Comments inline below.
Best Regards,
Lance
On Thu, Aug 21, 2014 at 11:40 AM, Adam Young wrote:
> On 08/21/2014 12:21 PM, Daniel P. Berrange wrote:
>
>> On Thu, Aug 21, 2014 at 05:05:04PM +0100, Matthew Booth wrote:
>>
>>> "I would prefer that you didn't merge this."
>>>
>>> i.e. The project i
Hey all,
Here is what's on my radar for keystone-specific sessions and talks next
week:
*Tuesday*
- Change ownership of resources [0]
- Keystone Project Update [1]
- OpenStack Policy 101 [2]
- Keystone Project Onboarding [3]
- Gaps between OpenStack and business logic with Adjutant [4]
*Wednesda
Just a reminder that we won't be holding a weekly meeting for keystone next
week due to the OpenStack Summit in Berlin.
Meetings will resume on the 20th of November.
Thanks,
Lance
__
OpenStack Development Mailing List (not f
https://review.openstack.org/#/q/project:openstack/oslo.limit+status:open
On Tue, Sep 11, 2018 at 8:10 AM Lance Bragstad wrote:
> Extra eyes on the API would be appreciated. We're also close to the point
> where we can start incorporating oslo.limit into services, so preparing
> those changes m
We are in the process of removing XML support from Keystone [1] and have
provided
configuration options to Tempest for testing XML in older releases [2].
However, the
identity client is still tightly coupled to XML test cases. We can either
fix the 309 test cases
that use the XML identity client or
On Wed, Dec 3, 2014 at 9:18 AM, Sean Dague wrote:
> We've hit two interesting issues this week around multiple projects
> installing into the paste pipeline of a server.
>
> 1) the pkg_resources explosion in grenade. Basically ceilometer modified
> swift paste.ini to add its own code into swift
://review.openstack.org/#/c/139051/
[2] https://wiki.openstack.org/wiki/ReleaseNotes/Kilo#Upgrade_Notes
On Wed, Dec 3, 2014 at 10:26 AM, Sean Dague wrote:
> On 12/03/2014 10:57 AM, Lance Bragstad wrote:
> >
> >
> > On Wed, Dec 3, 2014 at 9:18 AM, Sean Dague > <ma
Keystone also has API documentation in the keystone-spec repo [1], which
went in with [2] and [3].
[1] https://github.com/openstack/keystone-specs/tree/master/api
[2] https://review.openstack.org/#/c/128712/
[3] https://review.openstack.org/#/c/130577/
On Mon, Dec 8, 2014 at 1:06 PM, Adam Young
https://review.openstack.org/#/c/113586/ is owned by dstanek but I
understand he is out this week at a conference?
It might be worth dropping in #openstack-keystone and seeing if dstanek
would be alright with you picking it up, since you're building on it.
On Wed, Jan 7, 2015 at 12:21 AM, Ajaya A
+1
On Jan 18, 2015 1:23 PM, "Marek Denis" wrote:
> +1
>
> On 18.01.2015 20:11, Morgan Fainberg wrote:
>
> Hello all,
>
> I would like to nominate Brad Topol for Keystone Spec core (core
> reviewer for Keystone specifications and API-Specification only:
> https://git.openstack.org/cgit/openstack
John,
Adam had a blog post on Compressed Tokens that might help shed a little
light on them in general[1]. We also have a blueprint for tracking the work
as it gets done[2].
[1] http://adam.younglogic.com/2014/02/compressed-tokens/
[2] https://blueprints.launchpad.net/keystone/+spec/compress-tok
@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
Furthermore Russell talked to Dolph in IRC and Dolph created this
blueprint for planning the path forward from keystone v2 to v3:
https://blueprints.launchpad.net/keystone/+spec/document-v2-to-v3-trans
On Tue, Sep 23, 2014 at 3:51 AM, Thierry Carrez
wrote:
> Adam Young wrote:
> > OpenStack owes you more than most people realize.
>
> +1
>
> Dolph did a great job of keeping the fundamental piece that is Keystone
> safe from a release management perspective, by consistently hitting all
> the deadl
You can add me to this list as well.
Thanks!
Lance
On Wed, Sep 24, 2014 at 9:41 AM, Alex Xu wrote:
> I'm interested in the group too!
>
>
> On 2014-09-24 18:01, Salvatore Orlando wrote:
>
> Please keep me in the loop.
>
> The importance of ensuring consistent style across Openstack APIs
>
On Mon, Sep 29, 2014 at 11:25 AM, Jay Pipes wrote:
> On 09/29/2014 12:15 PM, Julien Danjou wrote:
>
>> On Mon, Sep 29 2014, Jay Pipes wrote:
>>
>> What if we wrote a token driver in Keystone that uses Swift for backend
>>> storage?
>>>
>>
>> Yay! I already wrote a PoC to that:
>>
>>https://r
I found a couple of free times available for a weekly meeting if people are
interested:
https://review.openstack.org/#/c/128332/2
Not sure if a meeting time has been hashed out already or not, and if it
has I'll change the patch accordingly. If not, we can iterate on possible
meeting times in the
On Tue, Oct 14, 2014 at 4:29 PM, Christopher Yeoh wrote:
> On Tue, 14 Oct 2014 10:29:34 -0500
> Lance Bragstad wrote:
>
> > I found a couple of free times available for a weekly meeting if
> > people are interested:
> >
> > https://review.openstack.org/#/c/12833
On Thu, Oct 30, 2014 at 6:30 AM, Eoghan Glynn wrote:
>
>
> > Hi everyone,
> >
> > Before we start the larger discussion at summit next week about the
> future of
> > testing in OpenStack - specifically about spinning up functional testing
> and
> > how
> > it relates to tempest - I would like to
On Tue, Nov 11, 2014 at 3:30 PM, Douglas Mendizabal <
douglas.mendiza...@rackspace.com> wrote:
> I think it would also be interesting to hear for the Keystone folks that
> are interested in attending OSSG and/or Barbican.
We did record some of our plans for the Keystone mid-cycle meetup during
o
Keystone has a notifications module that is based on this idea. When
implementing notification in Keystone, we wanted it to be easy to deliver
notifications on new resources and extensions [1], which is where the idea
of the wrapper came from. With that framework in place, we wrap our CRUD
methods
I think one of the benefits of the current model was touched on earlier by
dstanek. If someone is working on something for their organization, they
typically bounce ideas off others they work with closely. This tends to be
people within the same organization. The groups developing the feature
might
On Tue, Dec 1, 2015 at 6:05 AM, Sean Dague wrote:
> On 12/01/2015 01:57 AM, Steve Martinelli wrote:
> > Trying to summarize here...
> >
> > - There isn't much interest in keeping eventlet around.
> > - Folks are OK with running keystone in a WSGI server, but feel they are
> > constrained by Apach
Congratulations Rodrigo!
Thank you for all the continued and consistent reviews.
On Tue, May 24, 2016 at 1:28 PM, Morgan Fainberg
wrote:
> I want to welcome Rodrigo Duarte (rodrigods) to the keystone core team.
> Rodrigo has been a consistent contributor to keystone and has been
> instrumental
On Fri, Jun 3, 2016 at 3:20 AM, Henry Nash wrote:
>
> On 3 Jun 2016, at 01:22, Adam Young wrote:
>
> On 06/02/2016 07:22 PM, Henry Nash wrote:
>
> Hi
>
> As you know, I have been working on specs that change the way we handle
> the uniqueness of project names in Newton. The goal of this is to be
Hey all,
I have been curious about impact of providing performance feedback as part
of the review process. From what I understand, keystone used to have a
performance job that would run against proposed patches (I've only heard
about it so someone else will have to keep me honest about its timefra
On Fri, Jun 3, 2016 at 11:20 AM, Henry Nash wrote:
>
> On 3 Jun 2016, at 16:38, Lance Bragstad wrote:
>
>
>
> On Fri, Jun 3, 2016 at 3:20 AM, Henry Nash wrote:
>
>>
>> On 3 Jun 2016, at 01:22, Adam Young wrote:
>>
>> On 06/02/2016 07:22 PM, Henry N
erformance published publicly (nice to have)
On Fri, Jun 3, 2016 at 3:16 PM, Brant Knudson wrote:
>
>
> On Fri, Jun 3, 2016 at 2:35 PM, Lance Bragstad
> wrote:
>
>> Hey all,
>>
>> I have been curious about impact of providing performance feedback as
>> part of the
nce/issues
[2]
https://github.com/lbragstad/keystone-performance/issues?utf8=%E2%9C%93&q=is%3Aissue
[3] https://review.openstack.org/#/c/326246/
On Mon, Jun 6, 2016 at 12:45 PM, Clint Byrum wrote:
> Excerpts from Brant Knudson's message of 2016-06-03 15:16:20 -0500:
> > On Fri,
help to develop any Rally plugin or even review the
>Rally test cases that we proposed to them
>
>
> Best regards,
> Boris Pavlovic
>
> On Mon, Jun 6, 2016 at 10:45 AM, Clint Byrum wrote:
>
>> Excerpts from Brant Knudson's message of 2016-06-03 15:16:20 -0500:
>
There are several upstream deployment projects that have SSL support baked
in [0] [1], in case you want to pick through and see exactly how they
deploy keystone with SSL.
[0] https://github.com/openstack/openstack-ansible-os_keystone
[1] https://github.com/openstack/puppet-keystone
On Mon, Jul 1
In response to point 2.2, the progress with Fernet in the last year has
exposed performance pain points in keystone. Finding sensible solutions for
those issues is crucial in order for people to adopt Fernet. In Mitaka we
had a lot of discussion that resulted in landing several performance
related
Keystone's credential API pre-dates barbican. We started talking about
having the credential API back to barbican after it was a thing. I'm not
sure if any work has been done to move the credential API in this
direction. From a security perspective, I think it would make sense for
keystone to back
I think we need to ask who we are lowering the barrier of entry for. Are we
going down this path because we want developers to have less things to do
to stand up a development environment? Or do we want to make it easy for
people to realistically test? If you're going to realistically vet magnum,
w
++ Nice to see this planning happening early!
R-14 would probably be a no-go for me. R-12 and R-11 fit my schedule.
On Thu, Apr 14, 2016 at 9:11 AM, Henry Nash wrote:
> Hi Morgan,
>
> Great to be planning this ahead of time!!!
>
> For me either of the July dates are fine - I would have a proble
It looks like it does [0].
[0]
https://github.com/openstack-dev/devstack/blob/4e7804431ada7e2cc0db63bd4c52b17782d33b5b/lib/keystone#L494-L497
On Mon, Apr 18, 2016 at 10:20 AM, Matt Fischer wrote:
> On Mon, Apr 18, 2016 at 8:29 AM, Brant Knudson wrote:
>
>>
>>
>> On Fri, Apr 15, 2016 at 9:04 P
If we were to write a uuid/fernet hybrid provider, it would only be
expected to support something like stable/liberty to stable/mitaka, right?
This is something that we could contribute to stackforge, too.
On Tue, May 3, 2016 at 9:21 AM, Adam Young wrote:
> On 05/03/2016 09:55 AM, Clint Byrum wr
Interesting. The paper says that the implementation was based on the Havana
release. Just out of curiosity, does anyone know if the code is public?
On Mon, Dec 14, 2015 at 6:38 PM, darren wang
wrote:
> Hi Dolph,
>
>
>
> Here it is,
> http://profsandhu.com/confrnc/misconf/nss14-preprint-
> I'm in! And hope I can put some other folks in too.
>
> On Sat, 10 Oct 2015 at 12:03, Lance Bragstad
> wrote:
>
>> On Sat, Oct 10, 2015 at 8:07 AM, Boris Bobrov
>> wrote:
>>
>>> On Saturday 10 October 2015 08:42:10 Shinobu Kinjo wrote:
>>
++
I'm happy to see this go through! Samuel and Dave have been helping me out
a lot lately. Both make great additions to the team!
On Thu, Jan 28, 2016 at 9:12 AM, Brad Topol wrote:
> CONGRATULATIONS Dave and Samuel. Very well deserved!!!
>
> --Brad
>
>
> Brad Topol, Ph.D.
> IBM Distinguished E
When trusts were implemented, they were designed to work as an extension
under the version 3 API. The implementation didn't prevent the use of a
trust to authenticate against version 2.0, which was never officially
documented in the v2.0 API docs.
The keystone team is curious if there is anyone cr
On Wed, Jul 22, 2015 at 10:06 PM, Adam Young wrote:
> On 07/22/2015 05:39 PM, Adam Young wrote:
>
> On 07/22/2015 03:41 PM, Morgan Fainberg wrote:
>
> This is an indicator that the bottleneck is not the db strictly speaking,
> but also related to the way we match. This means we need to spend som
On Mon, Aug 3, 2015 at 7:03 AM, David Stanek wrote:
>
> On Mon, Aug 3, 2015 at 7:14 AM, Davanum Srinivas
> wrote:
>
>> agree. "Native HA solution" was already ruled out in several email
>> threads by keystone cores already (if i remember right). This is a
>> devops issue and should be handled as
On Tue, Aug 4, 2015 at 1:37 AM, Boris Bobrov wrote:
> On Monday 03 August 2015 21:05:00 David Stanek wrote:
>
> > On Sat, Aug 1, 2015 at 8:03 PM, Boris Bobrov
> wrote:
>
> > > On Sat, Aug 1, 2015 at 3:41 PM, Clint Byrum wrote:
>
> > > > This too is overly complex and will cause failures. If you
On Tue, Aug 4, 2015 at 9:28 AM, Boris Bobrov wrote:
> On Tuesday 04 August 2015 08:06:21 Lance Bragstad wrote:
> > On Tue, Aug 4, 2015 at 1:37 AM, Boris Bobrov
> wrote:
> > > On Monday 03 August 2015 21:05:00 David Stanek wrote:
> > > > On Sat, Aug
On Tue, Aug 4, 2015 at 10:52 AM, Douglas Fish wrote:
> Hi David,
>
> This is a cool looking UI. I've made a minor comment on it in InVision.
>
> I'm curious if this is an implementable idea - does keystone support large
> numbers of 3rd party idps? is there an API to retrieve the list of idps or
n the key rotation be done upon
>> Barbican? And if we use Barbican as the repository, then it’s easier for Key
>> distribution and rotation in multiple KeyStone deployment scenario, the
>> database replication (sync. or async.) capability could be leveraged.
>>
>>
>
orded as - a new policy/engine
>that
>allows public access to be a bona fide policy rule
>
>
> The existing policy simply seems wrong. Why protect the list of IdPs?
>
>
>
>regards
>
>David
>
>>
>> Thanks,
>>
>>
Login
>> >
>> >
>> >
>> >
>> >
>> > On Wed, Aug 5, 2015 at 5:39 AM, David Chadwick <
>> d.w.chadw...@kent.ac.uk >
>> > wrote:
>> >
>> > On 04/08/2015 18:59, Steve Martinelli wrote: > Right, but that API
>>
On Wed, Aug 12, 2015 at 12:06 PM, David Chadwick
wrote:
>
>
> On 11/08/2015 01:46, Jamie Lennox wrote:
> >
> >
> > - Original Message -
> >> From: "Jamie Lennox" To: "OpenStack
> >> Development Mailing List (not for usage questions)"
> >> Sent: Tuesday, 11 August, 2015
> >> 10:09:33 AM
Hey all,
I'd like to propose a spec proposal freeze exception for IDP Specific
WebSSO [0].
This topic has been discussed, in length, on the mailing list [1], where
this spec has been referenced as a possible solution [2]. This would allow
for multiple Identity Providers to use the same protocol.
the ML to cover justifications etc.
>
> --Morgan
>
> Sent via mobile
>
> On Aug 12, 2015, at 16:20, Lance Bragstad wrote:
>
> Hey all,
>
>
> I'd like to propose a spec proposal freeze exception for IDP Specific
> WebSSO [0].
>
> This topic has been discuss
Best of luck in your new adventures, and thanks for all your hard work!
On Thu, Sep 10, 2015 at 5:28 PM, Dolph Mathews
wrote:
> Thank you for all your work, Morgan! Good luck with the opportunity to
> write some code again :)
>
> On Thu, Sep 10, 2015 at 4:40 PM, Morgan Fainberg <
> morgan.fainb.
On Fri, Sep 11, 2015 at 8:04 AM, David Stanek wrote:
> On Fri, Sep 11, 2015 at 8:26 AM, Christian Berendt
> wrote:
>
>> At the moment it is possible to create new users with invalid mail
>> addresses. I pasted the output of my test at
>> http://paste.openstack.org/show/456642/. (the listing of i
On Sat, Oct 10, 2015 at 8:07 AM, Boris Bobrov wrote:
> On Saturday 10 October 2015 08:42:10 Shinobu Kinjo wrote:
> > So what's the procedure?
>
> You go to #openstack-keystone on Friday, choose a bug, talk to someone of
> the
> core reviewers. After talking to them fix the bug.
>
Wash, rinse, re
I feel if we allowed group ids to be an attribute of the Fernet's core
payload, we continue to open up the possibility for tokens to be greater
than the initial "acceptable" size limit for a Fernet token (which I
believe was 255 bytes?). With this, I think we need to provide guidance on
the number
y#L977
>
> On Thu, Jun 4, 2015 at 2:36 AM, Morgan Fainberg > wrote:
>
>> For Fernet, the groups would only be populated on validate as Dolph
>> outlined. They would not be added to the core payload. We do not want to
>> expand the payload in this manner.
>>
>
Hi Adam,
Do you have any more information on the Boston University dorm situation?
On Tue, Jun 9, 2015 at 1:25 PM, Adam Young wrote:
> Keystone Liberty Midcycle Meetup
>
> Time and Location
>
> When: July 15-17 (Wed-Fri)
>
> Where: Boston University, Boston, MA, USA
>
>
> Keystone Midcycle Wi
On Mon, Jun 15, 2015 at 5:00 AM, Feng Xi BJ Yan
wrote:
> Hi, Keystone guys,
>
> Could we have a talk about DB2 CI enablement on this Monday, 8PM central
> US time? which is Tuesday 9AM Beijing time?
>
Works for me, I'll make a note to be in the channel at 8 PM central.
Thanks for the update.
>
On Tue, Mar 8, 2016 at 10:58 AM, Adam Young wrote:
> On 03/08/2016 11:06 AM, Matt Fischer wrote:
>
> This would be complicated to setup. How would the Openstack services
> validate the token? Which keystone node would they use? A better question
> is why would you want to do this?
>
> On Tue, Mar
Keystone introduced TOTP authentication this release [0]. Like Adam said,
in Newton we will build multi-factor authentication on top of TOTP and
existing plugins.
[0]
http://specs.openstack.org/openstack/keystone-specs/specs/mitaka/totp-auth.html
On Sun, Mar 13, 2016 at 4:05 PM, Adam Young wrot
+1
On Tue, Feb 10, 2015 at 11:56 AM, David Stanek wrote:
> +1
>
> On Tue, Feb 10, 2015 at 12:51 PM, Morgan Fainberg <
> morgan.fainb...@gmail.com> wrote:
>
>> Hi everyone!
>>
>> I wanted to propose Marek Denis (marekd on IRC) as a new member of the
>> Keystone Core team. Marek has been instrumen
Hello all,
I'm proposing the Authenticated Encryption (AE) Token specification [1] as
an SPFE. AE tokens increase scalability of Keystone by removing token
persistence. This provider has been discussed prior to, and at the Paris
summit [2]. There is an implementation that is currently up for rev
encrypting.
On Sun, Feb 15, 2015 at 12:03 AM, Morgan Fainberg wrote:
> On February 14, 2015 at 9:53:14 PM, Adam Young (ayo...@redhat.com) wrote:
>
> On 02/13/2015 04:19 PM, Morgan Fainberg wrote:
>
> On February 13, 2015 at 11:51:10 AM, Lance Bragstad (lbrags...@gmail.com)
> wro
On Mon, Feb 16, 2015 at 1:21 PM, Samuel Merritt wrote:
> On 2/14/15 9:49 PM, Adam Young wrote:
>
>> On 02/13/2015 04:19 PM, Morgan Fainberg wrote:
>>
>>> On February 13, 2015 at 11:51:10 AM, Lance Bragstad
>>> (lbrags...@gmail.com <mailto:lbrags..
On Sat, Feb 25, 2017 at 12:47 AM, Clint Byrum wrote:
> Excerpts from joehuang's message of 2017-02-25 04:09:45 +:
> > Hello, Matt,
> >
> > Thank you for your reply, just as what you mentioned, for the slow
> changed data, async. replication should work. My concern is that the impact
> of repl
Nice! Thanks for revisiting this, Brant.
Was this a cross-project goal/discussion at the PTG?
On Fri, Feb 24, 2017 at 9:24 AM, Brant Knudson wrote:
>
> At the PTG there was some discussion about changing services to not listen
> on ports[0]. I'd been working on this for devstack keystone off an
I took some time to consolidate my notes from the PTG [0]. Let me know if
there are big things I've missed, or if you have summaries of your own.
Thanks to everyone who attended and participated!
[0] http://lbragstad.com/keystone-pike-ptg-summary/
On Tue, Feb 28, 2017 at 7:04 PM, Clark Boylan wrote:
> On Tue, Feb 28, 2017, at 04:53 PM, Lance Bragstad wrote:
> > I took some time to consolidate my notes from the PTG [0]. Let me know if
> > there are big things I've missed, or if you have summaries of your own.
> >
FWIW - There was a lengthy discussion in #openstack-dev yesterday regarding
this [0].
[0]
http://eavesdrop.openstack.org/irclogs/%23openstack-dev/%23openstack-dev.2017-02-28.log.html#t2017-02-28T17:39:48
On Wed, Mar 1, 2017 at 5:42 AM, John Garbutt wrote:
> On 27 February 2017 at 21:18, Matt R
During the PTG, Morgan mentioned that there was the possibility of keystone
removing the v2.0 API [0]. This thread is a follow up from that discussion
to make sure we loop in the right people and do everything by the books.
The result of the session [1] listed the following work items:
- Figure ou
Post PTG there has been some discussion regarding quotas as well as limits.
While most of the discussion has been off and on in #openstack-dev, we also
have a mailing list thread on the topic [0].
I don't want to derail the thread on quotas and limits with this thread,
but today's discussion [1] h
From a keystone-perspective, I'm fine killing keystone.openstack.org.
Unless another team member with more context/history has a reason to keep
it around.
On Wed, Mar 8, 2017 at 9:12 AM, Monty Taylor wrote:
> Hey all,
>
> We have a set of old vanity redirect URLs from back when we made a URL
>
On Thu, Mar 9, 2017 at 3:46 PM, Doug Hellmann wrote:
> Excerpts from Andrea Frittoli's message of 2017-03-09 20:53:54 +:
> > Hi folks,
> >
> > I'm trying to figure out what's the best approach to fade out testing of
> > deprecated API versions.
> > We currently host in Tempest API tests for G
On Fri, Mar 10, 2017 at 8:49 AM, Andrea Frittoli
wrote:
>
>
> On Fri, Mar 10, 2017 at 2:24 PM Doug Hellmann
> wrote:
>
>> Excerpts from Ghanshyam Mann's message of 2017-03-10 10:55:25 +0900:
>> > On Fri, Mar 10, 2017 at 7:23 AM, Lance Bragstad
>> wrote
Rodrigo,
Isn't what you just described the reseller use case [0]? Was that work ever
fully finished? I thought I remember having discussions in Tokyo about it.
[0]
http://specs.openstack.org/openstack/keystone-specs/specs/keystone/mitaka/reseller.html
On Tue, Mar 14, 2017 at 7:38 AM, Rodrigo Du
Hello,
Sending out a quick announcement that we've merged our project-specific
deadlines for the Pike release schedule [0]. Our first deadline this
release is spec proposal freeze which is going to be R-20 (April 14th).
Thanks!
[0] https://releases.openstack.org/pike/schedule.html
Hi all,
With the forum approaching, I threw together a slide deck that incorporates
the new mascot. I wanted to send this out in enough advance for folks to
use them at the forum.
This is in no way our *official* deck and you're not required to use it for
keystone related talks or presentations.
Of course I would make changes to the template *right* after sending this
email. I'll just share the presentation that I have [0].
https://docs.google.com/presentation/d/1s9BNHI4aHs_fEcCYuekDCFwMg1VTsKCHMkSko92Gqco/edit?usp=sharing
On Tue, Mar 14, 2017 at 8:54 PM, Lance Bragstad wrote:
I would love to have one for on-boarding new identity developers.
On Wed, Mar 15, 2017 at 1:43 PM, Michał Jastrzębski
wrote:
> One for Kolla too please:)
>
> On 15 March 2017 at 11:35, Чадин Александр (Alexander Chadin)
> wrote:
> > +1 for Watcher
> >
> > Best Regards,
> > _
On Thu, Mar 16, 2017 at 8:07 AM, Jeremy Stanley wrote:
> On 2017-03-15 13:46:42 +1300 (+1300), Adrian Turjak wrote:
> > See, subdomains I can kind of see working, but the problem I have with
> > all this in general is that it is kind of silly to try and stop access
> > down the tree. If you have
I think the success of this, or a revived fernet-backend spec, is going to
have a hard requirement on the outcome of the configuration opts discussion
[0]. When we attempted to introduce an abstraction for fernet keys
previously, it led down a rabbit hole of duplicated work across
implementations,
On Thu, Mar 16, 2017 at 12:46 PM, Morgan Fainberg wrote:
>
>
> On Mar 16, 2017 07:28, "Jeremy Stanley" wrote:
>
> On 2017-03-16 08:34:58 -0500 (-0500), Lance Bragstad wrote:
> [...]
> > These security-related corner cases have always come up in the past when
>
1:02 PM, Davanum Srinivas wrote:
> Lance,
>
> in the other thread, we have not been talking about having any kind of
> security for the fernet keys. Isn't that a requirement since if we
> throw that in etcd it may be vulnerable?
>
> Thanks,
> Dims
>
> On Thu,
Hey folks,
The reseller use case [0] has been popping up frequently in various
discussions [1], including unified limits.
For those who are unfamiliar with the reseller concept, it came out of
early discussions regarding hierarchical multi-tenancy (HMT). It
essentially allows a certain level of o
not, would it be a
nice-to-have?
>
> Thanks,
> Kevin
>
> --
> *From:* Lance Bragstad [lbrags...@gmail.com]
> *Sent:* Thursday, March 16, 2017 2:10 PM
> *To:* OpenStack Development Mailing List (not for usage questions)
> *Subject:* [openstack-
On Thu, Mar 16, 2017 at 4:31 PM, John Dickinson wrote:
>
>
> On 16 Mar 2017, at 14:10, Lance Bragstad wrote:
>
> Hey folks,
>
> The reseller use case [0] has been popping up frequently in various
> discussions [1], including unified limits.
>
> For those who ar
I have a couple questions in addition to Matt's.
The keystone group is still trying to figure out what this means for us and
we discussed it in today's meeting [0]. Based on early feedback, we're
going to have less developer presence at the Forum than we did at the PTG.
Are these formal sessions i
Posting a keystone update here as well. We are iterating on it in review as
well as in IRC. There are a few things we're doing within keystone that
raised some questions as to how we should handle some of the new changes in
WebOb.
I'll post another update once we make some more progress.
On Wed,
Following up again. Today we merged the fixes for some WebOb 1.7
compatibility issues we were having [0]. Thanks to David (dstanek) and John
(jdennis) for digging in and getting this squared away.
[0] https://review.openstack.org/#/c/422234/
On Wed, Mar 22, 2017 at 1:37 PM, Lance Bragstad wrote
The TC meeting today [0] had some discussion on an interpretation of
OpenStack's mission statement [1]. The purpose of this note is two-fold.
First, it would be great to get some keystone folks to review that change,
especially paragraph four. Second, is an overall request for any last
minute comme
Hey folks,
The schedule for today's meeting is pretty empty [0] so we will go ahead
and cancel. There are several policy patches in keystone and nova that are
working their way through review. Instead of meeting, a better use of that
time might be reviewing what we have in the pipeline (detailed b
With pycrypto removed from keystoneauth [0] (thanks Brant, Monty, and
Morgan!), I did some poking at the usage in keystonemiddleware [1].
The usage is built into auth_token middleware for encrypting and decrypting
things stored in cache [2], but it is conditional based on configuration
[3] and whe
d.net/keystonemiddleware/+bug/1677308
On Wed, Mar 29, 2017 at 10:41 AM, Lance Bragstad
wrote:
> With pycrypto removed from keystoneauth [0] (thanks Brant, Monty, and
> Morgan!), I did some poking at the usage in keystonemiddleware [1].
>
> The usage is built into auth_token middleware f
The keystone gate is currently broken [0]. This seems related to a previous
change we made to be compatible with webob 1.7 [1]. Looks like we missed a
couple spots in the original patch that are failing now that we're using a
newer version of webob.
There is a solution up for review [2] that shoul
We ended up cancelling today's policy meeting, but policy discussions
carried on throughout the day in #openstack-keystone [0]. We have several
specs up for review [1][2][3][4]. Some are nova specs and a couple are
proposed to keystone. With keystone's spec proposal freeze coming up next
week [5],
If you chill in #openstack-keystone, we had a little mishap today that
resulted in people getting accidentally kicked from the channel. Everything
is back to normal and if you haven't already done so, feel free to hop back
in.
Thanks!
references they've found useful for RBAC
discussions, feel free to drop them here.
[0] http://csrc.nist.gov/rbac/sandhu-ferraiolo-kuhn-00.pdf
On Wed, Apr 5, 2017 at 4:45 PM, Lance Bragstad wrote:
> We ended up cancelling today's policy meeting, but policy discussions
> carrie
Sending out a heads up that the initial spec [0] merged.
[0] https://review.openstack.org/#/c/440815/
On Thu, Mar 30, 2017 at 1:44 PM, Tim Bell wrote:
>
> For those that are interested in nested quotas, there is proposal on how
> to address this forming in openstack-dev (and any comments on the
On Tue, Apr 11, 2017 at 1:21 PM, Matt Riedemann wrote:
> On 4/11/2017 2:52 AM, Alex Xu wrote:
>
>> We talked about remove the quota-class API for multiple times
>> (http://lists.openstack.org/pipermail/openstack-dev/2016-July/099218.html
>> )
>>
>> I guess we can deprecate the entire quota-class
On Wed, Apr 12, 2017 at 9:42 AM, Amrith Kumar
wrote:
> Hmm, all the cool kids didn’t receive the email but I did. Now I feel bad
> ☹
>
>
>
> -amrith
>
>
>
> *From:* Morgan Fainberg [mailto:morgan.fainb...@gmail.com]
> *Sent:* Wednesday, April 12, 2017 9:53 AM
> *To:* OpenStack Development Mailing