[openstack-dev] Keystone OS-EP-FILTER descrepancy

Miller, Mark M (EB SW Cloud - R&D - Corvallis) mark.m.miller at hp.com
Tue Oct 8 20:51:09 UTC 2013


Slightly adjusted instructions after testing:

To enable the endpoint filter extension:

1. Add the new [endpoin_ filter] section  ton ``keystone.conf``. 
example:

 [endpoint_filter]
# extension for creating associations between project and endpoints in order to
# provide a tailored catalog for project-scoped token requests.
driver = keystone.contrib.endpoint_filter.backends.sql.EndpointFilter
# return_all_endpoints_if_no_filter = True

optional: change ``return_all_endpoints_if_no_filter`` the ``[endpoint_filter]`` section

2. Add the ``endpoint_filter_extension`` filter to the ``api_v3`` pipeline in ``keystone-paste.ini``. 
example:

[filter:endpoint_filter_extension]
paste.filter_factory = keystone.contrib.endpoint_filter.routers:EndpointFilterExtension.factory

[pipeline:api_v3]
pipeline = access_log sizelimit url_normalize token_auth admin_token_auth xml_body json_body ec2_extension s3_extension endpoint_filter_extension service_v3

3. Create the endpoint filter extension tables if using the provided sql backend. example::
    ./bin/keystone-manage db_sync --extension endpoint_filter

4.  Once you have done the changes restart the keystone-server to apply the changes.

> -----Original Message-----
> From: Miller, Mark M (EB SW Cloud - R&D - Corvallis)
> Sent: Tuesday, October 08, 2013 1:30 PM
> To: OpenStack Development Mailing List
> Subject: Re: [openstack-dev] Keystone OS-EP-FILTER descrepancy
> 
> Here is the response from Fabio:
> 
> Mark,
>   Please have a look at the configuration.rst in the contrib/endpoint-filter
> folder.
> I pasted here for your convenience:
> 
> ==================================
> Enabling Endpoint Filter Extension
> ==================================To enable the endpoint filter
> extension:
> 1. add the endpoint filter extension catalog driver to the ``[catalog]`` section
>    in ``keystone.conf``. example::
> 
>     [catalog]
>     driver =
> keystone.contrib.endpoint_filter.backends.catalog_sql.EndpointFilterCatalog
> 2. add the ``endpoint_filter_extension`` filter to the ``api_v3`` pipeline in
>    ``keystone-paste.ini``. example::
> 
>     [pipeline:api_v3]
>     pipeline = access_log sizelimit url_normalize token_auth
> admin_token_auth xml_body json_body ec2_extension s3_extension
> endpoint_filter_extension service_v3 3. create the endpoint filter extension
> tables if using the provided sql backend. example::
>     ./bin/keystone-manage db_sync --extension endpoint_filter 4. optional:
> change ``return_all_endpoints_if_no_filter`` the ``[endpoint_filter]`` section
>    in ``keystone.conf`` to return an empty catalog if no associations are made.
> example::
>     [endpoint_filter]
>     return_all_endpoints_if_no_filter = False
> 
> 
> Steps 1-3 are mandatory. Once you have done the changes restart the
> keystone-server to apply the changes.
> 
> The /v3/auth/tokens?nocatalog is to remove the catalog from the token
> creation.
> It is different from the filtering because it won't return any endpoint in the
> service catalog. The endpoint filter will return only the ones that you have
> associated with a particular project.
> Please bear in mind that this works only with scoped token (meaning where
> you pass a project id).
> 
> 
> 
> 
> 
> 
> > -----Original Message-----
> > From: Miller, Mark M (EB SW Cloud - R&D - Corvallis)
> > Sent: Tuesday, October 08, 2013 1:21 PM
> > To: OpenStack Development Mailing List
> > Subject: [openstack-dev] Keystone OS-EP-FILTER descrepancy
> >
> > Hello,
> >
> > I am attempting to test the Havana v3  OS-EP-FILTER extension with the
> > latest RC1 bits and I get a 404 error response.
> >
> > The documentation actually shows 2 different URIs for this API:
> >
> > 	- GET /OS-EP-FILTER/projects/{project_id}/endpoints and
> > http://identity:35357/v3/OS-FILTER/projects/{project_id}/endpoints
> >
> > I have tried both "OS-EP-FILTER" and "OS-FILTER" with the same result.
> > Does anyone have information as to what I am missing?
> >
> > Regards,
> >
> > Mark Miller
> >
> > -------------
> >
> > From the online documentation:
> >
> > List Associations for Project: GET /OS-EP-
> > FILTER/projects/{project_id}/endpoints
> >
> > Returns all the endpoints that are currently associated with a specific
> project.
> >
> > Response:
> > Status: 200 OK
> > {
> >     "endpoints":
> >     [
> >         {
> >             "id": "--endpoint-id--",
> >             "interface": "public",
> >             "url": "http://identity:35357/",
> >             "region": "north",
> >             "links": {
> >                 "self": "http://identity:35357/v3/endpoints/--endpoint-id--"
> >             },
> >             "service_id": "--service-id--"
> >         },
> >         {
> >             "id": "--endpoint-id--",
> >             "interface": "internal",
> >             "region": "south",
> >             "url": "http://identity:35357/",
> >             "links": {
> >                 "self": "http://identity:35357/v3/endpoints/--endpoint-id--"
> >             },
> >             "service_id": "--service-id--"
> >         }
> >     ],
> >     "links": {
> >         "self": "http://identity:35357/v3/OS-
> > FILTER/projects/{project_id}/endpoints",
> >         "previous": null,
> >         "next": null
> >     }
> > }
> >
> >
> > _______________________________________________
> > OpenStack-dev mailing list
> > OpenStack-dev at lists.openstack.org
> > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
> 
> _______________________________________________
> OpenStack-dev mailing list
> OpenStack-dev at lists.openstack.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev



More information about the OpenStack-dev mailing list