Dramatis Personae:
Adam Young, Jamie Lennox: Keystone core.
Scene: #openstack-keystone chat room.
The process of deploying the overcloud goes through several technologies. Here’s what I’ve learned about tracing it.
I’ve been using TripleO Quickstart. I need custom deploys. Start with modifying the heat templates. I’m doing a Mitaka deploy.
SAML is usually thought of as a WebSSO mechanism, but it can be made to work for command line operations if you use the Extended Client Protocol (ECP). When we did the Rippowam demo last year, we were successful in getting an Unscoped token by using ECP, but that was not sufficient to perform operations on other services that need a scoped token.
We are in the process of getting the docs straightened out for reviewing RDO packages. As we do, I want to record what I have working.
In the previous post, I described the setup for installing FreeIPA on a VM parallel to the undercloud VM set up by TripleO Quickstart. The network on the undercloud VM has been set up by Ironic and Neutron to listen on a network defined for the overcloud. I want to reproduce this on a second machine that is not enrolled in the undercloud. How can I reproduce the steps?
I’ve been talking about using FreeIPA to secure OpenStack since the Havana summit in Portland. I’m now working with TripleO to install OpenStack. To get the IPA server installed along with TripleO Quickstart requires a VM accessible from the Ansible playbook.
Certmonger is split into 3 parts
Debugging this process is much easier if you run the certmonger service from the command line and tell it to log debugging output. Make sure no certmonger-session processes are running:
Not the way to do it long term, but this will give you a chance to play with it.
From the controller node:
sudo keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
sudo crudini --set /etc/keystone/keystone.conf token provider fernet
sudo systemctl restart httpd.service
Test it
$ openstack token issue -f shell
expires="2016-05-05T05:21:44Z"
id="gAAAAABXKspYhz7Ti5ldwi0mU4D69NqTINEU_t-e8MoxqVkVhR40w1E7GOmgai-9lanr2Z6bnoyQSgNWIhD63UOm1Mlsm9_hw5oTCqVO_pWJZwTomlWM2BrG5LqTOyp6PNqYz2pZ0DIaSTOnOQPeVqKp4ot8S3B6oA4Xy1JZo3305DPiApCzOyQ"
project_id="b383d314cc344639939f2a9a381a6945"
user_id="4e154e7d166d4bd6b8199dfd3a6f2468"