<div dir="ltr">Perhaps I am misunderstanding, but doesn't the OSC support for pluggable auth just come for free from Neutron's perspective? (i.e. we don't have to make any Neutron-specific changes for that to work)<div><br></div><div>What I was hoping here was that we could get something in the Neutron client that works with the older auth plugins written for the Nova client to support setups not using OSC (specifically the Nova->Neutron interactions). I didn't mean that I didn't want to support OSC at all.</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Feb 18, 2015 at 11:16 AM, Tim Bell <span dir="ltr">&lt;<a href="mailto:Tim.Bell@cern.ch" target="_blank">Tim.Bell@cern.ch</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div lang="EN-GB" link="blue" vlink="purple">
<div>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d">Asking on the operators mailing list may yield more examples where people are using the Neutron client.<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d">From the CERN perspective, we use OSC heavily now it has Kerberos and X.509 support. With the new support of Keystone V3 in the Nova
python client, we are interested in extending this support to these methods.<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d">While we are in the process of planning our Nova network to Neutron migration (and thus our Neutron usage is limited to testing currently),
it would be attractive if the OSC supported Neutron operations with these authentication methods. Worst case, following the same structure as Nova would allow us to work with others interested in Kerberos and X.509 for a single set of patches so we would strongly
prefer the same plug-in approach for Neutron as used by Nova (compared to re-inventing the wheel).</span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d">Tim<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d"><u></u> <u></u></span></p>
<div style="border:none;border-left:solid blue 1.5pt;padding:0cm 0cm 0cm 4.0pt">
<div>
<div style="border:none;border-top:solid #e1e1e1 1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b><span lang="EN-US" style="font-size:11.0pt;font-family:"Calibri",sans-serif">From:</span></b><span lang="EN-US" style="font-size:11.0pt;font-family:"Calibri",sans-serif"> Kevin Benton [mailto:<a href="mailto:blak111@gmail.com" target="_blank">blak111@gmail.com</a>]
<br>
<b>Sent:</b> 18 February 2015 20:01<br>
<b>To:</b> OpenStack Development Mailing List (not for usage questions)<br>
<b>Subject:</b> Re: [openstack-dev] Pluggable Auth for clients and where should it go<u></u><u></u></span></p>
</div>
</div><div><div class="h5">
<p class="MsoNormal"><u></u> <u></u></p>
<div>
<p class="MsoNormal">This is something I have been working on internally as well. I've been trying to find a way to make the changes to the python neutronclient in the least invasive way to support pluggable authentication. I would be happy to help review the
changes you submit upstream if you have something already well-tested.<u></u><u></u></p>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<div>
<p class="MsoNormal">>W<span style="font-size:9.0pt;font-family:"Calibri",sans-serif;color:black">ould you benefit from pluggable auth?</span><u></u><u></u></p>
</div>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<div>
<p class="MsoNormal">Yes.<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<div>
<p class="MsoNormal">>What are you looking for in auth?<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<div>
<p class="MsoNormal">Parity with the nova client.<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<div>
<p class="MsoNormal">>W<span style="font-size:9.0pt;font-family:"Calibri",sans-serif;color:black">ould you benefit from the python-neutronclient getting nova's auth capabilities?</span><u></u><u></u></p>
</div>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:9.0pt;font-family:"Calibri",sans-serif;color:black">Yes</span><u></u><u></u></p>
</div>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<div>
<p class="MsoNormal">I have a similar constraint with waiting for the move to OSC/SDK. Even if the support for auth was merged into OSC/SDK, it wouldn't work with existing scripts and (more importantly) existing Icehouse/Juno Nova deployments that use the neutron
client for the notifications to Neutron.<u></u><u></u></p>
</div>
</div>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
<div>
<p class="MsoNormal">On Wed, Feb 18, 2015 at 8:52 AM, Justin Hammond &lt;<a href="mailto:justin.hammond@rackspace.com" target="_blank">justin.hammond@rackspace.com</a>&gt; wrote:</p>
<blockquote style="border:none;border-left:solid #cccccc 1.0pt;padding:0cm 0cm 0cm 6.0pt;margin-left:4.8pt;margin-right:0cm">
<div>
<div>
<p class="MsoNormal"><span style="font-size:9.0pt;font-family:"Calibri",sans-serif;color:black">Just starting this discussion…<u></u><u></u></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:9.0pt;font-family:"Calibri",sans-serif;color:black"><u></u> <u></u></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:9.0pt;font-family:"Calibri",sans-serif;color:black">This is in reference to <a href="https://blueprints.launchpad.net/python-neutronclient/+spec/pluggable-neutronclient-auth" target="_blank">https://blueprints.launchpad.net/python-neutronclient/+spec/pluggable-neutronclient-auth</a><u></u><u></u></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:9.0pt;font-family:"Calibri",sans-serif;color:black"><u></u> <u></u></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:9.0pt;font-family:"Calibri",sans-serif;color:black">Originally the blueprint was for python-neutronclient only, but pluggable auth is a wide-reaching issue. With OSC/SDK on the horizon (however far), we should probably
begin the discussion of how to best do this (if it hasn't been done).<u></u><u></u></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:9.0pt;font-family:"Calibri",sans-serif;color:black"><u></u> <u></u></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:9.0pt;font-family:"Calibri",sans-serif;color:black">A request: We have an immediate need to add pluggable auth to the python-neutronclient, modeled after python-novaclient's pluggable auth system, to maintain a consistent
workflow for our users. After the discussion in the neutron-drivers meeting (<a href="http://eavesdrop.openstack.org/meetings/neutron_drivers/2015/neutron_drivers.2015-02-18-15.31.log.html" target="_blank">http://eavesdrop.openstack.org/meetings/neutron_drivers/2015/neutron_drivers.2015-02-18-15.31.log.html</a>)
it is clear that python-neutronclient will survive for Kilo +12 months, at least. During that timeframe we'd like to have pluggable auth supported so we can bridge that gap. Beyond that immediate need, we are dedicated to making OSC/SDK the way to go in the
future, and will gladly assist in adding said features.<u></u><u></u></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:9.0pt;font-family:"Calibri",sans-serif;color:black"><u></u> <u></u></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:9.0pt;font-family:"Calibri",sans-serif;color:black">We have a solution for our immediate solution but that may not apply to OSC/SDK. So my questions are:<u></u><u></u></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:9.0pt;font-family:"Calibri",sans-serif;color:black"><u></u> <u></u></span></p>
</div>
<ul type="disc">
<li class="MsoNormal" style="color:black">
<span style="font-size:9.0pt;font-family:"Calibri",sans-serif">Would you benefit from pluggable auth?<u></u><u></u></span></li><li class="MsoNormal" style="color:black">
<span style="font-size:9.0pt;font-family:"Calibri",sans-serif">What are you looking for in auth?<u></u><u></u></span></li><li class="MsoNormal" style="color:black">
<span style="font-size:9.0pt;font-family:"Calibri",sans-serif">Would you benefit from the python-neutronclient getting nova's auth capabilities?<u></u><u></u></span></li></ul>
<div>
<p class="MsoNormal"><span style="font-size:9.0pt;font-family:"Calibri",sans-serif;color:black">Thank you for your time!<u></u><u></u></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:9.0pt;font-family:"Calibri",sans-serif;color:black"><u></u> <u></u></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:9.0pt;font-family:"Calibri",sans-serif;color:black">- Justin (roaet)<u></u><u></u></span></p>
</div>
</div>
<p class="MsoNormal" style="margin-bottom:12.0pt"><br>
__________________________________________________________________________<br>
OpenStack Development Mailing List (not for usage questions)<br>
Unsubscribe: <a href="http://OpenStack-dev-request@lists.openstack.org?subject:unsubscribe" target="_blank">
OpenStack-dev-request@lists.openstack.org?subject:unsubscribe</a><br>
<a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a><u></u><u></u></p>
</blockquote>
</div>
<p class="MsoNormal"><br>
<br clear="all">
<u></u><u></u></p>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<p class="MsoNormal">-- <u></u><u></u></p>
<div>
<div>
<p class="MsoNormal">Kevin Benton<u></u><u></u></p>
</div>
</div>
</div>
</div></div></div>
</div>
</div>
<br></blockquote></div><br><br clear="all"><div><br></div>-- <br><div class="gmail_signature"><div>Kevin Benton</div></div>
</div>