Re: [Openstack] IMPORTANT: Openstack List Migration (Please read)

2013-07-25 Thread Adam Young
Yes, but subscribing for that gets a page with The requested URL /mailman/subscribe/openstack was not found on this server. On 07/25/2013 08:52 AM, Damion Parry wrote: Hello, I happened to stumble across: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack HTH, Damion. On 25 Jul

Re: [Openstack] glance: "Invalid Openstack Identity Credentials"

2013-07-24 Thread Adam Young
I wrote this up as a general answer. Hope it helps. https://adam.younglogic.com/2013/07/troubleshooting-pki-middleware/ On 07/24/2013 11:44 AM, Adam Young wrote: On 07/24/2013 10:45 AM, Salvatore Orlando wrote: Have you tried checking the credentials that glance uses for validating tokens with

Re: [Openstack] glance: "Invalid Openstack Identity Credentials"

2013-07-24 Thread Adam Young
On 07/24/2013 10:45 AM, Salvatore Orlando wrote: Have you tried checking the credentials that glance uses for validating tokens with keystone? They are defined in glance's conf files in the section: [keystone_authtoken] signing_dir = /var/cache/glance/api make sure that the directory /var/cac

Re: [Openstack] can one user in multiple tenants?

2013-07-18 Thread Adam Young
The CLI keystone user-role-list should be returning that, so long as you don't filter by tenant. From an API perspective, you would call /users/{user_id}/roles http://docs.openstack.org/developer/keystone/api_curl_examples.html#get-users-user-id-roles On 07/18/2013 04:04 AM, Peter Cheung wrot

Re: [Openstack] Keystone client auth plugins

2013-07-18 Thread Adam Young
On 07/18/2013 12:33 AM, Alessio Ababilov wrote: Hi, Chmouel! I have seen your commit https://review.openstack.org/#/c/36427/2 introducing auth plugins to keystone client. I have developed a common API client library that already has auth plugin mechanism found in novaclient. The library can

Re: [Openstack] can one user in multiple tenants?

2013-07-17 Thread Adam Young
On 07/18/2013 12:12 AM, Peter Cheung wrote: Hi all 1) can one user in multiple tenants? I think yes, but when i "keystone user-get", i can see only one tenant field. User has a role assignment. The default role is Member, and they can have this role in multiple tenants. You are seeing the

Re: [Openstack] [keystone] How to validate token without admin privileges

2013-06-20 Thread Adam Young
We are moving to an RBAC system for enforcing access to the APIs. So, whereas in the past we enforced "is admin" when checking a token, in the future, you can specify your own policy rule. PKI based Tokens can be verified without talking to Keystone. See the auth_token middleware and cms.py

Re: [Openstack] Keystone, pki tokens and memcache

2013-06-17 Thread Adam Young
On 06/17/2013 12:27 AM, Sam Morrison wrote: I'm currently looking into Grizzly and have been having some issues getting PKI tokens to work. If I have memcache as the token backend keystone issues uuid based tokens, if I have sql as the backend then it issues PKI tokens. Does this mean you can

Re: [Openstack] [Keystone] Policy settings not working correctly

2013-06-06 Thread Adam Young
What is the actual question here? Is it "why is this failing" or "why was it done that way?" On 06/04/2013 07:47 AM, Heiko Krämer wrote: Heyho guys :) I've a little problem with policy settings in keystone. I've create a new rule in my policy-file and restarts keystone but keystone i don't

Re: [Openstack] [Keystone] Splitting the Identity Backend

2013-05-21 Thread Adam Young
0/05/2013 17:46, Adam Young wrote: Currently, the Identity backend has Domains, Users, Groups, Roles, Role Assignments and Projects. I've proposed splitting it into 3 distinct pieces. Domain, Identity, and Projects. Here is the rationale: Somewhere between a third and a half of the OpenS

[Openstack] [Keystone] Splitting the Identity Backend

2013-05-20 Thread Adam Young
Currently, the Identity backend has Domains, Users, Groups, Roles, Role Assignments and Projects. I've proposed splitting it into 3 distinct pieces. Domain, Identity, and Projects. Here is the rationale: Somewhere between a third and a half of the OpenStack deployments are using LDAP. Ho

Re: [Openstack] AuthN/AuthZ

2013-05-20 Thread Adam Young
usual keystone ports. You will want Keystone on a separate machine from Horizon. On Wed, May 15, 2013 at 3:57 PM, Adam Young <ayo...@redhat.com> wrote: Run Keystone in Apache HTTPD, use Kerberos and the LDAP backend to talk to AD. On 05/14/2013 06:11 PM, Aaron K

Re: [Openstack] AuthN/AuthZ

2013-05-15 Thread Adam Young
Run Keystone in Apache HTTPD, use Kerberos and the LDAP backend to talk to AD. On 05/14/2013 06:11 PM, Aaron Knister wrote: *bump* Here's the tl;dr version: - How have other folks handled integration of OpenStack with existing authN/authZ infrastructures? I'm particularly interested in the

Re: [Openstack] [Grizzly] NoneType object unsubscriptable while setting up keystone

2013-05-15 Thread Adam Young
Look in the bug database, I think there is already an entry for this. user-list works in general, so it has to be something in your environment that is triggering it. If I remember correctly, you are likely using the Admin token. What are the openstack variables in your environment? On 05

Re: [Openstack] keystone

2013-05-14 Thread Adam Young
Looks like you have typos in x.sh On 05/14/2013 08:43 AM, Mahzad Zahedi wrote: I have followed basic install guide openstack on ubuntu (grizzly) so for configuration keystone first, I have created openrc File and added below lines into it: export OS_TENANT_NAME=admin export OS_USERNAME=admin

Re: [Openstack] Heat PTL candidacy

2013-04-25 Thread Adam Young
On 04/23/2013 10:15 AM, Steven Hardy wrote: Repost to correctly include openstack-dev on Cc On Tue, Apr 23, 2013 at 02:45:31PM +0100, Steven Hardy wrote: Hi! I'd like to propose myself as a candidate for the Heat PTL role, ref Thierry's nominations email [1] I've been professionally involved

Re: [Openstack] New site for questions http://ask.openstack.org

2013-03-27 Thread Adam Young
Is there a way I can get notified for any new Questions specific to Keystone? I'm a core dev on Keystone, and can probably answer some of the more esoteric stuff. ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launch

Re: [Openstack] [Keystone]Question: Assignment of default role

2013-02-22 Thread Adam Young
Yes, this is new. We are removing the direct association between users and projects (Project members) and replacing it with a Role (_member_) The _ is there to ensure it does not conflict with existing roles. The two different ways of associating users to projects was causing problems. With

Re: [Openstack] [Swift][Keystone] Authentication problems with Swift and Keystone by Grizzly release

2013-02-16 Thread Adam Young
On 02/14/2013 09:38 AM, Heiko Krämer wrote: Heyho Guys, i'm testing Swift and Keystone (Grizzly). !NOTE! I'm posting only the important stuff (output, responses, configs) I've upgraded and migrate the database, the migration are working not correct (keystone-manage db_sync) because in the role

Re: [Openstack] keystone question

2013-02-06 Thread Adam Young
On 02/06/2013 10:06 AM, pat wrote: Hi all, I have a question about keystone. I have an application (Jee web one) which I want to authenticate against keystone. What I have to do? Thanks Pat Freehosting PIPNI - http://www.pipni.cz/ _

Re: [Openstack] keystone delegate Athentication

2013-02-06 Thread Adam Young
et by Apache and sent to Keystone saying the username of the authenticated user. Will that work for you? On 02/06/2013 09:58 AM, Dolph Mathews wrote: Adam Young is working on introducing delegation in grizzly: https://blueprints.launchpad.net/keystone/+spec/trusts I'm sure he'd appre

Re: [Openstack] [OpenStack] Keystone did not start - DevStack Installation

2013-02-05 Thread Adam Young
ror: [Errno 13] Permission denied: '/opt/stack/keystone/keystone.log' while if i launch that command with sudo, it seems that it runs. Thank you, Antonio On 5 February 2013 17:04, Adam Young <ayo...@redhat.com> wrote: On 02/05/2013 08:00 AM, Antonio Tirri wrote:

Re: [Openstack] [OpenStack] Keystone did not start - DevStack Installation

2013-02-05 Thread Adam Young
On 02/05/2013 08:00 AM, Antonio Tirri wrote: Hi all, actually i'm trying to install OpenStack through DevStack script. Unfortunately the installation is not successful because the keystone service doesn't start. This is the log of the script: 2013-02-05 13:19:05 + SCREEN_NAME=stack 2013-02-0

Re: [Openstack] [keystone] Why are we returing such a big payload in validate token?

2013-01-31 Thread Adam Young
chpad.net/keystone/+spec/trusts Vish Thanks Haneef *From:*openstack-bounces+haneef.ali=hp@lists.launchpad.net <mailto:openstack-bounces+haneef.ali=hp@lists.launchpad.net> [mailto:openstack-bounces+haneef.ali=hp@lists.launchpad.net <mailto:bounces+haneef.ali=hp....@lists

Re: [Openstack] [keystone] Why are we returing such a big payload in validate token?

2013-01-31 Thread Adam Young
On 01/31/2013 07:44 PM, Ali, Haneef wrote: Hi, As of now v3 validateToken response has "tokens, service catalog, users, project , roles and domains. (i.e) Except for groups we are returning everything. We also discussed about the possibility of 100s of endpoints. ValidateToken is supp

Re: [Openstack] Poll: "H" release cycle naming

2013-01-24 Thread Adam Young
On 01/24/2013 10:13 AM, Thierry Carrez wrote: It's that time of the year again... As is the tradition, we'd like the help of the community to help select the code name of the next release cycle of OpenStack. The Technical Committee narrowed the list of valid candidates to 4 names, and we'd like

Re: [Openstack] Glance image upload Keystone error

2013-01-23 Thread Adam Young
On 01/23/2013 06:34 AM, Trinath Somanchi wrote: Hi Stackers- I have installed glance and Keystone and configured them. Not sure how you installed, but you need to make sure the PKI provisioning is done. You can do it by hand with the keystone_manage command. Make sure you run it as the use

Re: [Openstack] keystone + LDAP username only with numbers

2013-01-18 Thread Adam Young
On 01/18/2013 08:18 AM, Marcelo Mariano Miziara wrote: Hello to everyone. First of all sorry for my bad english. Second, i'm implementing openstack here in my company, and we pretend to use it with ldap integration. I detected a problem when the username is only numbers (in our case we use our

Re: [Openstack] Logging Keystone x Remote Syslog

2013-01-11 Thread Adam Young
On 01/11/2013 07:31 AM, Alex Vitola wrote: It's possible send to logs to remote server? Logging is using the standard Python logging module: In keystone/common/logging: import logging import logging.config You should be able to configure this to use SysLog: http://docs.python.org/2/library/

Re: [Openstack] [keystone] IBM DB2 configuration

2012-12-20 Thread Adam Young
What I think we need is a simple way to run our current body of unit tests, to include the sql Migration tests, against a Live database, kind of the same way as I have set up for the live LDAP test. The steps: create a file under keystone/tests that doesn't trigger the naming scheme that ma

Re: [Openstack] S3 Token

2012-12-11 Thread Adam Young
On 12/11/2012 11:11 AM, Adam Young wrote: On 12/11/2012 01:40 AM, Chmouel Boudjnah wrote: On Mon, Dec 10, 2012 at 4:17 AM, Adam Young <ayo...@redhat.com> wrote: As a Keystone core developer, I have to say that I don't see it as a huge burden to keep it in plac

Re: [Openstack] S3 Token

2012-12-11 Thread Adam Young
On 12/11/2012 01:40 AM, Chmouel Boudjnah wrote: On Mon, Dec 10, 2012 at 4:17 AM, Adam Young <ayo...@redhat.com> wrote: As a Keystone core developer, I have to say that I don't see it as a huge burden to keep it in place. We want to maintain API backward comp

Re: [Openstack] LDAP + Keystone,, Error after authentication..

2012-12-11 Thread Adam Young
On 12/11/2012 04:15 AM, yasith tharindu wrote: Hi Team; I was trying to configure ldap + keystone but it seems not working. I feel like authentication is successful but horizon return me python error. Im unable to trace as its does not give any detail. Following I have attached the error,

Re: [Openstack] S3 Token

2012-12-09 Thread Adam Young
On 12/08/2012 08:22 AM, Chmouel Boudjnah wrote: Hi, I'm working on removing the swift+keystone middleware from keystone, we have moved it already as keystoneauth since last OpenStack release into the main swift repository. One thing that left in keystone is the s3_token middleware. Since in

[Openstack] [Keystone] LDAP Backend for Catalog

2012-12-03 Thread Adam Young
Right now, only the Identity submodule has an LDAP backend. This is user, tenants, and roles. Is there any requirement for the Catalog to have an LDAP back end? Endpoints and Services do not necessarily map directly to the LDAP view of machines, but could probably be made to fit. I will sta

Re: [Openstack] [devstack] keystone failed to get-token

2012-12-03 Thread Adam Young
On 12/03/2012 05:57 AM, benzwt benzwt wrote: I gitted the devstack with version 6540d8910194bb523601ffdd06cdf4c2126e3fd0 I ran it but it returned glance: error: argument --os-auth-token: expected one argument after tracing the code I found that it was due to line 1662 in stack.sh as the keysto

Re: [Openstack] Configuring keystone with ldap

2012-11-30 Thread Adam Young
On 11/29/2012 11:47 PM, yasith tharindu wrote: I was trying to enable keystone with ldap. but always return me with a this error. "*Error:* Invalid user name or password." and no log trace can be found. All I can say is it looks correct enough, but you obviously have a problem in y

Re: [Openstack] [openstack-dev] Fwd: [keystone] Tokens representing authorization to projects/tenants in the Keystone V3 API

2012-11-13 Thread Adam Young
"unscoped" token, because an unscoped token does have a scope. It just so happens that the scope of that token is the resource that provides a list of available tenants. -jOrGe W. On Oct 22, 2012, at 9:57 PM, Adam Young wrote: Are you guys +1 ing the original Idea, my suggestion to make it opt

Re: [Openstack] [keystone] Domain Name Spaces

2012-10-30 Thread Adam Young
On 10/30/2012 06:43 AM, David Chadwick wrote: On 27/10/2012 00:17, Henry Nash wrote: So to pick up on a couple of the areas of contention: a) Roles. I agree that role names must stay globally unique. One way of thinking about this is that it is not actually keystone that is creating the "role

Re: [Openstack] [keystone] Domain Name Spaces

2012-10-26 Thread Adam Young
On 10/26/2012 07:17 PM, Henry Nash wrote: So to pick up on a couple of the areas of contention: a) Roles. I agree that role names must stay globally unique. One way of thinking about this is that it is not actually keystone that is creating the "role name space" it is the other services (Nov

Re: [Openstack] [SWIFT] Proxies Sizing for 90.000 / 200.000 RPM

2012-10-24 Thread Adam Young
On 10/24/2012 07:45 PM, heckj wrote: John brought the concern over auth_token middleware up to me directly - I don't know of anyone that's driven the keystone middleware to these rates and determined where the bottlenecks are other than folks deploying swift and driving high performance number

Re: [Openstack] Fwd: [openstack-dev] [keystone] Tokens representing authorization to projects/tenants in the Keystone V3 API

2012-10-23 Thread Adam Young
Tokens" as a straw man, and we can beat it up to come up with a better term. "Sloppy" was never meant seriously, but more a way to tweak the noses of the project members named "Joe." -jOrGe W. On Oct 22, 2012, at 9:57 PM, Adam Young wrote: Are you guys +1 ing the

Re: [Openstack] Fwd: [openstack-dev] [keystone] Tokens representing authorization to projects/tenants in the Keystone V3 API

2012-10-22 Thread Adam Young
hould always be kept as limited as possible. Personally, I don't feel like limiting the tenant list makes much difference. The more I think about it, the real benefit comes from limiting the endpoints. On Oct 20, 2012, at 21:07, "Adam Young" <mailto:ayo...@redhat.com&g

Re: [Openstack] Keystone-dev question

2012-10-22 Thread Adam Young
On 10/22/2012 02:16 PM, Ken Thomas wrote: Greetings all, I'm working on a keystone bug (to get my feet wetter) and I have a couple of questions. Could someone please take a look at comment #2 in https://bugs.launchpad.net/python-keystoneclient/+bug/1031245 (Get a User by Name) and let me kn

Re: [Openstack] Fwd: [openstack-dev] [keystone] Tokens representing authorization to projects/tenants in the Keystone V3 API

2012-10-20 Thread Adam Young
On 10/20/2012 01:50 PM, heckj wrote: I sent this to the openstack-dev list, and thought I'd double post this onto the openstack list at Launchpad for additional feedback. -joe Begin forwarded message: *From:* heckj <he...@mac.com> *Subject:* [openstack-dev] [keystone] Tokens represent

Re: [Openstack] A simple guide to install OpenStack Folsom

2012-10-10 Thread Adam Young
On 10/10/2012 05:27 AM, Skible OpenStack wrote: On 10/10/2012 11:23, Alan Pevec wrote: On Wed, Oct 10, 2012 at 11:10 AM, Skible OpenStack wrote: I am counting on your feedback to enhance my work and contribute it to the OpenStack Eco System. I wonder about https://github.com/mseknibil

Re: [Openstack] FreeIPA LDAP + Keystone question: How to assign roles to user?

2012-09-25 Thread Adam Young
://adam.younglogic.com/2012/09/ldaps-against-a-freeipa-server/ Many thanks. On Sep 24, 2012, at 11:10 PM, Adam Young wrote: Role is grouped in the collection under the Tenant, with the userid in the members attribute for that role. On 09/24/2012 03:18 AM, 邱剑 wrote: Openstack services

Re: [Openstack] FreeIPA LDAP + Keystone question: How to assign roles to user?

2012-09-24 Thread Adam Young
eeIP as backend of Keystone. User and tenants information can be fetched from LDAP. However, I could not figure out how to assign roles to users in specific tenants. I'm wondering whether someone can help? I noticed that Mr. Adam Young had post a blog about this topic: htt

Re: [Openstack] Keystone: LDAP identity driver 'list resource' support

2012-09-10 Thread Adam Young
On 09/10/2012 03:55 PM, Adam Young wrote: On 09/10/2012 02:28 PM, Joseph Heck wrote: Hey Boden, It's not scheduled to be fixed in the Folsom release, the linkages to milestones and such indicate that. The original developer that proposed a patch disappeared in that flow, so it stag

Re: [Openstack] Keystone: LDAP identity driver 'list resource' support

2012-09-10 Thread Adam Young
bug/983304 -Dolph On Mon, Sep 10, 2012 at 11:32 AM, Adam Young <ayo...@redhat.com> wrote: On 09/10/2012 11:29 AM, boden wrote: I've been munking with the latest Keystone LDAP identity driver and based on what I'm seeing the driver does not support t

Re: [Openstack] Keystone: LDAP identity driver 'list resource' support

2012-09-10 Thread Adam Young
On 09/10/2012 11:29 AM, boden wrote: I've been munking with the latest Keystone LDAP identity driver and based on what I'm seeing the driver does not support the 'list' resource based methods. For example 'list users', 'list tenants'... For example, config your keystone.conf up to use an LDAP ba

Re: [Openstack] Cannot submit topic for Summit.

2012-09-09 Thread Adam Young
ck-bounces+donald.d.dugger=intel@lists.launchpad.net [mailto:openstack-bounces+donald.d.dugger=intel@lists.launchpad.net] On Behalf Of Adam Young Sent: Saturday, September 08, 2012 6:53 PM To: openstack Subject: [Openstack] Cannot submit topic for Summit. I've been through the seque

[Openstack] Cannot submit topic for Summit.

2012-09-08 Thread Adam Young
I've been through the sequence to submit a topic proposal for the summit a handful of times. I submit, and it says "You are not logged in." And yes, I logged back in afterwards.

Re: [Openstack] [Keystone] LDAP integratiom

2012-09-07 Thread Adam Young
, keystone would be configured to use LDAP as the identity store. -Dolph On Fri, Sep 7, 2012 at 8:30 AM, Adam Young <ayo...@redhat.com> wrote: On 09/06/2012 05:23 PM, Ivan Kolodyazhny wrote: Hi Everyone, Keystone uses python-ldap library to communicate with LDAP

Re: [Openstack] [Keystone] LDAP integratiom

2012-09-07 Thread Adam Young
On 09/06/2012 05:23 PM, Ivan Kolodyazhny wrote: Hi Everyone, Keystone uses python-ldap library to communicate with LDAP server. There are two points where Keystone communicates with LDAP server: keystone.common ldap and keystone.identity.backends.ldap packages. According to the current Keyston

Re: [Openstack] [Keystone] Creating tenant failed when using ldap as identity backend: 'attribute type undefined'

2012-09-06 Thread Adam Young
Interesting. We have this outstanding bug report https://code.launchpad.net/bugs/980085 I would appreciate it if you could add what you found to the bug report. On 09/06/2012 03:50 AM, Yanping Xie wrote: Hi, All I have resolved this problem by add 'enabled' attribute to class groupOfN

Re: [Openstack] Keystone PKI support

2012-09-04 Thread Adam Young
On 09/04/2012 09:36 AM, boden wrote: Hi, I'm trying to better understand the current status of PKI (http://wiki.openstack.org/PKI) and delegated authZ from a folsom perspective. I can see the blueprint targets folsom-rc1, is marked as implemented (https://blueprints.launchpad.net/keystone/+spec/

Re: [Openstack] Keyring support in openstack

2012-08-22 Thread Adam Young
On 08/22/2012 07:15 PM, Bhuvaneswaran A wrote: On Mon, Jul 30, 2012 at 5:48 PM, Adam Young <ayo...@redhat.com> wrote: On 07/30/2012 06:00 PM, Doug Hellmann wrote: On Mon, Jul 30, 2012 at 5:30 PM, Adam Young <ayo...@redhat.com> wrote: On 07/3

Re: [Openstack] ldaps support in keystone?

2012-08-22 Thread Adam Young
On 08/22/2012 09:38 AM, Yanping Xie wrote: Hi, all Could I ask if ldaps is supported in keystone? I do know that ldap is supported in keystone, but I couldn't find any information about ldaps support in keystone via google nor openstack doc. Could anyone give some explicit information about t

Re: [Openstack] implementing custom keystone module

2012-08-21 Thread Adam Young
On 08/21/2012 05:10 PM, pat wrote: Hello, I want to implement custom keystone authentication module. I went through the What are you trying to do? There is a good chance that one of the other modules can be a good example. documentation and I'm not sure where to start :-\ Please, could yo

Re: [Openstack] keystone initialization problem

2012-08-17 Thread Adam Young
OK, SERVICE_TOKEN is the same as --token You can follow the steps here: https://access.redhat.com/knowledge/docs/en-US/Red_Hat_OpenStack_Preview/ Specifically: https://access.redhat.com/knowledge/docs/en-US/Red_Hat_OpenStack_Preview/1/html/Getting_Started_Guide/ch02.html#id3165390 || *|expor

Re: [Openstack] RedHAt * OPenSTack

2012-08-14 Thread Adam Young
On 08/14/2012 03:16 PM, Joshua Harlow wrote: Are signups taking a while?? Anyone else got the email yet, I think they lost mine, sad++ Contact me off list if this is still a problem. On 8/14/12 11:57 AM, "Frans Thamura" wrote: hi all Redhat just post in his wall openstack.. http://www

Re: [Openstack] The Return of Hyper-V

2012-08-13 Thread Adam Young
On 08/13/2012 11:26 AM, Peter Pouliot wrote: Hello Everyone, I would like to take this moment to make everyone aware of the following: https://review.openstack.org/#/c/11276/ I would like to thank the following individuals, who have given so much to help this project progress to this state.

Re: [Openstack] Keystone: 'PKI Signed Tokens' lack support for revocation

2012-08-07 Thread Adam Young
On 08/01/2012 09:19 PM, Maru Newby wrote: I see that support for PKI Signed Tokens has been added to Keystone without support for token revocation. I tried to raise this issue on the bug report: https://bugs.launchpad.net/keystone/+bug/1003962/comments/4 And the review: https://review.opens

Re: [Openstack] Keystone: 'PKI Signed Tokens' lack support for revocation

2012-08-03 Thread Adam Young
e new idea here, just reimplementation of ideas from other projects. Nate On Aug 2, 2012 10:24 PM, "Adam Young" <ayo...@redhat.com> wrote: On 08/01/2012 11:05 PM, Maru Newby wrote: Hi Adam, I apologize if my questions were answered before. I wasn't a

Re: [Openstack] Keystone: 'PKI Signed Tokens' lack support for revocation

2012-08-02 Thread Adam Young
avoid PKI tokens until revocation support became available. Thanks, Maru On 2012-08-01, at 9:47 PM, Adam Young wrote: On 08/01/2012 09:19 PM, Maru Newby wrote: I see that support for PKI Signed Tokens has been added to Keystone without support for token revocation. I tried to raise thi

[Openstack] Fwd: Re: Keystone: 'PKI Signed Tokens' lack support for revocation

2012-08-02 Thread Adam Young
touchy subject when we first started designing it, and suspected that it would take some form of commit before the discussion hit the majority of the community. On 08/02/2012 02:20 PM, Christopher MacGown wrote: On Thursday, August 2, 2012 at 6:59 AM, Adam Young wrote: So, let me put the onus on

Re: [Openstack] Keystone: 'PKI Signed Tokens' lack support for revocation

2012-08-02 Thread Adam Young
ntial it is that we have rapid revocation of tokens. And firing someone is usually part of the whole "escort from the building" routine. So, let me put the onus on you: make the argument for rapid revocation of tokens. Thanks, Maru On 2012-08-01, at 9:47 PM, Adam Yo

Re: [Openstack] Keystone: 'PKI Signed Tokens' lack support for revocation

2012-08-01 Thread Adam Young
On 08/01/2012 09:19 PM, Maru Newby wrote: I see that support for PKI Signed Tokens has been added to Keystone without support for token revocation. I tried to raise this issue on the bug report: https://bugs.launchpad.net/keystone/+bug/1003962/comments/4 And the review: https://review.opens

Re: [Openstack] Keyring support in openstack

2012-07-30 Thread Adam Young
On 07/30/2012 06:00 PM, Doug Hellmann wrote: On Mon, Jul 30, 2012 at 5:30 PM, Adam Young <ayo...@redhat.com> wrote: On 07/30/2012 05:17 PM, Kevin L. Mitchell wrote: On Mon, 2012-07-30 at 13:50 -0700, Bhuvaneswaran A wrote: The wiki mentions the

Re: [Openstack] Performing HPCC Benchmark on OpenStack Cloud

2012-07-30 Thread Adam Young
On 07/30/2012 10:22 AM, Reza Bakhshayeshi wrote: Hi I want to run HPCC benchmark on OpenStack cloud, I want you to help me to make the results more real. How can we impute the results to OpenStack and not to my computers? Do I really need a server farm to perform the test? And I think I have t

Re: [Openstack] Keyring support in openstack

2012-07-30 Thread Adam Young
On 07/30/2012 05:17 PM, Kevin L. Mitchell wrote: On Mon, 2012-07-30 at 13:50 -0700, Bhuvaneswaran A wrote: The wiki mentions the password being saved using keyring.backend.UncryptedFileKeyring. Does that mean the password is saved in cleartext? Is the file protected in some way besides filesys

Re: [Openstack] Suspend/Stop VM

2012-07-30 Thread Adam Young
On 07/30/2012 12:13 PM, George Reese wrote: Thanks, but I am looking for how this is done via API. You can determine from the CLI what APIs are called by running with --debug. For example: nova --debug list You will see: send: u'GET /v2/cdc204424fdf4f428ca27cc3d65ea583/servers/detail HT

Re: [Openstack] Hiding complexity of paste config files from operators

2012-07-30 Thread Adam Young
On 07/30/2012 05:12 AM, Thierry Carrez wrote: Lorin Hochstein wrote: I wanted to discuss the usability of the paste config files from an operator's point of view. The paste config files are opaque to administrators who are trying to stand an OpenStack cloud for the first time, since they expose

Re: [Openstack] [keystone] Multi-tenants per user, authentication tokens and global roles

2012-07-27 Thread Adam Young
On 07/27/2012 12:50 AM, Ryan Lane wrote: Not in Essex. When we discussed the Domains blueprint, one issue that I brought up was nested groups/projects. That would solve your problem. It is not currently being developed. Ok. I can deal with handling tens of thousands of tokens, but I need so

Re: [Openstack] [keystone] Multi-tenants per user, authentication tokens and global roles

2012-07-26 Thread Adam Young
On 07/26/2012 08:30 PM, Ryan Lane wrote: I'm working on upgrading to essex, which means I need to start using keystone. My use case seems to not fit keystone very well, though... In my environment, one user can be a member of many projects (some users are in up to 20-30 projects). Management of

Re: [Openstack] [Keystone] Quotas: LDAP Help

2012-07-25 Thread Adam Young
.bell=cern...@lists.launchpad.net [mailto:openstack-bounces+tim.bell=cern...@lists.launchpad.net] On Behalf Of Ryan Lane Sent: 17 July 2012 20:43 To: Adam Young Cc: Joseph Heck; openstack Subject: Re: [Openstack] [Keystone] Quotas: LDAP Help I haven't been thinking about quotas, so bear with me here.

Re: [Openstack] 回复: Keystone client could not behave well, call for help

2012-07-23 Thread Adam Young
On 07/22/2012 09:12 AM, 延生 付 wrote: reply: 'HTTP/1.1 503 Service Unavailable\r\n' This seems to be the main problem. The error message "string indices must be integers, not str" seems to be a bug in trying to parse the error page.

Re: [Openstack] Identity API v3 - Why allow multi-tenant users?

2012-07-18 Thread Adam Young
[mailto:openstack-bounces+jason.rouault=hp@lists.launchpad.net] *On Behalf Of* Adam Young *Sent:* Tuesday, July 17, 2012 11:55 AM *To:* openstack@lists.launchpad.net *Subject:

Re: [Openstack] [Keystone] API Question

2012-07-17 Thread Adam Young
"name": "project-x", "id": "1213c2511f364264b1dfea9a56a225e0" } ], "tenants_links": [] } -Dolph On Tue, Jul 17, 2012 at 2:55 PM, Matt Joyce

Re: [Openstack] [Keystone] API Question

2012-07-17 Thread Adam Young
tenant_ids = self.identity_api.get_tenants_for_user(context, user_ref['id']) I'm not sure that this is the right semantics for it, but it looks like it does what you want. On Tue, Jul 17, 2012 at 1:03 PM, Adam Young <ayo...@redhat.com> wrote: On 07/17/2012 03:55 PM,

Re: [Openstack] [Keystone] API Question

2012-07-17 Thread Adam Young
On 07/17/2012 03:55 PM, Matt Joyce wrote: On Tue, Jul 17, 2012 at 12:55 PM, Adam Young <ayo...@redhat.com> wrote: On 07/17/2012 03:47 PM, Matt Joyce wrote: As a non admin user. Querying the keystone v2 API is there a way for me to get a list of the tenan

Re: [Openstack] [Keystone] API Question

2012-07-17 Thread Adam Young
On 07/17/2012 03:47 PM, Matt Joyce wrote: As a non admin user. Querying the keystone v2 API is there a way for me to get a list of the tenants that I am a member of? Or is that only a v3 thing? -Matt I was just looking into it, and there is no such API yet. The underlying Identity provi

Re: [Openstack] [INTERNAL ONLY (NDA)] Fwd: Reqs for OpenStack from Intel IT - Redhat/OpenStack discussions

2012-07-17 Thread Adam Young
On 07/17/2012 02:53 PM, Adam Young wrote: On 07/17/2012 02:01 PM, Perry Myers wrote: CONFIDENTIAL/INTERNAL ONLY (NDA) Please do not forward this spreadsheet outside of this list. Please do not talk about any of these features externally as "Something Intel has asked for". We can

Re: [Openstack] [Keystone] Quotas: LDAP Help

2012-07-17 Thread Adam Young
On 07/17/2012 02:42 PM, Ryan Lane wrote: I haven't been thinking about quotas, so bear with me here. A few thoughts: Certain deployments might not be able to touch the LDAP backend. I am thinking specifically where there is a corporate AD/LDAP server. I tried to keep the scheme dependency simp

Re: [Openstack] Identity API v3 - Why allow multi-tenant users?

2012-07-17 Thread Adam Young
On 05/29/2012 01:18 PM, Caitlin Bestler wrote: One of the major complication I see in the API is that users can be associated with multiple tenants. What is the benefit of this? What functionality would be lost if a human user merely had to use a different account with each tenant? There a

Re: [Openstack] debugging a db migration script

2012-07-17 Thread Adam Young
On 07/17/2012 11:42 AM, Jim Fehlig wrote: Hengqing Hu wrote: There is a test in nova: You can run run_tests.sh in your nova root like this: ./run_tests.sh -v test_migrations Thanks for the tip! To set a breakpoint, you can either run python -m pdb run_tests.py or modify your code and

Re: [Openstack] [Keystone] Quotas: LDAP Help

2012-07-17 Thread Adam Young
On 07/17/2012 11:18 AM, Everett Toews wrote: On Mon, Jul 16, 2012 at 7:20 PM, Adam Young <ayo...@redhat.com> wrote: Usually a Quota is a limitation on a resource. I suspect that the problem here is we have not nailed down the resource objects that you would the

Re: [Openstack] debugging a db migration script

2012-07-17 Thread Adam Young
On 07/16/2012 11:59 PM, Jim Fehlig wrote: I'm working on a patch that adds a column to the compute_nodes table in the nova db, but it seems my db migration script fails when calling 'db sync' in stack.sh. I tried running the command manually, same failure: stack@virt71:~> /opt/stack/nova/bin/no

Re: [Openstack] enforce admin_required with LDAP admin user

2012-07-17 Thread Adam Young
You need an admin token and to go against port 35357 for those types of operations. A basic user does not have permission to do so. It has nothing to do with LDAP. On 05/22/2012 11:47 AM, Sharif Islam wrote: I think my LDAP bind is working by tenant-list and user-list gives me admin_require

Re: [Openstack] Change user password (not admin)

2012-07-17 Thread Adam Young
On 06/06/2012 07:24 PM, Sam Morrison wrote: Hi, There has been a first attempt at this in keystone. See https://review.openstack.org/#/c/7437/ And bug: https://bugs.launchpad.net/keystone/+bug/996922 It needs more work to make it secure though. What do you think it needs? Please open a bug

Re: [Openstack] [Keystone] Quotas: LDAP Help

2012-07-16 Thread Adam Young
On 07/16/2012 07:31 PM, Everett Toews wrote: Hi All, I've got a working implementation of quotas in Keystone. However it's only working for the KVS and SQL backends right now and I need it to work with LDAP before submitting it for review. I have limited experience with LDAP and only from an

Re: [Openstack] UnifiedCLI suggestion

2012-07-16 Thread Adam Young
On 06/28/2012 11:54 AM, Dean Troyer wrote: On Mon, Jun 25, 2012 at 5:28 PM, Doug Hellmann wrote: On Mon, Jun 25, 2012 at 6:19 PM, Ken Thomas wrote: [...] I've already submitted the keystone changes for review (https://review.openstack.org/#/c/8958/3/keystoneclient/shell.py) and I'd be happy

Re: [Openstack] Routing ReST API Calls by URL

2012-07-16 Thread Adam Young
On 07/13/2012 05:39 PM, Nathanael Burton wrote: Dan, Adam Young was advocating for something like this. I don't know if a consensus was ever reached, but I thought it was a good idea. https://lists.launchpad.net/openstack/msg10864.html Nate Dan, Here's my proposed sch

Re: [Openstack] Keystone Federation

2012-07-05 Thread Adam Young
ul 5, 2012 at 11:26 AM, Adam Young <ayo...@redhat.com> wrote: I am contemplating writing up a post-Folsom Blueprint for Keystone Federation and/or replication, and would like to solicit input from the community. With Signed tokens, we can provide the n

[Openstack] Keystone Federation

2012-07-05 Thread Adam Young
I am contemplating writing up a post-Folsom Blueprint for Keystone Federation and/or replication, and would like to solicit input from the community. With Signed tokens, we can provide the name of the Keystone server that signed the token. With this comes the need to verify that the specifi

[Openstack] PKI Token Generation

2012-07-03 Thread Adam Young
The discussion during the Keystone meeting today had a couple of key points I'd like to address. The Current token length is 32 characters long. An example: e50d580692d644cfb8bec0246aede2c2 With PKI Signed tokens, they will be much longer MIICgAYJKoZIhvcNAQcCoIICcTCCAm0CAQExCTAHBgUrDgMCGjC

Re: [Openstack] OVF vs. bare container formats for qcow2 images

2012-06-29 Thread Adam Young
On 04/01/2012 11:15 AM, Lorin Hochstein wrote: On Mar 29, 2012, at 12:40 PM, Daniel P. Berrange wrote: On Wed, Mar 28, 2012 at 04:41:28PM -0400, Lorin Hochstein wrote: All: Given that I have a qcow2 image from somewhere (e.g., downloaded it from a uec-images.ubuntu.com

Re: [Openstack] [Devstack]Keystone authentication problem when installing

2012-06-27 Thread Adam Young
Can you post your localrc file? You can blank out the passwords. Also, what distribution? On 06/27/2012 09:30 PM, Ke Wu wrote: Hi, I can't find a mailing list of devstack so I choose to ask here, hope this doesn't spam you guys. I was trying to build Devstack on my VM (Ubuntu 12.04 serve

Re: [Openstack] [keystone] Keystone on port 5000 - proposing change default port to 8770

2012-06-20 Thread Adam Young
That is for admin, 5000 is for normal usage. Personally, I'd like to see all of the custom ports go away and we use an URL scheme as proposed: http://wiki.openstack.org/URLs On 06/20/2012 08:56 PM, Mellquist, Peter wrote: What happened to 35357? In general, new port #s should be applied thr
