[openstack-dev] [tc][appcat] The future of the App Catalog

Fox, Kevin M Kevin.Fox at pnnl.gov
Wed Mar 15 22:11:57 UTC 2017


Interesting. Thanks for the info.

Kevin
________________________________________
From: Boris Bobrov [breton at cynicmansion.ru]
Sent: Wednesday, March 15, 2017 2:07 PM
To: openstack-dev at lists.openstack.org
Subject: Re: [openstack-dev] [tc][appcat] The future of the App Catalog

On 03/15/2017 10:06 PM, Jay Pipes wrote:
> +Boris B
>
> On 03/15/2017 02:55 PM, Fox, Kevin M wrote:
>> I think they are. If they are not, things will break if federation is
>> used for sure. If you know that it is please let me know. I want to
>> deploy federation at some point but was waiting for dashboard support.
>> Now that the dashboard supports it, I may try it soon. Its a no-go
>> still though if heat doesn't work with it.
>
> We had a customer engagement recently that had issues with Heat not
> being able to execute certain actions in a federated Keystone
> environment. I believe we learned that Keystone trusts and federation
> were not compatible during this engagement.
>
> Boris, would you mind refreshing memories on this?

They are still broken when user gets roles from groups membership.
At the PTG session the decision was to document that it is fine and that
user should get concrete role assignments before using heat via
federation. Now there are 2 ways to do it.

1. New auto-provisioning capabilities, which make role assignments
persistent [0]. Which is funny, because group membership is not
persistent.

2. Ask project admin to assign the roles.

[0]https://docs.openstack.org/developer/keystone/federation/mapping_combinations.html#auto-provisioning

I don't like it though and wanted to talk about it at keystone
meeting. But we didn't make it on time so it will be discussed next
Tuesday. I want this: https://review.openstack.org/#/c/437533/

> Best,
> -jay
>
>> ________________________________________
>> From: Jay Pipes [jaypipes at gmail.com]
>> Sent: Wednesday, March 15, 2017 11:41 AM
>> To: openstack-dev at lists.openstack.org
>> Subject: Re: [openstack-dev] [tc][appcat] The future of the App Catalog
>>
>> On 03/15/2017 01:21 PM, Fox, Kevin M wrote:
>>> Other OpenStack subsystems (such as Heat) handle this with Trusts. A
>>> service account is made in a different, usually SQL backed Keystone
>>> Domain and a trust is created associating the service account with
>>> the User.
>>>
>>> This mostly works but does give the trusted account a lot of power,
>>> as the roles by default in OpenStack are pretty coarse grained. That
>>> should be solvable though.
>>
>> I didn't think Keystone trusts and Keystone federation were compatible
>> with each other, though? Did that change recently?
>>
>> Best,
>> -jay
>>
>> __________________________________________________________________________
>>
>> OpenStack Development Mailing List (not for usage questions)
>> Unsubscribe:
>> OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>>
>> __________________________________________________________________________
>>
>> OpenStack Development Mailing List (not for usage questions)
>> Unsubscribe:
>> OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>>

__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev



More information about the OpenStack-dev mailing list