[Openstack] [Keystone] How to restrict the returned service endpoints to client ?

Kuo Hugo tonytkdk at gmail.com
Thu Aug 15 03:04:45 UTC 2013


Hi Miller,


Got it. It's the same way as the swift client tool invoking the --region
parameter.

So the mask must be on the client tool instead of preventing it from the
keystone server. That makes sense for the architecture of the OpenStack project.


Appreciate your response in detail.


+Hugo Kuo+
hugo at swiftstack.com
tonytkdk at gmail.com
+886 935004793


2013/8/15 Miller, Mark M (EB SW Cloud - R&D - Corvallis) <
mark.m.miller at hp.com>

> I was referring to the GET endpoint API. You specify the service_id and
> the region is optional.
>
> Endpoints: /v3/endpoints
>
> Endpoint entities represent URL endpoints for OpenStack web services.
>
> Additional required attributes:
>
> - service_id (string)
>
>   References the service to which the endpoint belongs.
>
> - interface (string)
>
>   Describes the visibility of the endpoint according to one of the
>   following values:
>
>   - public: intended for consumption by end users, generally on a
>     publicly available network interface
>   - internal: intended for consumption by end users, generally on an
>     unmetered internal network interface
>   - admin: intended only for consumption by those needing
>     administrative access to the service, generally on a secure network
>     interface
>
> - url (string)
>
>   Fully qualified URL of the service endpoint.
>
> Optional attributes:
>
> - region (string)
>
>   Represents the geographic location of the service endpoint, if relevant
>   to the deployment. The value of this attribute is intended to be
>   implementation specific in meaning.
>
> - enabled (boolean)
>
>   Setting this value to false prevents the endpoint from appearing in the
>   service catalog.
>
> Example entity:
>
> {
>     "endpoint": {
>         "enabled": true,
>         "id": "6fedc0",
>         "interface": "internal",
>         "links": {
>             "self": "http://identity:35357/v3/endpoints/6fedc0"
>         },
>         "region": "north",
>         "service_id": "ee057c",
>         "url": "http://identity:35357/"
>     }
> }
>
> *Endpoints*
>
> *List endpoints: GET /endpoints*
>
> query filter for "interface" and "service_id" (optional)
>
> Response:
>
> Status: 200 OK
>
> {
>     "endpoints": [
>         {
>             "id": "--endpoint-id--",
>             "interface": "public",
>             "links": {
>                 "self": "http://identity:35357/v3/endpoints/--endpoint-id--"
>             },
>             "name": "the public volume endpoint",
>             "region": "--region--",
>             "service_id": "--service-id--"
>         },
>         {
>             "id": "--endpoint-id--",
>             "interface": "internal",
>             "links": {
>                 "self": "http://identity:35357/v3/endpoints/--endpoint-id--"
>             },
>             "name": "the internal volume endpoint",
>             "region": "--region--",
>             "service_id": "--service-id--"
>         }
>     ],
>     "links": {
>         "self": "http://identity:35357/v3/endpoints",
>         "previous": null,
>         "next": null
>     }
> }
>
> *From:* Kuo Hugo [mailto:tonytkdk at gmail.com]
> *Sent:* Wednesday, August 14, 2013 10:12 AM
> *To:* Miller, Mark M (EB SW Cloud - R&D - Corvallis)
> *Cc:* openstack at lists.openstack.org
> *Subject:* Re: [Openstack] [Keystone] How to restrict the returned
> service endpoints to client ?
>
> Hi Miller,
>
> Do you mean the enabled (boolean) optional attribute in this section
> Endpoints<https://github.com/openstack/identity-api/blob/master/openstack-identity-api/v3/src/markdown/identity-api-v3.md#endpoints-v3endpoints>
> ?
>
> If so, that's for disabling a particular endpoint rather than masking an
> endpoint for particular user/tenant.
>
> Thanks
>
> Hugo
>
> +Hugo Kuo+
> hugo at swiftstack.com
> tonytkdk at gmail.com
> +886 935004793
>
> 2013/8/15 Miller, Mark M (EB SW Cloud - R&D - Corvallis) <
> mark.m.miller at hp.com>
>
> Yes there is. Refer to the endpoint section of the Identity v3 documentation:
> https://github.com/openstack/identity-api/blob/master/openstack-identity-api/v3/src/markdown/identity-api-v3.md
>
> Mark
>
> *From:* Kuo Hugo [mailto:tonytkdk at gmail.com]
> *Sent:* Wednesday, August 14, 2013 1:37 AM
> *To:* openstack at lists.openstack.org
> *Subject:* [Openstack] [Keystone] How to restrict the returned service
> endpoints to client ?
>
> Hi folks,
>
> Is there a way to specify the particular service endpoints being returned
> to user?
>
> *[Scenario 1]*
>
> There're Nova / Glance / Swift / Keystone services defined in service
> table.
> Also the relevant endpoints for each service.
>
> Let's say
>
>   User: foo
>   Tenant: tenant-foo
>
> Is it possible to return only Nova's endpoint in the json to the user foo
> ? I don't want foo to get other service's endpoint.
>
> *[Scenario 2]*
>
> There're multiple Swift clusters that authenticate users by a single
> keystone.
>
> Swift clusters:
>
>   name: swift1
>   name: swift2
>
> Let's say
>
>   User: foo
>   Tenant: tenant-foo
>
>   User: bar
>   Tenant: tenant-bar
>
> Is there a way to return swift1's endpoint to foo and swift2's endpoint to
> bar ?
>
> I'm not sure if keystone should have two regions of endpoints for each
> swift cluster or two services.
>
> Appreciate~
>
> +Hugo Kuo+
> hugo at swiftstack.com
> tonytkdk at gmail.com
> +886 935004793
>
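Added example, not part of the thread or of any OpenStack code: a sketch of the client-side masking the messages settle on, applied to a response shaped like the quoted GET /v3/endpoints listing. The service IDs, region names and URLs are constructed, and treating a missing "enabled" key as true is an assumption.

```python
import json

# Constructed sample in the shape of the quoted "GET /v3/endpoints" response.
# IDs, regions and URLs are made up for illustration.
SAMPLE = json.loads("""
{"endpoints": [
  {"id": "ep-1", "interface": "public", "region": "swift1",
   "service_id": "svc-swift", "url": "http://swift1.example/v1"},
  {"id": "ep-2", "interface": "public", "region": "swift2",
   "service_id": "svc-swift", "url": "http://swift2.example/v1"},
  {"id": "ep-3", "interface": "admin", "region": "swift1",
   "service_id": "svc-swift", "url": "http://swift1.example:8080/v1"},
  {"id": "ep-4", "interface": "public", "region": "swift1",
   "service_id": "svc-nova", "url": "http://nova.example/v2", "enabled": false}
]}
""")


def select_endpoints(listing, service_id, interface=None, region=None):
    """Client-side mask: keep endpoints matching the requested attributes."""
    chosen = []
    for ep in listing.get("endpoints", []):
        # Assumption: a missing "enabled" key means the endpoint is enabled.
        if not ep.get("enabled", True):
            continue
        if ep.get("service_id") != service_id:
            continue
        if interface is not None and ep.get("interface") != interface:
            continue
        if region is not None and ep.get("region") != region:
            continue
        chosen.append(ep)
    return chosen


def still_visible(listing, chosen):
    """IDs of endpoints the caller received but the client mask left unused."""
    picked = {ep["id"] for ep in chosen}
    return [ep["id"] for ep in listing.get("endpoints", []) if ep["id"] not in picked]


if __name__ == "__main__":
    foo = select_endpoints(SAMPLE, "svc-swift", interface="public", region="swift1")
    print([ep["url"] for ep in foo])
    print(still_visible(SAMPLE, foo))
```

The second function makes the limit of this approach explicit: every endpoint in the response was still delivered to the caller, so a region or interface filter on the client selects an endpoint but does not restrict which ones a user can see.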