Nectar Identity service now upgraded to Queens

We're please to announce that the Nectar Identity service (Keystone) has now been upgraded to the Queens release.
Normally an upgrade like this wouldn't require a blog post, but there's a couple of significant changes that users should be aware of.

Keystone API v2.0 deprecation

The Keystone v2.0 API has actually been removed from the Queens release, but we're aware that many users are still using it. We are now actively requesting that any users still using the v2.0 API to move over to the v3 API that has been available since 2016.
We plan to keep the v2.0 API running until April 2019, at which time, it will no longer be available.
See our Keystone v2.0 to v3 migration guide on how you can switch over.

Application Credentials

The long awaited application credentials are finally available in the Queens release. Application credentials allow users to generate their own OpenStack credentials suitable for applications to authenticate to the Identity service, without having to expose their main credentials.
Application credentials can be easily revoked or rotated with little or no application downtime, or can even have an automatic expiry time.
To manage application credentials on the command line, you'll need recent versions of the python-openstackclient and python-keystoneclient packages and your main credentials loaded.
The simplest example for creating an application credential is to just pass a name:
$ openstack application credential create mydemo
+--------------+-----------------------------------------+
| Field        | Value                                   |
+--------------+-----------------------------------------+
| description  | None                                    |
| expires_at   | None                                    |
| id           | 0cfa2baa33f546b7bec27f1b7461a1c5        |
| name         | mydemo                                  |
| project_id   | 6d23beae28fc41958a2ba5d5d68eb87f        |
| roles        | Member                                  |
| secret       | ErqiQo4wvf0CxajMkPd66cKmVVoZ93KogQDwBYJ |
| unrestricted | False                                   |
+--------------+-----------------------------------------+
If you wanted to use this new application credential to run OpenStack CLI commands, your environment would require:
OS_AUTH_URL=https://keystone.rc.nectar.org.au:5000/v3/
OS_AUTH_TYPE=v3applicationcredential
OS_APPLICATION_CREDENTIAL_ID=0cfa2baa33f546b7bec27f1b7461a1c5
OS_APPLICATION_CREDENTIAL_SECRET=ErqiQo4wvf0CxajMkPd66cKmVVoZ93KogQDwBYJ
For more details about application credentials, or for information about how to use application credentials in the python-keystoneclient API, see OpenStack's Application Credentials user guide.

Comments

Post a Comment

Popular posts from this blog

Understanding telemetry services in Nectar cloud

Intro Openstack telemetry service is to reliably collect data on the utilization of the physical and virtual resources comprising deployed clouds, persist these data for subsequent retrieval and analysis, and trigger actions when defined criteria are met.  Ceilometer project was the only piece of telemetry services in openstack, but since it was dumped into too many functions, it got split into several subprojects: Aodh (alarm evaluation functionality), Panko (events storage) and Ceilometer (data collection - more about ceilometer  history  from ex-PTL). The original storage and API function of ceilometer had been deprecated and moved to the other projects. The latest telemetry architecture could refer to openstack  system architecture . In Nectar cloud, we are using the Ceilometer for the metric data collection, Aodh for the alarm services, Gnocchi for the metric API services, and Influxdb as the time series database backend of Gnocchi. Influxdb backend driver is Nectar impleme
Read more

Getting capacity and usage information out of Openstack Placement

Image
One of the problems we have in Nectar is reporting on capacity and usage of nova. We have ~1000 compute nodes and these come and go. The Openstack Placement service seems like a good place to extract capacity and usage information from nova so I thought I'd see what it could do. First problem is there is no placement client. I found the osc-placment project but this isn't that useful as it is just an openstack client plugin and not a python library like the other clients. I've written a custom client before for an internal project so I created a very simple client that can get resource provider usage and capacity. In placement a resource provider maps directly to a compute node in nova. Now we have the means to query this information I wrote a custom Ceilometer poller to collect this information periodically. Once this was collecting data I needed to configure Ceilometer and Gnocchi to ingest the notifications that my new poller was generating. In Ceilometer I ne
Read more

A brief history of OVN migration

We are currently undertaking an upgrade of the Software Defined Networking (SDN) for the Nectar Research Cloud. History Nectar Cloud SDN is currently powered by MidoNet . We started off using this project in around 2016 to provide Advance Networking capabilities. Unfortunately, in 2019 Sony purchased Midokura , the company that wrote MidoNet. MidoNet then became unmaintained. Lucky for us, it is opensource, so Nectar could continue using it and we have been maintaining it since. However, the feature set and integration of MidoNet with the rest of OpenStack components drift further and further with each upgrade, and it will be a pointless endeavour carrying MidoNet forever. Fortunately there is hope. The team at Open vSwitch , decided to work with OpenStack to create a project named  OVN (Open Virtual Network) . Open vSwitch is a popular virtual switch software running on Linux to provide many networking capabilities . The OVN project will create a software which will provide the L2 and
Read more