[openstack-dev] Keystone OS-EP-FILTER descrepancy
Miller, Mark M (EB SW Cloud - R&D - Corvallis)
mark.m.miller at hp.com
Wed Oct 9 20:56:45 UTC 2013
Adam,
Thank you for the reply. The extension document is pretty good. The configuration instructions on the other hand need some help and I had to combine information from multiple sources to get OS-EP-FILTERing up and running. Following are the final steps that I used.
Mark
---------------
To enable the endpoint filter extension:
1. Add the new filter driver to the catalog section in "keystone.conf".
Example:
[catalog]
driver = keystone.contrib.endpoint_filter.backends.catalog_sql.EndpointFilterCatalog
2. Add the new [endpoint_filter] section to ``keystone.conf``.
Example:
[endpoint_filter]
# extension for creating associations between project and endpoints in order to
# provide a tailored catalog for project-scoped token requests.
driver = keystone.contrib.endpoint_filter.backends.sql.EndpointFilter
# return_all_endpoints_if_no_filter = True
optional: uncomment and set ``return_all_endpoints_if_no_filter``
3. Add the ``endpoint_filter_extension`` filter to the ``api_v3`` pipeline in ``keystone-paste.ini``.
Example:
[filter:endpoint_filter_extension]
paste.filter_factory = keystone.contrib.endpoint_filter.routers:EndpointFilterExtension.factory
[pipeline:api_v3]
pipeline = access_log sizelimit url_normalize token_auth admin_token_auth xml_body json_body ec2_extension s3_extension endpoint_filter_extension service_v3
4. Create the endpoint filter extension tables if using the provided sql backend.
Example::
./bin/keystone-manage db_sync --extension endpoint_filter
5. Once you have done the changes restart the keystone-server to apply the changes.
> -----Original Message-----
> From: Adam Young [mailto:ayoung at redhat.com]
> Sent: Wednesday, October 09, 2013 1:35 PM
> To: openstack-dev at lists.openstack.org
> Subject: Re: [openstack-dev] Keystone OS-EP-FILTER descrepancy
>
> We have improved the extension enumeration in Keystone. If you go to
> http://hostname:35357/v3 you should see a listing of the extensions that are
> enabled for that Keystone server.
>
>
> On 10/08/2013 07:07 PM, Miller, Mark M (EB SW Cloud - R&D - Corvallis)
> wrote:
> > Sorry to send this out again, but I wrote too soon. I was missing one driver
> entry in keystone.conf. Here are my working settings:
> >
> > File keystone.conf:
> >
> > [catalog]
> > # dynamic, sql-based backend (supports API/CLI-based management commands)
> > #driver = keystone.catalog.backends.sql.Catalog
> > driver = keystone.contrib.endpoint_filter.backends.catalog_sql.EndpointFilterCatalog
> >
> > # static, file-based backend (does *NOT* support any management commands)
> > # driver = keystone.catalog.backends.templated.TemplatedCatalog
> >
> > template_file = default_catalog.templates
> >
> > [endpoint_filter]
> > # extension for creating associations between project and endpoints in order to
> > # provide a tailored catalog for project-scoped token requests.
> > driver = keystone.contrib.endpoint_filter.backends.sql.EndpointFilter
> > return_all_endpoints_if_no_filter = False
> >
> >
> > File keystone-paste.ini:
> >
> > [filter:endpoint_filter_extension]
> > paste.filter_factory = keystone.contrib.endpoint_filter.routers:EndpointFilterExtension.factory
> >
> > and
> >
> > [pipeline:api_v3]
> > pipeline = access_log sizelimit url_normalize token_auth admin_token_auth xml_body json_body ec2_extension s3_extension oauth1_extension endpoint_filter_extension service_v3
> >
> >
> >
> > Updated Installation instructions:
> >
> > To enable the endpoint filter extension:
> >
> > 1. Add the new filter driver to the catalog section in "keystone.conf".
> >
> > Example:
> > [catalog]
> > driver = keystone.contrib.endpoint_filter.backends.catalog_sql.EndpointFilterCatalog
> >
> > 2. Add the new [endpoint_filter] section to ``keystone.conf``.
> >
> > Example:
> >
> > [endpoint_filter]
> > # extension for creating associations between project and endpoints in order to
> > # provide a tailored catalog for project-scoped token requests.
> > driver = keystone.contrib.endpoint_filter.backends.sql.EndpointFilter
> > # return_all_endpoints_if_no_filter = True
> >
> > optional: uncomment and set ``return_all_endpoints_if_no_filter``
> >
> > 3. Add the ``endpoint_filter_extension`` filter to the ``api_v3`` pipeline in ``keystone-paste.ini``.
> >
> > Example:
> >
> > [filter:endpoint_filter_extension]
> > paste.filter_factory = keystone.contrib.endpoint_filter.routers:EndpointFilterExtension.factory
> >
> > [pipeline:api_v3]
> > pipeline = access_log sizelimit url_normalize token_auth admin_token_auth xml_body json_body ec2_extension s3_extension endpoint_filter_extension service_v3
> >
> > 4. Create the endpoint filter extension tables if using the provided
> > sql backend.
> >
> > Example::
> > ./bin/keystone-manage db_sync --extension endpoint_filter
> >
> > 5. Once you have done the changes restart the keystone-server to
> > apply the changes.
> >
> >> -----Original Message-----
> >> From: Miller, Mark M (EB SW Cloud - R&D - Corvallis)
> >> Sent: Tuesday, October 08, 2013 1:51 PM
> >> To: OpenStack Development Mailing List
> >> Subject: Re: [openstack-dev] Keystone OS-EP-FILTER descrepancy
> >>
> >> Slightly adjusted instructions after testing:
> >>
> >> To enable the endpoint filter extension:
> >>
> >> 1. Add the new [endpoint_filter] section to ``keystone.conf``.
> >> example:
> >>
> >> [endpoint_filter]
> >> # extension for creating associations between project and endpoints in order to
> >> # provide a tailored catalog for project-scoped token requests.
> >> driver = keystone.contrib.endpoint_filter.backends.sql.EndpointFilter
> >> # return_all_endpoints_if_no_filter = True
> >>
> >> optional: change ``return_all_endpoints_if_no_filter`` in the
> >> ``[endpoint_filter]`` section
> >>
> >> 2. Add the ``endpoint_filter_extension`` filter to the ``api_v3``
> >> pipeline in ``keystone-paste.ini``.
> >> example:
> >>
> >> [filter:endpoint_filter_extension]
> >> paste.filter_factory = keystone.contrib.endpoint_filter.routers:EndpointFilterExtension.factory
> >>
> >> [pipeline:api_v3]
> >> pipeline = access_log sizelimit url_normalize token_auth admin_token_auth xml_body json_body ec2_extension s3_extension endpoint_filter_extension service_v3
> >>
> >> 3. Create the endpoint filter extension tables if using the provided
> >> sql backend. example::
> >> ./bin/keystone-manage db_sync --extension endpoint_filter
> >>
> >> 4. Once you have done the changes restart the keystone-server to
> >> apply the changes.
> >>
> >>> -----Original Message-----
> >>> From: Miller, Mark M (EB SW Cloud - R&D - Corvallis)
> >>> Sent: Tuesday, October 08, 2013 1:30 PM
> >>> To: OpenStack Development Mailing List
> >>> Subject: Re: [openstack-dev] Keystone OS-EP-FILTER descrepancy
> >>>
> >>> Here is the response from Fabio:
> >>>
> >>> Mark,
> >>> Please have a look at the configuration.rst in the
> >>> contrib/endpoint-filter folder.
> >>> I pasted here for your convenience:
> >>>
> >>> ==================================
> >>> Enabling Endpoint Filter Extension
> >>> ==================================
> >>>
> >>> To enable the endpoint filter extension:
> >>>
> >>> 1. add the endpoint filter extension catalog driver to the ``[catalog]`` section
> >>>    in ``keystone.conf``. example::
> >>>
> >>>     [catalog]
> >>>     driver = keystone.contrib.endpoint_filter.backends.catalog_sql.EndpointFilterCatalog
> >>>
> >>> 2. add the ``endpoint_filter_extension`` filter to the ``api_v3`` pipeline in
> >>>    ``keystone-paste.ini``. example::
> >>>
> >>>     [pipeline:api_v3]
> >>>     pipeline = access_log sizelimit url_normalize token_auth admin_token_auth xml_body json_body ec2_extension s3_extension endpoint_filter_extension service_v3
> >>>
> >>> 3. create the endpoint filter extension tables if using the provided sql
> >>>    backend. example::
> >>>
> >>>     ./bin/keystone-manage db_sync --extension endpoint_filter
> >>>
> >>> 4. optional: change ``return_all_endpoints_if_no_filter`` in the
> >>>    ``[endpoint_filter]`` section in ``keystone.conf`` to return an empty
> >>>    catalog if no associations are made. example::
> >>>
> >>>     [endpoint_filter]
> >>>     return_all_endpoints_if_no_filter = False
> >>>
> >>>
> >>> Steps 1-3 are mandatory. Once you have done the changes restart the
> >>> keystone-server to apply the changes.
> >>>
> >>> The /v3/auth/tokens?nocatalog is to remove the catalog from the
> >>> token creation.
> >>> It is different from the filtering because it won't return any
> >>> endpoint in the service catalog. The endpoint filter will return
> >>> only the ones that you have associated with a particular project.
> >>> Please bear in mind that this works only with scoped token (meaning
> >>> where you pass a project id).
> >>>
> >>>
> >>>
> >>>
> >>>
> >>>
> >>>> -----Original Message-----
> >>>> From: Miller, Mark M (EB SW Cloud - R&D - Corvallis)
> >>>> Sent: Tuesday, October 08, 2013 1:21 PM
> >>>> To: OpenStack Development Mailing List
> >>>> Subject: [openstack-dev] Keystone OS-EP-FILTER descrepancy
> >>>>
> >>>> Hello,
> >>>>
> >>>> I am attempting to test the Havana v3 OS-EP-FILTER extension with
> >>>> the latest RC1 bits and I get a 404 error response.
> >>>>
> >>>> The documentation actually shows 2 different URIs for this API:
> >>>>
> >>>> - GET /OS-EP-FILTER/projects/{project_id}/endpoints and
> >>>> http://identity:35357/v3/OS-FILTER/projects/{project_id}/endpoints
> >>>>
> >>>> I have tried both "OS-EP-FILTER" and "OS-FILTER" with the same result.
> >>>> Does anyone have information as to what I am missing?
> >>>>
> >>>> Regards,
> >>>>
> >>>> Mark Miller
> >>>>
> >>>> -------------
> >>>>
> >>>> From the online documentation:
> >>>>
> >>>> List Associations for Project: GET /OS-EP-FILTER/projects/{project_id}/endpoints
> >>>>
> >>>> Returns all the endpoints that are currently associated with a specific project.
> >>>>
> >>>> Response:
> >>>> Status: 200 OK
> >>>> {
> >>>>     "endpoints":
> >>>>     [
> >>>>         {
> >>>>             "id": "--endpoint-id--",
> >>>>             "interface": "public",
> >>>>             "url": "http://identity:35357/",
> >>>>             "region": "north",
> >>>>             "links": {
> >>>>                 "self": "http://identity:35357/v3/endpoints/--endpoint-id--"
> >>>>             },
> >>>>             "service_id": "--service-id--"
> >>>>         },
> >>>>         {
> >>>>             "id": "--endpoint-id--",
> >>>>             "interface": "internal",
> >>>>             "region": "south",
> >>>>             "url": "http://identity:35357/",
> >>>>             "links": {
> >>>>                 "self": "http://identity:35357/v3/endpoints/--endpoint-id--"
> >>>>             },
> >>>>             "service_id": "--service-id--"
> >>>>         }
> >>>>     ],
> >>>>     "links": {
> >>>>         "self": "http://identity:35357/v3/OS-FILTER/projects/{project_id}/endpoints",
> >>>>         "previous": null,
> >>>>         "next": null
> >>>>     }
> >>>> }
> >>>>
> >>>>
> >>>> _______________________________________________
> >>>> OpenStack-dev mailing list
> >>>> OpenStack-dev at lists.openstack.org
> >>>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
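
The configuration steps in the message at the top of this thread can be checked mechanically before restarting Keystone. The following is an added example, not part of the original thread and not Keystone's own code: it parses the two files and reports which step is missing, and it flags the case where ``return_all_endpoints_if_no_filter`` is left permissive. The function name, the sample file contents, and treating an unset option as True are assumptions.

```python
import configparser

CATALOG_DRIVER = "keystone.contrib.endpoint_filter.backends.catalog_sql.EndpointFilterCatalog"
FILTER_DRIVER = "keystone.contrib.endpoint_filter.backends.sql.EndpointFilter"
FACTORY = "keystone.contrib.endpoint_filter.routers:EndpointFilterExtension.factory"
EXT = "endpoint_filter_extension"

# Constructed sample files, built from the settings quoted in the thread.
SAMPLE_CONF = f"""[catalog]
driver = {CATALOG_DRIVER}
[endpoint_filter]
driver = {FILTER_DRIVER}
return_all_endpoints_if_no_filter = False
"""
SAMPLE_PASTE = f"""[filter:{EXT}]
paste.filter_factory = {FACTORY}
[pipeline:api_v3]
pipeline = access_log sizelimit url_normalize token_auth admin_token_auth
    xml_body json_body ec2_extension s3_extension {EXT} service_v3
"""

def _parse(text):
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    return cp

def check_endpoint_filter(conf_text, paste_text):
    """Return a list of problems; an empty list means every step is in place."""
    conf, paste = _parse(conf_text), _parse(paste_text)
    problems = []
    if conf.get("catalog", "driver", fallback="") != CATALOG_DRIVER:
        problems.append("[catalog] driver is not EndpointFilterCatalog")
    if conf.get("endpoint_filter", "driver", fallback="") != FILTER_DRIVER:
        problems.append("[endpoint_filter] driver is not EndpointFilter")
    if paste.get(f"filter:{EXT}", "paste.filter_factory", fallback="") != FACTORY:
        problems.append(f"[filter:{EXT}] factory is missing or wrong")
    pipeline = paste.get("pipeline:api_v3", "pipeline", fallback="").split()
    # The last pipeline entry is the app (service_v3); filters must come before it.
    if EXT not in pipeline[:-1]:
        problems.append(f"api_v3 pipeline does not run {EXT} before the app")
    # Assumption: an unset option behaves as True, as the commented-out line suggests.
    if conf.getboolean("endpoint_filter", "return_all_endpoints_if_no_filter", fallback=True):
        problems.append("projects with no associations get the full catalog")
    return problems

if __name__ == "__main__":
    print(check_endpoint_filter(SAMPLE_CONF, SAMPLE_PASTE))
    loose = SAMPLE_CONF.replace("return_all", "# return_all")
    print(check_endpoint_filter(loose, SAMPLE_PASTE))
```
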