Re: [Openstack] [Keystone] Policy settings not working correctly

2013-06-06 Thread Yee, Guang
I think keystone client is still V2 by default, which is enforcing admin_required. Try this "admin_required": [["role:KeystoneAdmin"], ["role:admin"], ["is_admin:1"]], Guang From: Openstack [mailto:openstack-bounces+guang.yee=hp@lists.launchpad.net] On Behalf Of Adam Youn

Re: [Openstack] [keystone] Encryption based user authentication in keystone

2013-01-28 Thread Yee, Guang
Only password and token authentications are natively supported (by default) at the moment. There are also signature-based authentication APIs like ec2 and s3 available as extensions. Other mechanisms such as two-way SSL and external authentication via a web frontend are also possible? In v3, we sho

Re: [Openstack] [openstack-dev] Fwd: [keystone] Tokens representing authorization to projects/tenants in the Keystone V3 API

2012-11-14 Thread Yee, Guang
Is "belongsTo" mandatory? If not, what will token validation API return? {"access": [list of tokens]} ? Guang -Original Message- From: Jorge Williams [mailto:jorge.willi...@rackspace.com] Sent: Wednesday, November 14, 2012 2:47 PM To: OpenStack Development Mailing List Cc: openstack@

Re: [Openstack] [openstack-dev] Fwd: [keystone] Tokens representing authorization to projects/tenants in the Keystone V3 API

2012-11-13 Thread Yee, Guang
An unscoped token is basically implicitly scoped to Keystone service right? One should be able to use an unscoped token to reset his password, and ask Keystone for information pertaining to himself, such as what are his roles, what services/endpoints are available to him, and what are his tenants,

Re: [Openstack] Keystone client, user belongs to many tenants?

2012-05-09 Thread Yee, Guang
I think this use case underscores one of the key differences between the fat Keystone (Diablo - E3) and KSL (Essex final). In fat Keystone, users and tenants are loosely coupled. They are bound together by role assignments. In KSL, users and tenants are tightly coupled, and IMHO very inflexible.

Re: [Openstack] [Keystone] What exactly are we modeling with endpoints?

2012-04-25 Thread Yee, Guang
A service can have 0 to N endpoints. Why not? To the end users, what's the difference between no endpoints and unreachable endpoints anyway? It should be up to the client to return a more human-readable, actionable error message. An endpoint basically consists of a URI and a bunch of characte

Re: [Openstack] "Admin"-ness in Keystone, Nova, et. al.

2012-03-30 Thread Yee, Guang
"solution" to this bug/feature request would be to add similar functionality to Keystone, Nova and Quantum? Best, -jay On 03/30/2012 02:10 PM, Yee, Guang wrote: > Does this look familiar? J > > https://bugs.launchpad.net/keystone/+bug/890411 > > Guang > > *From:*ope

Re: [Openstack] "Admin"-ness in Keystone, Nova, et. al.

2012-03-30 Thread Yee, Guang
Does this look familiar? J https://bugs.launchpad.net/keystone/+bug/890411 Guang From: openstack-bounces+guang.yee=hp@lists.launchpad.net [mailto:openstack-bounces+guang.yee=hp@lists.launchpad.net] On Behalf Of Andy Smith Sent: Friday, March 30, 2012 10:27 AM To: Julien

Re: [Openstack] Capture of the Keystone/LDAP Role discussion

2012-02-02 Thread Yee, Guang
Sorry I am a little late to this thread. "When we talk about Roles, we mean the permissions a given user has in a given tenant. As such, it is a three way relationship, and LDAP does not handle those well." Have we also considered services and global roles? There was a security bug regarding tena

[Openstack] Keystone: is revoke token API "officially" supported

2012-01-26 Thread Yee, Guang
I see it implemented in the code as DELETE /v2.0/tokens/{tokenId}, but it doesn't appear to be documented in any of the WADLs. Thanks! Guang