Re: [Openstack] Keystone tenants vs. Nova projects

2011-07-15 Thread Yuriy Taraday
I got it. We need to create something like domain-wide backend configuration. Domain can contain several tenants and users and should be explicitly specified in authentication data. The only problem I see here is security. If I have a cloud and provide access to it to some company, they are free to

Re: [Openstack] Physical host identification

2011-07-15 Thread Chris Behrens
I think it's sensitive because one could figure out how many hosts a SP has globally... which a SP might not necessarily want to reveal. - Chris On Jul 15, 2011, at 3:34 PM, karim.allah.ah...@gmail.com wrote: > On Fri, Jul 15, 2011 at 11:31 PM, Chris Behrens > wrote: > Nevermind. Just found

Re: [Openstack] Physical host identification

2011-07-15 Thread karim.allah.ah...@gmail.com
On Fri, Jul 15, 2011 at 11:31 PM, Chris Behrens wrote: > Nevermind. Just found a comment in the API spec that says "hostID" is > unique per account, not globally. Hmmm... > This is weird ! I can't find anything in the code that says so !! hostID is just a hashed version of the 'host' which is

[Openstack] [Keystone] [Swift] Keystone Tenant vs Swift Account

2011-07-15 Thread Nguyen, Liem Manh
Hi, For Nova, the Keystone Tenant maps to a Nova project, and according to the "Finalize Auth integration" blueprint, the Nova project is going away ("no more project/roleuser info in nova"). What about Swift's account? I assume the Keystone tenant would map to a Swift account. How would thi

Re: [Openstack] Physical host identification

2011-07-15 Thread Chris Behrens
I see the v1.1 API spec talks about a 'hostId' item returned when you list your instances (section 4.1.1 in the spec). These should be the same thing, IMO. I think you're right, though. I don't believe we have any sort of 'hostId' today, since hosts just become available by attaching to AMQP.

Re: [Openstack] Physical host identification

2011-07-15 Thread Chris Behrens
Nevermind. Just found a comment in the API spec that says "hostID" is unique per account, not globally. Hmmm... On Jul 15, 2011, at 2:27 PM, Chris Behrens wrote: > I see the v1.1 API spec talks about a 'hostId' item returned when you list > your instances (section 4.1.1 in the spec). These

[Openstack] Physical host identification

2011-07-15 Thread Glen Campbell
I understand that we're all familiar with virtualization and its benefits. However, in the Real World, those of us who run clouds often need to work with physical devices. I've proposed a blueprint and spec for a /hosts admin API resource that would return information on physical hosts. However,

Re: [Openstack] Keystone tenants vs. Nova projects

2011-07-15 Thread andi abes
Just to clarify - yuriy, what you're describing is very reasonable for an enterprise system, where you definitely strive to achieve centralized authentication. I however believe that model is too restrictive for a cloud service provider. These two worlds are somewhat different. On Jul 15, 2011, at

Re: [Openstack] Keystone tenants vs. Nova projects

2011-07-15 Thread andi abes
I guess sfdc disagrees with you - they allow e.g. Dell to use a single sign on to authenticate to their services - as a @dell user, you can login with the same email/password to internal resources as well as sfdc ones. (in case it's not obvious - you also update your password in one location - the

Re: [Openstack] Keystone tenants vs. Nova projects

2011-07-15 Thread Yuriy Taraday
Currently there is a basic skeleton for only one backend (identity store) configuration per Keystone instance. It can be either DB or LDAP (the latter is almost done). Maybe in future we should be somehow able to specify not only tenants but also a backend for each authentication request. But I c

Re: [Openstack] Keystone tenants vs. Nova projects

2011-07-15 Thread andi abes
Yuriy, a use-case scenario for keystone would be a service provider servicing large customers with their own authentication infrastructure (e.g. LDAP/ AD etc). Obviously, different tenants have different instances. To authenticate a user, the correct authentication back end must be selected.

Re: [Openstack] Keystone tenants vs. Nova projects

2011-07-15 Thread Rouault, Jason (Cloud Services)
In typical RBAC systems you specify the role you will be acting in when you gain access. This is the principle of least privilege. Jason From: Yuriy Taraday [mailto:yorik@gmail.com] Sent: Friday, July 15, 2011 11:27 AM To: Nguyen, Liem Manh Cc: openstack@lists.launchpad.net; Ziad Saw

Re: [Openstack] Keystone tenants vs. Nova projects

2011-07-15 Thread Yuriy Taraday
Yeah, I agree that we should not duplicate user-tenant link this way. But I cannot understand why should we have anything default. I think, everything should be explicit here. It'll make both code and experience simpler and clearer. So, as I said, user will have to have either some global role or s

Re: [Openstack] Keystone tenants vs. Nova projects

2011-07-15 Thread Nguyen, Liem Manh
Hi Yuriy, The “dual” link concept between user and tenant (user <-> tenant, and user <-> role <-> tenant) is a little bit confusing for me (perhaps, I don’t understand the nuances of it). What happens if a user belongs to a tenant but has no role in it? It seems to me that instead of having a

Re: [Openstack] XEN non-VT based compute workers

2011-07-15 Thread Muriel
On 15/07/2011 12:40, Zeeshan Ali Shah wrote: Sound Excellent I also thought it is a documentation bug .. I will try now and will report the experience. Zeeshan Hi all, I'm doing some tests in these days using xen 4.0.2: works fine (except with qcow images). Thanks to the griddynamics guys for

[Openstack] Announcing Ubuntu Cloud Days

2011-07-15 Thread Ahmed Kamal
Hi everyone, This is a reminder note that Ubuntu Cloud Days is 10 days away. You can read more at: https://wiki.ubuntu.com/UbuntuCloudDays/ If you would like to host an irc session, please directly edit https://wiki.ubuntu.com/UbuntuCloudDays/Timetable For more information or questions, pleas

[Openstack] FLAG --start_guests_on_host_boot=true

2011-07-15 Thread Leandro Reox
Hi all, Can't find any reference about this flag on the openstack docs --start_guests_on_host_boot=true, is it really available? If so, even if I set it up on the compute nova.conf, it doesn't restart instances at node reboot. Using Cactus by now. Any clues? Regards

Re: [Openstack] [Openstack-operators] FLAG --start_guests_on_host_boot=true

2011-07-15 Thread Anne Gentle
Ah, doc bug reporting abounds today. :) The flag is in /nova/virt/libvirt/connection.py, and it indicates "Whether to restart guests when the host reboots." It was added prior to revno 989 (it's revno 912) so it should be available in Cactus. I learned this by grepping the code for part of the fl

Re: [Openstack] XEN non-VT based compute workers

2011-07-15 Thread Anne Gentle
Ah, yes, thank you for pointing it out. Here is the doc bug. https://bugs.launchpad.net/openstack-manuals/+bug/811027 Anne

Re: [Openstack] XEN non-VT based compute workers

2011-07-15 Thread Soren Hansen
2011/7/15 Zeeshan Ali Shah : > which says "Hardware: OpenStack components are intended to run on standard > hardware. Specifically for virtualization on the node or nodes running > nova-compute, you need a x86 machine with an AMD processor with SVM > extensions (also called AMD-V) or an Intel proce

Re: [Openstack] XEN non-VT based compute workers

2011-07-15 Thread Zeeshan Ali Shah
Sound Excellent I also thought it is a documentation bug .. I will try now and will report the experience. Zeeshan On Fri, Jul 15, 2011 at 12:36 PM, Soren Hansen wrote: > 2011/7/15 Zeeshan Ali Shah : > > which says "Hardware: OpenStack components are intended to run on > standard > > hardwa

Re: [Openstack] XEN non-VT based compute workers

2011-07-15 Thread Zeeshan Ali Shah
From here I read it http://docs.openstack.org/cactus/openstack-compute/admin/content/compute-system-requirements.html which says "*Hardware*: OpenStack components are intended to run on standard hardware. Specifically for virtualization on the node or nodes running nova-compute, you need a x86 ma

Re: [Openstack] S3-compatible client tools?

2011-07-15 Thread FUJITA Tomonori
On Fri, 15 Jul 2011 17:40:28 +1000 Tom Fifield wrote: > Hi all, > > Any recommendations for S3-compatible cli or gui client tools to work > with OpenStack? > > My summary so far: > * CloudBerry Explorer (windows only!) works > * S3Fox uses the new sub-domain based buckets, which aren't supporte

[Openstack] S3-compatible client tools?

2011-07-15 Thread Tom Fifield
Hi all, Any recommendations for S3-compatible cli or gui client tools to work with OpenStack? My summary so far: * CloudBerry Explorer (windows only!) works * S3Fox uses the new sub-domain based buckets, which aren't supported in OpenStack * s3cmd should work with the Eucalyptus patches (but

Re: [Openstack] OpenStack Identity: Keystone API Proposal

2011-07-15 Thread Devin Carlen
I'm a bit confused as to how Keystone will handle authorization. It sounds now like it is only handling authentication. Can you clarify? Devin On Jul 13, 2011, at 9:41 PM, Ziad Sawalha wrote: > We've taken much of that out of the current API; so the API does not allow > creating these entiti