[openstack-dev] [devstack][keystone][ironic] Use only Keystone v3 API in DevStack

Devananda van der Veen devananda.vdv at gmail.com
Fri Sep 11 20:21:38 UTC 2015


There have been informal discussions at various times around how differently
privileged users might use Ironic for different things. It would be great
if our API supported policy settings that corresponded to, let's say, a
junior support engineer's read-only access, or a DC technician's need to
perform maintenance on a server without granting them admin access to the
whole cloud. Things like that... but nothing formal has been written yet.

On Fri, Sep 11, 2015 at 1:01 PM, Dolph Mathews <dolph.mathews at gmail.com>
wrote:

>
> On Fri, Sep 11, 2015 at 2:55 PM, Yee, Guang <guang.yee at hpe.com> wrote:
>
>> Can you please elaborate on "granularity of policy support within
>> Ironic."? Is there a blueprint/etherpad we can take a look?
>>
>
> See the lack of granularity expressed by Ironic's current policy file:
>
>
> https://github.com/openstack/ironic/blob/5671e7c2df455f97ef996c47c9c4f461a82e1c38/etc/ironic/policy.json
>
>
>>
>>
>> Guang
>>
>>
>> -----Original Message-----
>> From: Devananda van der Veen [mailto:devananda.vdv at gmail.com]
>> Sent: Friday, September 11, 2015 10:25 AM
>> To: OpenStack Development Mailing List (not for usage questions)
>> Subject: Re: [openstack-dev] [devstack][keystone][ironic] Use only
>> Keystone v3 API in DevStack
>>
>> We (the Ironic team) have talked a couple times about keystone /v3
>> support and about improving the granularity of policy support within
>> Ironic. No one stepped up to work on these specifically, and they weren't
>> prioritized during Liberty ... but I think everyone agreed that we should
>> get on with the keystone v3 relatively soon.
>>
>> If Ironic is the only integrated project that doesn't support v3 yet,
>> then yea, we should get on that as soon as M opens.
>>
>> -Devananda
>>
>> On Fri, Sep 11, 2015 at 9:45 AM, Davanum Srinivas <davanum at gmail.com>
>> wrote:
>> > Hi,
>> >
>> > Short story/question:
>> > Is keystone /v3 support important to the ironic team? For Mitaka I guess?
>> >
>> > Long story:
>> > The previous discussion - guidance from keystone team on magnum
>> > (http://markmail.org/message/jchf2vj752jdzfet) motivated me to dig
>> > into the experimental job we have in devstack for full keystone v3 api
>> > and ended up with this review.
>> >
>> > https://review.openstack.org/#/c/221300/
>> >
>> > So essentially that rips out v2 keystone pipeline *except* for ironic jobs.
>> > as ironic has some hard-coded dependencies to keystone /v2 api. I've
>> > logged a bug here:
>> > https://bugs.launchpad.net/ironic/+bug/1494776
>> >
>> > Note that review above depends on Jamie's tempest patch which had some
>> > hard coded /v2 dependency as well
>> > (https://review.openstack.org/#/c/214987/)
>> >
>> > follow up question:
>> > Does anyone know of anything else that does not work with /v3?
>> >
>> > Thanks,
>> > Dims
>> >
>> > --
>> > Davanum Srinivas :: https://twitter.com/dims
>> >
>> > ______________________________________________________________________
>> > ____ OpenStack Development Mailing List (not for usage questions)
>> > Unsubscribe:
>> > OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
>> > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>> >
>>
>
>