[openstack-dev] [Ceilometer] Ceilometer API RBAC enhancement proposal (work in progress)

2014-08-20 Thread Pendergrass, Eric
To anyone who's interested, we're working on a proposal and implementation of a fine-grained v3 compatible RBAC scheme for the API. The WIP spec change is here: https://review.openstack.org/#/c/112137/ I realize this will need to move from Juno to Kilo because it won't make Juno. And the code

Re: [openstack-dev] [Ceilometer] Way to get wrapped method's name/class using Pecan secure decorators?

2014-08-20 Thread Pendergrass, Eric
his approach should still work. > > On 08/14/14 04:38 PM, Pendergrass, Eric wrote: > > Sure, Doug. We want the ability to selectively apply policies to > > certain Ceilometer API methods based on user/tenant roles. > > > > For example, we want to restrict the ability

Re: [openstack-dev] [Ceilometer] Way to get wrapped method's name/class using Pecan secure decorators?

2014-08-14 Thread Pendergrass, Eric
seem to work. The issue is that > > security is enforced at routing time (while the controller is still > > actually being discovered). In order to do this sort of thing with > > the `check_permissions`, we'd probably need to add a feature to pecan. > > > > O

Re: [openstack-dev] [Ceilometer] Way to get wrapped method's name/class using Pecan secure decorators?

2014-08-12 Thread Pendergrass, Eric
> Can you share some code? What do you mean by, "is there a way for the > decorator code to know it was called by MetersController.get_all" > > On 08/12/14 04:46 PM, Pendergrass, Eric wrote: > > Thanks Ryan, but for some reason the controller attribute is None: > &

Re: [openstack-dev] [Ceilometer] Way to get wrapped method's name/class using Pecan secure decorators?

2014-08-12 Thread Pendergrass, Eric
/class using Pecan secure decorators? > > This should give you what you need: > > from pecan.core import state > state.controller > > On 08/12/14 04:08 PM, Pendergrass, Eric wrote: > > Hi, I'm trying to use the built in secure decorator in Pecan for access > > control

[openstack-dev] [Ceilometer] Way to get wrapped method's name/class using Pecan secure decorators?

2014-08-12 Thread Pendergrass, Eric
Hi, I'm trying to use the built-in secure decorator in Pecan for access control, and I'd like to get the name of the method that is wrapped from within the decorator. For instance, if I'm wrapping MetersController.get_all with an @secure decorator, is there a way for the decorator code to know

Re: [openstack-dev] [Ceilometer] Question on decorators in Ceilometer pecan framework

2014-08-08 Thread Pendergrass, Eric
> From: David Stanek [mailto:dsta...@dstanek.com] > Sent: Friday, August 08, 2014 7:25 AM > To: OpenStack Development Mailing List (not for usage questions) > Subject: Re: [openstack-dev] [Ceilometer] Question on decorators in > Ceilometer pecan framework > It looks like maybe WSME or Pecan is ins

Re: [openstack-dev] [Ceilometer] Question on decorators in Ceilometer pecan framework

2014-08-08 Thread Pendergrass, Eric
Wrong link again, this is embarrassing :( https://review.openstack.org/#/c/112137/3 From: Pendergrass, Eric Sent: Friday, August 08, 2014 7:15 AM To: openstack-dev@lists.openstack.org Subject: RE: [Ceilometer] Question on decorators in Ceilometer pecan framework Sorry, wrong BP review link

Re: [openstack-dev] [Ceilometer] Question on decorators in Ceilometer pecan framework

2014-08-08 Thread Pendergrass, Eric
Sorry, wrong BP review link below. Here is the correct one: https://review.openstack.org/#/c/112127/3. Please disregard the wiki link. From: Pendergrass, Eric Sent: Friday, August 08, 2014 6:50 AM To: openstack-dev@lists.openstack.org Cc: Giannetti, Fabio Subject: [Ceilometer] Question on

[openstack-dev] [Ceilometer] Question on decorators in Ceilometer pecan framework

2014-08-08 Thread Pendergrass, Eric
Hi, We have been struggling to get a decorator working for proposed new RBAC functionality in ceilometer-api. We're hitting a problem where GET request query parameters are mucked up by our decorator. Here's an example call: curl -H "X-Auth-Token:$TOKEN" 'http://localhost:8777/v2/meters?q.fi

[openstack-dev] [Keystone] Removed admin role from admin user/tenant, can't add back

2014-07-24 Thread Pendergrass, Eric
In an effort to test ceilometer roles I removed the admin role from the admin tenant and user. Now I can't add it back since I don't have a user/tenant combo with the admin role: keystone user-role-add --role e4252b63c308470b8cb7f77c37d27632 --user 8c678720fb5b4e3bb18dee222d7d7933 --tenant 922

[openstack-dev] [qa] Debugging tox tests with pdb?

2014-05-07 Thread Pendergrass, Eric
Hi, I've read much of the documentation around OpenStack tests, tox, and testr. All I've found indicates debugging can be done, but only by running the entire test suite. I'd like the ability to run a single test module with pdb.set_trace() breakpoints inserted, then step through the test. I'

[openstack-dev] [Ceilometer] Error running ceilometer tox tests

2014-04-28 Thread Pendergrass, Eric
Hi, I pulled devstack yesterday and have been trying to get any test to run successfully. My process is this: Install tox >=1.6,<1.7 Install libmysqlclient-dev Install mongodb-server Source .tox/py27/bin/activate Install test-requirements packages in venv Install pytidylib 0.2.1 from ta

[openstack-dev] [Ceilometer] Add a filter between auth_token and v2

2014-01-08 Thread Pendergrass, Eric
I need to add an additional layer of authorization between auth_token and the reporting API. I know it's as simple as creating a WSGI element and adding it to the pipeline. Examining the code I haven't figured out where to begin doing this. I'm not using Apache and mod_wsgi, just the rep

[openstack-dev] [Ceilometer] Compute meter names prefaced by "instance:"

2013-12-06 Thread Pendergrass, Eric
Hi, I've been out for nearly 3 weeks and noticed Compute meter names are now prefaced by "instance:" http://docs.openstack.org/developer/ceilometer/measurements.html Not sure when this happened but I was wondering if the change applies across all OpenStack. Will Nova use the change for i

[openstack-dev] [Common] context-is-admin causes project_id to not be passed to API layer

2013-09-24 Thread Pendergrass, Eric
While debugging a token auth problem I noticed that the enforcer searches the role list in a token for a role called 'admin' (any case). If it's present, the enforcer returns true and the acl does not set the X-Project-Id header on the request. I was wondering what the reason for not setting p

[openstack-dev] [Ceilometer] Token's project (tenant) not passed to API layer (v2.py) from auth_token.py

2013-09-23 Thread Pendergrass, Eric
Hi, I'm struggling with a problem related to tokens. I have one token for which the project ID gets passed to v2.MeterController.get_all() in the kwargs: (Pdb) kwargs {'project': u'10032339952700', 'meter': u'network.outgoing.bytes'} I have another token for a different tenant and the pro

[openstack-dev] [Ceilometer] Allow multiple projects (tenants) in the received kwargs for v2 queries

2013-09-17 Thread Pendergrass, Eric
I'm implementing a role based access control system where I'll use a list of projects to determine which projects a user can query. This project list will come from an upstream filter based on roles associated with the user's auth token. In the current v2/meters/ (Sample) code, the kwargs rece

[openstack-dev] [Ceilometer] Disable keystone authorization in ceilometer-api?

2013-07-10 Thread Pendergrass, Eric
Does anyone know how to disable keystone authorization in ceilometer-api? Is there a ceilometer.conf option for this? Thank you

[openstack-dev] [Ceilometer]How to change Keystone properties

2013-06-26 Thread Pendergrass, Eric
I've been editing /etc/ceilometer/ceilometer.conf trying to change the keystone provider: [keystone] auth_host= auth_port=35357 auth_protocol=https auth_uri=https://:35357 admin_user= admin_password= Tracing through auth_token.py, I see none of the configuration info is picked up:

[openstack-dev] Ceilometer: Proposal to add resource_metadata to reporting Meter object

2013-06-26 Thread Pendergrass, Eric
Our group would like to have resource_metadata available on the Meter object (currently it's not there). The reason is so we may supply additional customized attributes associated with a Meter. Examples include other timestamp values, a project owner, and processing status. Currently, to get