Open Stack

On Oct 25, 2011, at 12:54 PM, Jesse Andrews wrote:

> I'm not an expert ... adding some comments
> 
> On Tue, Oct 25, 2011 at 12:05 PM, Joseph Heck <heckj at me.com> wrote:
>> I've just dropped in place a bunch of developer documentation (RST) for
>> Keystone - one in, one pending (https://review.openstack.org/#change,1089).
>> Making these docs  brought up a number of questions that I wasn't able to
>> answer. I want to put more context around the commands and concepts for the
>> reader prior to updating the docbook documentaiton. Joe Savak suggested on
>> IRC that I just drop them out here to the list, so here goes:
>> If any of these are "just bugs", let me know and I'll file them.
>> 
>> Q: Why is an administrative service token bound to a tenant?
>> Right now, keystone-manage to create an administrative service token, the
>> token which in turn is configured into nova, swift, glance, and dashboard,
>> requires a tenant - but as I understand tenant that doesn't make sense - as
>> the various services all serve more than one tenant.
> 
> we create a tenant for services and then create the long lived validation for

missed some of this.... create long lived validation for what?

>> Q: How do you remove a service?
> 
> You can invalidate the token - which means the service can no longer
> validate user tokens
> You can remove the service from the catalog

Is there an API for removing the service from the catalog? There isn't a keystone-manage command for it (that I found)

>> Q: How do you remove an EndpointTemplate?
> 
> not sure through the api, but can you via keystone-manage?  If not you
> can remove via the database.

I think that's direct database manipulation then. Ziad/Dolph/Yogi - can you confirm? Should be a bug?

>> Q: What's the purpose of a "role" prior to RBAC
>> Is it really just relevant for the Keystone administrative API, but more
>> coming online later with the RBAC work? Does any role based link between a
>> user and a tenant allow that user to get a scoped token for that tenant?
> 
> Currently as specified a token validation can return roles, which then
> can allow services to implement rbac.  The session on "can haz" was
> talking about how nova can do that without any changes in keystone.

Ziad/Yogi/Dolph - is there anything that role does *today* (i.e. Diablo release) other than authorizing access to the Keystone Admin API?

>> Q: How do you remove a role?
> 
> Not sure how to - I think this should be another extension since in an
> enterprise deployment the roles would be set by mapping ldap/ad groups
> into roles

Missing? Should be a bug?

>> Q: What's the keystone-manage command for "credential add" do? There's also
>> no corresponding delete or disable - is this password update for the
>> passwords that are set on "keystone-manage user add"? If not, how are those
>> passwords updated?
>> Q: What are "type" and "key" as related to "credential add" command, and
>> what are they intended to do?
>> Q: Why isn't there a "user delete" and a "tenant delete"? Is this a "just
>> haven't gotten to it yet" bug?
> 
> Those should probably be in the user/tenant extension.  Not sure if
> they are there or not.