Haneef Ali's profile - activity

2020-08-30 17:31:16 -0500 received badge  Nice Answer (source)
2017-12-15 23:08:41 -0500 received badge  Good Answer (source)
2017-03-10 11:26:47 -0500 received badge  Nice Answer (source)
2016-10-06 15:02:44 -0500 received badge  Nice Answer (source)
2016-06-24 08:45:22 -0500 received badge  Nice Answer (source)
2015-12-01 04:49:57 -0500 received badge  Nice Answer (source)
2015-09-29 23:43:23 -0500 answered a question why keystone CLI client is deprecated

Every service is supposed to deprecate their respective clients, and the CLIs for OpenStack services should migrate to the openstack client. Only keystone has migrated its CLI to the openstack client. All the other services are way behind in their support for the openstack client. The ultimate goal is to deprecate the nova/glance/heat/... CLIs and move all their functionality to the openstack CLI client. As an end user, you need to have only one CLI client installed on your system.


2015-08-17 00:29:43 -0500 answered a question Keystone Domains: Policy.json not enforced properly!?

The first thing to remember when doing per_domain_backend is that there is no API called list_users. It is always list_users per domain. Pass the domain_id of the domain whose users you want to list.

2015-08-07 10:59:20 -0500 answered a question Python-KeystoneClient add_user_role successful but not visible to keystone user-role-list

IMO, that v2.0 API is not correct. There is nothing called user-role-list. It is always user-role-list for a tenant. So you should add a role to a (user, tenant) pair and list the user's roles on a tenant.

2015-07-29 12:38:41 -0500 answered a question Why can't neutron get a keystone token

Your credentials in adminrc are fine. Check the keystone service credentials in neutron.conf. Most probably they are wrong.

2015-07-29 12:36:21 -0500 edited question Why can't neutron get a keystone token


I'm following the OpenStack install guide and I hit the first snag I can't work out. I've gone back and traced each step and everything looks right. I'm trying to configure neutron on the controller node and am running the verification steps. When trying to run

neutron ext-list

I get "Unauthorized (HTTP 401)".

Keystone and nova commands run fine (so the variables set by the admin-openrc.sh file are obviously working). If I run the command with --debug I get the trace below. Any help greatly appreciated.

blackspy21@controller:~$ neutron ext-list --debug
DEBUG: keystoneclient.session REQ: curl -i -X GET http://controller:35357/v2.0 -H "Accept: application/json" -H "User-Agent: python-keystoneclient"
DEBUG: keystoneclient.session RESP: [200] {'date': 'Wed, 29 Jul 2015 15:14:19 GMT', 'vary': 'X-Auth-Token', 'content-length': '421', 'content-type': 'application/json', 'x-distribution': 'Ubuntu'}
RESP BODY: {"version": {"status": "stable", "updated": "2014-04-17T00:00:00Z", "media-types": [{"base": "application/json", "type": "application/vnd.openstack.identity-v2.0+json"}, {"base": "application/xml", "type": "application/vnd.openstack.identity-v2.0+xml"}], "id": "v2.0", "links": [{"href": "http://controller:35357/v2.0/", "rel": "self"}, {"href": "http://docs.openstack.org/", "type": "text/html", "rel": "describedby"}]}}

DEBUG: stevedore.extension found extension EntryPoint.parse('table = cliff.formatters.table:TableFormatter')
DEBUG: stevedore.extension found extension EntryPoint.parse('csv = cliff.formatters.commaseparated:CSVLister')
DEBUG: neutronclient.neutron.v2_0.extension.ListExt get_data(Namespace(columns=[], fields=[], formatter='table', max_width=0, quote_mode='nonnumeric', request_format='json', show_details=False))
DEBUG: keystoneclient.auth.identity.v2 Making authentication request to http://controller:35357/v2.0/tokens
DEBUG: keystoneclient.session REQ: curl -i -X GET http://controller:9696/v2.0/extensions.json -H "User-Agent: python-neutronclient" -H "Accept: application/json" -H "X-Auth-Token: 808fcc3f9efc4e39bc50011e801437a1"
DEBUG: keystoneclient.session RESP:
DEBUG: keystoneclient.auth.identity.v2 Making authentication request to http://controller:35357/v2.0/tokens
DEBUG: keystoneclient.session RESP:
DEBUG: keystoneclient.session Request returned failure status: 401
ERROR: neutronclient.shell Unauthorized (HTTP 401) (Request-ID: req-33cdd9ee-1838-42e3-b2c8-f2bf2e24400e)
Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/neutronclient/shell.py", line 691, in run_subcommand
    return run_command(cmd, cmd_parser, sub_argv)
  File "/usr/lib/python2.7/dist-packages/neutronclient/shell.py", line 90, in run_command
    return cmd.run(known_args)
  File "/usr/lib/python2.7/dist-packages/neutronclient/common/command.py", line 29, in run
    return super(OpenStackCommand, self).run(parsed_args)
  File "/usr/lib/python2.7/dist-packages/cliff/display.py", line 91, in run
    column_names, data = self.take_action(parsed_args)
  File "/usr/lib/python2.7/dist-packages/neutronclient/common/command.py", line 35, in take_action
    return self.get_data(parsed_args)
  File "/usr/lib/python2.7/dist-packages/neutronclient/neutron/v2_0/__init__.py", line 669, in get_data
    data = self.retrieve_list(parsed_args)
  File "/usr/lib/python2.7/dist-packages/neutronclient/neutron/v2_0/__init__.py", line 638, in retrieve_list
    data = self.call_server(neutron_client, search_opts, parsed_args)
  File "/usr/lib/python2.7/dist-packages/neutronclient/neutron/v2_0/__init__.py", line 610, in call_server
    data = obj_lister(**search_opts)
  File "/usr/lib/python2.7/dist-packages/neutronclient/v2_0/client.py", line 99, in with_params
    ret = self.function(instance, *args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/neutronclient/v2_0/client.py", line ...
2015-07-28 11:07:54 -0500 answered a question listing users based on description

It is not supported and it won't be supported. Only the following filters are supported:

'domain_id', 'enabled', 'name'

2015-07-27 04:03:25 -0500 received badge  Nice Answer (source)
2015-07-13 13:51:34 -0500 commented answer which is correct ssl section for kilo version

I don't think it is correct. The signing section is for PKI certificates. If you still want to use eventlet with SSL, you need to use the ssl section.

2015-07-13 10:37:18 -0500 answered a question can admin role in tenant 1 be admin in tenant 2?

No. A role assignment is a tuple (user, tenant, role). If you want the "admin" role on another tenant for the same user, you need to explicitly assign it. This is the most commonly used pattern.

Having said that, there is a way to inherit roles if you have a tenant hierarchy. It is an experimental feature in Kilo.
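
To make the two points above concrete, here is an added example (my own, not the poster's code and not keystone's implementation) that models role assignments as explicit (user, project, role) tuples plus an optional inherited flag that reaches down a project hierarchy. The class, project names and user names are made up; the convention that an inherited grant applies only to the sub-tree below the project, not the project itself, is this model's own.

```python
"""Constructed model of keystone-style role assignments: explicit
(user, project, role) tuples, with optional inheritance down a project tree.
Not keystone code; names and the inheritance convention are this example's."""
from collections import namedtuple

Assignment = namedtuple("Assignment", "user project role inherited")


class Assignments:
    """A project hierarchy plus the explicit role assignments made on it."""

    def __init__(self):
        self._parent = {}      # project -> parent project (None for a root)
        self._grants = set()   # explicit Assignment tuples

    def add_project(self, name, parent=None):
        if parent is not None and parent not in self._parent:
            raise KeyError("unknown parent project %r" % parent)
        self._parent[name] = parent

    def grant(self, user, project, role, inherited=False):
        """Record one assignment. Nothing is implied for any other project
        unless inherited=True, which applies the role to the sub-tree below."""
        if project not in self._parent:
            raise KeyError("unknown project %r" % project)
        self._grants.add(Assignment(user, project, role, inherited))

    def _ancestors(self, project):
        parent = self._parent[project]
        while parent is not None:
            yield parent
            parent = self._parent[parent]

    def has_role(self, user, project, role):
        """True only for a direct assignment on this project, or an inherited
        assignment on one of its ancestors; admin on tenant1 says nothing
        about tenant2."""
        if Assignment(user, project, role, False) in self._grants:
            return True
        return any(Assignment(user, ancestor, role, True) in self._grants
                   for ancestor in self._ancestors(project))

    def projects_with_role(self, user, role):
        """Every project on which the user effectively holds the role."""
        return sorted(p for p in self._parent if self.has_role(user, p, role))


def build_example():
    """Constructed data: two flat tenants and a three-level hierarchy."""
    a = Assignments()
    for name in ("tenant1", "tenant2", "corp"):
        a.add_project(name)
    a.add_project("corp-dev", parent="corp")
    a.add_project("corp-dev-ci", parent="corp-dev")
    a.grant("alice", "tenant1", "admin")               # explicit, one tenant only
    a.grant("bob", "corp", "admin", inherited=True)    # flows down to corp-dev, corp-dev-ci
    return a
```

With this data, alice is admin on tenant1 and nothing else until a second tuple for tenant2 is added; bob's inherited grant on corp gives him admin on corp-dev and corp-dev-ci but, by this model's convention, not on corp itself.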

2015-07-07 12:14:41 -0500 answered a question how to migrate keystone identity api version 3 to 2.0?

Keystone-paste.ini just lists the supported APIs, i.e. it supports both v2 and v3. If you are using openstackclient to invoke the v3 API, whatever is in the catalog doesn't matter, as openstackclient doesn't use any values from the catalog.

To summarize, with your settings you can still use v2.0 APIs and v3 APIs. You don't need to change anything.

2015-07-07 12:10:09 -0500 edited question how to migrate keystone identity api version 3 to 2.0?


Currently my endpoint is created in following way.

Service: identity
|   Property  |              Value               |
|   adminURL  |  |
|      id     | 4115f50e6b1c4afd81437eab5cf772af |
| internalURL |   |
|  publicURL  |   |
|    region   |            RegionOne             |

Here I am pointing to v2.0, but if you look at keystone-paste.ini it is pointing to v3.

paste.app_factory = keystone.service:v3_app_factory

pipeline = sizelimit url_normalize build_auth_context token_auth admin_token_auth xml_body_v3 json_body ec2_extension_v3 s3_extension simple_cert_extension revoke_extension service_v3

use = egg:Paste#urlmap
/v2.0 = public_api
/v3 = api_v3
/ = public_version_api

use = egg:Paste#urlmap
/v2.0 = admin_api
/v3 = api_v3
/ = admin_version_api

So I am totally confused by this. Please guide me on how I can use the identity v2.0 APIs.

2015-07-07 12:09:10 -0500 answered a question locked out situation with default domain?

Who can disable the cloud_admin domain? Only cloud_admin can do it. That means you know what you are doing and its implications. Isn't this the same as disabling the root password/ssh and then trying to log in via root/ssh?

To answer your question, you can do this in many ways:

1) You can change the enabled attribute for the domain in the database directly.

2) Keystone has AdminTokenMiddleware; if you have this middleware enabled, you can change it to enabled via the REST API. The value of admin_token is configured in keystone.conf.

3) Change the policy file to make another domain the "cloud_admin" domain and restart keystone. Using that credential you can now enable the "default" domain.

2015-07-06 10:24:24 -0500 answered a question Not authorized to list projects with keystone v3?

Did you replace domain_id in the "domain_id:%(domain_id)s" rule with a valid domain id? I believe you haven't done that. list_projects is allowed only for "cloud_admin" as per that policy file.

In the first case, since the token's domain_id doesn't match the domain_id in the rule, it throws an authorization error.

In the second case, if you remove that entry, then cloud_admin is anyone who has the "admin" role. Since your user has the "admin" role, it works.
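
The two cases above can be reproduced with a small rule evaluator. This is an added example of my own, not the poster's code and not oslo.policy or keystone: it handles only the rule:, role: and key:value checks joined by and/or that these rules use. It assumes the shape of the cloud-sample policy file, whose cloud_admin rule ships with the placeholder admin_domain_id that the operator is expected to replace; the domain ids and the token creds are constructed.

```python
"""Constructed model of how the v3 cloud-sample policy decides
identity:list_projects. Not oslo.policy or keystone code: the evaluator
supports only 'rule:', 'role:' and 'key:value' checks joined by and/or,
and every id below is made up."""

PLACEHOLDER = "admin_domain_id"                           # as shipped in the sample file
CLOUD_ADMIN_DOMAIN = "1a2b3c4d5e6f4a7b8c9d0e1f2a3b4c5d"   # constructed
OTHER_DOMAIN = "9f8e7d6c5b4a4f3e2d1c0b9a8f7e6d5c"         # constructed


def make_policy(admin_domain_id, keep_domain_check=True):
    """The fragment of the policy file that matters for list_projects."""
    cloud_admin = "rule:admin_required"
    if keep_domain_check:
        cloud_admin += " and domain_id:" + admin_domain_id
    return {
        "admin_required": "role:admin",
        "cloud_admin": cloud_admin,
        "identity:list_projects": "rule:cloud_admin",
    }


def check(expr, rules, creds, target):
    """Evaluate one rule expression against the token's creds dict."""
    if " or " in expr:                      # 'or' binds looser than 'and'
        return any(check(p, rules, creds, target) for p in expr.split(" or "))
    if " and " in expr:
        return all(check(p, rules, creds, target) for p in expr.split(" and "))
    kind, _, value = expr.partition(":")
    if kind == "rule":
        return check(rules[value], rules, creds, target)
    if kind == "role":
        return value in creds.get("roles", ())
    # generic check: creds[kind] must equal the literal, or the target
    # attribute when the right-hand side is written as %(name)s
    if value.startswith("%(") and value.endswith(")s"):
        value = target.get(value[2:-2])
    return creds.get(kind) == value


def may_list_projects(policy, token_creds):
    return check(policy["identity:list_projects"], policy, token_creds, {})


def compare_cases():
    """Outcomes for the situations described in the answer; all values constructed."""
    cloud_admin = {"roles": ["admin"], "domain_id": CLOUD_ADMIN_DOMAIN}  # domain-scoped token
    other_admin = {"roles": ["admin"], "domain_id": OTHER_DOMAIN}        # admin elsewhere
    unedited = make_policy(PLACEHOLDER)                                  # placeholder left in
    fixed = make_policy(CLOUD_ADMIN_DOMAIN)                              # placeholder replaced
    loosened = make_policy(CLOUD_ADMIN_DOMAIN, keep_domain_check=False)  # domain check removed
    return {
        "unedited_rule_denies_real_admin": not may_list_projects(unedited, cloud_admin),
        "fixed_rule_allows_cloud_admin": may_list_projects(fixed, cloud_admin),
        "fixed_rule_denies_other_domain_admin": not may_list_projects(fixed, other_admin),
        "dropped_check_makes_every_admin_cloud_admin": may_list_projects(loosened, other_admin),
    }
```

The last entry is the one to watch: removing the domain_id term does make the call work, but it also turns every holder of the admin role in any domain into cloud_admin, which is the opposite of what the cloud-sample policy is for. Replacing the placeholder with the real admin domain id is the fix.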

2015-07-03 21:14:09 -0500 commented answer use of [oauth1] section in keystone.conf ?

If you are really interested in the use case: how can you ask heat to spawn/terminate VMs on behalf of you? You really don't want to give your credentials to heat; instead you delegate certain capabilities.

2015-07-03 21:11:05 -0500 commented answer use of [oauth1] section in keystone.conf ?

Yes. That link has everything about the specification. Before going with the keystone implementation, read the link to the OAUTH spec given there. One of the main goals of implementing OAUTH in keystone is to replace the keystone trusts API with OAUTH (which is a standard way of doing trusts).

2015-07-02 17:50:16 -0500 answered a question use of [oauth1] section in keystone.conf ?

It is for the oauth1 protocol. Keystone supports oauth1 and you can use oauth1 for delegation instead of trusts.

2015-06-24 11:33:59 -0500 answered a question User tenants in keystone v2

Assuming you have a valid token, you can do

curl -ki -H "X-Auth-Token:UsersToken" http://<keystone_endpoint>:5000/v2.0/tenants

which will list all the tenants available for that user, and

curl -ki -H "X-Auth-Token:UsersToken" http://<keystone_endpoint>:35357/v2.0/tenants

which will list all the tenants available in the system.

Note: Depending on the port, the response changes.

2015-06-24 11:30:45 -0500 commented answer What are implication of using both v2.0 and v3 endpoint of keystone

Don't use the keystone CLI. Use the openstack CLI. If you use the keystone CLI (which is v2), you need to have an endpoint with v2.0 as the version. Please use the openstack CLI. http://docs.openstack.org/developer/p...

2015-06-18 09:48:56 -0500 answered a question How does keystone token get to swift?

1) If a user wants to invoke a REST call 'X' in swift, he gets the token from keystone and then invokes the REST call by passing the user's token.
2) Now swift needs to validate the user's token.
3) Swift will send the user's token to keystone to validate. But for this to work, swift needs to validate itself. If you look at swift.conf, it will have a service account. Swift uses this account to identify itself to keystone. (i.e.) Using the service account it gets a token (and caches it), and when it needs to validate the user's token, it asks keystone to validate the user's token by passing both its own token and the user's token.
4) Upon a successful response, it proceeds.

To answer your questions:

1) Keystone middleware uses the config setting to get the service token and caches it. While trying to validate the user's token, it passes swift's token in X-Auth-Header along with the user's token.
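
The exchange described above, as an added simulation of my own (not keystone, swift or keystonemiddleware code): a stand-in identity service issues tokens, and a model of the authtoken filter fetches its own service token once from configured credentials, caches it, and presents it alongside the client's token on every validate call. The v3 validate API carries the two tokens as X-Auth-Token (the caller's) and X-Subject-Token (the one being checked); the class names, accounts, passwords and token ids here are constructed. It also covers the failure modes around this flow: a stale cached service token is refetched once, a client token cannot be used to validate other tokens, and wrong service credentials in the filter's config surface as a 401 even though the client's own token is perfectly valid (the neutron.conf situation from the other question).

```python
"""Constructed simulation of the token flow: user token issued by keystone,
presented to swift, validated by swift's authtoken filter using its own
cached service token. Not keystone/swift/keystonemiddleware code; every
account, password and token id is made up."""
import secrets


class Unauthorized(Exception):            # an HTTP 401 towards the caller
    pass


class ServiceTokenInvalid(Unauthorized):  # the validator's own token was refused
    pass


class FakeKeystone:
    """Stand-in for the identity service: a user table and issued tokens."""

    def __init__(self):
        # constructed accounts: one end user, one service account for swift
        self._users = {"alice": ("alice-pw", ["member"]),
                       "swift": ("swift-service-pw", ["service"])}
        self._tokens = {}        # token id -> (user, roles)
        self.auth_requests = 0   # credential-for-token exchanges seen

    def issue_token(self, user, password):
        self.auth_requests += 1
        creds = self._users.get(user)
        if creds is None or creds[0] != password:
            raise Unauthorized("bad credentials for %r" % user)
        tid = secrets.token_hex(16)
        self._tokens[tid] = (user, creds[1])
        return tid

    def revoke(self, tid):
        self._tokens.pop(tid, None)

    def validate_token(self, service_token, subject_token):
        """Two tokens per call (v3: X-Auth-Token is the caller's own,
        X-Subject-Token the one being checked): the caller is authenticated
        first and must hold the service role."""
        if service_token not in self._tokens:
            raise ServiceTokenInvalid("service token rejected")
        caller, caller_roles = self._tokens[service_token]
        if "service" not in caller_roles:
            raise Unauthorized("%s may not validate other tokens" % caller)
        if subject_token not in self._tokens:
            raise Unauthorized("subject token invalid")
        user, roles = self._tokens[subject_token]
        return {"user": user, "roles": roles}


class AuthTokenMiddleware:
    """Model of the authtoken filter in swift's proxy pipeline."""

    def __init__(self, keystone, service_user, service_password):
        self._ks = keystone
        self._creds = (service_user, service_password)   # from swift's config
        self.service_token = None                        # cached once fetched

    def _get_service_token(self):
        if self.service_token is None:
            self.service_token = self._ks.issue_token(*self._creds)
        return self.service_token

    def handle(self, headers):
        """Validate the client's X-Auth-Token; return identity headers for the
        application behind the filter, or raise Unauthorized (a 401)."""
        user_token = headers.get("X-Auth-Token", "")
        for _ in range(2):
            try:
                info = self._ks.validate_token(self._get_service_token(), user_token)
            except ServiceTokenInvalid:
                self.service_token = None   # cache went stale: refetch, retry once
                continue
            return {"X-Identity-Status": "Confirmed", "X-User-Name": info["user"],
                    "X-Roles": ",".join(info["roles"])}
        raise Unauthorized("could not obtain a valid service token")


def rejects(func, *args):
    """True if the call ends in a 401-equivalent."""
    try:
        func(*args)
    except Unauthorized:
        return True
    return False


def run_scenario():
    """Drive the flow end to end; return the observations as a dict."""
    ks = FakeKeystone()
    swift = AuthTokenMiddleware(ks, "swift", "swift-service-pw")
    alice = ks.issue_token("alice", "alice-pw")                  # step 1: user gets a token
    user = swift.handle({"X-Auth-Token": alice})["X-User-Name"]  # steps 2-4: swift validates
    swift.handle({"X-Auth-Token": alice})                        # cached service token reused
    requests_after_two_calls = ks.auth_requests
    ks.revoke(swift.service_token)                               # cached service token goes stale
    recovered = swift.handle({"X-Auth-Token": alice})["X-User-Name"] == "alice"
    misconfigured = AuthTokenMiddleware(ks, "swift", "wrong-pw")  # wrong service credentials
    return {
        "user": user,
        "auth_requests_after_two_calls": requests_after_two_calls,
        "recovered_after_revoke": recovered,
        "user_token_cannot_validate": rejects(ks.validate_token, alice, alice),
        "bad_service_creds_rejected": rejects(misconfigured.handle, {"X-Auth-Token": alice}),
    }
```

Two token-issuing requests after two client calls shows the caching: one for alice, one for the service account, and none for the second call. The last entry shows why a 401 from a service is not proof that the client's token is bad: when the filter cannot authenticate itself, the client sees the same status code.
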
2015-06-17 21:54:27 -0500 commented answer ERROR: openstack The resource could not be found. (HTTP 404) openstack user list

If you are using keystone v3, then it doesn't matter; both ports expose all the operations. But if you are using the v2 API, only a few operations are exposed via 5000. Setting API_VERSION=3 defaults you to the v3 API. In your original example, you are using v2 APIs.

2015-06-17 14:44:20 -0500 answered a question ERROR: openstack The resource could not be found. (HTTP 404) openstack user list

No, you didn't. Those operations are not available at port 5000; they are available only at port 35357. In your first case, you are hitting port 5000.

2015-06-17 11:38:34 -0500 received badge  Nice Answer (source)
2015-06-08 11:01:52 -0500 commented answer Keystone: unable to use the public endpoint

Yes. This is only for the keystone client. All other clients use the public endpoint.

2015-06-07 23:27:49 -0500 answered a question Keystone: unable to use the public endpoint

You can't use the public endpoint, as the keystone client is hardcoded to use the admin endpoint. OS_AUTH_URL is only used to get the initial token; after that the admin endpoint in the catalog is used.

If you want a workaround, you can do

keystone token-get

Once you get the token, do

keystone --os-token token_got_in_previous_step --os-service-endpoint your_public_endpoint user-list

BTW please use openstack client as keystone command line client is deprecated.

BTW we are working on fixing this by adding one more environment variable which can be used to select the endpoint. This will be available only for keystone v3 apis using openstack client. I will update once that fix lands.


2015-06-03 13:57:37 -0500 commented answer difference between keystone port 5000 and 35357 ?

Backward compatibility. Since v2 listens on 2 ports, v3 too has to listen on both ports till v2 is removed fully. By default there is no difference; that doesn't mean you can't customize which APIs are allowed on each port.

2015-06-03 10:47:49 -0500 received badge  Nice Answer (source)
2015-06-02 21:07:31 -0500 answered a question Difference between Identity API v2.0 and Identity Admin API v2.0

Keystone has already deprecated the v2 API. In future releases it won't be enabled by default. Most probably you need to edit keystone-paste.ini to enable it. There is no point in using the v2 API as its feature set is the bare minimum.

In case you are interested, check this link http://developer.openstack.org/api-re...

2015-06-02 11:46:31 -0500 answered a question difference between keystone port 5000 and 35357 ?

If you are using keystone v3, it doesn't matter, as all the operations are available on both port 5000 and 35357. In v2 only a few operations are available at port 5000.

That link is missing a couple of APIs.

2015-05-29 10:14:07 -0500 commented answer HTTP 401 error on role add with Keystone V3 API

Updated my answer

2015-05-29 10:12:04 -0500 answered a question which is correct ssl section for kilo version

Running under eventlet is deprecated. Run under apache and configure SSL in apache.

2015-05-29 01:09:30 -0500 commented answer Developing authentication or authorization Keystone Module

Unfortunately authorization is done via decorators, so unless you monkeypatch the decorator or override the controller, you can't do it. I don't think there is a driver for authorization. Drivers are for backends, and authorization is done in the controller layer. You can only override backend drivers.

2015-05-27 23:15:29 -0500 commented answer Developing authentication or authorization Keystone Module

What do you want to do? Assignment is a bit complicated as refactoring is going on. If you want to try, check the identity driver. You can inherit from the sql identity driver and just override the create_user method and test it to get an idea of how it works.

2015-05-27 16:24:36 -0500 answered a question HTTP 401 error on role add with Keystone V3 API

There are a couple of problems, all of them due to the admin token. Certain API calls try to get the user's domain_id from the token, and since you are using the admin token, they are going to fail.

The Openstack client command is trying to be smart. It doesn't know whether the user has given an "id" or a "name". It assumes the input is an "id" and, if that fails, assumes it is a "name". If both fail, it errors out.

Your Openstack command does the following:

1) Get domain by domain_id using the domain_id "default". This will work.
2) Get user by user_id using user_id as "admin". This won't work. So it will once again try to list all the users and filter by name where name is "admin". Most probably you are getting the 401 here.

So your options are to use the id for the username.

2015-05-22 11:36:03 -0500 answered a question What are implication of using both v2.0 and v3 endpoint of keystone

Depends on what version you have. Kilo won't have any problem. The better approach is to use a versionless endpoint in keystone, i.e. you need only one endpoint which doesn't have any version. The keystone client library will automatically discover versions.

ie. http://dgnode:35357

2015-05-21 12:53:12 -0500 answered a question Developing authentication or authorization Keystone Module

Yes, that is possible. You just add the class and keystone will load it. It is preferable to write any plugin using stevedore.