Re: [Openstack] [OpenStack][Keystone] where is IRC?

2013-08-01 Thread Adam Young
We are in #openstack-dev. Keystone is fundamental to all projects actually being able to work, and so we've made the decision not to move to our own IRC channel. On 08/01/2013 05:12 AM, Gareth wrote: thanks, Chmouel! On Thu, Aug 1, 2013 at 5:08 PM, Chmouel Boudjnah

Re: [Openstack] Running Keystone inside Apache with memcache token driver

2013-08-05 Thread Adam Young
On 08/05/2013 05:41 AM, Simon Pasquier wrote: Hello, I've set up Keystone to run inside a WSGI container with Apache2. I've configured the SQL driver for tokens as recommended by the documentation [1] but I'm unclear why it wouldn't work with the memcache driver. Could anybody explain why? It

Re: [Openstack] Openstack login via SimpleSamlPHP (LDAP, OAuth, OpenID, etc..)

2013-08-06 Thread Adam Young
On 08/06/2013 08:37 AM, Rok Kralj wrote: As far as I know, the ability to log in to OpenStack via arbitrary Identity Provider (IdP) is a widely desired feature. Therefore, we have decided to integrate Keystone & Horizon with *Simple Saml PHP*, Why PHP? This is a very interesting approach, but

Re: [Openstack] Openstack login via SimpleSamlPHP (LDAP, OAuth, OpenID, etc..)

2013-08-07 Thread Adam Young
On 08/07/2013 08:16 AM, Tim Bell wrote: Yes, this is something we're very interested in. Joe's blueprint (https://blueprints.launchpad.net/keystone/+spec/virtual-idp) has a number of the user stories and would be a good place to start to add others. Work is underway under two approaches. 1.

Re: [Openstack] Keystoner as Certificate Authority

2013-09-05 Thread Adam Young
We are working on FreeIPA integration. It comes with Dogtag integrated. http://www.freeipa.org/page/Main_Page http://pki.fedoraproject.org/wiki/PKI_Main_Page On 09/05/2013 04:05 AM, Somanchi Trinath-B39208 wrote: Thanks a lot Jeff... Will go through this.. -- Trinath Somanchi - B39208 tri

Re: [Openstack] Keystone 'NoneType' object is unsubscriptable error

2013-09-06 Thread Adam Young
I've seen that before. It has been a while since I looked into it, but it is not an error in Keystone itself, but rather the part of the setup talking to Keystone. I'll take the bug and comment on it there. On 09/06/2013 11:52 AM, Goldstone, Robin J. wrote: I opened a bug yesterday mornin

Re: [Openstack] Swift Fail Unauthorized

2013-09-11 Thread Adam Young
I am the Keystone dev that wrote the PKI token code. Here is my guide to troubleshooting it. http://adam.younglogic.com/2013/07/troubleshooting-pki-middleware/ ___ Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack Post to

Re: [Openstack] Swift Fail Unauthorized

2013-09-13 Thread Adam Young
On 09/13/2013 03:25 AM, Mahardhika wrote: Hi, still i can't get out from this issue, can you please lead me. I follow this guide http://docs.openstack.org/developer/swift/howto_installmultinode.html On 9/12/2013 9:24 AM, Kuo Hugo wrote: You can observe the log output while issue the request.

Re: [Openstack] Swift Fail Unauthorized

2013-09-16 Thread Adam Young
the remote services config file. So it would be swift.conf or something comparable. https://github.com/openstack/python-keystoneclient/blob/master/keystoneclient/middleware/auth_token.py#L199 sorry i just confused in this part thanks On 9/13/2013 11:40 PM, Adam Young wrote: On 09/13/2013

Re: [Openstack] Swift Fail Unauthorized

2013-09-16 Thread Adam Young
article. Emailed from Kokpit On 16 Sep 2013, at 09:01 PM, Adam Young <mailto:ayo...@redhat.com>> wrote: On 09/16/2013 07:02 AM, Mahardhika wrote: Hi Adam, in my proxy node, am i must create keystone.conf ? Sorry, not sure what you mean by this? In most deployments, there is a

Re: [Openstack] Keystone pluggable auth?

2013-09-19 Thread Adam Young
On 09/18/2013 11:18 PM, Jamie Lennox wrote: Can you clarify a bit please? Keystone is working on a pluggable auth model based off nova's, however it isn't implemented yet. Jamie, you are thinking client. I think he is referring to the Server piece, v3/auth If you mean choosing the identity ap

Re: [Openstack] [Heat/havana]: User needs admin rights in order to heat create to succeed

2013-09-24 Thread Adam Young
On 09/23/2013 11:16 AM, Steven Hardy wrote: On Fri, Sep 20, 2013 at 09:43:27AM +0300, Juha Tynninen wrote: Hi, In havana the user must have admin privileges to be able to create heat stacks having e.g. HARestarter resource. Otherwise an error will occur... What's logic behind this / or is this

Re: [Openstack] Linux Distribution Recommendations for Testing?

2013-09-30 Thread Adam Young
On 09/30/2013 08:11 PM, Stuart Longland wrote: On 30/09/13 14:52, Clint Dilks wrote: I think if you understand the components you can get things working of any of the distributions. The problem at least for me initially was understanding how all of the different components inter-relate. From m

Re: [Openstack] openstack - keystone - what is stable version?

2013-10-04 Thread Adam Young
To get started with Keystone, might I suggest that you use the version of the packages supplied with your distribution: My group works with Fedora, and there is a good getting started guide here: https://fedoraproject.org/wiki/Getting_started_with_OpenStack_on_Fedora The standard guide is here

Re: [Openstack] [All] Start Contributing to OpenStack - The Easy Way with a docker container

2014-12-01 Thread Adam Young
On 11/27/2014 04:45 AM, Maish Saidel-Keesing wrote: I would like to share with a small tool that should make things a lot easier to start getting involved in contributing code into Openstack. The OpenStack-git-env docker[1] container. Simple. docker pull maishsk/openstack-git-env More detail

Re: [Openstack] Keystone Build

2015-03-16 Thread Adam Young
On 03/16/2015 10:09 PM, John Williams wrote: I'm on the following URL of the build docs http://docs.openstack.org/juno/install-guide/install/apt/content/keystone-users.html I'm trying to put keystone together. The build is failing on the following: root@os1:/etc# keystone tenant-create --na

Re: [Openstack] Cant login Horizon

2015-03-27 Thread Adam Young
On 03/26/2015 02:02 PM, James Fleet wrote: Hello Wilson, Rabbit is too far down the list, and should not be an issue on an initial Horizon login. Problem might be the Keystone setup. http://adam.younglogic.com/2015/03/troubleshoot-new-keystone/ One of the things you can check is your ap

Re: [Openstack] [Keystone Juno] How to grant ResellerAdmin permission(role) to an user ?

2015-04-10 Thread Adam Young
On 04/07/2015 09:34 AM, Kuo Hugo wrote: Hi Steve, Good explanation. It's much more clear on top of my mind now. http://adam.younglogic.com/2015/03/troubleshoot-new-keystone/ Thanks a lot. Hugo 2015-04-07 21:14 GMT+08:00 Steve Martinelli >: You can't reall

Re: [Openstack] Bulk operations support plan

2015-04-15 Thread Adam Young
On 04/15/2015 03:57 PM, Ivan Krutov wrote: Hi, I’m using Openstack almost every day and my activities frequently require doing bulk operations, e.g. launching dozens and hundreds of VMs, terminating and restarting them, creating snapshots and so on. Some of such operations (e.g. bulk terminat

Re: [Openstack] Problem authenticating tokens with signing_cert issued by external CA

2015-04-21 Thread Adam Young
On 04/21/2015 08:25 AM, Daniel Marks wrote: Hi all, being on Openstack Icehouse 2014.1.3 I am trying to exchange the default token signing certificate (the one generated during installation of the .deb package) with one signed by our CA. I followed http://docs.openstack.org/admin-guide-cloud/

Re: [Openstack] Keystone Token expiration on long Swift operations.

2015-04-22 Thread Adam Young
On 04/22/2015 02:38 PM, Clay Gerrard wrote: I thought the default token lifetime was 24 hours, it's curious they only last 1hr for you. We cut the default time down to an hour. 24 hours is a huge attack surface. I'd like to make tokens 5 minutes long, with all longer operations done using s

Re: [Openstack] user who provision a vm

2015-04-24 Thread Adam Young
On 04/24/2015 06:57 AM, Jesus arteche wrote: thanks a million!!! is there any way to know the VM that has been provisioned by a specific user, or in a specific project, if the VMs have been deleted? There might be some ability to recreate some of this from Audit data. Assuming you are colle

Re: [Openstack] {keystone] Keystone and Apache mod_auth_mellon

2015-04-25 Thread Adam Young
On 02/27/2014 11:36 AM, Miller, Mark M (EB SW Cloud - R&D - Corvallis) wrote: Hello, I have been reading Keystone blueprints that hint about using Apache2 with mod_auth_mellon as a SAML front end. Does anyone have any documentation as to how to set up Apache2 and mod_auth_mellon as a front end

Re: [Openstack] [keystone] Multi-region with horizon

2015-05-04 Thread Adam Young
On 05/04/2015 10:23 AM, rémi Le trocquer wrote: Hi, In multi-region configuration : multi keystone, multi database but with a common ldap. Is it possible on Horizon to switch region without re-authenticate ? Horizon talks to Keystone to get the service catalog, and uses the service catalog to

Re: [Openstack] EndpointNotFound keystone endpoints.list

2015-05-26 Thread Adam Young
On 05/26/2015 05:58 PM, Daniel Watrous wrote: I'm having trouble using some of the keystone client functions https://gist.github.com/dwatrous/c8f24b6d85be7eaa32a3 As you can see, I can list tenants, but I can't list endpoints (or users...) Any ideas?

Re: [Openstack] flavor restrictions by user

2015-06-25 Thread Adam Young
On 06/25/2015 03:14 AM, Chris wrote: Hello, I know the flavors can be restricted based on the tenant/project. Is it possible to restrict it by user as well? I would not advise it. It makes more sense to restrict based on Role assignment within the project, but that does not exist yet.

Re: [Openstack] [openstack-dev][cinder] Nested Quota Driver and policy.json changes

2015-07-22 Thread Adam Young
On 07/22/2015 12:42 AM, Vilobh Meshram wrote: Hi, While developing Nested Quota Driver for Cinder, when performing show/update/delete following restrictions apply :- 1. show : Only user who is admin or admin in parent or admin in root project should be able to perform show/view the quota of

Re: [Openstack] Multiple Domains in one install

2015-08-05 Thread Adam Young
On 08/05/2015 01:30 AM, Lance Haig wrote: Hi All, We have an icehouse install that uses a default domain and tenant list What has been requested is that we create a new Domain with new projects etc. within that domain. I tried creating the domain in horizon and it seems to complete just f

Re: [Openstack] possible to PXE-boot an instance from another instance?

2015-08-12 Thread Adam Young
On 08/09/2015 01:47 AM, Chris Friesen wrote: Hi, I'm wondering if it's possible to set up one instance as a DHCP/tftp server, and netboot another instance from it (using PXE or similar). Has anyone tried something like this? I'm using neutron, so I figure there's at least a chance that it o

Re: [Openstack] [Juno] Keystone commandline bug?

2015-08-18 Thread Adam Young
On 08/18/2015 01:53 PM, Barrow Kwan wrote: Hi, I just installed Juno and when I tried to run the keystone commandline client ( eg keystone user-list, keystone service-list ), they all return "The resource could not be found. (HTTP 404)" However, if I use curl to access the API ( keyst

Re: [Openstack] heat CLI not working after modifying roles

2015-08-31 Thread Adam Young
On 08/27/2015 02:25 AM, kevin parrikar wrote: i have a user whose role was "_member_" later changed to "heat_stack_user" and again changed to "_member_" but now the user is not able to do any heat commands as it returns "ERROR: You are not authorized to complete this action". for heat stack-lis

Re: [Openstack] PKI Issue vs UUID

2015-09-20 Thread Adam Young
On 09/19/2015 03:52 PM, Remo Mattei wrote: Hello all, I have noticed that when I do the RDO installation of Kilo with the UUID and login with the admin account, I can select which project to spin up new instances and also which project to select from the pull down menu. If I do the same instal

Re: [Openstack] cloud-wide access policies

2015-10-05 Thread Adam Young
On 10/05/2015 05:47 PM, Andrew Bogott wrote: I would like to be able to create some accounts with cloud-wide permissions in my OpenStack install. Specifically: https://bugs.launchpad.net/keystone/+bug/968696 'observer' permissions: This would be an account (or type of account) that h

Re: [Openstack] Unable to create openstack service (service entity and API endpoint)

2015-10-24 Thread Adam Young
On 10/24/2015 06:37 PM, Tony Su wrote: # openstack service create --name keystone --description "OpenStack Identity" identity ERROR: openstack Internal Server Error (HTTP 500) Look in the error logs; something is not happy inside the Keystone server; either in /var/log/keystone/keystone.log

Re: [Openstack] Keystone Fernet Token

2015-11-02 Thread Adam Young
On 10/28/2015 02:23 PM, Reza Bakhshayeshi wrote: Hi all, I'm going to use fernet token on OpenStack Kilo (only Keystone service is installed), I've configured keystone.conf like: [token] provider = keystone.token.providers.fernet.Provider when I'm running: keystone-manage fernet_setup --keys

Re: [Openstack] OpenStack OAuth

2013-10-14 Thread Adam Young
On 10/12/2013 12:00 PM, Frans Thamura wrote: Hi All I am seeking information regarding OpenStack username integration to OAuth is there a ref to use this? F

Re: [Openstack] SAML support in OpenStack

2013-10-15 Thread Adam Young
On 10/14/2013 09:56 AM, Rok Kralj wrote: *Hello OpenStack community,* As you might remember, some time ago we had a quick discussion about supporting the SAML 2.0 protocol for identity management in federations as this is the protocol of big importance in business enterprise. At first, the d

Re: [Openstack] [openstack][keystone] Using X.509 External Authentication with OpenStack Identity

2013-10-23 Thread Adam Young
On 10/23/2013 06:35 PM, Colin Leavett-Brown wrote: The havana configuration reference contains a section on how to configure keystone to accept x.509 certificates. How does one map x.509 credentials to keystone IDs, projects, roles and privileges? I think there is more work to be done here. To

Re: [Openstack] [openstack][keystone] Using X.509 External Authentication with OpenStack Identity

2013-10-24 Thread Adam Young
On 10/24/2013 05:15 AM, David Chadwick wrote: I think you need the attribute mapping functionality that is currently being specified here https://review.openstack.org/#/c/51980/ The API says how to set up the mappings (though currently not how to apply them. This will be an internal method in

Re: [Openstack] One Time Keystone Use Tokens?

2013-10-25 Thread Adam Young
On 10/25/2013 04:03 PM, Ali, Haneef wrote: I don't think it is possible. Can't you revoke the token after VM boot? Yes, but I would not recommend doing that. You would have to modify every place that used tokens. You could make the token timeout very short, but it will break on any long r

Re: [Openstack] Doc or Link for enabling Active Directory authentication for login information in Havana

2013-10-25 Thread Adam Young
On 10/25/2013 11:17 AM, Anne Gentle wrote: http://docs.openstack.org/developer/keystone/configuration.html#configuring-the-ldap-identity-provider Not sure how accurate these are, but I think they were updated last release at least. Those are correct. The LDAP configuration has not changed sign

Re: [Openstack] One Time Keystone Use Tokens?

2013-11-11 Thread Adam Young
I think we need to look into using a trust for this instead of a Token hand-off. The need for one user or limited use trusts has come up multiple times. That coupled with a very short lived token (5 minutes) is probably a better solution. - Original Message - From: "Adam Young

Re: [Openstack] One Time Keystone Use Tokens?

2013-11-12 Thread Adam Young
On 10/25/2013 11:19 AM, Brian Chong wrote: Hi, I'm trying to figure out if it's possible to configure KeyStone tokens to be one time use. My use case is that when a user requests that they want to take an action on the platform (i.e.: boot a VM) they aren't also using that same token to load a

Re: [Openstack] OPENSTACK[KEYSTONE]- MS SQL as Backend Store

2013-11-13 Thread Adam Young
On 11/13/2013 03:13 AM, Srujana C P wrote: Hello All, We are planning to use MS SQL Server as keystone backend store . Has anybody tried this? Can someone share the information regarding the steps to be followed and required configurations and drivers to be installed. It has not been pu

Re: [Openstack] ERROR: Unauthorized (HTTP 401)

2013-11-19 Thread Adam Young
On 11/19/2013 03:31 PM, Noel Burton-Krahn wrote: I've just started getting this error during devstack's stack.sh: ERROR: Unauthorized (HTTP 401) It looks like nova is sending an HTTPS request to keystone, but keystone is expecting HTTP. Everything was working around last Friday. Did som

Re: [Openstack] [keystone] could not find keystone.conf

2013-11-23 Thread Adam Young
On 11/23/2013 06:22 PM, zakaria amine wrote: Hi everybody, I installed keystone using apt-get. I want to edit the /etc/keystone/keystone.conf for adding the mysql db, but the directory is not even created. What does this means ? Thanks My guess is that it did not get configured, which might

Re: [Openstack] [Keystone] Keystone performance work

2013-12-11 Thread Adam Young
Sounds good for a start. There is a lot in Devstack that should help as far as documenting how to set up LDAP etc. Can you indicate which is going to be your first effort? We (Keystone team) can provide some guidance on how to best hammer on it. On 12/11/2013 05:48 AM, Neependra Khare w

Re: [Openstack] [Keystone] Keystone performance work

2013-12-13 Thread Adam Young
On 12/13/2013 02:28 PM, Jay Pipes wrote: On 12/13/2013 08:14 AM, Neependra Khare wrote: On 12/12/2013 12:00 PM, Neependra Khare wrote: On 12/12/2013 01:11 AM, Adam Young wrote: Can you indicate which is going to be your first effort? We (Keystone team) can provide some guidance on how to

Re: [Openstack] [Keystone] Keystone performance work

2013-12-17 Thread Adam Young
On 12/16/2013 02:56 AM, Neependra Khare wrote: On 12/14/2013 02:04 AM, Adam Young wrote: On 12/13/2013 02:28 PM, Jay Pipes wrote: On 12/13/2013 08:14 AM, Neependra Khare wrote: On 12/12/2013 12:00 PM, Neependra Khare wrote: On 12/12/2013 01:11 AM, Adam Young wrote: Can you indicate which is

Re: [Openstack] Can I move keystone-signing-XXX files out of /tmp ?

2014-01-02 Thread Adam Young
On 12/24/2013 11:30 AM, Xin Zhao wrote: Hello, I am running a Grizzly multi-host test cluster on RHEL6. On the controller node, there are several keystone-signing- files automatically created by the daemons. But if some disk cleanup scripts kick in and remove them, that will cause problem

Re: [Openstack] Keystone under Apache+fcgid?

2014-01-02 Thread Adam Young
On 12/27/2013 12:21 PM, Dave Walker wrote: Hey Mark, Thanks for your response. It is certainly an option, but I am attempting a deployment in a prescriptive environment of Apache+fcgid. It looks like it should work... I am the guy that originally got Keystone/Apache working, but I have t

Re: [Openstack] Can I move keystone-signing-XXX files out of /tmp ?

2014-01-02 Thread Adam Young
On 01/02/2014 01:29 PM, Clint Byrum wrote: Excerpts from Adam Young's message of 2014-01-02 08:51:04 -0800: On 12/24/2013 11:30 AM, Xin Zhao wrote: Hello, I am running a Grizzly multi-host test cluster on RHEL6. On the controller node, there are several keystone-signing- files automaticall

Re: [Openstack] [keystone] memcache token backend performance

2014-01-06 Thread Adam Young
On 01/03/2014 11:38 PM, Xu (Simon) Chen wrote: Hi folks, I am having trouble with using memcache as the keystone token backend. I have three keystone nodes running active/active. Each is running keystone on apache (for kerberos auth). I recently switched from using sql backend to memcache, w

Re: [Openstack] Keystone External Authentication clarification

2014-01-23 Thread Adam Young
On 01/21/2014 08:58 AM, Joe Topjian wrote: Hello, One of the new features advertised in the Havana release of Keystone was external authentication via REMOTE_USER. I'm beginning to assume that I should take that at face value: Keystone has external auth, but that's it. OpenStack as a whole ca

Re: [Openstack] [Barbican] Keystone PKI token too much long

2014-01-28 Thread Adam Young
On 01/22/2014 12:21 PM, John Wood wrote: (Adding another member of our team Douglas) Hello Giuseppe, For questions about news or patches for Keystone's PKI vs UUID modes, you might reach out to the openstack-...@lists.openstack.org mailing list, with the subject line prefixed with [openstack-

Re: [Openstack] Glance suddenly unhappy with Keystone behind Apache

2014-01-28 Thread Adam Young
On 01/27/2014 11:58 AM, Jonathan Proulx wrote: Hi All, This was working fine until I rebooted to clear an issue with network namespaces... glance consistently gives authentication failures if I'm running keystone in wsgi mode behind apache, all other services (cinder, nova, neutron, and keytone

Re: [Openstack] [Keystone] Difference in values returned after authentication

2014-01-28 Thread Adam Young
On 01/27/2014 01:30 PM, Shrinand Javadekar wrote: Hi, I am seeing a difference in the values returned by Keystone when a user is authenticated. These differences are in the endpoints section of the serviceCatalog. In one instances, I see the returned value has an "id": "serviceCatalog": [

Re: [Openstack] [Keystone] performance issues after havana upgrade

2014-01-29 Thread Adam Young
On 01/29/2014 10:01 AM, Felix Lee wrote: Dear all, Just some experiences to share on this. After I upgraded Grizzly to Havana, I lived with keystone token expiration = 14400 plus memcached backend perfectly without patch for weeks. But since last week, it started suffering "Unable to add token

Re: [Openstack] [Barbican] Keystone PKI token too much long

2014-02-03 Thread Adam Young
>> wrote: By the way, you can achieve the same benefits of uuid tokens (shorter tokens) with PKI by simply using a md5 hash of the PKI token for your X-Auth headers. This is poorly documented but it seems to work just fine. *From: *Adam Young mailto:ayo...@redh

Re: [Openstack] [Barbican] Keystone PKI token too much long

2014-02-03 Thread Adam Young
, "Ferreira, Rafael" <mailto:r...@io.com>> wrote: By the way, you can achieve the same benefits of uuid tokens (shorter tokens) with PKI by simply using a md5 hash of the PKI token for your X-Auth headers. This is poorly documented but it seems to work just fine. From: Ad

Re: [Openstack] [Keystone]404 error when trying to get list of users

2014-02-05 Thread Adam Young
On 02/04/2014 06:28 PM, Mark Vlcek (mavlcek) wrote: Hi all, I'm using the Keystone V2 REST API to try to get a list of users and their IDs but for some reason I keep getting a 404 error in the JSON response. The specific API call

Re: [Openstack] Odd Keystone Behaviour

2014-02-06 Thread Adam Young
On 02/06/2014 10:53 AM, Daniel Ellison wrote: On Feb 6, 2014, at 10:19 AM, Remo Mattei wrote: Seems a permissions issue did you try a different user? I just defined a new user with OS_SERVICE_TOKEN and OS_SERVICE_ENDPOINT set (because that DOES work) and when I tried to get a user list as tha

Re: [Openstack] token request with pki

2014-02-06 Thread Adam Young
On 02/06/2014 09:10 AM, Rob Crittenden wrote: Emanuel Marzini wrote: Hi, if I use a certificate to communicate with keystone, Can I request a token? How? Upstream is working on external authentication methods at http://docs.openstack.org/developer/keystone/external-auth.html It shows how t

Re: [Openstack] Deleted admin tenant by mistake

2014-02-10 Thread Adam Young
On 02/07/2014 04:49 AM, dheeru wrote: Create another tenant and assign the admin role. You should be able to use it. Which services are not starting ? Not quite enough. Assuming you are using the SQL backend, you want to recreate the old Admin tenant ID so that resources owned by that tenant a

Re: [Openstack] best single node install tutorial

2014-02-14 Thread Adam Young
On 02/14/2014 10:08 PM, Aryeh Friedman wrote: On Fri, Feb 14, 2014 at 10:05 PM, Remo Mattei wrote: Are you looking for red hat / centos or Ubuntu? Doesn't matter we plan to make versions of the tutorial for each OS Packstack does a nice job rh/centos

Re: [Openstack] Keystone v3 APIs

2014-02-18 Thread Adam Young
On 02/17/2014 11:22 AM, Rajdeep Dua wrote: Trying to get list of groups in a tenant using Keystone v3 APIs. It is giving me an error - resource not found even where there are groups in that tenant. Any idea why this might be happening Thanks Rajdeep Code - Listing import keystoneclient.v3.cl

Re: [Openstack] keystone with Ephemeral PKI tokens

2014-02-19 Thread Adam Young
On 02/19/2014 07:00 PM, Miller, Mark M (EB SW Cloud - R&D - Corvallis) wrote: Hello, I read the following and want to register a disagreement: "With token revocation events in place, we no longer have a need to store a token revocation list. The token revocation list is the primary reason why

Re: [Openstack] ldap + sql in keystone (multi-domain)

2014-02-27 Thread Adam Young
On 02/27/2014 02:07 AM, Sandro CAZZANIGA wrote: On 27/02/2014 06:42, Martinx - ? wrote: A bit off-topic but, I'm wondering here... Don't you guys think that it would be great to have some kind of "LDAP as a Service", just like Trove, but for LDAP, of course? So, each tenant will have its

Re: [Openstack] {keystone] Keystone and Apache mod_auth_mellon

2014-02-27 Thread Adam Young
On 02/27/2014 11:36 AM, Miller, Mark M (EB SW Cloud - R&D - Corvallis) wrote: Hello, I have been reading Keystone blueprints that hint about using Apache2 with mod_auth_mellon as a SAML front end. Does anyone have any documentation as to how to set up Apache2 and mod_auth_mellon as a front end

Re: [Openstack] issue when I using PKI for token format

2014-03-05 Thread Adam Young
On 03/05/2014 08:59 PM, Li, Chen wrote: Hi, I'm working under CentOS 6.4 + Havana, my keystone version is: openstack-keystone.noarch 2013.2.2-1.el6 @openstack-havana When I run command "keystone user-list", I get error: Authorization Failed: Unable to sign token. (HTTP 500)

Re: [Openstack] Swift/Keystone authentication problem?

2014-03-06 Thread Adam Young
On 03/03/2014 02:24 PM, Adam Lawson wrote: Hola folks! I had a working Swift deployment (one proxy, 10 storage nodes) using tempauth/swauth and with that config everything works fine. Add/remove objects, list etc. I am now in the process of trying to integrate Keystone and getting confused wi

Re: [Openstack] issue when I using pki as the token provider

2014-03-06 Thread Adam Young
On 03/05/2014 08:58 PM, Li, Chen wrote: provider = keystone.token.providers.pki That needs to be the full path to the class. keystone.token.providers.pki.Provider

Re: [Openstack] Keystone Startup issue

2014-03-18 Thread Adam Young
On 03/18/2014 05:29 PM, Erich Weiler wrote: Hey Y'all, I'm a bit new to OpenStack, and I'm going through all the Keystone setup items listed here, for RedHat: http://docs.openstack.org/trunk/install-guide/install/yum/content/keystone-install.html And when I get to the point of actually st

Re: [Openstack] Keystone support for simultaneous AD/LDAP domain

2014-03-26 Thread Adam Young
On 03/26/2014 02:41 AM, Mohammed, Allauddin wrote: Thanks Adam for the information. Just curious to know, is it 'domain_specific_driver' implementation that existed in Havana, which will enable to have multiple identity provider backends. I had installed IceHouse-2, and was trying to configu

Re: [Openstack] Feasibility of using Keystone Folsom + Swift IceHouse

2014-04-02 Thread Adam Young
On 04/02/2014 06:38 AM, Mohammed, Allauddin wrote: Hi All, Is it possible to use keystone (Folsom) + Swift (IceHouse)? Will it be compatible to each other? Thanks in advance Regards, Mohammed Allauddin

Re: [Openstack] Install OS-KSADM and LDAP for Devstack

2014-04-15 Thread Adam Young
On 04/10/2014 12:34 AM, Shital Patil wrote: Hi, I have a devstack setup running but for tenant management I need OS-KSADM extension and LDAP configuration with keystone what changes will I need to do in local.conf? Thank you

Re: [Openstack] Federated Authn & ldap/saml

2014-04-15 Thread Adam Young
I posted a message on openstack-dev. The short version is that we need a mechanism for deconflicting userids between multiple backends. I expect to have this hashed out at the Juno summit. On 04/14/2014 01:35 PM, Adam Lawson wrote: Incidentally, were the release notes recently added? RC2 cand

Re: [Openstack] Integrate External Service with Keystone

2014-04-20 Thread Adam Young
On 04/17/2014 02:15 AM, Reza Bakhshayeshi wrote: Hi, I want to integrate an external service with keystone, in a way that only an authorized user in keystone could make access to that service. In the simplest form, consider it as a web service which receive the user's request and return a spec

Re: [Openstack] [Keystone] Leverage an existing (non-KS) DB?

2014-04-22 Thread Adam Young
On 04/21/2014 02:28 PM, Adam Lawson wrote: Crap, hit send half-way through. Let's try this again... Can Keystone work with a non-KS database for authentication and authorization via API? There is an existing SQL database of users/passwords/roles etc supporting an existing cloud and I'm being

Re: [Openstack] Keystone - Domain Support in LDAP.

2014-04-23 Thread Adam Young
On 04/23/2014 01:54 PM, Michael Hearn wrote: As I understand it, within an icehouse implementation of keystone when utilising a single LDAP server as the assignment backend, only one Domain (default) is supported. I believe there are plans to extend this ability in Juno but to what extent? C

Re: [Openstack] Keystone w/ LDAP identity

2014-05-01 Thread Adam Young
On 05/01/2014 06:17 PM, Lillie Ross-CDSR11 wrote: I've been playing with using LDAP authentication (identity) and SQL authorization (assignment) within Keystone in the current devstack release running in a single VM. The problem with this setup, as I understand it, is the need to have LDAP en

Re: [Openstack] Keystone w/ LDAP identity

2014-05-02 Thread Adam Young
UPS to a group as defined in the Identity backend. Long term, I would expect to have the service users specified in Keystone in their own domain that is explicitly in Keystone, and all other users specified via the Federated APIs, and ephemeral to Keystone itself. On 05/01/2014 07:48

Re: [Openstack] Keystone with openLdap

2014-05-19 Thread Adam Young
On 05/09/2014 03:52 AM, i...@intocloud.org wrote: Hi, It would be great help if anyone can share any reference to integrate Openldap with keystone. Thanks

Re: [Openstack] How to implement: Role based access control using XACML and SAML over rest for cloud

2014-05-19 Thread Adam Young
On 05/09/2014 08:00 AM, Ageeleshwar Kandavelu wrote: Hi, Your first hop is keystone project. It is the openstack identity management system. Try to get a picture of how the various other parts of openstack interact with keystone for providing their service. Second you should look into policy.

Re: [Openstack] Keystone, LDAP & Token behaviour

2014-05-21 Thread Adam Young
On 05/21/2014 10:48 AM, Michael Hearn wrote: Keystone gurus, Can you help put me straight on expected Authentication behaviour when using an LDAP identity backend. In the scenario where a user is granted a token (keystone token-get) should they not be able to make repeated API calls, e.g /glanc

Re: [Openstack] Stacked authentication with AD,LDAP

2014-05-30 Thread Adam Young
On 05/29/2014 01:27 AM, srindu vai wrote: Hi, Can someone please let me know when will this be available or plans in this regard.. Regards, srinduva On Friday, 23 May 2014 10:40 AM, srindu vai wrote: Hi, I have a query here regarding stacked authentication support with AD,LDAP. P

Re: [Openstack] Does Horizon honour Tokens

2014-06-13 Thread Adam Young
On 06/13/2014 11:22 AM, Michael Hearn wrote: Horizon gurus Release: icehouse Token Type : PKI Identity Backend: LDAP Monitoring the authentication traffic generated by Horizon to LDAP, I was surprised to see that after the initial logon, and under the 'Project' tab, I was still seeing

Re: [Openstack] _member_ role after keystone installation

2014-06-15 Thread Adam Young
On 06/14/2014 05:59 PM, Steve Gordon wrote: - Original Message - From: "Steve Gordon" To: "Mike Spreitzer" - Original Message - From: "Mike Spreitzer" To: "Steve Gordon" Steve Gordon wrote on 06/14/2014 03:22:51 PM: From: "Mike Spreitzer" To: "Steve Gordon" Steve Gor

Re: [Openstack] Renewing keystone signing certs

2014-06-23 Thread Adam Young
On 06/23/2014 02:38 AM, Sam Morrison wrote: OK this is looking really scary, (unless I’m missing something…..) In havana and icehouse, services will only download the signing cert if it doesn’t exist. So if you replace it on the keystone server it will continue to use the existing cert. Ideal

Re: [Openstack] Renewing keystone signing certs

2014-06-23 Thread Adam Young
On 06/23/2014 03:28 PM, Adam Young wrote: On 06/23/2014 02:38 AM, Sam Morrison wrote: OK this is looking really scary, (unless I’m missing something…..) In havana and icehouse, services will only download the signing cert if it doesn’t exist. So if you replace it on the keystone server it

Re: [Openstack] Renewing keystone signing certs

2014-06-24 Thread Adam Young
window to consider for a download. I'd also suspect a lot of people would really benefit by CRL checking. If a cert is revoked, Auth token should detect. Cheers, Sam On 24 Jun 2014, at 6:23 am, Adam Young wrote: On 06/23/2014 03:28 PM, Adam Young wrote: On 06/23/2014 02:

Re: [Openstack] Renewing keystone signing certs

2014-06-28 Thread Adam Young
On 06/25/2014 07:57 AM, Sam Morrison wrote: On 25 Jun 2014, at 9:05 am, Adam Young wrote: On 06/23/2014 07:37 PM, Sam Morrison wrote: Hi Adam, Thanks for the advice, I’ve tested it out and it is possible to switch over pretty seamlessly. Here is what I did (spelt out in full for others

Re: [Openstack] [keystone] Authenticating third-party applications against Keystone

2014-07-31 Thread Adam Young
On 07/30/2014 05:20 AM, Macdonald-Wallace, Matthew wrote: Hi all, I wasn't sure if this would be more appropriate for -dev or -users so I thought I'd start here and move over if needed! As part of logging and monitoring, we are having to create htpasswd files for apache to secure the various

Re: [Openstack] Why ceilometer use mongo?

2014-08-20 Thread Adam Young
I'd look at what Keystone did fronting the various Key Value stores with Dogpile. Then the same API from Keystone can be backed by any Dogpile implementation. We support Redis, Memcached, with Cassandra and Mongo both somewhere in there (not certain their state) On 08/16/2014 02:28 AM, Ma

Re: [Openstack] Unable to execute keystone commands from Network Node

2014-11-12 Thread Adam Young
On 11/12/2014 11:09 AM, varun bhatnagar wrote: Hi, I am trying to setup a multinode openstack environment with 1 Controller, 1 Network & 1 Compute node. The Host OS is SLES 11 SP3 & hostnames of my machine are as follows: Controller -- Ops-Controller (10.10.10.10) Network -- Ops-Network (10.

Re: [Openstack] Icehouse, LDAP/Active Directory Authentication, Invalid Password

2014-11-13 Thread Adam Young
On 11/13/2014 09:02 PM, et...@757.org wrote: Hello, I'm in a bit of a pickle. We had an OpenStack Havana install that ended up dead due to database issues. It was installed by a co-worker that left. Brand new install using Icehouse, and everything was going pretty good. Imported all of t

Re: [Openstack] best practise to add SAML into keystone deployment and keep local auth?

2014-11-14 Thread Adam Young
On 11/14/2014 09:32 AM, Don Waterloo wrote: I have a system (juno/ubuntu 14.10) which currently has keystone as the master of the universe for identity and authentication. By convention, each user of my system is also a tenant, which is my intent to continue. My system is used by a combination

Re: [Openstack] Icehouse, LDAP/Active Directory Authentication, Invalid Password

2014-11-17 Thread Adam Young
On 11/14/2014 02:08 PM, et...@757.org wrote: 1. Authentication. This is done via a simple bind to the LDAP server 2. Get user data. This is done as an LDAP query to the LDAP server as the system LDAP user, not as the end user. 3. Getting the roles for the user on the project. If you are r

Re: [Openstack] Keystone Fernet Token

2015-11-09 Thread Adam Young
Best Regards ZhangJialong -- Original -- *From:* "Adam Young" <ayo...@redhat.com>; *Date:* Tue, Nov 3, 2015 11:01 AM *To:* "openstack" <openstack@lists.openstack.org>; *Subject:* Re: [Openstack] K

Re: [Openstack] [keystone] Auth-token expiration time

2015-11-18 Thread Adam Young
On 11/18/2015 03:40 AM, ESWAR RAO wrote: Hi All, I have an application which does some HEAT transactions of creating stack, polling for it and updating stack in a loop. In my setup, /etc/keystone/keystone.conf has below settings: expiration=3600 But my transaction loop takes more than 1 hr a
