Re: [Openstack] Project Alignment
On 16/05/11 18:11, Vishvananda Ishaya wrote: Hello Everyone, The PTLs had a quick meeting the other day to try and align some things between the projects. In order for openstack to be successful, it is very important that we create a consistent user experience for users and administrators. We realize that it is hard to find agreement between all developers on implementation details, so we focused less on the idea of code-sharing and more on the idea of bringing the user-experience into alignment. If we are going to be successful in this effort, we all need to realize that we should value doing things the same way over doing things the best way. We have a few actions that we are taking to help move in this direction. 1. Consistent Auth -- all of the projects are working on integrating the keystone project so that we have one auth system. For nova, this means that we may lose some of the rbac features we provide for the ec2 api, but by the diablo release we expect to have equivalent features and a migration plan for cactus deployments. SNIP Hi Vish, This is really useful to know, thank you for the highlevel outline. I didn't quite understand the Consistent Auth, and what it means for ec2 api for the Diablo release. Would you be able to confirm the extent / roadmap of the ec2 api breakage expected? Are you expecting the base ec2 api functionality to be near stable throughout the transition, or are you expecting large breakage? In regards to the loss of RBAC, is this expected to be transitional; and be fixable in time for Diabalo release? Essentially, can you clarify equivalent features. The blueprint[0] or specification on the wiki[1] doesn't seem to mention ec2' anywhere, can you confirm where this was discussed? I'd also like to check if consideration on how this might impact possible future implementation of comparative feature of AWS Identity and Access Management (IAM)[2] support in both ec2 and openstack API was discussed? Additionally, are the logs of the PTL's meeting available anywhere? Thanks. [0] https://blueprints.launchpad.net/nova/+spec/integrate-nova-authn [1] http://wiki.openstack.org/openstack-authn [2] http://aws.amazon.com/documentation/iam/ Kind Regards, Dave Walker ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp
Re: [Openstack] Project Alignment
On May 16, 2011, at 12:33 PM, Dave Walker wrote: Hi Vish, This is really useful to know, thank you for the highlevel outline. I didn't quite understand the Consistent Auth, and what it means for ec2 api for the Diablo release. Would you be able to confirm the extent / roadmap of the ec2 api breakage expected? Are you expecting the base ec2 api functionality to be near stable throughout the transition, or are you expecting large breakage? If you will be tracking milestone releases, there will most likely be breakages relating to roles and authz. It may also require using a modified ec2 access key for a while as we determine the best way to map access and secret keys using keystone. In regards to the loss of RBAC, is this expected to be transitional; and be fixable in time for Diabalo release? Essentially, can you clarify equivalent features. The blueprint[0] or specification on the wiki[1] doesn't seem to mention ec2' anywhere, can you confirm where this was discussed? Authz checking will most likely be moving out of the top level apis, so that a deployment can have consistent authz regardless of which api a user is using. That means that a certain level of access can be specified for launching instances and it would apply to the euca-run-instances and the servers create apis. I'd also like to check if consideration on how this might impact possible future implementation of comparative feature of AWS Identity and Access Management (IAM)[2] support in both ec2 and openstack API was discussed? we haven't discussed IAM Additionally, are the logs of the PTL's meeting available anywhere? It was an impromptu meeting that was held in openstack-meeting last tuesday, but we neglected to use the start-meeting and stop-meeting directives so it looks like it wasn't logged anywhere. Thanks. [0] https://blueprints.launchpad.net/nova/+spec/integrate-nova-authn [1] http://wiki.openstack.org/openstack-authn [2] http://aws.amazon.com/documentation/iam/ Kind Regards, Dave Walker ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp
Re: [Openstack] Project Alignment
Dave, While I'm not Vish, I have been working on/around authentication for the past couple weeks and I'll provide my thoughts. EC2 and OpenStack Nova APIs should not be affected by the authentication work going on. The Keystone project is the only candidate I'm aware of, and it seems like it is, or soon will be, a good candidate for integration into the stack. Migration to a separate authentication service is going to be tricky, but the goal is to do it as seamlessly as possible. Near stable should be able to be promised. This is the phased approach myself and Brian Waldon have been playing around with: http://wiki.openstack.org/Nova/AuthManagerSpec Keystone should be able to provide the features of IAM. I'm not able to find the PTL meeting logs, perhaps a #startmeeting was never issued for it? I was eavesdropping at the time but can't find the logs, perhaps someone can find them or send them out. The meeting I'm refering to was right after this: http://eavesdrop.openstack.org/meetings/openstack-meeting/2011/openstack-meeting.2011-05-10-21.01.log.html -Original Message- From: Dave Walker davewal...@ubuntu.com Sent: Monday, May 16, 2011 3:33pm To: openstack@lists.launchpad.net Subject: Re: [Openstack] Project Alignment On 16/05/11 18:11, Vishvananda Ishaya wrote: Hello Everyone, The PTLs had a quick meeting the other day to try and align some things between the projects. In order for openstack to be successful, it is very important that we create a consistent user experience for users and administrators. We realize that it is hard to find agreement between all developers on implementation details, so we focused less on the idea of code-sharing and more on the idea of bringing the user-experience into alignment. If we are going to be successful in this effort, we all need to realize that we should value doing things the same way over doing things the best way. We have a few actions that we are taking to help move in this direction. 1. Consistent Auth -- all of the projects are working on integrating the keystone project so that we have one auth system. For nova, this means that we may lose some of the rbac features we provide for the ec2 api, but by the diablo release we expect to have equivalent features and a migration plan for cactus deployments. SNIP Hi Vish, This is really useful to know, thank you for the highlevel outline. I didn't quite understand the Consistent Auth, and what it means for ec2 api for the Diablo release. Would you be able to confirm the extent / roadmap of the ec2 api breakage expected? Are you expecting the base ec2 api functionality to be near stable throughout the transition, or are you expecting large breakage? In regards to the loss of RBAC, is this expected to be transitional; and be fixable in time for Diabalo release? Essentially, can you clarify equivalent features. The blueprint[0] or specification on the wiki[1] doesn't seem to mention ec2' anywhere, can you confirm where this was discussed? I'd also like to check if consideration on how this might impact possible future implementation of comparative feature of AWS Identity and Access Management (IAM)[2] support in both ec2 and openstack API was discussed? Additionally, are the logs of the PTL's meeting available anywhere? Thanks. [0] https://blueprints.launchpad.net/nova/+spec/integrate-nova-authn [1] http://wiki.openstack.org/openstack-authn [2] http://aws.amazon.com/documentation/iam/ Kind Regards, Dave Walker ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp
Re: [Openstack] Project Alignment
On 16/05/11 21:06, Brian Lamar wrote: Dave, While I'm not Vish, I have been working on/around authentication for the past couple weeks and I'll provide my thoughts. EC2 and OpenStack Nova APIs should not be affected by the authentication work going on. The Keystone project is the only candidate I'm aware of, and it seems like it is, or soon will be, a good candidate for integration into the stack. Migration to a separate authentication service is going to be tricky, but the goal is to do it as seamlessly as possible. Near stable should be able to be promised. This is the phased approach myself and Brian Waldon have been playing around with: http://wiki.openstack.org/Nova/AuthManagerSpec Keystone should be able to provide the features of IAM. I'm not able to find the PTL meeting logs, perhaps a #startmeeting was never issued for it? I was eavesdropping at the time but can't find the logs, perhaps someone can find them or send them out. The meeting I'm refering to was right after this: http://eavesdrop.openstack.org/meetings/openstack-meeting/2011/openstack-meeting.2011-05-10-21.01.log.html SNIP Thanks Vish and Brian for your replies, it makes more sense now. I did find the meeting in my IRC logs here: http://pb.daviey.com/U0db/ Kind Regards, Dave Walker ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp
Re: [Openstack] Project Alignment
I still had meeting in scrollback. Pastie'd here: http://pastie.org/1912671 On May 16, 2011, at 1:06 PM, Brian Lamar wrote: Dave, While I'm not Vish, I have been working on/around authentication for the past couple weeks and I'll provide my thoughts. EC2 and OpenStack Nova APIs should not be affected by the authentication work going on. The Keystone project is the only candidate I'm aware of, and it seems like it is, or soon will be, a good candidate for integration into the stack. Migration to a separate authentication service is going to be tricky, but the goal is to do it as seamlessly as possible. Near stable should be able to be promised. This is the phased approach myself and Brian Waldon have been playing around with: http://wiki.openstack.org/Nova/AuthManagerSpec Keystone should be able to provide the features of IAM. I'm not able to find the PTL meeting logs, perhaps a #startmeeting was never issued for it? I was eavesdropping at the time but can't find the logs, perhaps someone can find them or send them out. The meeting I'm refering to was right after this: http://eavesdrop.openstack.org/meetings/openstack-meeting/2011/openstack-meeting.2011-05-10-21.01.log.html -Original Message- From: Dave Walker davewal...@ubuntu.com Sent: Monday, May 16, 2011 3:33pm To: openstack@lists.launchpad.net Subject: Re: [Openstack] Project Alignment On 16/05/11 18:11, Vishvananda Ishaya wrote: Hello Everyone, The PTLs had a quick meeting the other day to try and align some things between the projects. In order for openstack to be successful, it is very important that we create a consistent user experience for users and administrators. We realize that it is hard to find agreement between all developers on implementation details, so we focused less on the idea of code-sharing and more on the idea of bringing the user-experience into alignment. If we are going to be successful in this effort, we all need to realize that we should value doing things the same way over doing things the best way. We have a few actions that we are taking to help move in this direction. 1. Consistent Auth -- all of the projects are working on integrating the keystone project so that we have one auth system. For nova, this means that we may lose some of the rbac features we provide for the ec2 api, but by the diablo release we expect to have equivalent features and a migration plan for cactus deployments. SNIP Hi Vish, This is really useful to know, thank you for the highlevel outline. I didn't quite understand the Consistent Auth, and what it means for ec2 api for the Diablo release. Would you be able to confirm the extent / roadmap of the ec2 api breakage expected? Are you expecting the base ec2 api functionality to be near stable throughout the transition, or are you expecting large breakage? In regards to the loss of RBAC, is this expected to be transitional; and be fixable in time for Diabalo release? Essentially, can you clarify equivalent features. The blueprint[0] or specification on the wiki[1] doesn't seem to mention ec2' anywhere, can you confirm where this was discussed? I'd also like to check if consideration on how this might impact possible future implementation of comparative feature of AWS Identity and Access Management (IAM)[2] support in both ec2 and openstack API was discussed? Additionally, are the logs of the PTL's meeting available anywhere? Thanks. [0] https://blueprints.launchpad.net/nova/+spec/integrate-nova-authn [1] http://wiki.openstack.org/openstack-authn [2] http://aws.amazon.com/documentation/iam/ Kind Regards, Dave Walker ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp
Re: [Openstack] Project Alignment
On 16/05/11 21:06, Brian Lamar wrote: Dave, While I'm not Vish, I have been working on/around authentication for the past couple weeks and I'll provide my thoughts. EC2 and OpenStack Nova APIs should not be affected by the authentication work going on. The Keystone project is the only candidate I'm aware of, and it seems like it is, or soon will be, a good candidate for integration into the stack. Migration to a separate authentication service is going to be tricky, but the goal is to do it as seamlessly as possible. Near stable should be able to be promised. This is the phased approach myself and Brian Waldon have been playing around with: http://wiki.openstack.org/Nova/AuthManagerSpec Keystone should be able to provide the features of IAM. I'm not able to find the PTL meeting logs, perhaps a #startmeeting was never issued for it? I was eavesdropping at the time but can't find the logs, perhaps someone can find them or send them out. The meeting I'm refering to was right after this: http://eavesdrop.openstack.org/meetings/openstack-meeting/2011/openstack-meeting.2011-05-10-21.01.log.html SNIP Thanks Vish and Brian for your replies, it makes more sense now. I did find the meeting in my IRC logs here: http://pb.daviey.com/U0db/ Thanks again. Kind Regards, Dave Walker ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp