in reference to
 https://blueprints.launchpad.net/python-neutronclient/+spec/pluggable-neutronclient-auth

  Originally the blueprint was for python-neutronclient only, but
 pluggable auth is a wide-reaching issue. With OSC/SDK on the horizon
 (however far), we should probably begin the discussion of how to best do
 this (if it hasn't been done).

  A request: We have an immediate need to add pluggable auth to the
 python-neutronclient, modeled after python-novaclient's pluggable auth
 system, to maintain a consistent workflow for our users. After the
 discussion in the neutron-drivers meeting (
 http://eavesdrop.openstack.org/meetings/neutron_drivers/2015/neutron_drivers.2015-02-18-15.31.log.html)
 it is clear that python-neutronclient will survive for Kilo +12 months, at
 least. During that timeframe we'd like to have pluggable auth supported so
 we can bridge that gap. Beyond that immediate need, we are dedicated to
 making OSC/SDK the way to go in the future, and will gladly assist in
 adding said features.

  We have a solution for our immediate solution but that may not apply to
 OSC/SDK. So my questions are:


- Would you benefit from pluggable auth?
- What are you looking for in auth?
- Would you benefit from the python-neutronclient getting nova's auth
capabilities?

 Thank you for your time!

  - Justin (roaet)







-- 
Kevin Benton


Re: [openstack-dev] Pluggable Auth for clients and where should it go

2015-02-18 Thread Dean Troyer
On Wed, Feb 18, 2015 at 1:29 PM, Kevin Benton blak...@gmail.com wrote:

 Perhaps I am misunderstanding, but doesn't the OSC support for pluggable
 auth just come for free from Neutron's perspective? (i.e. we don't have to
 make any Neutron-specific changes for that to work)


It does if/when the command layer were implemented in OSC.  It already
knows how to create a neutron client object and give it the plugin auth
info.


 What I was hoping here was that we could get something in the Neutron
 client that works with the older auth plugins written for the Nova client
 to support setups not using OSC (specifically the Nova-Neutron
 interactions). I didn't mean that I didn't want to support OSC at all.


I think one thing needs to be clarified...what you are talking about is
utilizing keystoneclient's auth plugins in neutronclient.  Phrasing it as
'novaclient parity' reinforces the old notion that novaclient is the model
for doing things.  It is no longer that...and maybe not even the right
example of how to use auth plugins even though jamielennox did most of that
work.

dt

-- 

Dean Troyer
dtro...@gmail.com


Re: [openstack-dev] Pluggable Auth for clients and where should it go

2015-02-18 Thread Tim Bell
Asking on the operators mailing list may yield more examples where people are 
using the Neutron client.

From the CERN perspective, we use OSC heavily now it has Kerberos and X.509 
support. With the new support of Keystone V3 in the Nova python client, we are 
interested in extending this support to these methods.

While we are in the process of planning our Nova network to Neutron migration 
(and thus our Neutron usage is limited to testing currently), it would be 
attractive if the OSC supported Neutron operations with these authentication 
methods. Worst case, following the same structure as Nova would allow us to 
work with others interested in Kerberos and X.509 for a single set of patches 
so we would strongly prefer the same plug in approach for Neutron as used by 
Nova (compared to re-inventing the wheel).

Tim

From: Kevin Benton [mailto:blak...@gmail.com]
Sent: 18 February 2015 20:01
To: OpenStack Development Mailing List (not for usage questions)
Subject: Re: [openstack-dev] Pluggable Auth for clients and where should it go

This is something I have been working on internally as well. I've been trying 
to find a way to make the changes to the python neutronclient in the least 
invasive way to support pluggable authentication. I would be happy to help 
review the changes you submit upstream if you have something already 
well-tested.

Would you benefit from pluggable auth?

Yes.

What are you looking for in auth?

Parity with the nova client.

Would you benefit from the python-neutronclient getting nova's auth 
capabilities?

Yes

I have a similar constraint with waiting for the move to OSC/SDK. Even if the 
support for auth was merged into OSC/SDK, it wouldn't work with existing 
scripts and (more importantly) existing Icehouse/Juno Nova deployments that use 
the neutron client for the notifications to Neutron.

On Wed, Feb 18, 2015 at 8:52 AM, Justin Hammond 
justin.hamm...@rackspace.com wrote:
Just starting this discussion…

This is in reference to 
https://blueprints.launchpad.net/python-neutronclient/+spec/pluggable-neutronclient-auth

Originally the blueprint was for python-neutronclient only, but pluggable auth 
is a wide-reaching issue. With OSC/SDK on the horizon (however far), we should 
probably begin the discussion of how to best do this (if it hasn't been done).

A request: We have an immediate need to add pluggable auth to the 
python-neutronclient, modeled after python-novaclient's pluggable auth system, 
to maintain a consistent workflow for our users. After the discussion in the 
neutron-drivers meeting 
(http://eavesdrop.openstack.org/meetings/neutron_drivers/2015/neutron_drivers.2015-02-18-15.31.log.html)
 it is clear that python-neutronclient will survive for Kilo +12 months, at 
least. During that timeframe we'd like to have pluggable auth supported so we 
can bridge that gap. Beyond that immediate need, we are dedicated to making 
OSC/SDK the way to go in the future, and will gladly assist in adding said 
features.

We have a solution for our immediate solution but that may not apply to 
OSC/SDK. So my questions are:


  *   Would you benefit from pluggable auth?
  *   What are you looking for in auth?
  *   Would you benefit from the python-neutronclient getting nova's auth 
capabilities?
Thank you for your time!

- Justin (roaet)






--
Kevin Benton