openstack team mailing list archive

Re: Keystone v3 adoption

 

On Thu, Mar 7, 2013 at 2:38 PM, Miller, Mark M (EB SW Cloud - R&D -
Corvallis) <mark.m.miller@xxxxxx> wrote:

> Hello,
>
> I am sorry but I am still a tad bit confused with this email thread.
>
> As of the Grizzly-3 release:
>
> 1. Do Grizzly-3 OpenStack services like Nova accept and
> validate Keystone V3 tokens (both UUID and PKI)?
>
It's not their responsibility; it's the responsibility of
keystoneclient.middleware.auth_token which supports both UUID w/ online
validation and PKI w/ offline validation.

> 2. Do Grizzly-3 OpenStack services use the Keystone v2.0 APIs
> or do they use the Keystone v3 APIs?
>
Horizon is the only core project that uses keystone's non-auth related
APIs and will not be updated to consume v3 specific features as of Grizzly
(AFAIK-- someone correct me if I'm wrong).

> 3. Do the OpenStack services rely upon the keystoneclient? I
> thought the keystoneclient was a command line interface?
>
Indirectly, yes. keystoneclient.middleware.auth_token is deployed in the
pipelines of those services to handle auth. keystoneclient currently
provides command line exposure of v2.0 but we're looking forward to
deprecating these features in favor of a common 'openstack' CLI client. So,
creating a v2.0 tenant today looks like:

  $ keystone tenant-create ...

But given that we're adopting openstackclient and renaming 'tenants' to
'projects', an equivalent command will look like:

  $ openstack project-create ...

> For the Grizzly final release:
>
> 1. Will the Grizzly OpenStack services like Nova accept and
> validate Keystone V3 tokens (both UUID and PKI)?
>
There are not essex/folsom/grizzly releases of clients; we're aiming to do
a release of keystoneclient (perhaps v0.3.0) around the time of Grizzly.

> 2. Will Grizzly OpenStack services use the Keystone v3 APIs?
>
See question 2 above; the answer is not changing between milestone 3 and
final release.

> 3. Will Grizzly OpenStack services use/implement new v3
> features like “domains” and “groups”?
>
keystoneclient.middleware.auth_token will be providing domain information
to consuming services via the X-Domain-Id / X-Domain-Name headers as it
does for user, project and role data, although no services will be
utilizing that additional data as of Grizzly. Role grants made to v3 groups
will be consumed by all services regardless of whether they're calling the
v2 or v3 API.

> 4. How will the v3 keystoneclient and the v3 openstackclient be
> used other than as command line interfaces?
>
I'm not sure I understand the question; python-keystoneclient's primary
responsibility moving forward will be as a python API, and
python-openstackclient's primary responsibility will be as a CLI
implementation (which happens to consume and expose features from
python-keystoneclient, python-novaclient, python-glanceclient, etc).

> Regards,
>
> Mark Miller
>
> *From:* openstack-bounces+mark.m.miller=hp.com@xxxxxxxxxxxxxxxxxxx [mailto:openstack-bounces+mark.m.miller=hp.com@xxxxxxxxxxxxxxxxxxx] *On Behalf Of* Dolph Mathews
> *Sent:* Thursday, March 07, 2013 9:56 AM
> *To:* Aguiar, Glaucimar (Brazil R&D-ECL); openstack
> *Subject:* Re: [Openstack] Keystone v3 adoption
>
> Yes, exactly. Until keystoneclient.middleware.auth_token is revised, v3
> tokens will basically only be useful against keystone.
>
> -Dolph
>
> On Thu, Mar 7, 2013 at 11:52 AM, Aguiar, Glaucimar (Brazil R&D-ECL) <
> glaucimar.aguiar@xxxxxx> wrote:
>
> Hi Dolph,
>
> Thank you very much for your answer. I really appreciate it.
>
> Are you saying then, that if I configure nova (for example) to use v3
> middleware, I should be able to call nova with a v3 token and this token
> will get validated?
>
> Glaucimar Aguiar
>
> *From:* Dolph Mathews [mailto:dolph.mathews@xxxxxxxxx]
> *Sent:* Thursday, March 7, 2013 11:04
> *To:* Aguiar, Glaucimar (Brazil R&D-ECL)
> *Cc:* openstack@xxxxxxxxxxxxxxxxxxx
> *Subject:* Re: [Openstack] Keystone v3 adoption
>
> The v3 API is largely abstracted from other services (horizon being a
> major exception) using keystoneclient.middleware.auth_token, which is being
> revised here [1] and here [2].
>
> Because the clients do not necessarily follow the same release schedule as
> the services, we've obviously been focused on the API and its server-side
> implementation. I expect we'll do a v3-compliant release of keystoneclient
> around the time of grizzly's release. openstackclient (providing CLI
> exposure) is in the works as well [3].
>
> [1]: https://review.openstack.org/#/c/23401/
> [2]: https://review.openstack.org/#/c/21942/
> [3]: https://review.openstack.org/#/q/project:openstack/python-openstackclient+status:open,n,z
>
> -Dolph
>
> On Thu, Mar 7, 2013 at 5:30 AM, Aguiar, Glaucimar (Brazil R&D-ECL) <
> glaucimar.aguiar@xxxxxx> wrote:
>
> Hello,
>
> I would like to know the plans for nova, glance, etc to adopt keystone v3
> API. Is there an expectation that this happens in Havana timeframe?
>
> I am asking as it seems the Domains feature is not useful until
> services are capable of validating a v3 token and move to keystone v3 API.
>
> Thanks in advance,
>
> Glaucimar Aguiar
>
>
>
> _______________________________________________
> Mailing list: https://launchpad.net/~openstack
> Post to     : openstack@xxxxxxxxxxxxxxxxxxx
> Unsubscribe : https://launchpad.net/~openstack
> More help   : https://help.launchpad.net/ListHelp
>
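
The header hand-off described in the reply above (an auth middleware in the service's pipeline validates the token and passes user, project, role and domain data on to the service as headers such as X-Domain-Id / X-Domain-Name), as an added example that is not part of the original thread and is not keystoneclient code. `ToyAuthToken`, `service_app`, `call` and the token table are hypothetical stand-ins; the middleware also drops identity headers supplied by the client so the service only ever sees validated values.

```python
# Toy stand-in for an auth middleware in a WSGI pipeline (not keystoneclient code).
IDENTITY_KEYS = ("HTTP_X_IDENTITY_STATUS", "HTTP_X_USER_ID", "HTTP_X_PROJECT_ID",
                 "HTTP_X_DOMAIN_ID", "HTTP_X_DOMAIN_NAME", "HTTP_X_ROLES")

# Constructed token table; a real deployment would validate against keystone.
TOKENS = {"tok-alice": {"USER_ID": "u1", "PROJECT_ID": "p1", "DOMAIN_ID": "d1",
                        "DOMAIN_NAME": "Engineering", "ROLES": "member"}}


class ToyAuthToken:
    def __init__(self, app, tokens=TOKENS):
        self.app, self.tokens = app, tokens

    def __call__(self, environ, start_response):
        # Drop identity headers sent by the client so they cannot be spoofed.
        for key in IDENTITY_KEYS:
            environ.pop(key, None)
        info = self.tokens.get(environ.get("HTTP_X_AUTH_TOKEN", ""))
        if info is None:
            start_response("401 Unauthorized", [("Content-Type", "text/plain")])
            return [b"invalid or missing token\n"]
        # Publish the validated identity, domain included, for the service.
        environ["HTTP_X_IDENTITY_STATUS"] = "Confirmed"
        for name, value in info.items():
            environ["HTTP_X_" + name] = value
        return self.app(environ, start_response)


def service_app(environ, start_response):
    # The consuming service reads only what the middleware set.
    fields = ["%s=%s" % (k[len("HTTP_X_"):].lower(), environ.get(k, ""))
              for k in IDENTITY_KEYS]
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [" ".join(fields).encode()]


def call(app, headers):
    """Drive a WSGI app once with CGI-style header keys; return (status, body)."""
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": "/", **headers}
    seen = {}
    body = b"".join(app(environ, lambda status, hdrs: seen.update(status=status)))
    return seen["status"], body.decode()


pipeline = ToyAuthToken(service_app)
# Constructed request: a valid token plus client-supplied domain and role headers.
print(call(pipeline, {"HTTP_X_AUTH_TOKEN": "tok-alice",
                      "HTTP_X_DOMAIN_ID": "forged", "HTTP_X_ROLES": "admin"}))
```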
