Using the Openstack common client with Keystone

My last post showed how to load the user data using curl. This is only interesting if you love curl. It's pretty easy to do the same thing from the command line. Now, we at Keystone central hate responsibility. We have no desire to do more than we have to. That includes writing the Command Line Client.

There is an effort afoot to move to a unified command line. Here is a sneak peek:

To get this to work took a little finagling: when a user gets a token, it contains the URL for the Keystone admin port, and the CLI uses this to perform the user create action. There is work going on to do better discoverability (figuring out which version of the API is supported), but until then, you can do the following hack (not recommended for production).

Edit the database

mysql --user keystone --password=keystone keystone

Make the admin URL V3 specific:

update endpoint set url='http://127.0.0.1:35357/v3'  where url like 'http://127.0.0.1:35357/%';

Restart Keystone.

And you can use the command:

export OS_AUTH_URL=http://127.0.0.1:5000/v3
export OS_USERNAME=admin
export OS_PASSWORD=freeipa4all
export OS_TENANT_NAME=admin
openstack --os-identity-api-version=3  user create testname2 --password=testme --project=demo  --domain=default

So my previous example would be reduced to:

while read -r USERNAME ; do openstack --os-identity-api-version=3 user create "$USERNAME" --password=changeme --project=demo ; done < usernames.txt

Load up the Keystone User Table

In the past I have created scripts for loading test data into FreeIPA. I’ve started doing the same thing for Keystone, using the Web API. Here is the first. It uses a list of usernames generated from my FreeIPA sample data, based on first initial-last name of a bunch of the most popular names in the country. The list is here. Here is the script I use to load it. Once again, I use jq to parse the JSON.

Note that HTML hates heredocs: to make this format correctly, I had to replace the heredoc's double less-than sign with a comment:

#insert two less than signs here#

Reverse this change before running this file, or fetch the clean source from here.
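As an added example (not the script linked above, and not the OpenStack project's own code), here is the same bulk load done against the Keystone V3 Web API from Python instead of curl and jq: authenticate once, take the token from the X-Subject-Token header, then POST one user per line of usernames.txt. It assumes the target project's ID is already known, and the transport is a parameter so the exchange can be exercised offline against a fake.

```python
import json
import urllib.request

# Constructed sample in the usernames.txt format (first initial + last name),
# with a blank line, a comment and a bad entry to show the filtering.
SAMPLE_USERNAMES = "jsmith\n\n# from FreeIPA sample data\nmjohnson\nbad name!\n"


def auth_request(username, password, project_name, domain_id="default"):
    # Body for POST /v3/auth/tokens: password auth, scoped to a project
    # (the equivalent of OS_USERNAME / OS_PASSWORD / OS_TENANT_NAME).
    return {"auth": {
        "identity": {"methods": ["password"],
                     "password": {"user": {"name": username,
                                           "domain": {"id": domain_id},
                                           "password": password}}},
        "scope": {"project": {"name": project_name,
                              "domain": {"id": domain_id}}}}}


def user_request(name, password, project_id, domain_id="default"):
    # Body for POST /v3/users; project_id is an assumption (looked up elsewhere).
    return {"user": {"name": name, "password": password, "domain_id": domain_id,
                     "default_project_id": project_id, "enabled": True}}


def parse_usernames(text):
    # Skip blank lines and comments; drop names with anything but [A-Za-z0-9.-].
    names = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and \
                line.replace("-", "").replace(".", "").isalnum():
            names.append(line)
    return names


def http_json(method, url, body, headers):
    # Default transport: returns (status, response headers, decoded body).
    req = urllib.request.Request(url, data=json.dumps(body).encode(), method=method,
                                 headers={"Content-Type": "application/json", **headers})
    with urllib.request.urlopen(req) as resp:
        return resp.status, resp.headers, json.load(resp)


def load_users(auth_url, admin, admin_pw, project_id, usernames_text, new_pw,
               transport=http_json):
    # Authenticate once, then create each user; returns {name: HTTP status}.
    status, headers, _ = transport("POST", auth_url + "/auth/tokens",
                                   auth_request(admin, admin_pw, "admin"), {})
    if status != 201:
        raise RuntimeError("auth failed: %d" % status)
    token = headers["X-Subject-Token"]  # v3 hands the token back in this header
    results = {}
    for name in parse_usernames(usernames_text):
        status, _, _ = transport("POST", auth_url + "/users",
                                 user_request(name, new_pw, project_id),
                                 {"X-Auth-Token": token})
        results[name] = status  # 201 created; 409 means the name already exists
    return results
```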


Policy Enforcement in OpenStack

How can I delegate the ability to delegate?

Keystone’s Roles are the primary indicator of authority in an OpenStack system; the roles a user has determine what operations they can perform. The primary function of Keystone is to map a user to a role in a project. In a system with millions of users, one person, or even a small subset of people, cannot be responsible for assigning all roles to all people. I want to be able to delegate the authority to assign people to roles.

The following article walks through the process of assigning roles to users, and adjusting policy to perform more specific checks in an OpenStack service. To work through this example, all you will need is a working Keystone server.

Third of three articles: Examples. More Examples.


More Keystone V3 API Examples

My previous example showed how to create a user using the V3 API. But what if you don’t even have an admin user in your database? How are you going to perform admin operations in a bootstrap scenario? Here’s how to do operations with no user in the database, and to get the database up to the point where you can perform operations directly.

Second of Three Articles: Examples. Policy


Obamacare Website Inspired Rant

I’ve been in tech a while now, and been through a couple of Web site launches, though not for a long time. Technology has glitches, and they get fixed, and then you find the next round. You find out problems when you have users. So, go to the ACA web site, beat the snot out of that thing and report it.

But I will say this: it should be an open source code base. There are a lot of people that want to see this thing succeed, and being able to look at the code is the best way to make that happen. Linus Torvalds, of Linux fame, once said “With enough eyes, all bugs are shallow.” We’ve lived for a long time with the effects of having technology handed to us and being commanded to consume it. “Would you buy a car with the hood welded shut?” And yet, time and time again, that is what we are asked to do.

Why do I make my life harder by using only Linux? Because there is nothing more important to Freedom than information, and nothing more important to free information than having control over the machine that controls your information. Yes, I have to deal with Android, which is sort of Linux, and sort of a black box. I used WebOS (Palm) as long as I could. I do not use Apple products and I do not use Microsoft products because, when it comes down to it, I want access to my tools.

I wood carve because I like the ability to take a raw material and make something out of it. For thousands of years, we only had simple things that came from the earth. The magic of the smith was available to any that would learn it. Or of the wainwright, or the carpenter. We could fashion our environment with only the tools from our environment. Now we live in a world where these tools are three and four layers abstracted from us. The primary tool that does all this abstraction is the computer. A simple tool that does little more than fetch two numbers from memory, perform basic arithmetic on those numbers, and store them back in memory. And from this simplest of rules we have machines that can keep us safe, or that can manipulate a tool to fashion a block of wood into whatever shape we can dream of…or anyone can.

Apple was a has-been company until it gave up on trying to write its own preemptive multitasking operating system and decided to build on top of an Open Source one. Its biggest competitor, Microsoft, once capable of putting the final nail in the coffin, bailed it out. Now that same competitor finds itself being edged out of the very market it dominated. At the low end and at the high end, machines built on a foundation of Open Source have ushered in an era of greater stability in computing. Do we forget how we railed against the blue-screen-of-death?

And the Web, that greatest of communication mediums that we have found to date, what made it successful? Open Standards and Open Source. On the server side, sites were powered by Apache, and a slew of nascent new programming languages. Not all was open source. The browser was not, and we saw huge browser incompatibilities. The Netscape/Microsoft battle left Netscape in ruins, but the code that they posted, the Mozilla browser, finally gave us a completely Open Source stack, from Operating System, to user interface, to server, for so many services.

So, yeah, the website that is a key piece of the ACA has problems. Most major web sites do when they are launched. Most minor ones do too. And by most, I mean all. The opponents of the ACA point to it as an example of Government incompetence. Nah. I see it as the latest example of a poor approach to information management. You want security? Use publicly analyzed algorithms and keep your keys secret. You want a solid web site…open the code, and build the security measures on top of best practices. It doesn’t matter if you are huge or tiny, if you are doing something brand new, or just exposing your pictures to your friends over the internet.

Of course, as I type this, I realize it is much too long as a rant for Facebook status, and it is something I want to keep. It is mine; I will post it on my blog, running WordPress, on a Linux system running Debian (a competitor to where I work in all the right ways) and finish editing it in emacs. Only then will I post it on Facebook.

Linking Launchpad and Bugzilla

While the Bugzilla command line tool does a lot of useful things, one feature it is missing is the ability to link a bug to an upstream bug in a remote tracker. Working with the Web UI can be slow. Martin Kosek, of FreeIPA fame, wrote a simple Python program to link them together for me using direct XML-RPC API calls. Thanks Martin:

#!/usr/bin/python
#
# Authors:
#   Martin Kosek: mkosek@redhat.com
#
# Copyright (C) 2013  Red Hat
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program.  If not, see http://www.gnu.org/licenses/.

import bugzilla
import sys
import xmlrpclib

# Bugzilla XML-RPC endpoint and login. The credentials are placeholders:
# replace them (or read them from a config file) before running.
URL = 'https://bugzilla.redhat.com/xmlrpc.cgi'
USER = 'user@redhat.com'
PASSWORD = 'bar'

# Both ids must be integers; anything else prints the usage line and exits.
try:
    bz_id = int(sys.argv[1])
    launchpad_id = int(sys.argv[2])
except Exception:
    sys.exit("Usage: bz_lp_link bz_id lp_id")

# Log in to Red Hat Bugzilla; _proxy is the underlying XML-RPC server proxy,
# used here because the wrapper has no method for external bug links.
proxy = bugzilla.RHBugzilla3(url=URL, user=USER, password=PASSWORD)
proxy.connect(URL)

# The id Bugzilla assigns to the Launchpad external tracker.
LAUNCHPAD_TRACKER_ID = 29

# Attach the Launchpad bug to the Bugzilla bug as an external tracker link;
# a server-side error (bad id, no permission) comes back as an XML-RPC Fault.
try:
    proxy._proxy.ExternalBugs.add_external_bug(
        {'bug_ids': [bz_id],
         'external_bugs': [{'ext_type_id': LAUNCHPAD_TRACKER_ID,
                            'ext_bz_bug_id': launchpad_id}]
        })
except xmlrpclib.Fault as e:
    sys.exit(e.faultString)