Re: [openstack-dev] [keystone] Service scoped role definition

2013-11-26 Thread Tiwari, Arvind
-Original Message- From: David Chadwick [mailto:d.w.chadw...@kent.ac.uk] Sent: Monday, November 25, 2013 12:12 PM To: Tiwari, Arvind; OpenStack Development Mailing List Cc: Henry Nash; ayo...@redhat.com; dolph.math...@gmail.com; Yee, Guang Subject: Re: [openstack-dev] [keystone] Service

Re: [openstack-dev] [keystone] Service scoped role definition

2013-11-26 Thread Tiwari, Arvind
your idea. Feel free to update the etherpad. Regards, Arvind -Original Message----- From: Tiwari, Arvind Sent: Tuesday, November 26, 2013 4:08 PM To: David Chadwick; OpenStack Development Mailing List Subject: Re: [openstack-dev] [keystone] Service scoped role definition Hi David, Thank

Re: [openstack-dev] [keystone] Service scoped role definition

2013-12-02 Thread Tiwari, Arvind
which can fit in my Plan B and I think Adam is cool with plan B. Please let me know if David's proposal for role-def scoping is cool for everybody? Thanks, Arvind -Original Message- From: Adam Young [mailto:ayo...@redhat.com] Sent: Wednesday, November 27, 2013 8:44 AM To: Tiwari, A

Re: [openstack-dev] [keystone] Service scoped role definition

2013-12-03 Thread Tiwari, Arvind
Hi David, I have added my comments underneath line # 97 till line #110, it is mostly aligned with your proposal with some modification. https://etherpad.openstack.org/p/service-scoped-role-definition Thanks for your time, Arvind -Original Message- From: Tiwari, Arvind Sent

Re: [openstack-dev] [keystone] Service scoped role definition

2013-12-04 Thread Tiwari, Arvind
from resource on which the assignment is created. This also open doors to have service and/or endpoint scoped token as I mentioned in https://etherpad.openstack.org/p/1Uiwcbfpxq. David, I have updated https://etherpad.openstack.org/p/service-scoped-role-definition line #118 explaining the rationale behind the

Re: [openstack-dev] [keystone] Service scoped role definition

2013-12-04 Thread Tiwari, Arvind
://blueprints.launchpad.net/keystone/+spec/service-scoped-tokens BP. Thanks, Arvind -Original Message- From: David Chadwick [mailto:d.w.chadw...@kent.ac.uk] Sent: Wednesday, December 04, 2013 2:16 AM To: Tiwari, Arvind; OpenStack Development Mailing List (not for usage questions); Adam

Re: [openstack-dev] [keystone] Service scoped role definition

2013-12-04 Thread Tiwari, Arvind
] Sent: Wednesday, December 04, 2013 10:41 AM To: Adam Young; Tiwari, Arvind; OpenStack Development Mailing List (not for usage questions) Cc: Henry Nash; dolph.math...@gmail.com Subject: Re: [openstack-dev] [keystone] Service scoped role definition Hi Adam I understand your problem: having

Re: [openstack-dev] [keystone] Service scoped role definition

2013-12-04 Thread Tiwari, Arvind
rds, Arvind -Original Message- From: David Chadwick [mailto:d.w.chadw...@kent.ac.uk] Sent: Wednesday, December 04, 2013 11:42 AM To: Tiwari, Arvind; Adam Young Cc: OpenStack Development Mailing List (not for usage questions) Subject: Re: [openstack-dev] [keystone] Service scoped rol

Re: [openstack-dev] [keystone] Service scoped role definition

2013-12-05 Thread Tiwari, Arvind
Hi David, Let me capture these details in ether pad. I will drop an email after adding these details in etherpad. Thanks, Arvind -Original Message- From: David Chadwick [mailto:d.w.chadw...@kent.ac.uk] Sent: Thursday, December 05, 2013 4:15 AM To: Tiwari, Arvind; Adam Young; OpenStack

Re: [openstack-dev] [keystone] Service scoped role definition

2013-12-05 Thread Tiwari, Arvind
are right now and open questions along with my thoughts. Please take a look and share your comments/suggestion. Regards, Arvind -Original Message- From: David Chadwick [mailto:d.w.chadw...@kent.ac.uk] Sent: Thursday, December 05, 2013 5:45 AM To: Tiwari, Arvind; Adam Young Cc: OpenStack

Re: [openstack-dev] [keystone] Service scoped role definition

2013-12-09 Thread Tiwari, Arvind
Thanks David, Let me update the etherpad with this proposal. Arvind -Original Message- From: David Chadwick [mailto:d.w.chadw...@kent.ac.uk] Sent: Friday, December 06, 2013 2:44 AM To: Tiwari, Arvind; Adam Young; OpenStack Development Mailing List (not for usage questions) Cc: Henry

Re: [openstack-dev] [keystone] Service scoped role definition

2013-12-09 Thread Tiwari, Arvind
in etc.", "endpoint":"---endpoint---" } "domain_id" = "--id--",(optional) "project_id" = "--id--"(optional) } } Fields name, scope.id, domain_id and project_id makes the composite key. -Original Mess

Re: [openstack-dev] [keystone] Service scoped role definition

2013-12-09 Thread Tiwari, Arvind
" = "--id--" (optional) } } Q. what if two (or more) endpoints want to have same role_name for a service (nova.east.admin, nova.west.admin, nova.north.admin .)? Regards, Arvind -Original Message- From: David Chadwick [mailto:d.w.chadw...@kent.ac.uk] Sent: Monday,

Re: [openstack-dev] [keystone] Service scoped role definition

2013-12-10 Thread Tiwari, Arvind
service_id or (any other attribute) for role name uniqueness. So in particular deployment want to keep just the role name unique, this model will not restrict you. Thoughts? Thanks, Arvind -Original Message- From: David Chadwick [mailto:d.w.chadw...@kent.ac.uk] Sent: Tuesday, December 10

Re: [openstack-dev] [keystone] Service scoped role definition

2013-12-10 Thread Tiwari, Arvind
otherwise we are locked. I am asking for endpoint_id extension in role data model to support endpoint scoped tokens which you mentioned in IRC around a week back. 1. https://blueprints.launchpad.net/keystone/+spec/service-scoped-role-definition 2. https://blueprints.launchpad.net/keysto

Re: [openstack-dev] [keystone] Service scoped role definition

2013-12-10 Thread Tiwari, Arvind
My Comments in line. Arvind -Original Message- From: Adam Young [mailto:ayo...@redhat.com] Sent: Tuesday, December 10, 2013 2:54 PM To: David Chadwick; Tiwari, Arvind; OpenStack Development Mailing List (not for usage questions) Cc: Henry Nash; dolph.math...@gmail.com; Yee, Guang

[openstack-dev] API spec for OS-NS-ROLES extension

2013-12-18 Thread Tiwari, Arvind
Hi Adam, I would like to request you to revisit the below link and provide your opinion, so that we can move forward and try to find a common ground where everyone. https://review.openstack.org/#/c/61897 Below is my justification for service_id in role model: In a public cloud deployment model

Re: [openstack-dev] Domain ID in Policy_dict

2014-01-16 Thread Tiwari, Arvind
cal.com [mailto:boun...@canonical.com] On Behalf Of Telles Mota Vidal Nóbrega Sent: Thursday, January 16, 2014 6:30 AM To: Tiwari, Arvind Subject: Domain ID in Policy_dict Hi, I'm working on some new features for openstack and this merge that you submitted https://review.openstack.org/#/c/50488/ do

Re: [openstack-dev] [keystone][nova] Re: Hierarchicical Multitenancy Discussion

2014-02-04 Thread Tiwari, Arvind
Hi Vish, I am sorry as I am proposing just a solution approach below but no code so far. ### Problem and Requirement ### As per the problem description it seems to me that "Martha, the owner of ProductionIT" is not a cloud provider (correct me if wrong) and she uses someone else cloud infrastr

Re: [openstack-dev] [keystone][nova] Re: Hierarchicical Multitenancy Discussion

2014-02-05 Thread Tiwari, Arvind
Hi Chris, Looking at your requirements, seems my solution (see attached email) is pretty much aligned. What I am trying to propose is 1. One root domain as owner of "virtual cloud". Logically linked to "n" leaf domains. 2. All leaf domains falls under admin boundary of "virtual cloud" owner. 3

Re: [openstack-dev] VPC Proposal

2014-02-14 Thread Tiwari, Arvind
Hi JC, I have proposed BP to address VPC using domain hierarchy and hierarchical administrative boundary. https://blueprints.launchpad.net/keystone/+spec/hierarchical-administrative-boundary Thanks, Arvind -Original Message- From: Martin, JC [mailto:jch.mar...@gmail.com] Sent: Friday,

Re: [openstack-dev] [Nova] Including Domains in Nova

2014-02-19 Thread Tiwari, Arvind
Hi Henrique, I agree with your thoughts and in my opinion every OpenStack service has to be Domain aware. Specially it will be more helpful in large scale OpenStack deployments where IAM resources are scoped to a domain but other services (e.g. Nova) are just not aware of domains. Thanks, Arvi

Re: [openstack-dev] [barbican] Atlanta Summit Etherpads for Review

2014-05-05 Thread Tiwari, Arvind
Hi Chad, We are working on following topics and expecting some time to discuss in the summit. Can we accommodate them in the summit? https://blueprints.launchpad.net/barbican/+spec/secret-isolation-at-user-level (We are working on POC + API change proposal) https://blueprints.launchpad.net/barb

Re: [openstack-dev] [barbican] Atlanta Summit Etherpads for Review

2014-05-05 Thread Tiwari, Arvind
Chad, Please let me know if you want me to start etherpads for them? Regards, Arvind From: Tiwari, Arvind Sent: Monday, May 05, 2014 10:22 AM To: openstack-dev@lists.openstack.org Subject: RE: [openstack-dev] [barbican] Atlanta Summit Etherpads for Review Hi Chad, We are working on following

[openstack-dev] Hierarchical administrative boundary [keystone]

2014-05-08 Thread Tiwari, Arvind
Hi All, Below is my proposal to address VPC use case using hierarchical administrative boundary. This topic is scheduled in Hierarchical Multitenancy session of Atlanta design summit. https://wiki.openstack.

Re: [openstack-dev] Hierarchical administrative boundary [keystone]

2014-05-09 Thread Tiwari, Arvind
v@lists.openstack.org> Subject: Re: [openstack-dev] Hierarchical administrative boundary [keystone] On 05/08/2014 07:55 PM, Tiwari, Arvind wrote: Hi All, Below is my proposal to address VPC use case using hierarchical administrative boundary. This topic is scheduled in Hierarc

[openstack-dev] [keystone] [barbican] Protecting user specific secrets in Barbican

2014-05-15 Thread Tiwari, Arvind
Barbican will be used as secret store (or Key Manager) in Open Stack deployments. That means users can store any kind of secrets (ssh keys, access keys, password .) in Barbican these secrets are not shared secrets. In below scenario it seems secrets are not well protected in Barbican 1.

Re: [openstack-dev] [Neutron][LBaaS] Barbican Neutron LBaaS Integration Ideas

2014-06-09 Thread Tiwari, Arvind
As per current implementation, containers are immutable. Do we have any use case to make it mutable? Can we live with new container instead of updating an existing container? Arvind -Original Message- From: Samuel Bercovici [mailto:samu...@radware.com] Sent: Monday, June 09, 2014 1:31

Re: [openstack-dev] Message level security plans. [barbican]

2014-06-12 Thread Tiwari, Arvind
Some thoughts out of the context of this email thread. As per my understanding of Kite, it is a subset of Barbican or there might be minor gaps. If that is the true statement then what is the point of having a services with duplicate feature set? Why not port all the Kite feature to Barbican an

Re: [openstack-dev] Message level security plans. [barbican]

2014-06-12 Thread Tiwari, Arvind
/12/2014 03:16 PM, Tiwari, Arvind wrote: > Some thoughts out of the context of this email thread. > > As per my understanding of Kite, it is a subset of Barbican or there might be > minor gaps. If that is the true statement then what is the point of having a > services with duplic

Re: [openstack-dev] [all] [tc] Multi-clouds integration by OpenStack cascading

2014-10-01 Thread Tiwari, Arvind
Hi Chaoyi, Thanks for sharing these information. Sometime back I have started a project called “Alliance” which trying to address the same concerns (see the link below). Alliance service is designed to provide "Inter-Cloud Resource Federation" which will enable resource sharing across cloud in

Re: [openstack-dev] [all] [tc] Multi-clouds integration by OpenStack cascading

2014-10-02 Thread Tiwari, Arvind
for deep diving. PoC team will stay at Paris from Oct.29 to Nov.8. Best Regards Chaoyi Huang ( joehuang ) ________ From: Tiwari, Arvind [arvind.tiw...@hp.com] Sent: 02 October 2014 0:42 To: OpenStack Development Mailing List (not for usage questions) Subject: Re:

[openstack-dev] Inter Cloud Resource Federation (Alliance)

2014-07-01 Thread Tiwari, Arvind
All, I am working on a new service to address the problems of "Inter Cloud Resource Federation" use cases (e.g. multi region, cloud bursting, resource sharing across clouds, etc . ). The new service will integrate multiple OpenStack cloud to work in alliance to provide resource federation

[openstack-dev] Inter cloud resource federation [Alliance]

2014-07-09 Thread Tiwari, Arvind
Hi All, I am investigating on inter cloud resource federation across OS based cloud deployments, this is needed to support multi regions, cloud bursting, VPC and more use cases. I came up with a design (link below) which advocate a new service (a.k.a. Alliance), this service sits close to Keyst

Re: [openstack-dev] Inter cloud resource federation [Alliance]

2014-07-10 Thread Tiwari, Arvind
://review.openstack.org/#/c/100023/<https://blueprints.launchpad.net/keystone/+spec/keystone-to-keystone-federation> The federation will be migrated to this new service? Regards, 2014-07-09 14:33 GMT-03:00 Tiwari, Arvind mailto:arvind.tiw...@hp.com>>: Hi All, I am investigating on inter cl

Re: [openstack-dev] Inter cloud resource federation [Alliance]

2014-07-10 Thread Tiwari, Arvind
Matt Riedemann [mailto:mrie...@linux.vnet.ibm.com] Sent: Wednesday, July 09, 2014 2:30 PM To: openstack-dev@lists.openstack.org Subject: Re: [openstack-dev] Inter cloud resource federation [Alliance] On 7/9/2014 12:33 PM, Tiwari, Arvind wrote: > Hi All, > > I am investigating on inter

[openstack-dev] [barbican] Need opinion on bug 1347101

2014-07-22 Thread Tiwari, Arvind
I have logged below bug to enforce 'content-type' check before RBAC enforcement on POST requests, but seems we have difference in opinion. https://bugs.launchpad.net/barbican/+bug/1347101 Please look at the above bug and share your thoughts. "IMO" - "content-type" enforcement is concern of REST

[openstack-dev] [keystone] Service scoped role definition

2013-11-18 Thread Tiwari, Arvind
Hi, Based on our discussion in design summit , I have redone the service_id binding with roles BP. I have added a new BP (link below) along with detailed use case to support this BP. https://blueprints.laun

Re: [openstack-dev] [keystone] Inherited domain roles: Options for Havana and beyond

2013-06-17 Thread Tiwari, Arvind
Thanks Henry for putting it all together. In my opinion we should go with option "a" (role-assignment as a first class citizen) which seems correct to me, looking in to time constraint, option 'b' is OK as an EXTENSION but SHOULD NOT BE implemented as part of core API. Thoughts??? Arvind ---

Re: [openstack-dev] [keystone] Inherited domain roles

2013-06-19 Thread Tiwari, Arvind
I think we need to revisit the problem in the Henry's BP, as per the BP "cloud provider would like to ensure that they maintain some specific admin roles across all their customers' projects" and as per David's scenario that is exactly what mentioned in BP's scope. So AFA cloud admin front is co

[openstack-dev] New BP - ServiceId binding with role definition

2013-06-19 Thread Tiwari, Arvind
All, I have added a new BP, which advocates service id binding with role definition https://blueprints.launchpad.net/keystone/+spec/serviceid-binding-with-role-definition Please look at it and share your comments. Arvind ___ OpenStack-dev mailing li

Re: [openstack-dev] New BP - ServiceId binding with role definition

2013-06-24 Thread Tiwari, Arvind
All, Added etherpad link, please share your comments or suggestion https://etherpad.openstack.org/serviceid-binding-with-role-definition Arvind From: Tiwari, Arvind Sent: Wednesday, June 19, 2013 4:42 PM To: OpenStack Development Mailing List Subject: New BP - ServiceId binding with role

Re: [openstack-dev] New BP - ServiceId binding with role definition

2013-06-27 Thread Tiwari, Arvind
All, I have added my comments to the questions raised in below etherpad, please take a look and share your feedback. Arvind From: Tiwari, Arvind Sent: Monday, June 24, 2013 4:19 PM To: 'OpenStack Development Mailing List' Subject: RE: New BP - ServiceId binding with role defin

Re: [openstack-dev] Move keypair management out of Nova and into Keystone?

2013-07-02 Thread Tiwari, Arvind
Hi Simo, I am lost. Does Barbican is product came out of https://wiki.openstack.org/wiki/KeyManager BP? If yes, then why it is deviating from the BP which says Key Manager will be separate service but not a part of Keystone. If no, then why we are thinking about new Key manager (which seems

[openstack-dev] [barbican]

2013-07-22 Thread Tiwari, Arvind
Hi All, I am following Barbican project and I have some question around it, I would appreciate if someone can answer them or point me to the correct resource 1. What is the state of the project, is it in the state where it can be utilized in production deployments? 2. Does Barbi

Re: [openstack-dev] [barbican]

2013-07-23 Thread Tiwari, Arvind
be happy to help do the work to integrate it into Barbican. We just released our M2 milestone and we are on track for our 1.0 release for Havana. I would encourage anyone interested to check out what we are working on and come help us out. We use this list for most of our discussions and we h

Re: [openstack-dev] [keystone] Extending policy checking to include target entities

2013-07-23 Thread Tiwari, Arvind
Hi Henry, Do you have etherpad to capture these stuff? Arvind -Original Message- From: Henry Nash [mailto:hen...@linux.vnet.ibm.com] Sent: Tuesday, July 23, 2013 4:48 PM To: David Chadwick Cc: OpenStack Development Mailing List Subject: Re: [openstack-dev] [keystone] Extending policy

Re: [openstack-dev] [keystone] Extending policy checking to include target entities

2013-07-24 Thread Tiwari, Arvind
I have added my proposal @ https://etherpad.openstack.org/api_policy_on_target. Thanks, Arvind -Original Message- From: Henry Nash [mailto:hen...@linux.vnet.ibm.com] Sent: Wednesday, July 24, 2013 8:46 AM To: OpenStack Development Mailing List Subject: Re: [openstack-dev] [keystone] Exte

[openstack-dev] [keystone] Does authorization not needed on “/auth/tokens” API??

2013-07-25 Thread Tiwari, Arvind
pment Mailing List Cc: Tiwari, Arvind Subject: Re: [openstack-dev] [keystone] Extending policy checking to include target entities I have responded to your post, as I don't think it solves the identified problem regards David On 24/07/2013 23:26, Tiwari, Arvind wrote: > I have added my

Re: [openstack-dev] [keystone] Does authorization not needed on “/auth/tokens” API??

2013-07-25 Thread Tiwari, Arvind
Thanks David for your comments. I will try to fix it as per my suggestion in bug. Arvind -Original Message- From: David Chadwick [mailto:d.w.chadw...@kent.ac.uk] Sent: Thursday, July 25, 2013 10:27 AM To: Tiwari, Arvind Cc: OpenStack Development Mailing List Subject: Re: [openstack