Re: [Openstack] can't access keystone endpoint http://localhost:5000/v2.0

2012-03-07 Thread Dolph Mathews
Deepak, The client handles the slashes correctly, but there's still a bit of a bug in the server as there's no matching route without the trailing slash. Legacy keystone had a trivial URL normalization middleware to handle a similar issue. -Dolph Mathews On Mar 7, 2012, at 6:27

Re: [Openstack] Keystone database (using latest devstack)

2012-03-08 Thread Dolph Mathews
To answer the second half of your question: keystoneclient cli does not support list-roles-for-user https://bugs.launchpad.net/keystone/+bug/932282 On Thu, Mar 8, 2012 at 4:46 PM, Jason Hedden wrote: >It seems a little odd that the mapping of users to roles is stored > in a pyth

Re: [Openstack] Keystone database (using latest devstack)

2012-03-09 Thread Dolph Mathews
Proposed fix: https://review.openstack.org/#change,5153 Usage: $ keystone role-list --user= --tenant_id= On Thu, Mar 8, 2012 at 10:01 PM, Deepak Garg wrote: > I have also been trying to find a cli to get a user's role in a > particular tenant. > I could not do that even with db tables mappin

Re: [Openstack] [GLANCE] owner: name vs id

2012-03-09 Thread Dolph Mathews
The glance auth middleware also references X_USER & X_ROLE which were deprecated similarly to X_TENANT in favor of X_USER_ID, X_USER_NAME, and X_ROLES. On Fri, Mar 9, 2012 at 9:53 AM, Kevin L. Mitchell < kevin.mitch...@rackspace.com> wrote: > On Fri, 2012-03-09 at 00:40 -0500, Jay Pipes wrote: >

Re: [Openstack] Keystone Not Logging

2012-03-19 Thread Dolph Mathews
The 'file' handler is missing from your loggers; in other words, logging to a file is not enabled, as-is. Try: [logger_keystone] level=ERROR handlers=file qualname=keystone -Dolph Mathews On Mar 19, 2012, at 12:47 AM, Andrew Michael Weiss wrote: > Hey Kevin, > > I

Re: [Openstack] Keystone Not Logging

2012-03-19 Thread Dolph Mathews
With: https://review.openstack.org/#change,5528 Out of the box: 1) uncomment log_config in keystone.conf 2) Run ./bin/keystone-all (with proposed logging configuration, no output will occur on the CLI) 3) ./keystone.log will be produced containing WARNING / ERROR / CRITICAL. On Mon, Mar 19, 2012

Re: [Openstack] [openstack] [keystone] Keystone XSDs?

2012-03-20 Thread Dolph Mathews
WADL's and XSD's were recently moved to the identity API repo. WADL's: https://github.com/openstack/identity-api/tree/master/openstack-identity-api/src/docbkx XSD's: https://github.com/openstack/identity-api/tree/master/openstack-identity-api/src/docbkx/common/xsd -Dolph On Tue, Mar 20, 2012 a

Re: [Openstack] horizon and keystone no route matched error

2012-03-21 Thread Dolph Mathews
Wasn't this fixed in keystoneclient (properly handling an unexpected trailing slash)? -Dolph On Wed, Mar 21, 2012 at 6:56 PM, Gabriel Hurley wrote: > It looks like you’ve got an extra slash in your URL. That probably means > you’ve got a trailing slash on your OPENSTACK_KEYSTONE_URL setting. As

Re: [Openstack] Keystone credentials

2012-03-22 Thread Dolph Mathews
keystoneclient ($ keystone) is actually the new way to perform these types of operations instead of keystone-manage ($ keystone-manage) You'll first need to let keystoneclient authenticate with your keystone server as an admin, see: http://keystone.openstack.org/configuration.html#adding-users-ten

Re: [Openstack] Keystone client broken??

2012-03-22 Thread Dolph Mathews
I'm not sure if there's an open bug on this or not (definitely should be), but you're attempting to perform operations using a SERVICE_TOKEN and SERVICE_ENDPOINT ( that require -Dolph Mathews On Mar 22, 2012, at 1:42 PM, Joshua Harlow wrote: > Hi all, > > When trying

Re: [Openstack] Keystone client broken??

2012-03-22 Thread Dolph Mathews
Accidentally hit send... Anyway... which does not necessarily correspond to a normal user with a service catalog. The error message should explain this and direct you to use an OS_USERNAME, OS_PASSWORD, OS_TENANT_* and OS_AUTH_URL instead (which can have a service catalog). -Dolph Mathews

Re: [Openstack] Keystone client broken??

2012-03-22 Thread Dolph Mathews
hould of been set: > > > > export OS_AUTH_URL=http://172.21.102.236:5000/v2.0 > > export OS_PASSWORD=ac31bec851146d3c7f00 > > export OS_TENANT_NAME=demo > > export OS_USERNAME=demo > > > > > > On 3/22/12 1:39 PM, "Dolph Mathews" wrote:

Re: [Openstack] 回复: is this a bug in milestone-proposed keystone ? (cannotget endpoint-list, nor create endpoint)

2012-03-26 Thread Dolph Mathews
( This is a significant gap in the current keystone docs, so I'll be ensuring this makes it into the docs ASAP; feedback here is very much appreciated! ) There are two driver options for your service catalog - one based on a flat file, and one backed by SQL. The flat file does not support administra

Re: [Openstack] BUG on dashboard (Horizon)

2012-03-26 Thread Dolph Mathews
Agree with the other posters; Keystone is not reachable from Horizon -- make sure it's running, keystone's IP and ports are reflected correctly in horizon config, etc. -Dolph On Mon, Mar 26, 2012 at 6:21 AM, Guilherme Souza < souza.guilherm...@gmail.com> wrote: > Hello Razique, > > What do you w

Re: [Openstack] is this a bug in milestone-proposed keystone ? (cannotget endpoint-list, nor create endpoint)

2012-03-26 Thread Dolph Mathews
I think I'm to blame (apologies!) for suggesting that one driver was preferred over the other (that was my understanding a few weeks ago, based on test coverage). However, test coverage has since improved and I think people are having good experience with the SQL driver. The two methods are *not*

Re: [Openstack] BUG on dashboard (Horizon)

2012-03-26 Thread Dolph Mathews
nd > tried to log in, but it had identified a problem on access, then i up the > service and i can log in. Them i think that's a bug, cannot be another > thing once that all configurations are right. > > Em 26 de março de 2012 13:11, Dolph Mathews escreveu: > > Agree wit

Re: [Openstack] 回复: is this a bug in milestone-proposed keystone ? (cannotget endpoint-list, nor create endpoint)

2012-03-26 Thread Dolph Mathews
wrote: > On 03/26/2012 11:43 AM, Dolph Mathews wrote: > >> ( This is significant gap in the current keystone docs, so I'll be >> ensuring this makes it into the docs ASAP; feedback here is very much >> appreciated! ) >> >> There are two driver options

Re: [Openstack] keystone-all with argument (or where to find config files)

2012-03-27 Thread Dolph Mathews
Chmouel, That's pretty much the strategy keystone does already; the problem you're seeing is just a completely useless error message. A bug tagged for RC would be helpful. -Dolph On Tue, Mar 27, 2012 at 10:35 AM, Chmouel Boudjnah wrote: > Hello, > > Posting here, as I am wondering if I do

Re: [Openstack] Programming OpenStack Compute API - 1.1 Mistake

2012-03-28 Thread Dolph Mathews
Nicolas, It looks like that guide was written for the diablo (or perhaps pre-diablo) keystone API. The corrections you're suggesting are accurate to bring the guide forward to essex. However, you might find the following a bit easier, as we now have a real auth client

Re: [Openstack] Code 500 when authenticating with password

2012-03-31 Thread Dolph Mathews
That would do it! Glad you found your problem. I'll be working on improving the docs for building your service catalog pretty soon; common issues like this are useful to know about. -Dolph On Fri, Mar 30, 2012 at 11:03 PM, Pete Zaitcev wrote: > On Sat, 31 Mar 2012 10:26:10 +0800 > Yong Sheng G

Re: [Openstack] Swift and keystone: asking for an auth token.

2012-04-03 Thread Dolph Mathews
Included one answer for you below :) -Dolph On Tue, Apr 3, 2012 at 9:53 AM, Pierre Amadio wrote: > > The ubuntu user is associated to the admin role (i know i did it with > keystone user-role-add , although i m not sure how to list the role of a > given user to double check, if you know how to do

Re: [Openstack] Endpoints problems

2012-04-13 Thread Dolph Mathews
While $(tenant_id)s is certainly the documented syntax, it appears that the SQL catalog backend (and *only* the SQL catalog backend, as far as I can tell) explicitly supports both $(tenant_id)s and %(tenant_id)s: https://github.com/openstack/keystone/blob/master/keystone/catalog/backends/sql.py#L1

Re: [Openstack] [Keystone] What exactly are we modeling with endpoints?

2012-04-25 Thread Dolph Mathews
here's certainly room for improvement there as well. -Dolph Mathews On Apr 25, 2012, at 11:37 AM, "Nguyen, Liem Manh" wrote: > I would like to keep the service type and name under the service and not the > endpoint, too. Make it easier to parse for a given service. >

Re: [Openstack] [Keystone] What exactly are we modeling with endpoints?

2012-04-25 Thread Dolph Mathews
g attributes on those > endpoints (including what "service" and "type" it is), with some expected > conventions (that there are a few well defined types - such as PublicURL > and InternalURL, and relevant names for the rest API endpoints (ec2, > compute, volume, image, ide

Re: [Openstack] [Keystone] What exactly are we modeling with endpoints?

2012-04-25 Thread Dolph Mathews
endpoints (including what "service" and "type" it is), with some expected > conventions (that there are a few well defined types - such as PublicURL > and InternalURL, and relevant names for the rest API endpoints (ec2, > compute, volume, image, identity...) > > Ad

Re: [Openstack] [Keystone] What exactly are we modeling with endpoints?

2012-04-25 Thread Dolph Mathews
;m wrong). Please, contribute yours! -Dolph On Wed, Apr 25, 2012 at 1:00 PM, Dolph Mathews wrote: > I'm not sure it makes sense for a "service" to have more than one > "endpoint." Two different endpoints might as well be two separate services > IMO, even if t

Re: [Openstack] [Keystone] What exactly are we modeling with endpoints?

2012-04-25 Thread Dolph Mathews
ard towards a v.next API, what do you all think about having > just "endpoints", with everything else being attributes on those endpoints > (including what "service" and "type" it is), with some expected conventions > (that there are a few well defined typ

Re: [Openstack] Integrating keystone for a public cloud panel

2012-04-26 Thread Dolph Mathews
rough the API). -Dolph Mathews On Apr 26, 2012, at 7:58 PM, Adrian Moya wrote: > Hi everyone, I'm currently building a customer panel to offer public cloud > services based on openstack. I'd like to share my plans to validate my > approach is good and hear suggestions/feedbac

Re: [Openstack] Configuring Keystone in OpenStack (Essex) white-papers

2012-04-27 Thread Dolph Mathews
It looks like the PDF is trying to render the outside quotes as \\paired smart quotes// instead of ||regular double quotes||. Try this instead: http://paste.openstack.org/raw/14073/ -Dolph On Fri, Apr 27, 2012 at 9:35 AM, Shake Chen wrote: > HI > > Canonical provide the keystone doc

Re: [Openstack] URL Scheme for deploying Openstack in HTTPD

2012-04-30 Thread Dolph Mathews
I very much like the idea that we should have a well documented recommendation on this topic. My only criticism is that the API/service names should be used in place of project names, e.g. https://hostname/identity, https://hostname/compute, etc. -Dolph On Mon, Apr 30, 2012 at 11:34 AM, Adam You

Re: [Openstack] OpenStack Client Followup

2012-04-30 Thread Dolph Mathews
On Mon, Apr 30, 2012 at 1:18 PM, Doug Hellmann wrote: > > > On Mon, Apr 30, 2012 at 12:13 PM, Adam Spiers wrote: > >> Dean Troyer (dtro...@gmail.com) wrote: >> > One of the first things to do is to find out who is interested in >> > contributing to this project.and hopefully coordinating some of

Re: [Openstack] URL Scheme for deploying Openstack in HTTPD

2012-04-30 Thread Dolph Mathews
On Apr 30, 2012, at 3:20 PM, "Daniel P. Berrange" wrote: > On Mon, Apr 30, 2012 at 01:58:24PM -0500, Dolph Mathews wrote: >> I very much like the idea that we should have a well documented >> recommendation on this topic. >> >> My only criticism is that th

Re: [Openstack] OpenStack Client Followup

2012-05-02 Thread Dolph Mathews
I disagree with all three... the line between "admin" and "not admin" is going to get very blurry in the long run. Example: I may be a regular user, but I've been granted what is "normally" an admin capability on tenant X. Does that make me an admin? Do I now need to use two different clients? I a

Re: [Openstack] OpenStack Client Followup

2012-05-02 Thread Dolph Mathews
holly feasible depending on how we are > tracking API versioning inside of the client. > > So I suppose the question is... how does the client approach API > versioning? > > -Matt > > On Wed, May 2, 2012 at 6:14 AM, Dolph Mathews > wrote: > > I disagree with all three

Re: [Openstack] Keystone API question

2012-05-03 Thread Dolph Mathews
The philosophy in essex is that it's meaningless for a user to have a role without that role being applied to a tenant, so the call that's implemented is: GET /tenants/{tenant_id}/users/{user_id}/roles Calling this instead should get you an HTTP 501 stating "User roles not supported: tenant I

Re: [Openstack] Missing(?) keystone service catalog

2012-05-03 Thread Dolph Mathews
"service-list" calls the admin API (port 35357), but the auth_url you provided was port 5000. I don't think the current keystoneclient is smart enough to try and switch to the correct endpoint. If you have an admin role, switching to port 35357 should work for you. Additionally, you won't get a se

Re: [Openstack] Keystone API question

2012-05-04 Thread Dolph Mathews
nants/{tenant_id}/users/{user_id}/roles works fine. For a bit more >> detail have a look at >> >> >> http://docs.openstack.org/api/openstack-identity-service/2.0/content/GET_listRolesForUserOnTenant_v2.0_tenants__tenantId__users__user_id__roles_Admin_API_Service_Developer_Operations-d1e1356.html >> >> Everett >> >> >>

Re: [Openstack] Missing(?) keystone service catalog

2012-05-04 Thread Dolph Mathews
DISCLOSED/v1.1/ ", "publicURL": " > https://GLANCE_API_IS_N <https://glance_api_is_n/> > OT_DISCLOSED/v1.1/ "}], "type": "image", "name": "glance"}, > {"endpoints": [{"a > dminURL": "https://nova-

Re: [Openstack] Listing roles for a user

2012-05-04 Thread Dolph Mathews
This actually just changed yesterday in https://github.com/openstack/python-keystoneclient/commit/e9ba370434537bcf1e53266e24397311d595b71e PRIOR to that commit: $ keystone help role-list usage: keystone role-list [--user ] [--tenant_id ] List all roles, or only those granted to a user. Optiona

Re: [Openstack] [Glance][Nova] Can't list images

2012-05-07 Thread Dolph Mathews
Your swift endpoint appears to be literally configured in keystone as "http://${SWIFT_HOST}:8080/v1/..."; -- I'm guessing that's unreachable :) Based on your logs, I'm not certain that will fix your 500, however. -Dolph On Mon, May 7, 2012 at 5:23 AM, Leander Bessa wrote: > This is as much as

Re: [Openstack] [Glance][Nova] Can't list images

2012-05-07 Thread Dolph Mathews
nder Bessa wrote: > Does that mean that glance is somehow configured to use swift as storage > instead of the local file system or is does the error simply occur due to > the a parsing error because of ${SWIFT_HOST}? > > > On Mon, May 7, 2012 at 2:59 PM, Dolph Mathews wrote: >

Re: [Openstack] ERROR: Malformed request url (HTTP 400)

2012-05-09 Thread Dolph Mathews
The request URL is actually fine, but the request body is quite malformed: {"tenantName": "labSpaceDemo", "passwordCredentials": {"username": "adminUser", "password": "lfplhfgthvf"}}} What's there would be just fine if it were wrapped in an "auth" element (see http://keystone.openstack.org/ap

Re: [Openstack] ERROR: Malformed request url (HTTP 400)

2012-05-09 Thread Dolph Mathews
It also just occurred to me that perhaps you're using a *very* old novaclient against a more recent version of keystone? -Dolph On Wed, May 9, 2012 at 3:30 PM, Dolph Mathews wrote: > The request URL is actually fine, but the request body is quite malformed: > > {"tenantN

Re: [Openstack] ERROR: Malformed request url (HTTP 400)

2012-05-09 Thread Dolph Mathews
Hrm, good catch! I see no problems with that request at all... -Dolph Mathews On May 9, 2012, at 5:58 PM, "Kevin L. Mitchell" wrote: > On Wed, 2012-05-09 at 15:32 -0500, Dolph Mathews wrote: >> It also just occurred to me that perhaps you're using a *very* old >

Re: [Openstack] Keystone client, user belongs to many tenants?

2012-05-09 Thread Dolph Mathews
o a user-tenant pair, creating an explicit relationship between the two. Using default tenants is optional with this method, but will affect how users must auth. -Dolph Mathews On May 9, 2012, at 3:46 PM, Joshua Harlow wrote: > A question, > > I am using anvil to setup the keystone roles/user

Re: [Openstack] Keystone client, user belongs to many tenants?

2012-05-10 Thread Dolph Mathews
+1 The second "way to accomplish this" is exactly what keystone currently supports (explicit role grants), which didn't change between diablo and essex at all. The first method (using global unscopedness) was dropped because it's just as confusing as you describe it. -Dolph Mat

Re: [Openstack] Keystone client, user belongs to many tenants?

2012-05-10 Thread Dolph Mathews
d this > to the docs. > Let me know if you find the above useful; or feel free to revise and submit :) > > > Take care, > > Lorin > -- > Lorin Hochstein > Lead Architect - Cloud Services > Nimbis Services, Inc. > www.nimbisservices.com > > > > > > On

Re: [Openstack] [Glance][Nova] Can't list images

2012-05-10 Thread Dolph Mathews
aste.openstack.org/show/16184/ >> >> glance-registry.conf > http://paste.openstack.org/show/16185/ >> >> glance-api-paste.ini > http://paste.openstack.org/show/16186/ >> >> glance-registry-pastet-ini > http://paste.openstack.org/show/16187/ >> >

Re: [Openstack] [Glance][Nova] Can't list images

2012-05-10 Thread Dolph Mathews
Can you paste those deprecation warnings, your keystone.conf, and logging.conf? -Dolph Mathews On May 10, 2012, at 10:37 AM, Leander Bessa Beernaert wrote: > Both. The log file is completely empty and the stdout only prints deprecation > warnings :/ > > On Thu, May 10, 201

Re: [Openstack] 'admin' role hard-coded in keystone and nova, and policy.json

2012-05-10 Thread Dolph Mathews
policy.json is entirely end-user configurable (it's not hardcoded at all): replace every instance of "role:admin" in your policy.json (there's two by default in nova's policy.json, for example) with "role:myadmin", create the corresponding "myadmin" role in keystone, and grant it to the appropriate

Re: [Openstack] [Documentation] Missing section in documentation

2012-05-10 Thread Dolph Mathews
There's a very related open review in progress concerning the auth_token docs at http://keystone.openstack.org/ as well. https://review.openstack.org/#/c/7217 -Dolph On Thu, May 10, 2012 at 12:09 AM, Milind wrote: > Hi, > > In Admin installation document guide of Ubuntu 12.04 in the secti

Re: [Openstack] 'admin' role hard-coded in keystone and nova, and policy.json

2012-05-11 Thread Dolph Mathews
On Fri, May 11, 2012 at 2:25 PM, Joshua Harlow wrote: > Cool, I’m glad that is the ultimate goal. > Working on it! https://blueprints.launchpad.net/keystone/+spec/rbac-keystone > > It seems like nova should be asking keystone for an initial policy > template of some kind, which nova then fills

Re: [Openstack] glance keystone authentication problem

2012-05-12 Thread Dolph Mathews
I think the key is this line: 2012-05-11 10:03:11 18461 INFO [keystone.middleware.auth_token] Keystone rejected admin token {'X-Auth-Token': u' 6f220a2e7e324bf4bd7a96040f364316'}, resetting It looks like your auth_token middleware isn't properly authenticating itself with keystone. Verify tha

Re: [Openstack] glance keystone authentication problem

2012-05-12 Thread Dolph Mathews
The admin_token config is being used to bypass the normal authentication process, thereby avoiding the issue. Can you paste the rest of your authtoken config? Also, try token-get against 5000, and then try the resulting token as your admin_token value. -Dolph Mathews On May 12, 2012, at 12:01

Re: [Openstack] ERROR: Malformed request url (HTTP 400)

2012-05-13 Thread Dolph Mathews
4964a8d0a43649fcf898/images/detail > >> > >> 2012-05-10 14:40:08 DEBUG nova.api.openstack.wsgi > >> [req-c6b9ea76-bbe1-4796-a231-41fc41c7695f > >> 50be127b9b7f49dcbf5ffea06d23d83a ebf29e67cbd445daa5ad09f76cdf69f9] > >> Unrecognized Content-Type provided in request from (pi

Re: [Openstack] keystone error (python setup)

2012-05-22 Thread Dolph Mathews
I'm not sure if you have a weird copy/paste there or not, but the line with multiple imports shouldn't work at all (it should work as three separate lines). >>> import ldap >>> import keystone >>> import keystone.identity >>> If python-ldap is correctly installed, you should definitely be able to

Re: [Openstack] [OpenStack][Keystone]Does legacy_auth v1.0 exist in Keystone Essex ?

2012-05-23 Thread Dolph Mathews
I haven't tested it myself, but I imagine you *could* deploy legacy_token_auth (which rewrites from keystone stable/diablo or essex-3 with stable/essex or folsom; however, there are a couple of issues that need to be resolved first. https://github.com/openstack/keystone/blob/stable/diablo/keyston

Re: [Openstack] devstack installation failing

2012-05-23 Thread Dolph Mathews
The output to the curl command below should definitely point you in the right direction -- devstack is expecting keystone to return an authentication response there, but it's getting something else instead. Feel free to paste the results to the list. -Dolph On Wed, May 23, 2012 at 11:47 PM, Vaze,

Re: [Openstack] [QA] Weekly Meeting tomorrow, Thursday, May 23 @ 17:00 UTC

2012-05-23 Thread Dolph Mathews
The wiki page for meetings has a link to an iCal feed you can subscribe to: http://wiki.openstack.org/Meetings Direct iCal link: http://goo.gl/okDGE On Wed, May 23, 2012 at 10:43 PM, Paul Belanger < paul.belan...@polybeacon.com> wrote: > On 12-05-23 10:00 PM, Jay Pipes wrote: > >> The weekly QA

Re: [Openstack] devstack installation failing

2012-05-24 Thread Dolph Mathews
keystoneclient is looking for enough arguments for it to either fully authenticate or bypass authentication. To fully authenticate: keystone --os_username=admin --os_password=secret --os_tenant_name=project-x --os_auth_url=http://keystone:5000/v2.0/ tenant-list To bypass authentication (i.e. you a

Re: [Openstack] install cloud computing by openstack!!!

2012-05-31 Thread Dolph Mathews
That's just a warning you can safely ignore for now (and a known issue): https://bugs.launchpad.net/keystone/+bug/936404 On Thu, May 31, 2012 at 12:09 PM, Từ Minh Mẫn wrote: > Dear all, > When I Create Tenants: I use command: keystone tenant-create --name admin, > Have error: No handlers could b

Re: [Openstack] install cloud computing by openstack!!!

2012-06-02 Thread Dolph Mathews
Can you share your keystone configuration and keystoneclient configuration? A 400 could be as simple as the keystone service not running. -Dolph Mathews On Jun 2, 2012, at 1:48 AM, Từ Minh Mẫn wrote: > When I try to do tenant-create I also have problem: > > "No handlers coul

Re: [Openstack] Comparing roles - case (in)sensitivity

2012-06-08 Thread Dolph Mathews
prefer it to be done with case-insensitivity to avoid confusion. However, the machine-readable identifier is really intended to be the Role ID (UUID, etc) from keystone. -Dolph Mathews On Jun 8, 2012, at 6:35 PM, Christopher B Ferris wrote: > case-insensitive - why would 'Admin

Re: [Openstack] [openstack][keystone] v3 API question

2012-06-08 Thread Dolph Mathews
On Jun 8, 2012, at 6:47 PM, "Nguyen, Liem Manh" wrote: > Hi Joe/Dolph, > > I have a few questions on the v3 API’s create_user (sorry the comments > section in the Google docs is getting pretty cluttered now): > > (POST) /users ==> create_user > { > " tenant_id": ... > "name": ... > "password

Re: [Openstack] [keystone] v3 API draft (update and questions to the community)

2012-06-12 Thread Dolph Mathews
The X-Subject-Token solution is definitely not valid HTTP, in that it implies that two otherwise identical requests for GET /tokens would return two completely different results (hence the need for a Vary header, as we include for X-Auth-Token). I have a slightly more proper (and complicated) solu

Re: [Openstack] HTTP/1.1 404 Not Found error in swift

2012-06-16 Thread Dolph Mathews
The URL http://192.168.20.7:5000/auth/v1.0 is not one supported by keystone; does that command work if you use http://:5000/v2.0 instead? For anyone interested, direct link to the doc in question: http://docs.openstack.org/essex/openstack-compute/install/apt/content/verify-swift-installation.html

Re: [Openstack] [keystone] Keystone on port 5000 - proposing change default port to 8770

2012-06-20 Thread Dolph Mathews
Alternatively, if anyone would like to tar and feather me for picking port 5000 in the first place, I'm available. That said, I have no attachment to port 5000... but I'm curious, are people experiencing real issues trying to use port 5000? -Dolph On Wed, Jun 20, 2012 at 6:16 PM, Joseph Heck wro

Re: [Openstack] Keystone API

2012-06-21 Thread Dolph Mathews
If you let webob calculate the Content-Length by itself it won't resort to adding a Transfer-Encoding header: https://review.openstack.org/#/c/8818 On Thu, Jun 21, 2012 at 12:54 PM, Tomasz Paszkowski wrote: > I have created bug report: > > https://bugs.launchpad.net/keystone/+bug/1016171 > > > >

Re: [Openstack] [keystone] proposing adding Adam Young (ayoung) to keystone-core

2012-06-26 Thread Dolph Mathews
Easy +1 -Dolph Mathews On Jun 26, 2012, at 4:06 PM, Joseph Heck wrote: > Given his work in Keystone since the redux, I would like propose Adam Young > (ayoung) be added to the group keystone-core. > > For a process in doing this, I thought we'd generally follow Nova

Re: [Openstack] PKI Token Generation

2012-07-03 Thread Dolph Mathews
On Jul 3, 2012, at 4:55 PM, Adam Young wrote: > However, nothing in the API comments on the token length. This is very intentional! If a specific length is documented somewhere, it should be corrected. -Dolph Mathews ___ Mailing list: ht

Re: [Openstack] Glance Image Upload error.

2012-07-05 Thread Dolph Mathews
The SERVICE_ENDPOINT and SERVICE_TOKEN variables are effectively overriding the corresponding OS_* variables from your environment (they're not intended to be used together); try removing the SERVICE_* variables. The OS_* variables provide a normal authentication flow while the SERVICE_* variables

Re: [Openstack] [keystone] Rate limit middleware

2012-07-11 Thread Dolph Mathews
REPOSE would be worth taking a look at, as well (includes rate limiting): https://github.com/rackspace/repose http://openrepose.org/documentation.html -Dolph On Wed, Jul 11, 2012 at 9:19 AM, Kevin L. Mitchell < kevin.mitch...@rackspace.com> wrote: > On Wed, 2012-07-11 at 01:50 +0200, Rafael

Re: [Openstack] [nova] [cinder] Nova-volume vs. Cinder in Folsom

2012-07-12 Thread Dolph Mathews
On Thu, Jul 12, 2012 at 2:37 PM, George Reese wrote: > This ain't the first time I've had a run in with you where your response > was essentially "if you don't like it, go code it". > > And obviously you missed the entire "constructive" point in my response. > It's this: > > The proposed options s

Re: [Openstack] [Quantum] Network, Subnet and Port names

2012-07-17 Thread Dolph Mathews
The philosophy from the keystone side of the fence is that once you have non-unique names you can't go back; whereas, it's trivial to go from unique to non-unique names. So, without a solid business case to push us in either direction, we started by enforcing uniqueness. With the Identity API v3 d

Re: [Openstack] [Keystone] API Question

2012-07-17 Thread Dolph Mathews
Adam speaks lies ;) Here's a regular user requesting a list of tenants on port 5000 (notice they only get back 1 tenant): GET http://localhost:5000/v2.0/tenants == X-Auth-Token: a6094f62e38c4fafa57e6edf7bd04961 200 OK == Status: 200 Content-Length: 133

Re: [Openstack] [Keystone] API Question

2012-07-17 Thread Dolph Mathews
henticate? > > I'd love to be able to read that. And it's totally not documented > anywhere if it exists. > > -Matt > > > On Tue, Jul 17, 2012 at 2:19 PM, Matt Joyce > wrote: > >> Works for me. =D >> >> >> On Tue, Jul 17, 2012 at 1:51

Re: [Openstack] Keystone client could not behave well, call for help

2012-07-22 Thread Dolph Mathews
Try running the same command with the --debug option, and share the output here. Thanks, -Dolph On Sunday, July 22, 2012, MURAOKA Yusuke wrote: > Hi, > > There is devstack all-in-one openstack builder. http://devstack.org/ > Officially, its not supporting RHEL 6.1 on the site. But its only > sh

Re: [Openstack] why [Errno 111] ECONNREFUSED ????please help me

2012-08-06 Thread Dolph Mathews
Replace "" with the IP/hostname & port of your keystone server (e.g. 127.0.0.1:35357). -Dolph On Mon, Aug 6, 2012 at 9:15 PM, 王鹏 wrote: > Hi,every: > That is my first install swift,I according to > objectstorage-adminguide-essex.pdf from www.openstack.org. > when I after install ,Verify the Ins

Re: [Openstack] keystone initialization problem

2012-08-17 Thread Dolph Mathews
The admin_token value from keystone.conf is not a real token; it exists as a string in memory and has no context, user or actual roles associated with it (hence it does not appear in your token table). As for your actual issue, I don't see anything obviously wrong with what's below. Is logging ena

Re: [Openstack] sort_key and sort_dir for collections based REST APIs

2012-08-20 Thread Dolph Mathews
I have the majority of the latest v3 draft implemented on both the client and server, but it's neither complete nor polished... yet. My goal is to have a solid implementation (perhaps in a branch?) for everyone to poke at in plenty of time for the summit :) -Dolph On Mon, Aug 20, 2012 at 4:33 PM

Re: [Openstack] multiple LDAPs in OpenStack

2012-08-20 Thread Dolph Mathews
While there's no implementation of this in keystone today, I'm sure you could write your own LDAP driver in keystone, heavily leveraging the existing LDAP driver. -Dolph On Mon, Aug 20, 2012 at 4:19 PM, Ryan Lane wrote: > On Mon, Aug 20, 2012 at 1:52 PM, pat wrote: > > Hello, > > > > I'm new t

Re: [Openstack] KeyStone service is not responding while installing thorough DevStack !!

2012-08-23 Thread Dolph Mathews
What exactly happens when you try to start it directly? cd /opt/stack/keystone && /opt/stack/keystone/bin/keystone-all --config-file /etc/keystone/keystone.conf --log-config /etc/keystone/logging.conf -d --debug What happens when you curl http://localhost:5000/v2.0/ on that machine? And with

Re: [Openstack] KeyStone service is not responding while installing thorough DevStack !!

2012-08-23 Thread Dolph Mathews
That's potentially a different issue; likely a pypi mirror not responding? You can download/install prettytable directly if you need to: http://pypi.python.org/pypi/PrettyTable/ -Dolph On Thu, Aug 23, 2012 at 3:39 AM, Trinath Somanchi < trinath.soman...@gmail.com> wrote: > Hi- > > Me too experienc

Re: [Openstack] keystone installed by devstack redirect http request

2012-08-24 Thread Dolph Mathews
Keystone doesn't return 301's (ever). However, your 301 response headers show: Server: BlueCoat-Security-Appliance I'm guessing that wasn't installed by devstack :) -Dolph On Fri, Aug 24, 2012 at 3:03 AM, Lu, Lianhao wrote: > Hi gang, > > I used the devstack to install a "all-one-one" dev

Re: [Openstack] Keystone Error

2012-08-29 Thread Dolph Mathews
Have you gotten this error more than once / is it reproducible at all? If it is reproducible, is the same token ID value (6796383476b8442d9a3b9fd488d56e05) being produced consistently? If I'm reading the traceback correctly, you actually produced a UUID4 collision (the probability of which is insa

Re: [Openstack] keystone questions

2012-08-29 Thread Dolph Mathews
You're looking to provide data redundancy across keystone instances with varying backend implementations... what's your use case? How would you orchestrate the synchronization and failover, if any? What's the purpose of each backend in such a deployment? -Dolph On Wed, Aug 29, 2012 at 3:50 AM, p

Re: [Openstack] About the Role and User's rights

2012-08-31 Thread Dolph Mathews
Those roles you see in keystone are merely examples, and don't have any "meaning" by themselves. You create your own roles in keystone (e.g. $ keystone role-create) and define the associated actions specific to each service via each service's own policy.json. For example, here's nova's default poli

Re: [Openstack] [Keystone] LDAP integratiom

2012-09-07 Thread Dolph Mathews
pip-requires/test-requires is aimed at developers and is broken up into two files more-so for documentation/organization purposes. IMO, including LDAP as a dependency should be solved by real packaging (e.g. $ apt-get install keystone keystone-ldap). -Dolph On Fri, Sep 7, 2012 at 8:30 AM, Adam

Re: [Openstack] Keystone: LDAP identity driver 'list resource' support

2012-09-10 Thread Dolph Mathews
You thought correct: https://bugs.launchpad.net/keystone/+bug/983304 -Dolph On Mon, Sep 10, 2012 at 11:32 AM, Adam Young wrote: > On 09/10/2012 11:29 AM, boden wrote: > >> I've been munking with the latest Keystone LDAP identity driver and >> based on what I'm seeing the driver does not suppor

Re: [Openstack] [OSSA 2012-014] Revoking a role does not affect existing tokens (CVE-2012-4413)

2012-09-12 Thread Dolph Mathews
012-4413 > Date: September 12, 2012 > Title: Revoking a role does not affect existing tokens > Impact: High > Reporter: Dolph Mathews (Rackspace) > Products: Keystone > Affects: Essex, Folsom > > Description: > Dolph Mathews reported a vulnerability in Keystone. Granti

Re: [Openstack] Keystone v2.0 dev API doc confusion

2012-09-21 Thread Dolph Mathews
I'm not sure what's wrong here, but I definitely want to make sure this is fixed-- just assigned the bug to myself. -Dolph On Fri, Sep 21, 2012 at 8:43 AM, Anne Gentle wrote: > Hi Boden - > This is a known bug with the way those Keystone dev docs are output. > I'm tracking it here: > https://b

Re: [Openstack] Keystone: Get user/tenant by name returning full list

2012-09-21 Thread Dolph Mathews
I'm not aware that this was ever implemented during essex (it was available in diablo) -- definitely worth opening a bug! -Dolph On Fri, Sep 21, 2012 at 11:15 AM, boden wrote: > As per the Keystone v2.0 API docs, I've been trying to use the 'get user > by name' and 'get tenant by name' APIs to

Re: [Openstack] keystone install / user-role-list error

2012-09-28 Thread Dolph Mathews
It looks like at least one of your endpoints isn't being parsed correctly. List your endpoints: keystone --token --endpoint http://192.168.1.11:35357/v2.0 endpoint-list ... and make sure they all appear as expected (at least one public URL is wrong, according to the stack trace). Feel free to

Re: [Openstack] keystone install / user-role-list error

2012-09-29 Thread Dolph Mathews
As you're definitely not the first person to run into this problem, I've opened a bug so that we can improve the error feedback in this scenario: https://bugs.launchpad.net/keystone/+bug/1058494 -Dolph On Sat, Sep 29, 2012 at 1:51 AM, Dolph Mathews wrote: > It looks like at

Re: [Openstack] keystone user-role-list error

2012-09-29 Thread Dolph Mathews
By default, I believe it shows you your own roles. With a token/endpoint specified (bypassing auth), it should work if you specify a user & tenant: $ keystone help user-role-list usage: keystone user-role-list [--user-id ] [--tenant-id ] List roles granted to a user Optional arguments: --user-

Re: [Openstack] HTTP_X_SERVICE_CATALOG endpoints_links

2012-10-01 Thread Dolph Mathews
The environment variables that auth_token sets are documented in the module's docstring: https://github.com/openstack/keystone/blob/master/keystone/middleware/auth_token.py As these variables are the defined interface for any projects consuming authentication services from middleware, it's safe to

Re: [Openstack] Enabling logging in keystone.

2012-10-01 Thread Dolph Mathews
The X-Auth-Token is what you get back from the authentication call you're trying to make -- try removing the header completely. If you're still getting a 401 error back, either your username or password is wrong, your tenant name is wrong, or you haven't granted "adminUser" any role(s) on "adminTen

Re: [Openstack] Enabling logging in keystone.

2012-10-02 Thread Dolph Mathews
You're missing a "5" on the admin_token you've specified on the command line. 012345SECRET99TOKEN01234 (your CLI arg) 012345SECRET99TOKEN012345 (keystone.conf) -Dolph On Tue, Oct 2, 2012 at 1:08 PM, Ahmed Al-Mehdi wrote: > Hi Joe, > > I have put the conf file (renamed to ahmed_keystone.conf)

Re: [Openstack] Enabling logging in keystone.

2012-10-02 Thread Dolph Mathews
t > Dload Upload Total SpentLeft > Speed > 100 2310 116 100 115 2771 2747 --:--:-- --:--:-- --:--:-- > 3052 > { > "error": { > "code": 401, > "message": "The request y

Re: [Openstack] Enabling logging in keystone.

2012-10-02 Thread Dolph Mathews
Dload Upload Total SpentLeft > Speed > 100 191080 100 111346480 --:--:-- --:--:-- --:--:-- > 497 > { > "error": { > "code": 401, > "message": "Invalid tenant", > "title": &
