openstack team mailing list archive

Re: [keystone] Keystone on port 5000 - proposing change default port to 8770

 

While I think we could merge the two together and control access with RBAC now, I expect we'll keep separate ports for the use case that Matt Joyce specifically mentions. I've made a blueprint to implement RBAC into keystone, using Keystone (https://blueprints.launchpad.net/keystone/+spec/rbac-keystone-api), but there will still be a need to bootstrap into the system, which may reside only on the admin port.

The V3 draft API doesn't distinguish between public and private, somewhat intentionally, as that's something I expect to wrap behind RBAC for most access. That said, having an admin-functions-only running on a private port and potentially disabled is clearly something that Matt (and others?) want to keep available, so I expect we will.

-joe

On Jun 21, 2012, at 12:36 PM, Gabriel Hurley wrote:
> The port change is fine with me since we're trampling on an already-registered port number.
> 
> However, I'd like to ask again about the admin vs. standard ports in the Keystone v3 API. There was no mention of the differentiation between the two or how they would be used. Especially in a post-RBAC/policy.json world, what is an "admin" API call? Does Keystone really need two ports (Matt Joyce suggests it does) or could they be one?
> 
>    - Gabriel
> 
>> -----Original Message-----
>> From: openstack-bounces+gabriel.hurley=nebula.com@xxxxxxxxxxxxxxxxxxx [mailto:openstack-bounces+gabriel.hurley=nebula.com@xxxxxxxxxxxxxxxxxxx] On Behalf Of Nguyen, Liem Manh
>> Sent: Thursday, June 21, 2012 10:40 AM
>> To: Joseph Heck; Vaze, Mandar
>> Cc: openstack@xxxxxxxxxxxxxxxxxxx
>> Subject: Re: [Openstack] [keystone] Keystone on port 5000 - proposing
>> change default port to 8770
>> 
>> +1 for an IANA-registered public port.  I wonder why we registered the
>> admin port, but not the public port in the first place.
>> 
>> Liem
>> 
>> -----Original Message-----
>> From: openstack-bounces+liem_m_nguyen=hp.com@xxxxxxxxxxxxxxxxxxx
>> [mailto:openstack-bounces+liem_m_nguyen=hp.com@xxxxxxxxxxxxxxxxxxx]
>> On Behalf Of Joseph Heck
>> Sent: Thursday, June 21, 2012 1:28 AM
>> To: Vaze, Mandar
>> Cc: openstack@xxxxxxxxxxxxxxxxxxx
>> Subject: Re: [Openstack] [keystone] Keystone on port 5000 - proposing
>> change default port to 8770
>> 
>> Honestly the only reason is that I've heard some fairly direct feedback that
>> port 5000 is that MS uPnP port and hence blocked by many corporate
>> entities, so it's just a matter of a PITA and a slight bump in setup for those
>> groups. Thought to honestly register another port with IANA like 35357 and
>> put it in place - wanted to see if anyone screamed first.
>> 
>> -joe
>> 
>> On Jun 20, 2012, at 8:49 PM, Vaze, Mandar wrote:
>>> "public_port" is configurable via keystone.conf - so if port 5000 is blocked in specific setup, it is trivial to change it to some other port.
>>> 
>>> Why make so many changes (REST docs, XML docs, devstack, and the code) for a parameter that can be easily tweaked?
>>> 
>>> -Mandar
>>> 
>>> -----Original Message-----
>>> From: openstack-bounces+mandar.vaze=nttdata.com@xxxxxxxxxxxxxxxxxxx [mailto:openstack-bounces+mandar.vaze=nttdata.com@xxxxxxxxxxxxxxxxxxx] On Behalf Of Joseph Heck
>>> Sent: Thursday, June 21, 2012 4:46 AM
>>> To: openstack@xxxxxxxxxxxxxxxxxxx (openstack@xxxxxxxxxxxxxxxxxxx)
>>> Subject: [Openstack] [keystone] Keystone on port 5000 - proposing change default port to 8770
>>> 
>>> At the risk of a terrible public tar and feathering...
>>> 
>>> I've learned that port 5000 (which Keystone is using for its default public-token-auth stuff) is commonly blocked by many firewalls, as it's been registered as a Microsoft uPnP port.
>>> 
>>> I thought I'd go ahead and propose changing the default to 8770. I picked this number because it's close to the Nova ports in common use (8773, 8774, 8775, and 8776).
>>> 
>>> And yes, I'll submit updates to all REST docs, XML docs, devstack, and the code.
>>> 
>>> So... how many people do I need to worry about murdering me for this next design summit?
>>> 
>>> -joe
>>> 
>>> _______________________________________________
>>> Mailing list: https://launchpad.net/~openstack
>>> Post to     : openstack@xxxxxxxxxxxxxxxxxxx
>>> Unsubscribe : https://launchpad.net/~openstack
>>> More help   : https://help.launchpad.net/ListHelp