Ask Your Question

How do different components react to keystone v3 api?

asked 2014-05-15 05:16:12 -0500

aj-- gravatar image

We are using havana in prod and looking at enabling keystone v3 api. I am not sure how that is going to turn out. If the concept of domain, group is only internal to keystone only, other components shouldn't be affected.

edit retag flag offensive close merge delete

1 answer

Sort by ยป oldest newest most voted

answered 2014-05-20 11:02:34 -0500

None of the openstack service can talk v3 as of now. Most probably next release. All the clients are being upgraded to use keystoneclient library instead of their custom auth code

edit flag offensive delete link more


What do you mean by "none of the openstack service can talk v3"? As per the keystone developers keystone v3 api is fairly stable and production ready. And as I understand it, concepts such as domains and groups shouldn't be known to other components.

ajayaa gravatar imageajayaa ( 2014-05-27 13:05:58 -0500 )edit

How do you get a v3 token? None of the clients(novclient,swiftclient,glanceclient etc) can't make v3 token call?
In v2.0 tenant name is globally unique, whereas in v3 it is unique within a domain so if you create a tenant using v3 api, it is not going work unless you qualify with domain assuming you are using tenant name to make a service request. If you are using tenantid then it will work since it is globally unique. Same goes for username.

If you create a v3 user, how will you login to horizon using that user? Horizon console has only username/password. I agree about the services, but the clients need to know about domaains.

Haneef Ali gravatar imageHaneef Ali ( 2014-05-29 21:37:30 -0500 )edit

All the clients are being replaced by one openstack client, right? From the openstack client I can make a v3 api call.
If I restrict all the users only to use default domain, then it should be fine. Project names would also be unique in that case.

In our cloud we want to introduce the concept of project_admin which isn't posssible with keystone v2 api. Keystone v3 supports RBAC policies. So we need to enable keystone v3 I guess and allow project_admins to create projects in default domain only.

ajayaa gravatar imageajayaa ( 2014-05-30 00:29:43 -0500 )edit

As far as I know only CLI is going to openstack client. What you are trying to do will work, but you may be seeing some loopholes. 1) Even if you add RBAC, v2 calls will bypass RBAC.. So if you add "admin" role to any user to allow token validation, they can use v2 to do anything they want

Haneef Ali gravatar imageHaneef Ali ( 2014-05-30 11:31:50 -0500 )edit

Get to know Ask OpenStack

Resources for moderators

Question Tools

1 follower


Asked: 2014-05-15 05:16:12 -0500

Seen: 236 times

Last updated: May 20 '14