[openstack-dev] Keystone OS-EP-FILTER descrepancy

Miller, Mark M (EB SW Cloud - R&D - Corvallis) mark.m.miller at hp.com
Tue Oct 8 23:07:08 UTC 2013


Sorry to send this out again, but I wrote too soon. I was missing one driver entry in keystone.conf. Here are my working settings:

File keystone.conf:

[catalog]
# dynamic, sql-based backend (supports API/CLI-based management commands)
#driver = keystone.catalog.backends.sql.Catalog
driver = keystone.contrib.endpoint_filter.backends.catalog_sql.EndpointFilterCatalog

# static, file-based backend (does *NOT* support any management commands)
# driver = keystone.catalog.backends.templated.TemplatedCatalog

template_file = default_catalog.templates

[endpoint_filter]
# extension for creating associations between project and endpoints in order to
# provide a tailored catalog for project-scoped token requests.
driver = keystone.contrib.endpoint_filter.backends.sql.EndpointFilter
return_all_endpoints_if_no_filter = False


File keystone-paste.ini:

[filter:endpoint_filter_extension]
paste.filter_factory = keystone.contrib.endpoint_filter.routers:EndpointFilterExtension.factory

and

[pipeline:api_v3]
pipeline = access_log sizelimit url_normalize token_auth admin_token_auth xml_body json_body ec2_extension s3_extension oauth1_extension endpoint_filter_extension service_v3



Updated Installation instructions:

To enable the endpoint filter extension:

1. Add the new filter driver to the catalog section of "keystone.conf".

Example:
[catalog]
driver = keystone.contrib.endpoint_filter.backends.catalog_sql.EndpointFilterCatalog

2. Add the new [endpoint_filter] section to ``keystone.conf``.

Example:

[endpoint_filter]
# extension for creating associations between project and endpoints in order to
# provide a tailored catalog for project-scoped token requests.
driver = keystone.contrib.endpoint_filter.backends.sql.EndpointFilter
# return_all_endpoints_if_no_filter = True

optional: uncomment and set ``return_all_endpoints_if_no_filter`` 

3. Add the ``endpoint_filter_extension`` filter to the ``api_v3`` pipeline in ``keystone-paste.ini``.

Example:

[filter:endpoint_filter_extension]
paste.filter_factory = keystone.contrib.endpoint_filter.routers:EndpointFilterExtension.factory

[pipeline:api_v3]
pipeline = access_log sizelimit url_normalize token_auth admin_token_auth xml_body json_body ec2_extension s3_extension endpoint_filter_extension service_v3

4. Create the endpoint filter extension tables if using the provided sql
backend.

Example::
    ./bin/keystone-manage db_sync --extension endpoint_filter

5. Once you have done the changes, restart the keystone-server to apply the
changes.

> -----Original Message-----
> From: Miller, Mark M (EB SW Cloud - R&D - Corvallis)
> Sent: Tuesday, October 08, 2013 1:51 PM
> To: OpenStack Development Mailing List
> Subject: Re: [openstack-dev] Keystone OS-EP-FILTER descrepancy
> 
> Slightly adjusted instructions after testing:
> 
> To enable the endpoint filter extension:
> 
> 1. Add the new [endpoint_filter] section to ``keystone.conf``.
> example:
> 
> [endpoint_filter]
> # extension for creating associations between project and endpoints in order to
> # provide a tailored catalog for project-scoped token requests.
> driver = keystone.contrib.endpoint_filter.backends.sql.EndpointFilter
> # return_all_endpoints_if_no_filter = True
> 
> optional: change ``return_all_endpoints_if_no_filter`` in the
> ``[endpoint_filter]`` section
> 
> 2. Add the ``endpoint_filter_extension`` filter to the ``api_v3`` pipeline in
> ``keystone-paste.ini``.
> example:
> 
> [filter:endpoint_filter_extension]
> paste.filter_factory = keystone.contrib.endpoint_filter.routers:EndpointFilterExtension.factory
> 
> [pipeline:api_v3]
> pipeline = access_log sizelimit url_normalize token_auth admin_token_auth xml_body json_body ec2_extension s3_extension endpoint_filter_extension service_v3
> 
> 3. Create the endpoint filter extension tables if using the provided sql
> backend. example::
>     ./bin/keystone-manage db_sync --extension endpoint_filter
> 
> 4.  Once you have done the changes restart the keystone-server to apply the
> changes.
> 
> > -----Original Message-----
> > From: Miller, Mark M (EB SW Cloud - R&D - Corvallis)
> > Sent: Tuesday, October 08, 2013 1:30 PM
> > To: OpenStack Development Mailing List
> > Subject: Re: [openstack-dev] Keystone OS-EP-FILTER descrepancy
> >
> > Here is the response from Fabio:
> >
> > Mark,
> >   Please have a look at the configuration.rst in the
> > contrib/endpoint-filter folder.
> > I pasted here for your convenience:
> >
> > ==================================
> > Enabling Endpoint Filter Extension
> > ==================================
> >
> > To enable the endpoint filter extension:
> >
> > 1. add the endpoint filter extension catalog driver to the ``[catalog]`` section
> >    in ``keystone.conf``. example::
> >
> >     [catalog]
> >     driver = keystone.contrib.endpoint_filter.backends.catalog_sql.EndpointFilterCatalog
> >
> > 2. add the ``endpoint_filter_extension`` filter to the ``api_v3`` pipeline in
> >    ``keystone-paste.ini``. example::
> >
> >     [pipeline:api_v3]
> >     pipeline = access_log sizelimit url_normalize token_auth admin_token_auth xml_body json_body ec2_extension s3_extension endpoint_filter_extension service_v3
> >
> > 3. create the endpoint filter extension tables if using the provided sql
> >    backend. example::
> >
> >     ./bin/keystone-manage db_sync --extension endpoint_filter
> >
> > 4. optional: change ``return_all_endpoints_if_no_filter`` in the
> >    ``[endpoint_filter]`` section in ``keystone.conf`` to return an empty
> >    catalog if no associations are made. example::
> >
> >     [endpoint_filter]
> >     return_all_endpoints_if_no_filter = False
> >
> >
> > Steps 1-3 are mandatory. Once you have done the changes restart the
> > keystone-server to apply the changes.
> >
> > The /v3/auth/tokens?nocatalog is to remove the catalog from the token
> > creation.
> > It is different from the filtering because it won't return any
> > endpoint in the service catalog. The endpoint filter will return only
> > the ones that you have associated with a particular project.
> > Please bear in mind that this works only with scoped token (meaning
> > where you pass a project id).
> >
> >
> >
> >
> >
> >
> > > -----Original Message-----
> > > From: Miller, Mark M (EB SW Cloud - R&D - Corvallis)
> > > Sent: Tuesday, October 08, 2013 1:21 PM
> > > To: OpenStack Development Mailing List
> > > Subject: [openstack-dev] Keystone OS-EP-FILTER descrepancy
> > >
> > > Hello,
> > >
> > > I am attempting to test the Havana v3  OS-EP-FILTER extension with
> > > the latest RC1 bits and I get a 404 error response.
> > >
> > > The documentation actually shows 2 different URIs for this API:
> > >
> > > 	- GET /OS-EP-FILTER/projects/{project_id}/endpoints and
> > > http://identity:35357/v3/OS-FILTER/projects/{project_id}/endpoints
> > >
> > > I have tried both "OS-EP-FILTER" and "OS-FILTER" with the same result.
> > > Does anyone have information as to what I am missing?
> > >
> > > Regards,
> > >
> > > Mark Miller
> > >
> > > -------------
> > >
> > > From the online documentation:
> > >
> > > > List Associations for Project: GET /OS-EP-FILTER/projects/{project_id}/endpoints
> > > >
> > > > Returns all the endpoints that are currently associated with a specific project.
> > >
> > > Response:
> > > Status: 200 OK
> > > {
> > >     "endpoints":
> > >     [
> > >         {
> > >             "id": "--endpoint-id--",
> > >             "interface": "public",
> > >             "url": "http://identity:35357/",
> > >             "region": "north",
> > >             "links": {
> > >                 "self": "http://identity:35357/v3/endpoints/--endpoint-id--"
> > >             },
> > >             "service_id": "--service-id--"
> > >         },
> > >         {
> > >             "id": "--endpoint-id--",
> > >             "interface": "internal",
> > >             "region": "south",
> > >             "url": "http://identity:35357/",
> > >             "links": {
> > >                 "self": "http://identity:35357/v3/endpoints/--endpoint-id--"
> > >             },
> > >             "service_id": "--service-id--"
> > >         }
> > >     ],
> > >     "links": {
> > >         "self": "http://identity:35357/v3/OS-
> > > FILTER/projects/{project_id}/endpoints",
> > >         "previous": null,
> > >         "next": null
> > >     }
> > > }
> > >
> > >
> > > _______________________________________________
> > > OpenStack-dev mailing list
> > > OpenStack-dev at lists.openstack.org
> > > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

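An added example, not part of the original thread or of Keystone's own code: a Python check that the two files carry every setting from the working configuration at the top of this message, including the ``[catalog]`` driver that the earlier instructions lacked. The function and constant names are hypothetical, the sample inputs are constructed from the post, and treating an unset ``return_all_endpoints_if_no_filter`` as True is an assumption.

```python
import configparser

CATALOG_DRIVER = "keystone.contrib.endpoint_filter.backends.catalog_sql.EndpointFilterCatalog"
FILTER_DRIVER = "keystone.contrib.endpoint_filter.backends.sql.EndpointFilter"
FACTORY = "keystone.contrib.endpoint_filter.routers:EndpointFilterExtension.factory"
EXT = "endpoint_filter_extension"

# Constructed inputs: the working settings quoted at the top of the post.
WORKING_CONF = f"""[catalog]
driver = {CATALOG_DRIVER}
[endpoint_filter]
driver = {FILTER_DRIVER}
return_all_endpoints_if_no_filter = False
"""
WORKING_PASTE = f"""[filter:{EXT}]
paste.filter_factory = {FACTORY}
[pipeline:api_v3]
pipeline = access_log sizelimit url_normalize token_auth admin_token_auth
    xml_body json_body ec2_extension s3_extension oauth1_extension {EXT} service_v3
"""


def _parse(text):
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(text)
    return parser


def check_endpoint_filter(keystone_conf, paste_ini):
    """Return a list of problems; empty means every setting from the post is present."""
    conf, paste = _parse(keystone_conf), _parse(paste_ini)
    problems = []
    if conf.get("catalog", "driver", fallback=None) != CATALOG_DRIVER:
        problems.append("[catalog] driver is not EndpointFilterCatalog")
    if conf.get("endpoint_filter", "driver", fallback=None) != FILTER_DRIVER:
        problems.append("[endpoint_filter] driver is not the sql EndpointFilter")
    # Assumption: an unset option behaves like the commented-out "= True" in the post.
    if conf.getboolean("endpoint_filter", "return_all_endpoints_if_no_filter", fallback=True):
        problems.append("projects with no associations get the full catalog")
    if paste.get(f"filter:{EXT}", "paste.filter_factory", fallback=None) != FACTORY:
        problems.append(f"[filter:{EXT}] factory is missing or wrong")
    pipeline = paste.get("pipeline:api_v3", "pipeline", fallback="").split()
    if EXT not in pipeline:
        problems.append(f"{EXT} is not in the api_v3 pipeline")
    elif "service_v3" in pipeline and pipeline.index(EXT) > pipeline.index("service_v3"):
        problems.append(f"{EXT} comes after service_v3")
    return problems


if __name__ == "__main__":
    for problem in check_endpoint_filter(WORKING_CONF, WORKING_PASTE):
        print("FAIL:", problem)
```

The third check is advisory: the setting is optional, but leaving it at True means a project with no endpoint associations still receives the unfiltered catalog.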