)]}'
{"specs/kilo/keystone-federation.rst":[{"author":{"_account_id":6482,"name":"Steve Martinelli","email":"s.martinelli@gmail.com","username":"stevemar"},"change_message_id":"b898245702be29aa002282d4dfbfc24c83c20243","unresolved":false,"context_lines":[{"line_number":31,"context_line":"* As an Administrator, in order to allow my users to utilize their Keystone"},{"line_number":32,"context_line":"  identity with other service providers, I should be able to establish a trust"},{"line_number":33,"context_line":"  relationship between my Keystone and a Service Provider Keystone via command"},{"line_number":34,"context_line":"  line \u0026 browser."},{"line_number":35,"context_line":""},{"line_number":36,"context_line":"* As an Administrator of multiple clouds, in order to provide identity"},{"line_number":37,"context_line":"  federation between my multiple clouds, I should be able to establish a trust"}],"source_content_type":"text/x-rst","patch_set":9,"id":"fa32b979_e4a8c479","line":34,"updated":"2015-06-23 07:15:36.000000000","message":"nit: command line or browser","commit_id":"83930f4b435def767f3b8d13c0e6761bbb6a6c0b"},{"author":{"_account_id":6816,"name":"Jesse Pretorius","email":"jesse@odyssey4.me","username":"jesse-pretorius"},"change_message_id":"103120a1ef83c7fa4e50946b9179136870325601","unresolved":false,"context_lines":[{"line_number":31,"context_line":"* As an Administrator, in order to allow my users to utilize their Keystone"},{"line_number":32,"context_line":"  identity with other service providers, I should be able to establish a trust"},{"line_number":33,"context_line":"  relationship between my Keystone and a Service Provider Keystone via command"},{"line_number":34,"context_line":"  line \u0026 browser."},{"line_number":35,"context_line":""},{"line_number":36,"context_line":"* As an Administrator of multiple clouds, in order to provide identity"},{"line_number":37,"context_line":"  federation between my multiple clouds, I should be able to establish a 
trust"}],"source_content_type":"text/x-rst","patch_set":9,"id":"ba3cc151_d2c00c7f","line":34,"in_reply_to":"fa32b979_e4a8c479","updated":"2015-06-30 11:37:10.000000000","message":"Done","commit_id":"83930f4b435def767f3b8d13c0e6761bbb6a6c0b"},{"author":{"_account_id":6482,"name":"Steve Martinelli","email":"s.martinelli@gmail.com","username":"stevemar"},"change_message_id":"b898245702be29aa002282d4dfbfc24c83c20243","unresolved":false,"context_lines":[{"line_number":40,"context_line":""},{"line_number":41,"context_line":"* As an Administrator, in order to effectively map Identity Provider groups and"},{"line_number":42,"context_line":"  users to Service Provider roles, I should be able to simply define mappings"},{"line_number":43,"context_line":"  to Service Provider projects, domains and roles for given groups."},{"line_number":44,"context_line":""},{"line_number":45,"context_line":"* As a Deployer, in order to prevent downtime or interruption, I should be able"},{"line_number":46,"context_line":"  to setup my cloud as an Identity Provider without interruption to the data"}],"source_content_type":"text/x-rst","patch_set":9,"id":"fa32b979_c44900d2","line":43,"updated":"2015-06-23 07:15:36.000000000","message":"presently we can only map to domains and groups, not roles or projects","commit_id":"83930f4b435def767f3b8d13c0e6761bbb6a6c0b"},{"author":{"_account_id":4,"name":"Dolph Mathews","email":"dolph.mathews@gmail.com","username":"dolph"},"change_message_id":"28915f618996f70b2e258cd396c14dc1581edfe7","unresolved":false,"context_lines":[{"line_number":40,"context_line":""},{"line_number":41,"context_line":"* As an Administrator, in order to effectively map Identity Provider groups and"},{"line_number":42,"context_line":"  users to Service Provider roles, I should be able to simply define mappings"},{"line_number":43,"context_line":"  to Service Provider projects, domains and roles for given 
groups."},{"line_number":44,"context_line":""},{"line_number":45,"context_line":"* As a Deployer, in order to prevent downtime or interruption, I should be able"},{"line_number":46,"context_line":"  to setup my cloud as an Identity Provider without interruption to the data"}],"source_content_type":"text/x-rst","patch_set":9,"id":"fa32b979_27f0d8fc","line":43,"in_reply_to":"fa32b979_c44900d2","updated":"2015-06-23 14:34:33.000000000","message":"That\u0027s true, but a mapping to a group conveys role-based authorization on projects; it\u0027s just not a direct mapping to roles+projects.","commit_id":"83930f4b435def767f3b8d13c0e6761bbb6a6c0b"},{"author":{"_account_id":6482,"name":"Steve Martinelli","email":"s.martinelli@gmail.com","username":"stevemar"},"change_message_id":"b898245702be29aa002282d4dfbfc24c83c20243","unresolved":false,"context_lines":[{"line_number":47,"context_line":"  plane."},{"line_number":48,"context_line":""},{"line_number":49,"context_line":"* As a User, in order to understand the resources available to me, I should be"},{"line_number":50,"context_line":"  able to retrieve a list of Service Providers which trust my identity provider"},{"line_number":51,"context_line":"  as well as a service catalog for the services offered by those Service"},{"line_number":52,"context_line":"  Providers."},{"line_number":53,"context_line":""}],"source_content_type":"text/x-rst","patch_set":9,"id":"fa32b979_640fd488","line":50,"updated":"2015-06-23 07:15:36.000000000","message":"s/identity provider/Identity Provider","commit_id":"83930f4b435def767f3b8d13c0e6761bbb6a6c0b"},{"author":{"_account_id":6816,"name":"Jesse Pretorius","email":"jesse@odyssey4.me","username":"jesse-pretorius"},"change_message_id":"103120a1ef83c7fa4e50946b9179136870325601","unresolved":false,"context_lines":[{"line_number":47,"context_line":"  plane."},{"line_number":48,"context_line":""},{"line_number":49,"context_line":"* As a User, in order to understand the resources available to me, I 
should be"},{"line_number":50,"context_line":"  able to retrieve a list of Service Providers which trust my identity provider"},{"line_number":51,"context_line":"  as well as a service catalog for the services offered by those Service"},{"line_number":52,"context_line":"  Providers."},{"line_number":53,"context_line":""}],"source_content_type":"text/x-rst","patch_set":9,"id":"ba3cc151_12451416","line":50,"in_reply_to":"fa32b979_640fd488","updated":"2015-06-30 11:37:10.000000000","message":"Done","commit_id":"83930f4b435def767f3b8d13c0e6761bbb6a6c0b"},{"author":{"_account_id":4,"name":"Dolph Mathews","email":"dolph.mathews@gmail.com","username":"dolph"},"change_message_id":"28915f618996f70b2e258cd396c14dc1581edfe7","unresolved":false,"context_lines":[{"line_number":47,"context_line":"  plane."},{"line_number":48,"context_line":""},{"line_number":49,"context_line":"* As a User, in order to understand the resources available to me, I should be"},{"line_number":50,"context_line":"  able to retrieve a list of Service Providers which trust my identity provider"},{"line_number":51,"context_line":"  as well as a service catalog for the services offered by those Service"},{"line_number":52,"context_line":"  Providers."},{"line_number":53,"context_line":""}],"source_content_type":"text/x-rst","patch_set":9,"id":"fa32b979_47ccfcba","line":50,"in_reply_to":"fa32b979_640fd488","updated":"2015-06-23 14:34:33.000000000","message":"i\u0027d argue the opposite: that Service Providers should not be capitalized either... 
but it\u0027s more an issue of consistency.","commit_id":"83930f4b435def767f3b8d13c0e6761bbb6a6c0b"},{"author":{"_account_id":6482,"name":"Steve Martinelli","email":"s.martinelli@gmail.com","username":"stevemar"},"change_message_id":"b898245702be29aa002282d4dfbfc24c83c20243","unresolved":false,"context_lines":[{"line_number":106,"context_line":""},{"line_number":107,"context_line":"Dependencies"},{"line_number":108,"context_line":"------------"},{"line_number":109,"context_line":"TBD"},{"line_number":110,"context_line":""},{"line_number":111,"context_line":""},{"line_number":112,"context_line":"Implementation"}],"source_content_type":"text/x-rst","patch_set":9,"id":"fa32b979_2469cc25","line":109,"updated":"2015-06-23 07:15:36.000000000","message":"would depend on xmlsec1 http://packages.ubuntu.com/search?keywords\u003dxmlsec1\n\nand on mod_shib https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPApacheConfig","commit_id":"83930f4b435def767f3b8d13c0e6761bbb6a6c0b"},{"author":{"_account_id":6816,"name":"Jesse Pretorius","email":"jesse@odyssey4.me","username":"jesse-pretorius"},"change_message_id":"103120a1ef83c7fa4e50946b9179136870325601","unresolved":false,"context_lines":[{"line_number":106,"context_line":""},{"line_number":107,"context_line":"Dependencies"},{"line_number":108,"context_line":"------------"},{"line_number":109,"context_line":"TBD"},{"line_number":110,"context_line":""},{"line_number":111,"context_line":""},{"line_number":112,"context_line":"Implementation"}],"source_content_type":"text/x-rst","patch_set":9,"id":"ba3cc151_9245a4b4","line":109,"in_reply_to":"fa32b979_2469cc25","updated":"2015-06-30 11:37:10.000000000","message":"Done","commit_id":"83930f4b435def767f3b8d13c0e6761bbb6a6c0b"},{"author":{"_account_id":12807,"name":"Steve Lewis (stevelle)","email":"stevelle@gmail.com","username":"stevelle"},"change_message_id":"a5826aa0460442d831e0efa3235821a3c3c8cea5","unresolved":false,"context_lines":[{"line_number":119,"context_line":"throwing 
it out there to see who picks it up?"},{"line_number":120,"context_line":""},{"line_number":121,"context_line":"If more than one person is working on the implementation, please designate the"},{"line_number":122,"context_line":"primary author and contact."},{"line_number":123,"context_line":""},{"line_number":124,"context_line":"Primary assignee:"},{"line_number":125,"context_line":"  https://blueprints.launchpad.net/~miguelgrinberg (miguelgrinberg)"}],"source_content_type":"text/x-rst","patch_set":9,"id":"ba3cc151_c3e2a19f","line":122,"updated":"2015-06-29 19:50:34.000000000","message":"please remove the template text in the next revision.","commit_id":"83930f4b435def767f3b8d13c0e6761bbb6a6c0b"},{"author":{"_account_id":6816,"name":"Jesse Pretorius","email":"jesse@odyssey4.me","username":"jesse-pretorius"},"change_message_id":"103120a1ef83c7fa4e50946b9179136870325601","unresolved":false,"context_lines":[{"line_number":119,"context_line":"throwing it out there to see who picks it up?"},{"line_number":120,"context_line":""},{"line_number":121,"context_line":"If more than one person is working on the implementation, please designate the"},{"line_number":122,"context_line":"primary author and contact."},{"line_number":123,"context_line":""},{"line_number":124,"context_line":"Primary assignee:"},{"line_number":125,"context_line":"  https://blueprints.launchpad.net/~miguelgrinberg (miguelgrinberg)"}],"source_content_type":"text/x-rst","patch_set":9,"id":"ba3cc151_52087c91","line":122,"in_reply_to":"ba3cc151_c3e2a19f","updated":"2015-06-30 11:37:10.000000000","message":"Done","commit_id":"83930f4b435def767f3b8d13c0e6761bbb6a6c0b"},{"author":{"_account_id":6816,"name":"Jesse Pretorius","email":"jesse@odyssey4.me","username":"jesse-pretorius"},"change_message_id":"45a6d36876bc5cfaddc6bd484ae4b37abe13a51e","unresolved":false,"context_lines":[{"line_number":27,"context_line":"* As a User, in order to utilize my Keystone identity to consume resources 
in"},{"line_number":28,"context_line":"  other Keystone backed Service Providers, I should be able to effectively"},{"line_number":29,"context_line":"  authenticate with those Service Providers using only my Keystone identity"},{"line_number":30,"context_line":"  credentials via the Service Provider\u0027s Horizon Dashboard and Command Line."},{"line_number":31,"context_line":""},{"line_number":32,"context_line":"* As an Administrator, in order to allow my users to utilize their Keystone"},{"line_number":33,"context_line":"  identity with other Service Providers, I should be able to establish a trust"}],"source_content_type":"text/x-rst","patch_set":11,"id":"ba3cc151_dd3df5c4","line":30,"updated":"2015-07-02 17:11:54.000000000","message":"For Keystone2Keystone in Kilo, WebSSO is not supported - so the only option will be CLI.","commit_id":"9acc179d33b8fb082bb08b383556c07145ea0d6a"},{"author":{"_account_id":6816,"name":"Jesse Pretorius","email":"jesse@odyssey4.me","username":"jesse-pretorius"},"change_message_id":"45a6d36876bc5cfaddc6bd484ae4b37abe13a51e","unresolved":false,"context_lines":[{"line_number":29,"context_line":"  authenticate with those Service Providers using only my Keystone identity"},{"line_number":30,"context_line":"  credentials via the Service Provider\u0027s Horizon Dashboard and Command Line."},{"line_number":31,"context_line":""},{"line_number":32,"context_line":"* As an Administrator, in order to allow my users to utilize their Keystone"},{"line_number":33,"context_line":"  identity with other Service Providers, I should be able to establish a trust"},{"line_number":34,"context_line":"  relationship between my Keystone and a Service Provider Keystone via command"},{"line_number":35,"context_line":"  line or browser."}],"source_content_type":"text/x-rst","patch_set":11,"id":"ba3cc151_1d6d9dcb","line":32,"updated":"2015-07-02 17:11:54.000000000","message":"The establishment of trust will not be via browser - it will only be via CLI as that is 
all that\u0027s available at this time.","commit_id":"9acc179d33b8fb082bb08b383556c07145ea0d6a"},{"author":{"_account_id":6816,"name":"Jesse Pretorius","email":"jesse@odyssey4.me","username":"jesse-pretorius"},"change_message_id":"45a6d36876bc5cfaddc6bd484ae4b37abe13a51e","unresolved":false,"context_lines":[{"line_number":44,"context_line":"  to Service Provider projects, domains and roles for given groups."},{"line_number":45,"context_line":""},{"line_number":46,"context_line":"* As a Deployer, in order to prevent downtime or interruption, I should be able"},{"line_number":47,"context_line":"  to setup my cloud as an Identity Provider with little or no interruption to"},{"line_number":48,"context_line":"  the data plane."},{"line_number":49,"context_line":""},{"line_number":50,"context_line":"* As a User, in order to understand the resources available to me, I should be"}],"source_content_type":"text/x-rst","patch_set":11,"id":"ba3cc151_fdc23984","line":47,"updated":"2015-07-02 17:11:54.000000000","message":"or Service Provider","commit_id":"9acc179d33b8fb082bb08b383556c07145ea0d6a"},{"author":{"_account_id":7217,"name":"Hugh Saunders","email":"hugh@wherenow.org","username":"hughsaunders"},"change_message_id":"5570fa2570c15897d4033f86c1ee19855ea5e8bd","unresolved":false,"context_lines":[{"line_number":60,"context_line":"Proposed change"},{"line_number":61,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":62,"context_line":""},{"line_number":63,"context_line":"1. 
Enable and configure the Keystone Federation extension and implement the"},{"line_number":64,"context_line":"   IdP/SP configuration in a manner that is simple for deployers and requires"},{"line_number":65,"context_line":"   little or no data plane downtime."},{"line_number":66,"context_line":""}],"source_content_type":"text/x-rst","patch_set":11,"id":"ba3cc151_d7fb9e45","line":63,"updated":"2015-07-02 14:23:41.000000000","message":"Federation is now in keystone core","commit_id":"9acc179d33b8fb082bb08b383556c07145ea0d6a"},{"author":{"_account_id":12606,"name":"Miguel Grinberg","email":"miguel.grinberg@gmail.com","username":"miguelgrinberg"},"change_message_id":"2b26fad360d7f46388c70e646b15be24b97acaca","unresolved":false,"context_lines":[{"line_number":75,"context_line":"   IdP and SP configuration entities."},{"line_number":76,"context_line":""},{"line_number":77,"context_line":"4. Change the Horizon configuration to allow it to consume the Keystone v3 API"},{"line_number":78,"context_line":"   and to provide the capability for a user to use Web Single-Sign-On (SSO)."},{"line_number":79,"context_line":""},{"line_number":80,"context_line":"5. Automate the registration of a trusted IdP to an SP."},{"line_number":81,"context_line":""}],"source_content_type":"text/x-rst","patch_set":11,"id":"ba3cc151_a9394143","line":78,"updated":"2015-06-30 22:15:48.000000000","message":"Use of a third-party identity provider for Horizon is supported in Kilo, but note that Keystone as an IdP does not fully implement the websso flow, so Horizon cannot do K2K yet. The ECP flow is implemented, so API access works in K2K.","commit_id":"9acc179d33b8fb082bb08b383556c07145ea0d6a"},{"author":{"_account_id":7217,"name":"Hugh Saunders","email":"hugh@wherenow.org","username":"hughsaunders"},"change_message_id":"5570fa2570c15897d4033f86c1ee19855ea5e8bd","unresolved":false,"context_lines":[{"line_number":77,"context_line":"4. 
Change the Horizon configuration to allow it to consume the Keystone v3 API"},{"line_number":78,"context_line":"   and to provide the capability for a user to use Web Single-Sign-On (SSO)."},{"line_number":79,"context_line":""},{"line_number":80,"context_line":"5. Automate the registration of a trusted IdP to an SP."},{"line_number":81,"context_line":""},{"line_number":82,"context_line":"6. Automate the registration of a list of trusted SP\u0027s to an IdP."},{"line_number":83,"context_line":""}],"source_content_type":"text/x-rst","patch_set":11,"id":"ba3cc151_42126e58","line":80,"updated":"2015-07-02 14:23:41.000000000","message":"\"Automate\" may give the wrong impression here. We can provide the necessary configuration options for configuring remote SPs  \u0026 IDPs, but this process is not automatic. For example, when configuring a SP keystone, the administrator will have to define the correct attribute mapping.","commit_id":"9acc179d33b8fb082bb08b383556c07145ea0d6a"},{"author":{"_account_id":6816,"name":"Jesse Pretorius","email":"jesse@odyssey4.me","username":"jesse-pretorius"},"change_message_id":"45a6d36876bc5cfaddc6bd484ae4b37abe13a51e","unresolved":false,"context_lines":[{"line_number":77,"context_line":"4. Change the Horizon configuration to allow it to consume the Keystone v3 API"},{"line_number":78,"context_line":"   and to provide the capability for a user to use Web Single-Sign-On (SSO)."},{"line_number":79,"context_line":""},{"line_number":80,"context_line":"5. Automate the registration of a trusted IdP to an SP."},{"line_number":81,"context_line":""},{"line_number":82,"context_line":"6. 
Automate the registration of a list of trusted SP\u0027s to an IdP."},{"line_number":83,"context_line":""}],"source_content_type":"text/x-rst","patch_set":11,"id":"ba3cc151_94b2e9e3","line":80,"in_reply_to":"ba3cc151_42126e58","updated":"2015-07-02 17:11:54.000000000","message":"Agreed, but I\u0027m thinking that we could implement a \u0027default\u0027 setup as far as possible to help people kick the tyres. We\u0027d have to then document how to change the mappings if that was desired.","commit_id":"9acc179d33b8fb082bb08b383556c07145ea0d6a"},{"author":{"_account_id":9983,"name":"Richard Megginson","email":"rmeggins@redhat.com","username":"rmeggins"},"change_message_id":"f6f38e45450c2fbe9243e1d9241c7b41176b6fc5","unresolved":false,"context_lines":[{"line_number":82,"context_line":"6. Automate the registration of a list of trusted SP\u0027s to an IdP."},{"line_number":83,"context_line":""},{"line_number":84,"context_line":"7. Document and, if possible, automate the registration and mapping of"},{"line_number":85,"context_line":"   external identities to specified domains, projects and roles."},{"line_number":86,"context_line":""},{"line_number":87,"context_line":"Alternatives"},{"line_number":88,"context_line":"------------"}],"source_content_type":"text/x-rst","patch_set":11,"id":"ba3cc151_5c11f55b","line":85,"updated":"2015-07-02 14:10:49.000000000","message":"In order for federation to work, is it required that Keystone is running not with eventlet, but using Apache mod_wsgi?","commit_id":"9acc179d33b8fb082bb08b383556c07145ea0d6a"},{"author":{"_account_id":6816,"name":"Jesse Pretorius","email":"jesse@odyssey4.me","username":"jesse-pretorius"},"change_message_id":"45a6d36876bc5cfaddc6bd484ae4b37abe13a51e","unresolved":false,"context_lines":[{"line_number":82,"context_line":"6. Automate the registration of a list of trusted SP\u0027s to an IdP."},{"line_number":83,"context_line":""},{"line_number":84,"context_line":"7. 
Document and, if possible, automate the registration and mapping of"},{"line_number":85,"context_line":"   external identities to specified domains, projects and roles."},{"line_number":86,"context_line":""},{"line_number":87,"context_line":"Alternatives"},{"line_number":88,"context_line":"------------"}],"source_content_type":"text/x-rst","patch_set":11,"id":"ba3cc151_b42e0df9","line":85,"in_reply_to":"ba3cc151_5c11f55b","updated":"2015-07-02 17:11:54.000000000","message":"Yes, all the federation implementations for the SP are implemented as web server add-on configurations AFAIK. We already implement keystone behind Apache anyway, so this isn\u0027t too much of an issue.","commit_id":"9acc179d33b8fb082bb08b383556c07145ea0d6a"},{"author":{"_account_id":12606,"name":"Miguel Grinberg","email":"miguel.grinberg@gmail.com","username":"miguelgrinberg"},"change_message_id":"2b26fad360d7f46388c70e646b15be24b97acaca","unresolved":false,"context_lines":[{"line_number":92,"context_line":"Playbook/Role impact"},{"line_number":93,"context_line":"--------------------"},{"line_number":94,"context_line":"1. The os_keystone role will require changes to both tasks and templates in order"},{"line_number":95,"context_line":"   to facilitate the configuration of the IdP, SP, openstackclient and SSL."},{"line_number":96,"context_line":""},{"line_number":97,"context_line":"2. The os_horizon configuration will require changes to the templates in order to"},{"line_number":98,"context_line":"   facilitate the change to the Keystone v3 API and to use WebSSO."}],"source_content_type":"text/x-rst","patch_set":11,"id":"ba3cc151_497995c7","line":95,"updated":"2015-06-30 22:15:48.000000000","message":"I believe we will not be implementing SSL at the keystone level. 
We\u0027ll continue to rely on the load balancer to accept and terminate secure connections.","commit_id":"9acc179d33b8fb082bb08b383556c07145ea0d6a"},{"author":{"_account_id":9983,"name":"Richard Megginson","email":"rmeggins@redhat.com","username":"rmeggins"},"change_message_id":"f6f38e45450c2fbe9243e1d9241c7b41176b6fc5","unresolved":false,"context_lines":[{"line_number":92,"context_line":"Playbook/Role impact"},{"line_number":93,"context_line":"--------------------"},{"line_number":94,"context_line":"1. The os_keystone role will require changes to both tasks and templates in order"},{"line_number":95,"context_line":"   to facilitate the configuration of the IdP, SP, openstackclient and SSL."},{"line_number":96,"context_line":""},{"line_number":97,"context_line":"2. The os_horizon configuration will require changes to the templates in order to"},{"line_number":98,"context_line":"   facilitate the change to the Keystone v3 API and to use WebSSO."}],"source_content_type":"text/x-rst","patch_set":11,"id":"ba3cc151_571f8e5a","line":95,"in_reply_to":"ba3cc151_497995c7","updated":"2015-07-02 14:10:49.000000000","message":"Do you want to give people that option?  Because there are some people who may say that they do not want to use federation if it is a hard requirement that TLS is terminated by a load balancer/ha proxy.\n\nIf it is a requirement that, in order to use federation, Keystone must use Apache mod_wsgi and not eventlet, then the SSL termination could be done by Apache using mod_ssl/mod_nss.","commit_id":"9acc179d33b8fb082bb08b383556c07145ea0d6a"},{"author":{"_account_id":6816,"name":"Jesse Pretorius","email":"jesse@odyssey4.me","username":"jesse-pretorius"},"change_message_id":"45a6d36876bc5cfaddc6bd484ae4b37abe13a51e","unresolved":false,"context_lines":[{"line_number":92,"context_line":"Playbook/Role impact"},{"line_number":93,"context_line":"--------------------"},{"line_number":94,"context_line":"1. 
The os_keystone role will require changes to both tasks and templates in order"},{"line_number":95,"context_line":"   to facilitate the configuration of the IdP, SP, openstackclient and SSL."},{"line_number":96,"context_line":""},{"line_number":97,"context_line":"2. The os_horizon configuration will require changes to the templates in order to"},{"line_number":98,"context_line":"   facilitate the change to the Keystone v3 API and to use WebSSO."}],"source_content_type":"text/x-rst","patch_set":11,"id":"ba3cc151_3a22e7a3","line":95,"in_reply_to":"ba3cc151_571f8e5a","updated":"2015-07-02 17:11:54.000000000","message":"Regardless of whether SSL termination is done on a load balancer, there are also deployers who want SSL on the back-end too. There\u0027s already some facilitation done here which just needs a little more work to round it out.","commit_id":"9acc179d33b8fb082bb08b383556c07145ea0d6a"},{"author":{"_account_id":6816,"name":"Jesse Pretorius","email":"jesse@odyssey4.me","username":"jesse-pretorius"},"change_message_id":"45a6d36876bc5cfaddc6bd484ae4b37abe13a51e","unresolved":false,"context_lines":[{"line_number":95,"context_line":"   to facilitate the configuration of the IdP, SP, openstackclient and SSL."},{"line_number":96,"context_line":""},{"line_number":97,"context_line":"2. The os_horizon configuration will require changes to the templates in order to"},{"line_number":98,"context_line":"   facilitate the change to the Keystone v3 API and to use WebSSO."},{"line_number":99,"context_line":""},{"line_number":100,"context_line":"3. 
The openstack_openrc role may need to be changed in order to place a different"},{"line_number":101,"context_line":"   openrc file into the keystone and utility containers."}],"source_content_type":"text/x-rst","patch_set":11,"id":"ba3cc151_da6bbbb5","line":98,"updated":"2015-07-02 17:11:54.000000000","message":"WebSSO will have to be left out for this spec as a Keystone IdP does not support this in Kilo, but we will include WebSSO in the ADFS federation spec which will follow this.","commit_id":"9acc179d33b8fb082bb08b383556c07145ea0d6a"},{"author":{"_account_id":12606,"name":"Miguel Grinberg","email":"miguel.grinberg@gmail.com","username":"miguelgrinberg"},"change_message_id":"2b26fad360d7f46388c70e646b15be24b97acaca","unresolved":false,"context_lines":[{"line_number":134,"context_line":""},{"line_number":135,"context_line":"2. If an external IdP is configured, Horizon will show multiple methods of"},{"line_number":136,"context_line":"   authentication available via a drop-down list. The user will be able to"},{"line_number":137,"context_line":"   choose between \u0027credentials\u0027 and the available WebSSO sources."},{"line_number":138,"context_line":""},{"line_number":139,"context_line":""},{"line_number":140,"context_line":"Deployer impact"}],"source_content_type":"text/x-rst","patch_set":11,"id":"ba3cc151_2903f110","line":137,"updated":"2015-06-30 22:15:48.000000000","message":"Noting again that for the Kilo release the external IdP cannot be another Keystone.","commit_id":"9acc179d33b8fb082bb08b383556c07145ea0d6a"},{"author":{"_account_id":6816,"name":"Jesse Pretorius","email":"jesse@odyssey4.me","username":"jesse-pretorius"},"change_message_id":"45a6d36876bc5cfaddc6bd484ae4b37abe13a51e","unresolved":false,"context_lines":[{"line_number":134,"context_line":""},{"line_number":135,"context_line":"2. If an external IdP is configured, Horizon will show multiple methods of"},{"line_number":136,"context_line":"   authentication available via a drop-down list. 
The user will be able to"},{"line_number":137,"context_line":"   choose between \u0027credentials\u0027 and the available WebSSO sources."},{"line_number":138,"context_line":""},{"line_number":139,"context_line":""},{"line_number":140,"context_line":"Deployer impact"}],"source_content_type":"text/x-rst","patch_set":11,"id":"ba3cc151_fa1ebf0a","line":137,"in_reply_to":"ba3cc151_2903f110","updated":"2015-07-02 17:11:54.000000000","message":"Yep, I\u0027ll remove that from this blueprint and add it to the ADFS Federation Blueprint.","commit_id":"9acc179d33b8fb082bb08b383556c07145ea0d6a"},{"author":{"_account_id":9983,"name":"Richard Megginson","email":"rmeggins@redhat.com","username":"rmeggins"},"change_message_id":"f6f38e45450c2fbe9243e1d9241c7b41176b6fc5","unresolved":false,"context_lines":[{"line_number":146,"context_line":"Developer impact"},{"line_number":147,"context_line":"----------------"},{"line_number":148,"context_line":"1. The keystone Ansible module will be updated to make use of the keystone"},{"line_number":149,"context_line":"   v3 API."},{"line_number":150,"context_line":""},{"line_number":151,"context_line":""},{"line_number":152,"context_line":"Dependencies"}],"source_content_type":"text/x-rst","patch_set":11,"id":"ba3cc151_179a66b9","line":149,"updated":"2015-07-02 14:10:49.000000000","message":"Does the keystone ansible module already use the `openstack` command instead of the `keystone` command?","commit_id":"9acc179d33b8fb082bb08b383556c07145ea0d6a"},{"author":{"_account_id":12892,"name":"Nolan Brubaker","email":"nolan.brubaker@rackspace.com","username":"nrb"},"change_message_id":"0a4815ba7337ae2f0ba5717c2ac64f0d765a4bd7","unresolved":false,"context_lines":[{"line_number":146,"context_line":"Developer impact"},{"line_number":147,"context_line":"----------------"},{"line_number":148,"context_line":"1. 
The keystone Ansible module will be updated to make use of the keystone"},{"line_number":149,"context_line":"   v3 API."},{"line_number":150,"context_line":""},{"line_number":151,"context_line":""},{"line_number":152,"context_line":"Dependencies"}],"source_content_type":"text/x-rst","patch_set":11,"id":"ba3cc151_7eb5c67b","line":149,"in_reply_to":"ba3cc151_179a66b9","updated":"2015-07-02 16:19:07.000000000","message":"It does not. See also: python-keystoneclient dependency in point 2 of the next section.","commit_id":"9acc179d33b8fb082bb08b383556c07145ea0d6a"},{"author":{"_account_id":9983,"name":"Richard Megginson","email":"rmeggins@redhat.com","username":"rmeggins"},"change_message_id":"40de00f641f127baf42f92eb264dd14522837008","unresolved":false,"context_lines":[{"line_number":146,"context_line":"Developer impact"},{"line_number":147,"context_line":"----------------"},{"line_number":148,"context_line":"1. The keystone Ansible module will be updated to make use of the keystone"},{"line_number":149,"context_line":"   v3 API."},{"line_number":150,"context_line":""},{"line_number":151,"context_line":""},{"line_number":152,"context_line":"Dependencies"}],"source_content_type":"text/x-rst","patch_set":11,"id":"ba3cc151_f919f022","line":149,"in_reply_to":"ba3cc151_7eb5c67b","updated":"2015-07-02 16:22:58.000000000","message":"Does the keystone ansible module use the command line tools `openstack` or `keystone`, or does it use the python-keystoneclient python API directly?  If the latter, I think you\u0027re good.  If it uses `keystone`, it will have to use `openstack` instead.","commit_id":"9acc179d33b8fb082bb08b383556c07145ea0d6a"},{"author":{"_account_id":6816,"name":"Jesse Pretorius","email":"jesse@odyssey4.me","username":"jesse-pretorius"},"change_message_id":"45a6d36876bc5cfaddc6bd484ae4b37abe13a51e","unresolved":false,"context_lines":[{"line_number":153,"context_line":"------------"},{"line_number":154,"context_line":"1. 
Keystone IdP requires the following:"},{"line_number":155,"context_line":"   * xmlsec1: http://packages.ubuntu.com/search?keywords\u003dxmlsec1"},{"line_number":156,"context_line":"   * python-keystoneclient: https://pypi.python.org/pypi/python-keystoneclient"},{"line_number":157,"context_line":""},{"line_number":158,"context_line":"2. Keystone SP requires the following:"},{"line_number":159,"context_line":"   * xmlsec1: http://packages.ubuntu.com/search?keywords\u003dxmlsec1"}],"source_content_type":"text/x-rst","patch_set":11,"id":"ba3cc151_bac27751","line":156,"updated":"2015-07-02 17:11:54.000000000","message":"Hmm, I meant to put python-openstackclient here.","commit_id":"9acc179d33b8fb082bb08b383556c07145ea0d6a"},{"author":{"_account_id":9983,"name":"Richard Megginson","email":"rmeggins@redhat.com","username":"rmeggins"},"change_message_id":"40de00f641f127baf42f92eb264dd14522837008","unresolved":false,"context_lines":[{"line_number":157,"context_line":""},{"line_number":158,"context_line":"2. Keystone SP requires the following:"},{"line_number":159,"context_line":"   * xmlsec1: http://packages.ubuntu.com/search?keywords\u003dxmlsec1"},{"line_number":160,"context_line":"   * libapache2-mod-shib2: http://packages.ubuntu.com/search?keywords\u003dlibapache2-mod-shib2"},{"line_number":161,"context_line":"   * python-keystoneclient: https://pypi.python.org/pypi/python-keystoneclient"},{"line_number":162,"context_line":""},{"line_number":163,"context_line":"3. 
Horizon requires the following:"}],"source_content_type":"text/x-rst","patch_set":11,"id":"ba3cc151_394f5838","line":160,"updated":"2015-07-02 16:22:58.000000000","message":"You can also use mod_auth_mellon: https://github.com/UNINETT/mod_auth_mellon","commit_id":"9acc179d33b8fb082bb08b383556c07145ea0d6a"},{"author":{"_account_id":6816,"name":"Jesse Pretorius","email":"jesse@odyssey4.me","username":"jesse-pretorius"},"change_message_id":"45a6d36876bc5cfaddc6bd484ae4b37abe13a51e","unresolved":false,"context_lines":[{"line_number":157,"context_line":""},{"line_number":158,"context_line":"2. Keystone SP requires the following:"},{"line_number":159,"context_line":"   * xmlsec1: http://packages.ubuntu.com/search?keywords\u003dxmlsec1"},{"line_number":160,"context_line":"   * libapache2-mod-shib2: http://packages.ubuntu.com/search?keywords\u003dlibapache2-mod-shib2"},{"line_number":161,"context_line":"   * python-keystoneclient: https://pypi.python.org/pypi/python-keystoneclient"},{"line_number":162,"context_line":""},{"line_number":163,"context_line":"3. Horizon requires the following:"}],"source_content_type":"text/x-rst","patch_set":11,"id":"ba3cc151_da7adbbc","line":160,"in_reply_to":"ba3cc151_394f5838","updated":"2015-07-02 17:11:54.000000000","message":"Good feedback, and I\u0027d like to include more options - but we may have to put this one on ice and revisit it a little later along with openid support too. Our resourcing is currently committed on the Shibboleth-based implementation.","commit_id":"9acc179d33b8fb082bb08b383556c07145ea0d6a"},{"author":{"_account_id":6816,"name":"Jesse Pretorius","email":"jesse@odyssey4.me","username":"jesse-pretorius"},"change_message_id":"45a6d36876bc5cfaddc6bd484ae4b37abe13a51e","unresolved":false,"context_lines":[{"line_number":158,"context_line":"2. 
Keystone SP requires the following:"},{"line_number":159,"context_line":"   * xmlsec1: http://packages.ubuntu.com/search?keywords\u003dxmlsec1"},{"line_number":160,"context_line":"   * libapache2-mod-shib2: http://packages.ubuntu.com/search?keywords\u003dlibapache2-mod-shib2"},{"line_number":161,"context_line":"   * python-keystoneclient: https://pypi.python.org/pypi/python-keystoneclient"},{"line_number":162,"context_line":""},{"line_number":163,"context_line":"3. Horizon requires the following:"},{"line_number":164,"context_line":"   * django-openstack-auth v1.2.0 or higher: https://pypi.python.org/pypi/django_openstack_auth"}],"source_content_type":"text/x-rst","patch_set":11,"id":"ba3cc151_1aaa8385","line":161,"updated":"2015-07-02 17:11:54.000000000","message":"Hmm, I meant to put python-openstackclient here.","commit_id":"9acc179d33b8fb082bb08b383556c07145ea0d6a"},{"author":{"_account_id":6816,"name":"Jesse Pretorius","email":"jesse@odyssey4.me","username":"jesse-pretorius"},"change_message_id":"e95ed56e4f8ecad382c4015698fcd798facb6833","unresolved":false,"context_lines":[{"line_number":162,"context_line":""},{"line_number":163,"context_line":"3. 
Horizon requires the following:"},{"line_number":164,"context_line":"   * django-openstack-auth v1.2.0 or higher: https://pypi.python.org/pypi/django_openstack_auth"},{"line_number":165,"context_line":""},{"line_number":166,"context_line":"Implementation"},{"line_number":167,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":168,"context_line":""}],"source_content_type":"text/x-rst","patch_set":11,"id":"ba3cc151_a310e45a","line":165,"updated":"2015-07-03 17:07:47.000000000","message":"This is key to understanding how mapping works: https://review.openstack.org/192850","commit_id":"9acc179d33b8fb082bb08b383556c07145ea0d6a"},{"author":{"_account_id":6816,"name":"Jesse Pretorius","email":"jesse@odyssey4.me","username":"jesse-pretorius"},"change_message_id":"45a6d36876bc5cfaddc6bd484ae4b37abe13a51e","unresolved":false,"context_lines":[{"line_number":170,"context_line":"-----------"},{"line_number":171,"context_line":""},{"line_number":172,"context_line":"Primary assignee:"},{"line_number":173,"context_line":"  https://blueprints.launchpad.net/~miguelgrinberg (miguelgrinberg)"},{"line_number":174,"context_line":""},{"line_number":175,"context_line":"Other contributors:"},{"line_number":176,"context_line":"  https://blueprints.launchpad.net/~hughsaunders (hughsaunders)"}],"source_content_type":"text/x-rst","patch_set":11,"id":"ba3cc151_fa5c7f4c","line":173,"updated":"2015-07-02 17:11:54.000000000","message":"Fix these URLs.","commit_id":"9acc179d33b8fb082bb08b383556c07145ea0d6a"},{"author":{"_account_id":12606,"name":"Miguel Grinberg","email":"miguel.grinberg@gmail.com","username":"miguelgrinberg"},"change_message_id":"2b26fad360d7f46388c70e646b15be24b97acaca","unresolved":false,"context_lines":[{"line_number":185,"context_line":""},{"line_number":186,"context_line":"2. 
Keystone SP software deployment, configuration and IdP registration"},{"line_number":187,"context_line":""},{"line_number":188,"context_line":"3. Keystone public endpoint SSL configuration"},{"line_number":189,"context_line":""},{"line_number":190,"context_line":"4. Keystone/Utility container implementation of python-openstackclient"},{"line_number":191,"context_line":""}],"source_content_type":"text/x-rst","patch_set":11,"id":"ba3cc151_7b721caf","line":188,"updated":"2015-06-30 22:15:48.000000000","message":"I think we\u0027ll try to avoid this task for now, relying on SSL at the load balancer. We may need to add support for SSL connections in haproxy to help with our testing and gating.","commit_id":"9acc179d33b8fb082bb08b383556c07145ea0d6a"},{"author":{"_account_id":6816,"name":"Jesse Pretorius","email":"jesse@odyssey4.me","username":"jesse-pretorius"},"change_message_id":"45a6d36876bc5cfaddc6bd484ae4b37abe13a51e","unresolved":false,"context_lines":[{"line_number":189,"context_line":""},{"line_number":190,"context_line":"4. Keystone/Utility container implementation of python-openstackclient"},{"line_number":191,"context_line":""},{"line_number":192,"context_line":"4. Horizon WebSSO software deployment and configuration"},{"line_number":193,"context_line":""},{"line_number":194,"context_line":"7. Document and, if possible, automate the registration and mapping of"},{"line_number":195,"context_line":"   external identities to specified domains, projects and roles."}],"source_content_type":"text/x-rst","patch_set":11,"id":"ba3cc151_fa0a3f25","line":192,"updated":"2015-07-02 17:11:54.000000000","message":"Move to ADFS spec.","commit_id":"9acc179d33b8fb082bb08b383556c07145ea0d6a"},{"author":{"_account_id":6816,"name":"Jesse Pretorius","email":"jesse@odyssey4.me","username":"jesse-pretorius"},"change_message_id":"45a6d36876bc5cfaddc6bd484ae4b37abe13a51e","unresolved":false,"context_lines":[{"line_number":191,"context_line":""},{"line_number":192,"context_line":"4. 
Horizon WebSSO software deployment and configuration"},{"line_number":193,"context_line":""},{"line_number":194,"context_line":"7. Document and, if possible, automate the registration and mapping of"},{"line_number":195,"context_line":"   external identities to specified domains, projects and roles."},{"line_number":196,"context_line":""},{"line_number":197,"context_line":""}],"source_content_type":"text/x-rst","patch_set":11,"id":"ba3cc151_ba003703","line":194,"updated":"2015-07-02 17:11:54.000000000","message":"Fix numbering.","commit_id":"9acc179d33b8fb082bb08b383556c07145ea0d6a"},{"author":{"_account_id":6816,"name":"Jesse Pretorius","email":"jesse@odyssey4.me","username":"jesse-pretorius"},"change_message_id":"97f7edff1d1ad9e228818dd9666a77ae8cf3676f","unresolved":false,"context_lines":[{"line_number":210,"context_line":""},{"line_number":211,"context_line":"3. The specifics of registering and mapping external identities to"},{"line_number":212,"context_line":"   domains, projects and roles will need to be documented."},{"line_number":213,"context_line":""},{"line_number":214,"context_line":"References"},{"line_number":215,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":216,"context_line":""}],"source_content_type":"text/x-rst","patch_set":11,"id":"ba3cc151_a6079217","line":213,"updated":"2015-07-03 17:09:01.000000000","message":"Note that it appears that fernet tokens don\u0027t work right now, so uuid tokens must be used: https://bugs.launchpad.net/keystone/+bug/1471289","commit_id":"9acc179d33b8fb082bb08b383556c07145ea0d6a"}]}
