Keystone Tokens are bearer tokens, and bearer tokens are vulnerable to replay attacks. What if we wanted to get rid of them?
Tokenless Keystone
1
Category Archives: Software
Template for a KeystoneV3.rc
If you are moving from Keystone v2 to v3 call, you need more variables in your environment. Here is a template for an update keystone.rc for V3, in jinja format:
export OS_AUTH_URL=http://{{ keystone_hostname }}:5000/v3
export OS_USERNAME={{ username }}
export OS_PASSWORD={{ password }}
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_DOMAIN_NAME=Default
export OS_PROJECT_NAME={{ project_name }}
export OS_IDENTITY_API_VERSION=3
Getting a Keystone Token in Rust
Python is a great language, but sometimes I miss type safety. While I was always comfortable with C++, I know that the lanugague has it’s warts. Lately, I’ve been taking an interest in Rust, which seems to be set to address many of the shortcomiings of C++. What better way to learn it than to try and use on problems I already know well; OpenStack and Keystone? So, I wrote my first non-trivial program, which gets a Keystone token.
Install FreeIPA via Ansible
No better way to learn some more details of Ansible than to automate a task I need to do on a regular basis: ipa-server-install.
Resetting a Known Host for SSH
I often create and destroy a virtual machine multiple times in development. SSH records the host and key and often complains about a changed value for a given key. As I am attempting to automate more and more, I need to be able to communicate with these recreated hosts without dealing with the warning messages.
Continue reading
Dynamic Policy and Microversions
Both Core APIs and Policy have been static for a long part of OpenStack’s lifespan. While I’ve been working on Dynamic Policy, the Nova team has been looking to use microversions to allow the API to morph more quickly. Are the two approaches going to interoperate, or are they going to conflict?
Setting up an RDO deployment to be Identity V3 Only
The OpenStack Identity API Version 3 provides support for many features that are not available in version 2. Much of the installer code from Devstack, Puppet Modules, and Packstack, all assumes that Keystone is operating with the V2 API. In the interest of hastening the conversion, I set up a deployment that is V3 only. Here is how I did it.
Continue reading
Automating Kerberos Authentication
Sometimes you need unattended authentication. Sometimes you are just lazy. Whatever the reason, if a user (human or otherwise) wants to fetch a Ticket Granting Ticket (TGT) from a Kerberos Key Distribution Center (KDC) automatically, the Global Security Services API (GSSAPI) library shipped with most recent distributions support it.
Creating Hierarchical Projects in Keystone
Hierarchical Multitenancy is coming. Look busy.
Creating a new Network for a dual NIC VM
I need a second network for testing a packstack deployment. Here is what I did to create it, and then to boot a new VM connected to both networks.
Continue reading