[openstack-dev] Keystone OS-EP-FILTER descrepancy

Adam Young ayoung at redhat.com
Wed Oct 9 20:35:08 UTC 2013 

We have imporved the extension enumeration in Keystone.  If you got to 
http://hostname:35357/v3 you should see a listing of the extensions that 
are enabled for that Keystone server


On 10/08/2013 07:07 PM, Miller, Mark M (EB SW Cloud - R&D - Corvallis) 
wrote:
> Sorry to send this out again, but I wrote too soon. I was missing one driver entry in keystone.conf. Here are my working settings:
>
> File keystone.conf:
>
> [catalog]
> # dynamic, sql-based backend (supports API/CLI-based management commands)
> #driver = keystone.catalog.backends.sql.Catalog
> driver = keystone.contrib.endpoint_filter.backends.catalog_sql.EndpointFilterCatalog
>
> # static, file-based backend (does *NOT* support any management commands)
> # driver = keystone.catalog.backends.templated.TemplatedCatalog
>
> template_file = default_catalog.templates
>
> [endpoint_filter]
> # extension for creating associations between project and endpoints in order to
> # provide a tailored catalog for project-scoped token requests.
> driver = keystone.contrib.endpoint_filter.backends.sql.EndpointFilter
> return_all_endpoints_if_no_filter = False
>
>
> File keystone-paste.ini:
>
> [filter:endpoint_filter_extension]
> paste.filter_factory = keystone.contrib.endpoint_filter.routers:EndpointFilterExtension.factory
>
> and
>
> [pipeline:api_v3]
> pipeline = access_log sizelimit url_normalize token_auth admin_token_auth xml_body json_body ec2_extension s3_extension oauth1_extension endpoint_filter_extension service_v3
>
>
>
> Updated Installation instructions:
>
> To enable the endpoint filter extension:
>
> 1. Add the new filter driver to the catalog section to "keystone.conf".
>
> Example:
> [catalog]
> driver = keystone.contrib.endpoint_filter.backends.catalog_sql.EndpointFilterCatalog
>
> 2. Add the new [endpoint_filter] section  to ``keystone.conf``.
>
> Example:
>
>   [endpoint_filter]
> # extension for creating associations between project and endpoints in order
> to # provide a tailored catalog for project-scoped token requests.
> driver = keystone.contrib.endpoint_filter.backends.sql.EndpointFilter
> # return_all_endpoints_if_no_filter = True
>
> optional: uncomment and set ``return_all_endpoints_if_no_filter``
>
> 3. Add the ``endpoint_filter_extension`` filter to the ``api_v3`` pipeline in ``keystone-paste.ini``.
>
> Example:
>
> [filter:endpoint_filter_extension]
> paste.filter_factory = keystone.contrib.endpoint_filter.routers:EndpointFilterExtension.factory
>
> [pipeline:api_v3]
> pipeline = access_log sizelimit url_normalize token_auth admin_token_auth
> xml_body json_body ec2_extension s3_extension endpoint_filter_extension service_v3
>
> 4. Create the endpoint filter extension tables if using the provided sql
> backend.
>
> Example::
>      ./bin/keystone-manage db_sync --extension endpoint_filter
>
> 5.  Once you have done the changes restart the keystone-server to apply the
> changes.
>
>> -----Original Message-----
>> From: Miller, Mark M (EB SW Cloud - R&D - Corvallis)
>> Sent: Tuesday, October 08, 2013 1:51 PM
>> To: OpenStack Development Mailing List
>> Subject: Re: [openstack-dev] Keystone OS-EP-FILTER descrepancy
>>
>> Slightly adjusted instructions after testing:
>>
>> To enable the endpoint filter extension:
>>
>> 1. Add the new [endpoin_ filter] section  ton ``keystone.conf``.
>> example:
>>
>>   [endpoint_filter]
>> # extension for creating associations between project and endpoints in order
>> to # provide a tailored catalog for project-scoped token requests.
>> driver = keystone.contrib.endpoint_filter.backends.sql.EndpointFilter
>> # return_all_endpoints_if_no_filter = True
>>
>> optional: change ``return_all_endpoints_if_no_filter`` the
>> ``[endpoint_filter]`` section
>>
>> 2. Add the ``endpoint_filter_extension`` filter to the ``api_v3`` pipeline in
>> ``keystone-paste.ini``.
>> example:
>>
>> [filter:endpoint_filter_extension]
>> paste.filter_factory =
>> keystone.contrib.endpoint_filter.routers:EndpointFilterExtension.factory
>>
>> [pipeline:api_v3]
>> pipeline = access_log sizelimit url_normalize token_auth admin_token_auth
>> xml_body json_body ec2_extension s3_extension
>> endpoint_filter_extension service_v3
>>
>> 3. Create the endpoint filter extension tables if using the provided sql
>> backend. example::
>>      ./bin/keystone-manage db_sync --extension endpoint_filter
>>
>> 4.  Once you have done the changes restart the keystone-server to apply the
>> changes.
>>
>>> -----Original Message-----
>>> From: Miller, Mark M (EB SW Cloud - R&D - Corvallis)
>>> Sent: Tuesday, October 08, 2013 1:30 PM
>>> To: OpenStack Development Mailing List
>>> Subject: Re: [openstack-dev] Keystone OS-EP-FILTER descrepancy
>>>
>>> Here is the response from Fabio:
>>>
>>> Mark,
>>>    Please have a look at the configuration.rst in the
>>> contrib/endpoint-filter folder.
>>> I pasted here for your convenience:
>>>
>>> ==================================
>>> Enabling Endpoint Filter Extension
>>> ==================================To enable the endpoint filter
>>> extension:
>>> 1. add the endpoint filter extension catalog driver to the ``[catalog]``
>> section
>>>     in ``keystone.conf``. example::
>>>
>>>      [catalog]
>>>      driver =
>>> keystone.contrib.endpoint_filter.backends.catalog_sql.EndpointFilterCa
>>> talog 2. add the ``endpoint_filter_extension`` filter to the
>>> ``api_v3`` pipeline in
>>>     ``keystone-paste.ini``. example::
>>>
>>>      [pipeline:api_v3]
>>>      pipeline = access_log sizelimit url_normalize token_auth
>>> admin_token_auth xml_body json_body ec2_extension s3_extension
>>> endpoint_filter_extension service_v3 3. create the endpoint filter
>>> extension tables if using the provided sql backend. example::
>>>      ./bin/keystone-manage db_sync --extension endpoint_filter 4. optional:
>>> change ``return_all_endpoints_if_no_filter`` the ``[endpoint_filter]``
>> section
>>>     in ``keystone.conf`` to return an empty catalog if no associations are
>> made.
>>> example::
>>>      [endpoint_filter]
>>>      return_all_endpoints_if_no_filter = False
>>>
>>>
>>> Steps 1-3 are mandatory. Once you have done the changes restart the
>>> keystone-server to apply the changes.
>>>
>>> The /v3/auth/tokens?nocatalog is to remove the catalog from the token
>>> creation.
>>> It is different from the filtering because it won't return any
>>> endpoint in the service catalog. The endpoint filter will return only
>>> the ones that you have associated with a particular project.
>>> Please bear in mind that this works only with scoped token (meaning
>>> where you pass a project id).
>>>
>>>
>>>
>>>
>>>
>>>
>>>> -----Original Message-----
>>>> From: Miller, Mark M (EB SW Cloud - R&D - Corvallis)
>>>> Sent: Tuesday, October 08, 2013 1:21 PM
>>>> To: OpenStack Development Mailing List
>>>> Subject: [openstack-dev] Keystone OS-EP-FILTER descrepancy
>>>>
>>>> Hello,
>>>>
>>>> I am attempting to test the Havana v3  OS-EP-FILTER extension with
>>>> the latest RC1 bits and I get a 404 error response.
>>>>
>>>> The documentation actually shows 2 different URIs for this API:
>>>>
>>>> 	- GET /OS-EP-FILTER/projects/{project_id}/endpoints and
>>>> http://identity:35357/v3/OS-FILTER/projects/{project_id}/endpoints
>>>>
>>>> I have tried both "OS-EP-FILTER" and "OS-FILTER" with the same result.
>>>> Does anyone have information as to what I am missing?
>>>>
>>>> Regards,
>>>>
>>>> Mark Miller
>>>>
>>>> -------------
>>>>
>>>>  From the online documentation:
>>>>
>>>> List Associations for Project: GET /OS-EP-
>>>> FILTER/projects/{project_id}/endpoints
>>>>
>>>> Returns all the endpoints that are currently associated with a
>>>> specific
>>> project.
>>>> Response:
>>>> Status: 200 OK
>>>> {
>>>>      "endpoints":
>>>>      [
>>>>          {
>>>>              "id": "--endpoint-id--",
>>>>              "interface": "public",
>>>>              "url": "http://identity:35357/",
>>>>              "region": "north",
>>>>              "links": {
>>>>                  "self": "http://identity:35357/v3/endpoints/--endpoint-id--"
>>>>              },
>>>>              "service_id": "--service-id--"
>>>>          },
>>>>          {
>>>>              "id": "--endpoint-id--",
>>>>              "interface": "internal",
>>>>              "region": "south",
>>>>              "url": "http://identity:35357/",
>>>>              "links": {
>>>>                  "self": "http://identity:35357/v3/endpoints/--endpoint-id--"
>>>>              },
>>>>              "service_id": "--service-id--"
>>>>          }
>>>>      ],
>>>>      "links": {
>>>>          "self": "http://identity:35357/v3/OS-
>>>> FILTER/projects/{project_id}/endpoints",
>>>>          "previous": null,
>>>>          "next": null
>>>>      }
>>>> }
>>>>
>>>>
>>>> _______________________________________________
>>>> OpenStack-dev mailing list
>>>> OpenStack-dev at lists.openstack.org
>>>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>>> _______________________________________________
>>> OpenStack-dev mailing list
>>> OpenStack-dev at lists.openstack.org
>>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>> _______________________________________________
>> OpenStack-dev mailing list
>> OpenStack-dev at lists.openstack.org
>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
> _______________________________________________
> OpenStack-dev mailing list
> OpenStack-dev at lists.openstack.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

More information about the OpenStack-dev mailing list