<div dir="ltr"><div class="gmail_extra"><div><div><br></div></div><div class="gmail_quote">On Thu, Mar 7, 2013 at 2:38 PM, Miller, Mark M (EB SW Cloud - R&D - Corvallis) <span dir="ltr"><<a href="mailto:mark.m.miller@hp.com" target="_blank">mark.m.miller@hp.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<div lang="EN-US" link="blue" vlink="purple">
<div>
<p class=""><span style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(31,73,125)">Hello,<u></u><u></u></span></p>
<p class=""><span style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(31,73,125)"><u></u> <u></u></span></p>
<p class=""><span style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(31,73,125)">I am sorry but I am still a tad bit confused with this email thread.
<u></u><u></u></span></p>
<p class=""><span style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(31,73,125)"><u></u> <u></u></span></p>
<p class=""><span style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(31,73,125)">As of the Grizzly-3 release:<u></u><u></u></span></p>
<p class=""><span style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(31,73,125)"><u></u> <u></u></span></p>
<p><u></u><span style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(31,73,125)"><span>1.<span style="font-style:normal;font-variant:normal;font-weight:normal;font-size:7pt;line-height:normal;font-family:'Times New Roman'">
</span></span></span><u></u><span style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(31,73,125)">Do Grizzly-3 OpenStack services like Nova accept and validate Keystone V3 tokens (both UUID and PKI) ?</span></p>
</div></div></blockquote><div style>It's not their responsibility; it's the responsibility of keystoneclient.middleware.auth_token which supports both UUID w/ online validation and PKI w/ offline validation.<br></div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><div lang="EN-US" link="blue" vlink="purple"><div><p><span style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(31,73,125)"><u></u><u></u></span></p>
<p><u></u><span style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(31,73,125)"><span>2.<span style="font-style:normal;font-variant:normal;font-weight:normal;font-size:7pt;line-height:normal;font-family:'Times New Roman'">
</span></span></span><u></u><span style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(31,73,125)">Do Grizzly-3 OpenStack services use the Keystone v2.0 APIs or do they use the Keystone v3 APIs?</span></p></div>
</div></blockquote><div style>Horizon is the only core project that uses keystone's non-auth related API's and will not be updated to consume v3 specific features as of Grizzly (AFAIK-- someone correct me if I'm wrong).<br>
</div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><div lang="EN-US" link="blue" vlink="purple"><div><p>
<span style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(31,73,125)"><u></u><u></u></span></p>
<p><u></u><span style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(31,73,125)"><span>3.<span style="font-style:normal;font-variant:normal;font-weight:normal;font-size:7pt;line-height:normal;font-family:'Times New Roman'">
</span></span></span><u></u><span style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(31,73,125)">Do the OpenStack services rely upon the keystoneclient? I thought the keystoneclient was a command line interface?</span></p>
</div></div></blockquote><div style>Indirectly, yes. keystoneclient.middleware.auth_token is deployed in the pipelines of those services to handle auth. keystoneclient currently provides command line exposure of v2.0 but we're looking forward to deprecating these features in favor of a common 'openstack' CLI client. So, creating a v2.0 tenant today looks like:<br>
</div><div style><br></div><div style> $ keystone tenant-create ...</div><div style><br></div><div style>But given that we're adopting openstackclient and renaming 'tenants' to 'projects', an equivalent command will look like:</div>
<div style><br></div><div style> $ openstack project-create ...</div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<div lang="EN-US" link="blue" vlink="purple"><div><p><span style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(31,73,125)"><u></u><u></u></span></p>
<p class=""><span style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(31,73,125)"><u></u> <u></u></span></p>
<p class=""><span style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(31,73,125)">For the Grizzly final release:<u></u><u></u></span></p>
<p class=""><span style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(31,73,125)"><u></u> <u></u></span></p>
<p><u></u><span style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(31,73,125)"><span>1.<span style="font-style:normal;font-variant:normal;font-weight:normal;font-size:7pt;line-height:normal;font-family:'Times New Roman'">
</span></span></span><u></u><span style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(31,73,125)">Will the Grizzly OpenStack services like Nova accept and validate Keystone V3 tokens (both UUID and PKI) ?</span></p>
</div></div></blockquote><div style>There are not essex/folsom/grizzly releases of clients; we're aiming to do a release of keystoneclient (perhaps v0.3.0) around the time of Grizzly. <br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<div lang="EN-US" link="blue" vlink="purple"><div><p><span style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(31,73,125)"><u></u><u></u></span></p>
<p><u></u><span style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(31,73,125)"><span>2.<span style="font-style:normal;font-variant:normal;font-weight:normal;font-size:7pt;line-height:normal;font-family:'Times New Roman'">
</span></span></span><u></u><span style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(31,73,125)">Will Grizzly OpenStack services use the Keystone v3 APIs?</span></p></div></div></blockquote><div style>See question 2 above; the answer is not changing between milestone 3 and final release. <br>
</div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><div lang="EN-US" link="blue" vlink="purple"><div><p>
<span style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(31,73,125)"><u></u><u></u></span></p>
<p><u></u><span style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(31,73,125)"><span>3.<span style="font-style:normal;font-variant:normal;font-weight:normal;font-size:7pt;line-height:normal;font-family:'Times New Roman'">
</span></span></span><u></u><span style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(31,73,125)">Will Grizzly OpenStack services use/implement new v3 features like “domains” and “groups”?</span></p></div></div>
</blockquote><div style>keystoneclient.middleware.auth_token will be providing domain information to consuming services via the X-Domain-Id / X-Domain-Name headers as it does for user, project and role data, although no services will be utilizing that additional data as of Grizzly. Role grants made to v3 groups will be consumed by all services regardless of whether they're calling the v2 or v3 API.<br>
</div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><div lang="EN-US" link="blue" vlink="purple"><div><p>
<span style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(31,73,125)"><u></u><u></u></span></p>
<p><u></u><span style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(31,73,125)"><span>4.<span style="font-style:normal;font-variant:normal;font-weight:normal;font-size:7pt;line-height:normal;font-family:'Times New Roman'">
</span></span></span><u></u><span style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(31,73,125)">How will the v3 keystoneclient and the v3 openstackclient be used other than as command line interfaces?</span></p>
</div></div></blockquote><div style>I'm not sure I understand the question; python-keystoneclient primary responsibility moving forward will be as a python API, and python-openstackclient's primary responsibility will be as a CLI implementation (which happens to consume and expose features from python-keystoneclient, python-novaclient, python-glanceclient, etc).<br>
</div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><div lang="EN-US" link="blue" vlink="purple"><div><p>
<span style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(31,73,125)"><u></u><u></u></span></p>
<p class=""><span style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(31,73,125)"><u></u> <u></u></span></p>
<p class=""><span style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(31,73,125)">Regards,<u></u><u></u></span></p>
<p class=""><span style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(31,73,125)"><u></u> <u></u></span></p>
<p class=""><span style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(31,73,125)">Mark Miller<u></u><u></u></span></p>
<p class=""><span style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(31,73,125)"><u></u> <u></u></span></p>
<p class=""><span style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(31,73,125)"><u></u> <u></u></span></p>
<div style="border-style:solid none none;border-top-color:rgb(181,196,223);border-top-width:1pt;padding:3pt 0in 0in">
<p class=""><b><span style="font-size:10pt;font-family:Tahoma,sans-serif">From:</span></b><span style="font-size:10pt;font-family:Tahoma,sans-serif"> openstack-bounces+mark.m.miller=<a href="mailto:hp.com@lists.launchpad.net" target="_blank">hp.com@lists.launchpad.net</a> [mailto:<a href="mailto:openstack-bounces%2Bmark.m.miller" target="_blank">openstack-bounces+mark.m.miller</a>=<a href="mailto:hp.com@lists.launchpad.net" target="_blank">hp.com@lists.launchpad.net</a>]
<b>On Behalf Of </b>Dolph Mathews<br>
<b>Sent:</b> Thursday, March 07, 2013 9:56 AM<br>
<b>To:</b> Aguiar, Glaucimar (Brazil R&D-ECL); openstack</span></p><div><div class="h5"><br>
<b>Subject:</b> Re: [Openstack] Keystone v3 adoption<u></u><u></u></div></div><p></p>
</div><div><div class="h5">
<p class=""><u></u> <u></u></p>
<div>
<p class="">Yes, exactly. Until keystoneclient.middleware.auth_token is revised, v3 tokens will basically only be useful against keystone.<u></u><u></u></p>
</div>
<div>
<p class=""><br clear="all">
<u></u><u></u></p>
<div>
<div>
<p class=""><u></u> <u></u></p>
</div>
<p class="">-Dolph<u></u><u></u></p>
</div>
<p class="" style="margin-bottom:12pt"><u></u> <u></u></p>
<div>
<p class="">On Thu, Mar 7, 2013 at 11:52 AM, Aguiar, Glaucimar (Brazil R&D-ECL) <<a href="mailto:glaucimar.aguiar@hp.com" target="_blank">glaucimar.aguiar@hp.com</a>> wrote:<u></u><u></u></p>
<div>
<div>
<p class=""><span style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(31,73,125)">Hi Dolph,</span><u></u><u></u></p>
<p class=""><span style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(31,73,125)"> </span><u></u><u></u></p>
<p class=""><span style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(31,73,125)">Thank you very much for your answer. I really appreciate it.</span><u></u><u></u></p>
<p class=""><span style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(31,73,125)"> </span><u></u><u></u></p>
<p class=""><span style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(31,73,125)">Are you saying then, that I configure nova (for example) to use v3 middleware, I should be able to
call nova with a v3 token and this token will get validated?</span><u></u><u></u></p>
<p class=""><span style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(31,73,125)"> </span><u></u><u></u></p>
<p class=""><span style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(31,73,125)">Glaucimar Aguiar</span><u></u><u></u></p>
<p class=""><span style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(31,73,125)"> </span><u></u><u></u></p>
<p class=""><span style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(31,73,125)"> </span><u></u><u></u></p>
<p class=""><b><span style="font-size:10pt;font-family:Tahoma,sans-serif">From:</span></b><span style="font-size:10pt;font-family:Tahoma,sans-serif"> Dolph Mathews [mailto:<a href="mailto:dolph.mathews@gmail.com" target="_blank">dolph.mathews@gmail.com</a>]
<br>
<b>Sent:</b> quinta-feira, 7 de março de 2013 11:04<br>
<b>To:</b> Aguiar, Glaucimar (Brazil R&D-ECL)<br>
<b>Cc:</b> <a href="mailto:openstack@lists.launchpad.net" target="_blank">openstack@lists.launchpad.net</a><br>
<b>Subject:</b> Re: [Openstack] Keystone v3 adoption</span><u></u><u></u></p>
<div>
<div>
<p class=""> <u></u><u></u></p>
<div>
<p class="">The v3 API is largely abstracted from other services (horizon being a major exception) using keystoneclient.middleware.auth_token, which is being revised here [1] and here [2].<u></u><u></u></p>
<div>
<p class=""> <u></u><u></u></p>
</div>
<div>
<div>
<p class="">Because the clients do not necessarily follow the same release schedule as the services, we've obviously been focused on the API and it's server-side implementation. I expect we'll
do a v3-compliant release of keystoneclient around the time of grizzly's release. openstackclient (providing CLI exposure) is in the works as well [3].<u></u><u></u></p>
</div>
</div>
<div>
<div>
<p class=""><br>
[1]: <a href="https://review.openstack.org/#/c/23401/" target="_blank">https://review.openstack.org/#/c/23401/</a><u></u><u></u></p>
</div>
<div>
<p class="">[2]:
<a href="https://review.openstack.org/#/c/21942/" target="_blank">https://review.openstack.org/#/c/21942/</a><u></u><u></u></p>
</div>
<div>
<p class="">[3]: <a href="https://review.openstack.org/#/q/project:openstack/python-openstackclient+status:open,n,z" target="_blank">https://review.openstack.org/#/q/project:openstack/python-openstackclient+status:open,n,z</a><u></u><u></u></p>
</div>
</div>
</div>
<div>
<p class=""><br clear="all">
<u></u><u></u></p>
<div>
<div>
<p class=""> <u></u><u></u></p>
</div>
<p class="">-Dolph<u></u><u></u></p>
</div>
<p class="" style="margin-bottom:12pt"> <u></u><u></u></p>
<div>
<p class="">On Thu, Mar 7, 2013 at 5:30 AM, Aguiar, Glaucimar (Brazil R&D-ECL) <<a href="mailto:glaucimar.aguiar@hp.com" target="_blank">glaucimar.aguiar@hp.com</a>> wrote:<u></u><u></u></p>
<p class="">Hello,<br>
<br>
I would like to know the plans for nova, glance, etc to adopt keystone v3 API. Is there an expectation that this happens in Havana timeframe?<br>
<br>
I am asking as the it seems the Domains feature is not useful until services are capable of validating a v3 token and move to keystone v3 API.<br>
<br>
Thanks in advance,<br>
<br>
Glaucimar Aguiar<br>
<br>
<br>
<br>
_______________________________________________<br>
Mailing list: <a href="https://launchpad.net/~openstack" target="_blank">https://launchpad.net/~openstack</a><br>
Post to : <a href="mailto:openstack@lists.launchpad.net" target="_blank">openstack@lists.launchpad.net</a><br>
Unsubscribe : <a href="https://launchpad.net/~openstack" target="_blank">https://launchpad.net/~openstack</a><br>
More help : <a href="https://help.launchpad.net/ListHelp" target="_blank">https://help.launchpad.net/ListHelp</a><u></u><u></u></p>
</div>
<p class=""> <u></u><u></u></p>
</div>
</div>
</div>
</div>
</div>
</div>
<p class=""><u></u> <u></u></p>
</div>
</div></div></div>
</div>
</blockquote></div><br></div></div>