Improving Auditing in Keystone

Keystone has supported entity notifications since Havana. The original implementation scoped the notification payload to the entity type and its unique ID. The original idea was that the application consuming the notification would know what type of resource changed and could then ask Keystone for more information using the ID. For example, an application could ...

Drill Sequence Generator

18. April 2016 drills, firearms 0
Generate a shooting sequence: Travis Haley has a shooting exercise where you have to process a series of targets in the right order. Part of the fun is that he draws the shooting sequence from a hat, takes 10 seconds to process the sequence, then turns around and does the drill. Instead of writing ...

OpenStack Keystone Mitaka Summit Summary

Here are some of my general notes on the outcomes of the keystone-specific OpenStack Mitaka Design sessions. Tokens and Authentication: The keystone team will continue working towards making Fernet tokens the default. We have patches in flight to Tempest and Devstack to move in that direction. There also seems to be quite a bit of confusion ...

The Future of Fernet Tokens

During the OpenStack Mitaka design summit, we had several discussions on getting Fernet to be set as keystone’s default token provider. The goal of this post is to document that path and see what it looks like for keystone and related projects. What is needed to get Fernet set as the ...

.270 vs .308 Caliber Debate

19. June 2015 firearms 0
After moving to Texas, I rediscovered a passion of mine that allows me to step away from the mental confinements of my day job – guns. Growing up, I was consumed by them. I’d count the days until opener. I’d meticulously prepare hunting gear. I’d jump at the chance to clean shotguns after dad and ...

Fernet tokens and key distribution (part 2)

Based on yet another previous post, this post outlines more of the workflow required to get 0 wait time for validating tokens between Keystone servers. We can use the following ansible inventory to help us:

    [db]
    <keystone-1-ip>

    [app]
    <keystone-1-ip>
    <keystone-2-ip>
    <keystone-3-ip>

    [app:vars]
    sql_connection_string=mysql://keystone:keystone@<keystone-1-ip>/keystone

Which assumes that we’re going to be using keystone-deploy’s Fernet Token branch ...

Fernet tokens and key distribution

In a previous post, I attempted to shed light on the key rotation method used in Keystone for Fernet tokens, shortly after the implementation landed. This segment is targeted towards understanding how the key rotation mechanism benefits deployments with multiple Keystone servers. In a multi-Keystone OpenStack deployment, we must address replication. When using a persistent token ...

Fernet tokens and key rotation

Keystone recently merged a new token provider that gives deployers the ability to use non-persistent tokens. These non-persistent tokens have been known by a few different names during the landing process (Authenticated Encryption tokens, Keystone Lightweight tokens, etc). For the duration of this post, they’ll be referred to as Fernet tokens. For those unfamiliar with ...

Baked Pasta Primavera

26. December 2014 cooking 0
1 lb. pasta 1 c. snap peas 1 1/2 c. broccoli florets 1 c. zucchini, diced 2 carrots, sliced in 2 inch cuts 1 red bell pepper, sliced olive oil 4 cloves garlic, diced 8 – 10 cherry tomatoes 1/2 tsp. red pepper flakes 1/2 c. chopped parsley 1/2 c. grated parmesan cheese Kosher salt ...

Keystone API Validation with JSD

19. December 2014 keystone, openstack, python 0
This post is an attempt to capture some information about JSD. After a few attempts to standardize a validation schema for the Keystone API, it was clear the schema could become unmanageable. I don’t believe the unmanageability stemmed from defining different resource properties but more so the edge cases that a schema had to check for. ...