Thanks for the information. I will first make quantum client to support keystone and then go to the server side.
I will ask advice from you about it soon.
Thanks again.
-----Joseph Heck <he...@me.com> wrote: -----
To: Yong Sheng Gong/China/IBM@IBMCN
From: Joseph Heck <he...@me.com>
Date: 05/16/2012 11:37PM
Cc: netstack@lists.launchpad.net, gkot...@redhat.com
Subject: Re: [Netstack] Want to start Keystone support for Quantum Client
Morning Yong,
From: Joseph Heck <he...@me.com>
Date: 05/16/2012 11:37PM
Cc: netstack@lists.launchpad.net, gkot...@redhat.com
Subject: Re: [Netstack] Want to start Keystone support for Quantum Client
Morning Yong,
Glance, Keystone, and Nova are all using the policy mechanism that Termie created in their code bases, and I think it would be exceptionally easy to port it over into Quantum.
within the nova codebase, look at nova/policy.py and etc/nova/policy.json. The nova codebase is also using a simple wrapper called "wrap_check_policy" and a subsidary method check_policy.py (defined in nova/compute/api.py): that uses the api functional name to check against the policy setup to determine if an API is allowed to be called or not.
nova/tests/test_policy.py is exercising it, if you'd like to see the tests that drive it to get a sense of how it does its thing.
I haven't dug into the Quantum API calls, but the same or very similiar mechanism could be used to quickly port this into Quantum and solve your authorization needs using the same methods the other systems are with Keystone.
I'm presuming that you're already using token_auth in the WSGI pipeline to the API, which is setting additional context after verifying access (right now token based with Keystone). The check_policy assumes the context has some specific keys available within it.
If you'd like help with enabling that, or porting it, I'd be happy to offer advice on the code and review any changes. I rather intended to do some of this porting myself, but I found myself under the gun for the F1 milestone within keystone itself and getting some tasks done there. (which is all a rather sheepish apology to Dan for not being able to get this earlier)
-joe (lurking keystone PTL)
On May 16, 2012, at 5:10 AM, Gary Kotton wrote:
On 05/16/2012 02:56 PM, Yong Sheng Gong wrote:--Hi,Not that I am aware of.
https://blueprints.launchpad.net/quantum/+spec/authorization-support-for-quantum is for server side. On server side, most of our functions even have no context as a parameter like other project does. I don't know how we will deal with it.
It seems the API design is just at the beginning. Is there a special blueprint for API?
Thanks
-----netstack-bounces+gongysh=cn.ibm....@lists.launchpad.net wrote: -----To: netstack@lists.launchpad.net
From: Gary Kotton
Sent by: netstack-bounces+gongysh=cn.ibm....@lists.launchpad.net
Date: 05/16/2012 04:48PM
Subject: Re: [Netstack] Want to start Keystone support for Quantum Client
Hi,
On the IRC meeting last night the following was discussed - https://blueprints.launchpad.net/quantum/+spec/authorization-support-for-quantum. Are these tasks mutually exclusive?
I guess that with the Melange addition the client API may also change - all I have seen is http://etherpad.openstack.org/quantum-v2-api. Hope that this helps.
Thanks
Gary
On 05/16/2012 05:44 AM, Yong Sheng Gong wrote:hi,
Do we have a blueprint for quantum api2.0? I think we have no need to change the old clients for 1.0 and 1.1 api. I will have the new client based on the new api 2.0.
Thanks.
-----Yong Sheng Gong/China/IBM wrote: -----To: netstack@lists.launchpad.net
From: Yong Sheng Gong/China/IBM
Date: 05/12/2012 07:21AM
Subject: Want to start Keystone support for Quantum Client
Hi,
I want to start a blueprint to implement the "Keystone support for Quantum Client" listed in http://wiki.openstack.org/QuantumStarterBugs
Workflows:
My idea is to make an initial workable quantum client with keystone service support.
Quantum client's workflow will look like:
1. To send auth request to keystone and get token and related service catalog and other stuff
2. To send request to quantum server with X-Auth-Token in header
workflow on Quantum server side:
1. keystone's authtoken filter will auth and cache this token, and then will populate the related stuff into http headers
2. context filter will create context according to the populated http headers
Next step is to use this context to check policy. I have not seen any functions which have context as first parameter just like what we do in nova project. How will we use the populated context? Use is as a thread variable or modify all the related functions? Also how about the agent? Do agents need auth?
What will happen to quantum client:
present:
[root@robinlinux glance]# quantum
Usage: quantum [OPTIONS] <command> [args]
Options:
-h, --help show this help message and exit
-H HOST, --host=HOST ip address of api host
-p PORT, --port=PORT api poort
-s, --ssl use ssl
-v, --verbose turn on verbose logging
-f LOGFILE, --logfile=LOGFILE
log file path
-t TOKEN, --token=TOKEN
authentication token
--version=VERSION Accepts 1.1 and 1.0, defaults to env[QUANTUM_VERSION].
Commands:
list_nets <tenant-id> [filterspec ...]
create_net <tenant-id> <net-name>
unplug_iface <tenant-id> <net-id> <port-id>
plug_iface <tenant-id> <net-id> <port-id> <iface-id>
update_port <tenant-id> <net-id> <port-id> <params>
show_port_detail <tenant-id> <net-id> <port-id>
show_net <tenant-id> <net-id>
delete_port <tenant-id> <net-id> <port-id>
delete_net <tenant-id> <net-id>
list_nets_detail <tenant-id> [filterspec ...]
show_net_detail <tenant-id> <net-id>
show_iface <tenant-id> <net-id> <port-id>
update_net <tenant-id> <net-id> <new-name>
show_port <tenant-id> <net-id> <port-id>
list_ports_detail <tenant-id> <net-id> [filterspec ...]
create_port <tenant-id> <net-id>
list_ports <tenant-id> <net-id> [filterspec ...]
after
we will have
quantum [--debug] [--os_username OS_USERNAME] [--os_password OS_PASSWORD]
[--os_tenant_name OS_TENANT_NAME] [--os_auth_url OS_AUTH_URL]
[--os_region_name OS_REGION_NAME] [--os_auth_token OS_AUTH_TOKEN]
[--region_name REGION_NAME]
[--endpoint_url url] command args
So the first tenant-id parameter will be replaced by value returned from keystone.
Question is how to deal with 'default' tenant?
What will happen to quantum server
1. Context filter is added and can be used as filter
Other question:
If it is ok, should I add one new blueprint or just do it under blueprint https://blueprints.launchpad.net/quantum/+spec/new-cli?
Thanks
Yong Sheng Gong
--
Mailing list: https://launchpad.net/~netstack
Post to : netstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~netstack
More help : https://help.launchpad.net/ListHelp
Mailing list: https://launchpad.net/~netstack
Post to : netstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~netstack
More help : https://help.launchpad.net/ListHelp
-- Mailing list: https://launchpad.net/~netstack Post to : netstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~netstack More help : https://help.launchpad.net/ListHelp
