kevin.purcell's profile - activity

2014-11-25 17:09:50 -0600 received badge  Famous Question
2014-11-25 17:09:50 -0600 received badge  Notable Question
2014-11-25 17:09:50 -0600 received badge  Popular Question
2014-07-02 19:16:59 -0600 received badge  Enthusiast
2014-07-01 18:22:45 -0600 received badge  Famous Question
2014-06-30 03:03:54 -0600 commented question Can keystone integrate with Azure AD or ADFS?

I wanted to add another comment here as I just recently noticed that I installed my lab with Havana, so I upgraded it to IceHouse. I see that keystone has a new v3 API, but I can't seem to find much documentation about it. For instance I found this: http://docs.openstack.org/developer/keystone/configure_federation.html

The documentation seems to want you to install httpd on your keystone server? I can't make sense of this.

My thought is that it would work like this: the user goes to a frontend website and attempts to log in with an @gmail.com address. This isn't an account we store locally, so the password option would grey out and redirect the user to the external identity provider, and then the correct authentication page would be displayed (google) so that they can log in with their account and ...

2014-06-27 05:32:22 -0600 received badge  Notable Question
2014-06-24 01:39:58 -0600 asked a question Can keystone integrate with Azure AD or ADFS?

I saw that you can integrate keystone with AD, but it looks like this is looking for a particular OU and Group structure. Azure AD doesn't have an OU structure.

I was thinking of integrating keystone with Azure AD in order to use 3rd-party identity providers such as google/facebook. Can this be done with keystone? If you can't use Azure AD, would this be possible with an on-prem ADFS installation that syncs up with Azure?

I read this document, which seems to indicate that they are at least thinking about keystone and identity federation: https://wiki.openstack.org/wiki/Keystone_Virtual_Identity_Providers

Can anyone provide thoughts or insights?

2014-06-19 22:11:47 -0600 received badge  Popular Question
2014-06-19 02:00:42 -0600 received badge  Scholar
2014-06-19 01:27:08 -0600 commented answer Invalid user token - deferring reject downstream (swift proxy)

If you look at the diagram here:

http://docs.openstack.org/icehouse/install-guide/install/yum/content/example-object-storage-installation-architecture.html

it shows the proxy as the client connection method. This doesn't show the authentication server and doesn't imply that keystone and the proxy are on the same server.

I guess I am a bit concerned that you would present your accounts database to the internet and then the auth server does its own hand-off to the proxy servers once you are authenticated. I assumed the user connected to the proxy and that the proxy would authenticate in the background, not the other way around, where the user connects to keystone and keystone hands off the connection once you are authenticated.

2014-06-18 23:00:48 -0600 asked a question Invalid user token - deferring reject downstream (swift proxy)

My test environment looks like:

 - controller (keystone) - 10.10.1.111
 - swift (proxy) - 10.10.1.112
 - storage (cluster1) - 10.10.1.113
 - storage (cluster2) - 10.10.1.115

I finally got everything working (or so I thought). From my proxy server I was able to run the "test" commands and get a result back from keystone (using http://10.10.1.111:35357/v2.0):

[root@openstack_swift ~(swift)]# swift --debug list
DEBUG:keystoneclient.session:REQ: curl -i -X POST http://controller:35357/v2.0/tokens -H "Content-Type: application/json" -H "User-Agent: python-keystoneclient" -d '{"auth": {"tenantName": "service", "passwordCredentials": {"username": "swift", "password": "swift"}}}'
INFO:urllib3.connectionpool:Starting new HTTP connection (1): controller
DEBUG:urllib3.connectionpool:"POST /v2.0/tokens HTTP/1.1" 200 1136
DEBUG:keystoneclient.session:RESP: [200] {'date': 'Thu, 19 Jun 2014 03:51:03 GMT', 'content-type': 'application/json', 'content-length': '1136', 'vary': 'X-Auth-Token'}
RESP BODY: {"access": {"token": {"issued_at": "2014-06-19T03:51:03.586599", "expires": "2014-06-19T04:51:03Z", "id": "8a53f47c41e54eb3b807b6dbd806903e", "tenant": {"description": "Service Tenant", "enabled": true, "id": "f1458b9e3c8c4d1388671a322d145799", "name": "service"}}, "serviceCatalog": [{"endpoints": [{"adminURL": "http://10.10.1.112:8080/v1", "region": "regionOne", "internalURL": "http://10.10.1.112:8080/v1/AUTH_f1458b9e3c8c4d1388671a322d145799", "id": "72ebd90eb8fb4b629445acd1cbca2152", "publicURL": "http://10.10.1.112:8080/v1/AUTH_f1458b9e3c8c4d1388671a322d145799"}], "endpoints_links": [], "type": "object-store", "name": "swift"}, {"endpoints": [{"adminURL": "http://controller:35357/v2.0", "region": "regionOne", "internalURL": "http://controller:5000/v2.0", "id": "aae73a88b50a4886990521677f494890", "publicURL": "http://controller:5000/v2.0"}], "endpoints_links": [], "type": "identity", "name": "keystone"}], "user": {"username": "swift", "roles_links": [], "id": "184c513932514611a0b0d6175a6a9167", "roles": [{"name": "admin"}], "name": "swift"}, "metadata": {"is_admin": 0, "roles": ["d6fef3ca810c485ca1dadc675d102442"]}}}

DEBUG:iso8601.iso8601:Parsed 2014-06-19T04:51:03Z into {'tz_sign': None, 'second_fraction': None, 'hour': u'04', 'daydash': u'19', 'tz_hour': None, 'month': None, 'timezone': u'Z', 'second': u'03', 'tz_minute': None, 'year': u'2014', 'separator': u'T', 'monthdash': u'06', 'day': None, 'minute': u'51'} with default timezone <iso8601.iso8601.Utc object at 0x134da10>
DEBUG:iso8601.iso8601:Got u'2014' for 'year' with default None
DEBUG:iso8601.iso8601:Got u'06' for 'monthdash' with default 1
DEBUG:iso8601.iso8601:Got 6 for 'month' with default 6
DEBUG:iso8601.iso8601:Got u'19' for 'daydash' with default 1
DEBUG:iso8601.iso8601:Got 19 for 'day' with default 19
DEBUG:iso8601.iso8601:Got u'04' for 'hour' with default None
DEBUG:iso8601.iso8601:Got u'51' for 'minute' with default None
DEBUG:iso8601.iso8601:Got u'03' for 'second' with default None
INFO:urllib3.connectionpool:Starting new HTTP connection (1): 10.10.1.112
DEBUG:urllib3.connectionpool:"GET /v1/AUTH_f1458b9e3c8c4d1388671a322d145799?format=json HTTP/1.1" 200 51
DEBUG:swiftclient:REQ: curl -i http://10.10.1.112:8080/v1/AUTH_f1458b9e3c8c4d1388671a322d145799?format=json -X GET -H "X-Auth-Token: 8a53f47c41e54eb3b807b6dbd806903e"
DEBUG:swiftclient:RESP STATUS: 200 OK
DEBUG:swiftclient:RESP HEADERS: [('content-length', '51'), ('accept-ranges', 'bytes'), ('x-timestamp', '1402916327.54569'), ('x-trans-id', 'txc7649b843c8a481cb7d71-0053a25df7'), ('date', 'Thu, 19 Jun 2014 03:50:17 GMT'), ('x-account-bytes-used', '24996082'), ('x-account-container-count', '1'), ('content-type', 'application/json; charset=utf-8'), ('x-account-object-count', '5')]
DEBUG:swiftclient:RESP BODY: [{"count": 5, "bytes": 24996082, "name": "backup"}]
backup
INFO:urllib3.connectionpool:Starting new HTTP connection (1): 10.10.1.112
DEBUG:urllib3.connectionpool:"GET ...