Kerberos is a cryptographically secure authentication mechanism in use in many large organizations. Developers may want to make their applications work with Kerberos while developing inside containers. Here is a quick proof-of-concept that shows how to set up a container to work with mod_auth_gssapi., the Apache module that makes use of Kerberos.Continue reading
While it is always tempting to run a program as root, we know we should not do it. When developing, you want to make the process as non-root as possible. Here is what I am doing to write mod_wsgi code and run it as a non root user.Continue reading
The Python world has long since embraced Python3. However, the stability guarantees of RHEL have limited it to Python2.7 as the base OS. Now that I am running RHEL on my laptop, I have to find a way to work with Python 3.5 in order to contribute to OpenStack. To further constrain myself, I do not want to “pollute” the installed python modules by using PIP to mix and match between upstream and downstream. The solution is the Software Collections version of Python 3.5. Here’s how I got it to work.
Once I know a starting point for a call, I want to track the other functions that it calls. pycallgraph will generate an image that shows me that.
What Policy is enforced when you call a Keystone API? Right now, there is no definitive way to say. However, with some programmatic help, we might be able to figure it out from the source code. Lets start by getting a complete list of the Keystone routes.
If you change the public signature of an API, or add a new API in Keystone, there is a good chance the Tests that confirm JSON home layout will break. And that test is fairly unfriendly: It compares a JSON doc with another JSON doc, and spews out the entirety of both JSON docs, without telling you which section breaks. Here is how I deal with it:
Just because Icehouse is EOL does not mean no one is running it. One part of my job is back-porting patches to older versions of Keystone that my Company supports.
A dirty secret is that we only package the code needed for the live deployment, though, not the unit tests. In the case of I need to test a bug fix against a version of Keystone that was, essentially, Upstream Icehouse.
SAML is usually thought of as a WebSSO mechanism, but it can be made to work for command line operations if you use the Extended Client Protocol (ECP). When we did the Rippowam demo last year, we were successful in getting an Unscoped token by using ECP, but that was not sufficient to perform operations on other services that need a scoped token.