We have open discussions on making the delegation of capabilities a better API
and we are actively working to improve the other associated mechanisms (such as
allowing a project/deployment/etc to require an x509 client cert or krb5) for
cases where a higher level of assurance of the identity
The Keystone team is evaluating the support of the LDAP Assignment backend
within OpenStack and how it is used in deployments. The assignment backend
covers “Projects/Tenants”, “Roles/Grants”, and in the case of SQL “Domains”.
There is a concern that the assignment backend implemented against LD
As a note, since I've seen some responses about users and/or groups on this
survey, I will be sending a survey about identity out today. This survey is
strictly about projects/tenants and roles/role assignments in LDAP.
Sent via mobile
> On Jan 6, 2015, at 11:23, Morgan Fainber
The Keystone development team is looking for deployment feedback regarding the
use of the LDAP Identity backend. The Identity backend only covers Users and
Groups.
We are looking to get an idea of types (read-only, read-write, etc) and reasons
for use of the LDAP backend. The answers to this su
ading through the whole email! Please feel free to chat with the
development team on IRC or via the Mailing List to discuss any other issues /
concerns related to this change.
Cheers,
Morgan Fainberg
Keystone PTL
___
Mailing list: http://lists.openstac
On Monday, April 13, 2015, Ray Sun wrote:
> Stackers,
> I have found there are two parts can set memcache in keystone.conf of Juno
> release. I am not quite sure if they are duplicated or any difference?
>
> Thanks.
>
> [token]
> driver = keystone.token.backends.memcache.Token
> caching = True
>
Hi Hans,
Thanks for the heads up on this. Let me take a closer look and make sure we
have this addressed (and tested for) in the upstream code base.
I think I know where this came from. I'll check to make sure we don't already
have a bug on this and/or if you have an open bug in launchpad. If
On Jun 17, 2015, at 23:14, Tim Bell wrote:
>> -Original Message-
>> From: Jan van Eldik [mailto:jan.van.el...@cern.ch]
>> Sent: 17 June 2015 20:54
>> To: openstack@lists.openstack.org
>> Subject: Re: [Openstack] How should an instance learn what tenant it is in?
>>
>> Hi Andrew,
>>
>>
The policy file is not really used for v2 keystone. There are very limited
things that can be done with v2 and policy.
Please also note that the keystoneclient cli only supports v2 (and is
deprecated in favor of the common openstack client).
Other than those two points, Steve's email is spot on
> On Sep 20, 2015, at 19:17, Shinobu Kinjo wrote:
>
> Fernet token sounds like not being persistent, and not having too much
> information.
> Meaning that it sounds like more secure than UUID and PKI.
>
> And performance wise, it also going to be more reasonable than them.
> It's because of l
nnection can be compromised, this means the compromiser
can inject a row into the db via direct sql manipulation, granting tokens.
Likewise, you need to secure the private key in the case of PKI tokens. If the
private key is compromised, you also have similar issues.
> Ref:
> https://crypto
Hi Johnathan,
This might be related to your issue.
I think there are two problems here. The first problem has to do with limited
page sizes in memcache. If you have an insane number of tokens issued (and as
you said neutron is making a ton of requests for new tokens), you can fill up
the use
(or if you have any issues with it). Feel free to
respond via email or comment on the review. Disclaimer: I have not performed
functional performance tests on this code, just some initial cleanup and change
of logic that should help minimize external calls.
Cheers,
Morgan
—
Morgan Fainberg
% solve the issue, we should start digging further into what
is going on, but I am confident this will (at the very least) help a reasonable
amount.
—Morgan
On January 11, 2014 at 19:04:59, Jonathan Proulx (j...@jonproulx.com) wrote:
On Sat, Jan 11, 2014 at 8:24 PM, Morgan Fainberg wrote:
>
aintain it outside of the releases.
Cheers,
Morgan
Sent from my tablet-like-device
> On Jan 11, 2014, at 11:01 PM, Jonathan Proulx wrote:
>
>> On Sat, Jan 11, 2014 at 10:57 PM, Morgan Fainberg wrote:
>> Sounds good! Just remember that prior to the fix I posted there, for
nproulx.com]
> Sent: 12 January 2014 18:32
> To: Morgan Fainberg
> Cc: openstack@lists.openstack.org
> Subject: Re: [Openstack] [Keystone] performance issues after havana upgrade
>
> puzzling side effect?
>
> I just made a small change to neutron.conf (adjuste
.
Cheers,
Morgan
—
Morgan Fainberg
Principal Software Engineer
Core Developer, Keystone
m...@metacloud.com
On March 12, 2014 at 13:57:44, Subbu Allamaraju (su...@subbu.org) wrote:
Adam - can you comment if the status of ephemeral tokens. All commits for
https://blueprints.launchpad.net/keystone/+spec
Hi!
The Keystone team is looking for feedback from the community on what type of
Keystone Token is being used in your OpenStack deployments. This is to help us
understand the use of the different providers and get information on the
reasoning (if possible) that that token provider is being use
I think you may have hit an issue with a specific version of auth token
middleware, where one of the options was incorrectly "deprecated" and
warns. I'm sure either Steve or I can dig up the specific info on that, it
might be a minor version bump of keystonemiddleware package needed or
similar. I a
On Thu, Apr 7, 2016 at 6:07 PM, Remo Mattei wrote:
> I did a project where we had all three of them in a sep VLAN, sep net.
>
> So to answer your question, this depends how much you want to secure, what
> is the requirements of your env, with access etc..
> here is one of the answer from OpenStac
On Fri, Apr 8, 2016 at 1:06 AM, Shinobu Kinjo wrote:
> On Fri, Apr 8, 2016 at 1:46 PM, Morgan Fainberg
> wrote:
> >
> >
> > On Thu, Apr 7, 2016 at 6:07 PM, Remo Mattei wrote:
> >>
> >> I did a project where we had all three of them in a sep VLAN, sep
On Tue, Apr 19, 2016 at 1:25 PM, Adam Young wrote:
> On 04/19/2016 01:55 AM, Kuo Hugo wrote:
>
> Hi Keystone Team,
>
> We aware this deprecation information in keystone middleware. I got couple
> of questions.
>
>
> https://github.com/openstack/keystonemiddleware/blob/6e58f8620ae60eb4f26984258d15
OSSA-2016-008: Incorrect Audit IDs in Keystone Fernet Tokens can result in
revocation bypass
:Date: May 23, 201
Usually this is simply a "recommendation" phase, where the real clearance
is handled before the poll is sent out to everyone.
--Morgan
On Wed, Jun 22, 2016 at 12:37 PM, Edward Leafe wrote:
> On Jun 22, 2016, at 10:40 AM, Ed Leafe wrote:
> >
> >> https://wiki.openstack.org/wiki/Release_Naming/
On Jun 26, 2016 19:39, "林自均" wrote:
>
> Hi all,
>
> I have the following scenario:
>
> 1. On client machine A, a user obtains an auth token with a username and
password.
> 2. The user can use the auth token to do operations on client machine A.
> 3. A thief steals the auth token, and do operations
It would be nice if there was a bit more transparency on the "legal
risk" (conflicts with another project, etc), but thanks for passing on
the information none-the-less. I, for one, welcome our new "Rocky"
overlord project name :)
Cheers,
--Morgan
On Fri, Apr 28, 2017 at 2:54 PM, Monty Taylor wr