Tripleo HA Federation Proof-of-Concept

Posted on August 11, 2016 by Adam Young

Keystone has supported identity federation for several releases. I have been working on aÂ proof-of-concept integration of identity federation in a TripleO deployment. I was able to successfully login to Horizon via WebSSO, and want to share my notes.

A federation deployment requires changes to theÂ network topology,Â Keystone, the HTTPD service, and Horizon. The various OpenStack deploymentÂ tools will haveÂ their own ways of applying these changes. While this proof-of-concept can’t be called production-ready, it does demonstrate that TripleO can support Federation using SAML. From this proof-of-concept, we should be to deduce the necessary steps neededÂ for a production deployment.

Continue reading →

Customizing a Tripleo Quickstart Deploy

Posted on August 2, 2016 by Adam Young

Tripleo Heat Templates allow the deployer to customize the controller deployment by setting values in the controllerExtraConfig section of the stack configuration. However, Quickstart already makes use of this in the file /tmp/deploy_env.yaml, so if you want to continue to customize, you need to work with this file.

Continue reading →

ControllerExtraConfig and Tripleo Quickstart

Posted on July 28, 2016 by Adam Young

Once I have the undercloud deployed, I want to be able to quickly deploy and redeploy overclouds.Â However, my last attempt to affect change on the overcloud did not modify the Keystone config file the way I intended.Â Once again, Steve Hardy helped me to understand what I was doing wrong.

Continue reading →

Liveness

Posted on July 9, 2016 by Adam Young

The term Liveness here refers to theÂ need to ensure that the data used to make an authorization check is valid at the time of the check.

The mistake I made with PKI tokens was in not realizing how important Liveness was.Â The mistake was based on the age old error of confusing authentication with authorization.Â Since a Keystone token is used for both, I was confused into thinking that the primary importance was on authentication, but the reality is that the most important thing a token tells you is information essential to making an authorization decision. Continue reading →

Tokens without revocation

Posted on July 9, 2016 by Adam Young

PKI tokens in Keystone suffered from many things, most essentially the trials due to the various forms of revocation. I never wanted revocation in the first place. What could we have done differently? It just (I mean moments ago) came to me.
Continue reading →

Bypassing Version Discovery in Keystoneauth1

Posted on July 8, 2016 by Adam Young

I’ve been a happy Dreamhost customer for many years.Â So I was thrilled when I heard that they had upgrade Dreamcompute to Mitaka.Â So, like the good Keystoner that I am, I went to test it out.Â Of course, I tried to use the V3 API.Â Â And it failed.

What?Â Dreamhost wouldn’t let me down, would they?

No.Â V3 works fine, it is discovery that is misconfigured.
Continue reading →

Merging FreeIPA and Tripleo Undercloud Apache installs

Posted on July 8, 2016 by Adam Young

My Experiment yesterday left me with a broken IPA install. I aim to fix that.
Continue reading →

De-conflicting Swift-Proxy with FreeIPA

Posted on July 7, 2016 by Adam Young

Port 8080 is a popular port. Tomcat uses it as the default port for unencrypted traffic. FreeIA, installs Dogtag which runs in Tomcat. Swift proxy also chose that port number for its traffic. This means that if one is run on that port, the other cannot. Of the two, it is easier to change FreeIPA, as the port is only used for internal traffic, where as Swift’s port is in the service catalog and the documentation.
Continue reading →

Launching a Centos VM in Tripleo Overcloud

Posted on July 5, 2016 by Adam Young

My Overcloud deploy does not have any VM images associates with it. I want to test launching a VM.
Continue reading →

Clearing the Keystone Environment

Posted on July 1, 2016 by Adam Young

If you spend a lot of time switching between different cloud, different users, or even different projects for the same user when working with openstack, you’ve come across the problem where one environment variable from an old sourceing pollutes the current environment.Â I’ve been hit by that enough times that I wrote a small script to clear the environment.

I call it clear_os_env
Continue reading →

Adam Young's Web Log

The Notebook of a Programmer Climber Musician Ex-Soldier Woodworker and a few other things

Category Archives: Software

Tripleo HA Federation Proof-of-Concept

Customizing a Tripleo Quickstart Deploy

ControllerExtraConfig and Tripleo Quickstart

Liveness

Tokens without revocation

Bypassing Version Discovery in Keystoneauth1

Merging FreeIPA and Tripleo Undercloud Apache installs

De-conflicting Swift-Proxy with FreeIPA

Launching a Centos VM in Tripleo Overcloud

Clearing the Keystone Environment