On Fri, Mar 23, 2012 at 7:00 AM, Deepak Garg <deepakgarg.i...@gmail.com> wrote:

> Sure and thanks.
> Dan, please share your thoughts before I start preparing the bp.
>

Deepak, please go ahead and create the blueprints.  Once the design is
fleshed out in the blueprint, you can submit it to the community for
feedback just by sending a note to the ML.  Great to see all of the people
helping out on this.

Dan


>
> Deepak
>
>
> On Fri, Mar 23, 2012 at 7:12 PM, Rohit Agarwalla (roagarwa)
> <roaga...@cisco.com> wrote:
> > Deepak, the approach you outlined is perfect.
> >
> > I have been trying to tackle the issue from the Quantum Manager end (v/s the quantum client) when making api requests to Quantum using AuthN.
> > Thought was the implementation mechanism could be reused if either is fixed.
> >
> > I'm able to request a token from keystone (within Quantum manager using username/password) and then pass that along when a quantum api call is made.
> > Keystone returns the token to QuantumManager, the token gets validated at the Quantum end and then the api request is executed to the plugin. (a quick test that I tried - I was able to create subsequent networks with nova-manage if authN is enabled in Quantum (it was failing earlier)).
> > However, I still have some open design concerns. If possible, it would be great to coordinate and I can also provide inputs on the blueprint.
> >
> > Thanks
> > Rohit
> >
> >>-----Original Message-----
> >>From: Deepak Garg [mailto:deepakgarg.i...@gmail.com]
> >>Sent: Friday, March 23, 2012 3:36 AM
> >>To: Dan Wendlandt
> >>Cc: Rohit Agarwalla (roagarwa); gkot...@redhat.com;
> >>netstack@lists.launchpad.net
> >>Subject: Re: [Netstack] Quantum and Keystone
> >>
> >>Thanx Dan. I had a __long__ fun chat with Salvatore regarding nova +
> >>Quantum yesterday. Please find my
> >>answers in-line
> >>
> >>> 1) network creation no longer happens via nova-manage.  Networks are created
> >>> directly via Quantum API.
> >>
> >>[Deepak] We will have to take feedback from the broader community
> >>about this. People using Flat networking might have concerns with it.
> >>
> >>> Because of #2, Quantum will need to authenticate to the Quantum API, meaning
> >>> it will need an auth token if the Quantum API is performing authn/authz.
> >>>  It's likely that this should be an "admin" token of sorts, as Nova is
> >>> presumably an entity trusted by the cloud operation (this of course requires
> >>> that Nova performs its own authn/authz checks).
> >>
> >>[Deepak] I guess above you meant  "#2, Quantum Manager will need to"
> >>
> >>> In Folsom, we should shift over to using python-quantumclient as a nova
> >>> dependency (rather than having the quantum client code embedded in Nova).
> >>
> >>[Deepak]  +1. In this case we will have to insert some code in
> >>python-novaclient. Isn't it?
> >>
> >>>  As a result, we'll need to make sure we add keystone support to
> >>> python-quantum client.  This is already called out on the community projects
> >>> page: http://wiki.openstack.org/QuantumStarterBugs
> >>
> >>[Deepak] I think, until we figure out nova + quantum issue, I can get
> >>started with the python-quantumclient and keystone integration. I
> >>looked at the code and here is a summary of what needs to be done:
> >>
> >>a. enable fetching values from env variables
> >>b. when token is not specified:
> >>    i. fetch values from env variables, make call for fetching token
> >>       and make api call with that token
> >>c. when token is specified:
> >>    i. make the api call
> >>
> >>A no. of failure cases need to be handled here. If you say yes, I can
> >>prepare a short bp on this and clarify a few
> >>questions (e.g. do we want to support both version 1 and v2 of keystone)?
> >>
> >>
> >>Cheers,
> >>Deepak
> >>
> >>
> >>>
> >>> Dan
> >>>
> >>>
> >>>
> >>>>
> >>>>
> >>>> Deepak
> >>>>
> >>>> On Thu, Mar 22, 2012 at 12:08 AM, Rohit Agarwalla (roagarwa)
> >>>> <roaga...@cisco.com> wrote:
> >>>> > I had tried to resolve this issue at my end just prior to RC1 period as
> >>>> > well (had pointed it out to a limited group then). Couple of config changes
> >>>> > in quantum.conf that worked for me are as follows -
> >>>> >
> >>>> > [filter:authN]
> >>>> > # this is using the default auth_token.py in keystone middleware
> >>>> > paste.filter_factory = keystone.middleware.auth_token:filter_factory
> >>>> > # admin username/password for token validation
> >>>> > admin_user = admin
> >>>> > admin_password = nova
> >>>> >
> >>>> > $ quantum --token b4c8b3a1370e45e5b96483caa3430aad list_nets default
> >>>> > Virtual Networks for Tenant default
> >>>> >                 Network ID: 6aad8883-e35d-402c-8d5c-480d8138ca32
> >>>> >
> >>>> > $ quantum --token xxyyzz list_nets default
> >>>> > An unexpected exception occured:401 Unauthorized
> >>>> >
> >>>> > This server could not verify that you are authorized to access the document
> >>>> > you requested. Either you supplied the wrong credentials (e.g., bad
> >>>> > password), or your browser does not understand how to supply the credentials
> >>>> > required.
> >>>> >
> >>>> > (for the above error message to pop, a change in quantum is needed)
> >>>> >
> >>>> > Limited functionality -
> >>>> >
> >>>> > - A valid token works across all tenants using quantum api
> >>>> > - devstack install errors out if keystone is enabled in quantum
> >>>> >   - work around - install quantum without keystone enabled, enable keystone, restart quantum
> >>>> >
> >>>> > Maybe Deepak can confirm if these changes are valid and if so we can update
> >>>> > the documentation.
> >>>> >
> >>>> >
> >>>> >
> >>>> > Thanks
> >>>> >
> >>>> > Rohit
> >>>> >
> >>>> >
> >>>> >
> >>>> > From: netstack-bounces+roagarwa=cisco....@lists.launchpad.net
> >>>> > [mailto:netstack-bounces+roagarwa=cisco....@lists.launchpad.net] On Behalf Of Dan Wendlandt
> >>>> > Sent: Wednesday, March 21, 2012 11:01 AM
> >>>> > To: gkot...@redhat.com
> >>>> > Cc: netstack@lists.launchpad.net
> >>>> > Subject: Re: [Netstack] Quantum and Keystone
> >>>> >
> >>>> >
> >>>> >
> >>>> > Hi Gary,
> >>>> >
> >>>> >
> >>>> >
> >>>> > The Quantum Administrator Guide has a section on Quantum + Keystone:
> >>>> > http://docs.openstack.org/incubation/openstack-network/admin/content/ch_quantum-keystone-authn-authz.html
> >>>> >
> >>>> >
> >>>> >
> >>>> > Unfortunately, it seems like these instructions are out of date, as the
> >>>> > quantum middleware seems to have been removed from Keystone (possibly as
> >>>> > part of the keystone redux?).  Deepak (on the ML) has been looking into
> >>>> > this, and is best to comment in more detail.
> >>>> >
> >>>> >
> >>>> >
> >>>> > Dan
> >>>> >
> >>>> >
> >>>> >
> >>>> > On Mon, Mar 19, 2012 at 4:39 PM, Gary Kotton <gkot...@redhat.com> wrote:
> >>>> >
> >>>> > Hi,
> >>>> > Are there any guidelines in configuring Quantum to use Keystone?
> >>>> > Thanks in advance
> >>>> > Gary
> >>>> >
> >>>> > --
> >>>> > Mailing list: https://launchpad.net/~netstack
> >>>> > Post to     : netstack@lists.launchpad.net
> >>>> > Unsubscribe : https://launchpad.net/~netstack
> >>>> > More help   : https://help.launchpad.net/ListHelp
> >>>> >
> >>>> >
> >>>> >
> >>>> >
> >>>> >
> >>>> > --
> >>>> > ~~~~~~~~~~~~~~~~~~~~~~~~~~~
> >>>> > Dan Wendlandt
> >>>> >
> >>>> > Nicira Networks: www.nicira.com
> >>>> >
> >>>> > twitter: danwendlandt
> >>>> > ~~~~~~~~~~~~~~~~~~~~~~~~~~~
> >>>> >
> >>>> >
> >>>> >
> >>>> >
> >>>> >
> >>>>
> >>>>
> >>>>
> >>>> --
> >>>>
> >>>> Deepak Garg,
> >>>> Data Center and Cloud Div.
> >>>> Citrix R&D, India
> >>>> Skype-id: deepakgarg.iit
> >>>
> >>>
> >>>
> >>>
> >>> --
> >>> ~~~~~~~~~~~~~~~~~~~~~~~~~~~
> >>> Dan Wendlandt
> >>> Nicira Networks: www.nicira.com
> >>> twitter: danwendlandt
> >>> ~~~~~~~~~~~~~~~~~~~~~~~~~~~
> >>>
> >>
> >>
> >>
> >>--
> >>
> >>Deepak Garg,
> >>Data Center and Cloud Div.
> >>Citrix R&D, India
> >>Skype-id: deepakgarg.iit
>
>
>
> --
>
> Deepak Garg,
> Data Center and Cloud Div.
> Citrix R&D, India
> Skype-id: deepakgarg.iit
>



-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~
Dan Wendlandt
Nicira Networks: www.nicira.com
twitter: danwendlandt
~~~~~~~~~~~~~~~~~~~~~~~~~~~
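
The client-side flow listed as steps a to c in the quoted message, together with the failure cases it mentions, as an added example that is not part of this thread or of python-quantumclient. It assumes the conventional OS_* environment variable names, the Keystone v2.0 POST /tokens request shape and the X-Auth-Token header; the injected http_post/api_call callables, SAMPLE_ENV and the fake_* stand-ins are hypothetical and constructed so it runs offline.

```python
import json

REQUIRED = ("OS_AUTH_URL", "OS_USERNAME", "OS_PASSWORD", "OS_TENANT_NAME")

class AuthError(Exception):
    """Raised for every authentication failure; never carries the password."""

def fetch_token(env, http_post):
    """Step b.i: send a Keystone v2.0 POST /tokens request, return the token id."""
    missing = [k for k in REQUIRED if not env.get(k)]
    if missing:  # name the missing variables, never echo the ones that are set
        raise AuthError("missing environment variables: " + ", ".join(missing))
    body = {"auth": {"tenantName": env["OS_TENANT_NAME"],
                     "passwordCredentials": {"username": env["OS_USERNAME"],
                                             "password": env["OS_PASSWORD"]}}}
    url = env["OS_AUTH_URL"].rstrip("/") + "/tokens"
    status, text = http_post(url, json.dumps(body))
    if status != 200:
        raise AuthError("keystone refused the credentials (HTTP %d)" % status)
    try:
        return json.loads(text)["access"]["token"]["id"]
    except (ValueError, KeyError, TypeError):
        raise AuthError("keystone response did not contain a token id")

def call_api(api_call, env, http_post, token=None):
    """Steps b and c: use the supplied token, or fetch one, then make the call."""
    if token is None:
        token = fetch_token(env, http_post)
    status, body = api_call({"X-Auth-Token": token})
    if status == 401:
        # A rejected explicit token is an error; do not silently fall back to
        # the environment credentials, which may belong to another identity.
        raise AuthError("quantum rejected the token (401 Unauthorized)")
    return status, body

# Constructed stand-ins for Keystone and the Quantum API (no network needed).
SAMPLE_ENV = {"OS_AUTH_URL": "http://keystone.example:5000/v2.0/",
              "OS_USERNAME": "demo", "OS_PASSWORD": "example-password",
              "OS_TENANT_NAME": "default"}

def fake_keystone(url, body):
    creds = json.loads(body)["auth"]["passwordCredentials"]
    ok = url.endswith("/v2.0/tokens") and creds["password"] == "example-password"
    reply = {"access": {"token": {"id": "constructed-token"}}}
    return (200, json.dumps(reply)) if ok else (401, "")

def fake_quantum(headers):
    ok = headers.get("X-Auth-Token") == "constructed-token"
    return (200, "networks") if ok else (401, "Unauthorized")

if __name__ == "__main__":
    print(call_api(fake_quantum, SAMPLE_ENV, fake_keystone))
```

In real use `env` would be `os.environ` and the two callables would wrap the HTTP client.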