[openstack-dev] [nova] global or per-project specific ssl config options, or both?

Matthew Gilliard matthew.gilliard at gmail.com
Fri Dec 5 16:37:17 UTC 2014 

I just put up a quick pre-weekend POC at
https://review.openstack.org/#/c/139672/ - comments welcome on that
patch.

Thanks :)

On Fri, Dec 5, 2014 at 10:07 AM, Matthew Gilliard
<matthew.gilliard at gmail.com> wrote:
> Hi Matt, Nova,
>
>   I'll look into this.
>
> Gilliard
>
> On Thu, Dec 4, 2014 at 9:51 PM, Matt Riedemann
> <mriedem at linux.vnet.ibm.com> wrote:
>>
>>
>> On 12/4/2014 6:02 AM, Davanum Srinivas wrote:
>>>
>>> +1 to @markmc's "default is global value and override for project
>>> specific key" suggestion.
>>>
>>> -- dims
>>>
>>>
>>>
>>> On Wed, Dec 3, 2014 at 11:57 PM, Matt Riedemann
>>> <mriedem at linux.vnet.ibm.com> wrote:
>>>>
>>>> I've posted this to the 12/4 nova meeting agenda but figured I'd
>>>> socialize
>>>> it here also.
>>>>
>>>> SSL options - do we make them per-project or global, or both? Neutron and
>>>> Cinder have config-group specific SSL options in nova, Glance is using
>>>> oslo
>>>> sslutils global options since Juno which was contentious for a time in a
>>>> separate review in Icehouse [1].
>>>>
>>>> Now [2] wants to break that out for Glance, but we also have a patch [3]
>>>> for
>>>> Keystone to use the global oslo SSL options, we should be consistent, but
>>>> does that require a blueprint now?
>>>>
>>>> In the Icehouse patch, markmc suggested using a DictOpt where the default
>>>> value is the global value, which could be coming from the oslo [ssl]
>>>> group
>>>> and then you could override that with a project-specific key, e.g.
>>>> cinder,
>>>> neutron, glance, keystone.
>>>>
>>>> [1] https://review.openstack.org/#/c/84522/
>>>> [2] https://review.openstack.org/#/c/131066/
>>>> [3] https://review.openstack.org/#/c/124296/
>>>>
>>>> --
>>>>
>>>> Thanks,
>>>>
>>>> Matt Riedemann
>>>>
>>>>
>>>> _______________________________________________
>>>> OpenStack-dev mailing list
>>>> OpenStack-dev at lists.openstack.org
>>>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>>>
>>>
>>>
>>>
>>
>> The consensus in the nova meeting today, I think, was that we generally like
>> the idea of the DictOpt with global oslo ssl as the default and then be able
>> to configure that per-service if needed.
>>
>> Does anyone want to put up a POC on how that would work to see how ugly
>> and/or usable that would be?  I haven't dug into the DictOpt stuff yet and
>> am kind of time-constrained at the moment.
>>
>>
>> --
>>
>> Thanks,
>>
>> Matt Riedemann
>>
>>
>> _______________________________________________
>> OpenStack-dev mailing list
>> OpenStack-dev at lists.openstack.org
>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

More information about the OpenStack-dev mailing list