[openstack-dev] [all] Lets not assume everyone is using the global `CONF` object (zaqar broken by latest keystoneclient release 1.0)

Flavio Percoco flavio at redhat.com
Fri Dec 19 14:58:05 UTC 2014 

On 19/12/14 09:07 -0500, Doug Hellmann wrote:
>
>On Dec 19, 2014, at 7:17 AM, Flavio Percoco <flavio at redhat.com> wrote:
>
>> Greetings,
>>
>> DISCLAIMER: The following comments are neither finger pointing the
>> author of this work nor the keystone team.
>>
>> RANT: We should really stop assuming everyone is using a global `CONF`
>> object. Moreover, we should really stop using it, especially in
>> libraries.
>>
>> That said, here's a gentle note for all of us:
>>
>> If I understood the flow of changes correctly, keystoneclient recently
>> introduced a auth_section[0] option, which needs to be registered in
>> order for it to work properly. In keystoneclient, it's been correctly
>> added a function[1] to register this option in a conf object.
>>
>> keystonemiddleware was then updated to support the above and a call to
>> the register function[1] was then added to the `auth_token` module[2].
>>
>> The above, unfortunately, broke Zaqar's auth because Zaqar is not
>> using the global `CONF` object which means it has to register
>> keystonemiddleware's options itself. Since the option was registered
>> in the global conf instead of the conf object passed to
>> `AuthProtocol`, the new `auth_section` option is not bein registered
>> as keystoneclient excepts.
>>
>> So, as a gentle reminder to everyone, please, lets not assume all
>> projects are using the global `CONF` object and make sure all libraries
>> provide a good way to register the required options. I think either
>> secretly registering options or exposing a function to let consumers
>> do so is fine.
>>
>> I hate complaining without helping to solve the problem so, here's[3] a
>> workaround to provide a, hopefully, better way to do this. Note that
>> this shouldn't be the definitive fix and that we also implemented a
>> workaround in zaqar as well.
>
>That change will fix the issue, but a better solution is to have the code in keystoneclient that wants the options handle the registration at runtime. It looks like keystoneclient/auth/conf.py:load_from_conf_options() is at least one place that’s needed, there may be others.

Fully agree!

-- 
@flaper87
Flavio Percoco
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 819 bytes
Desc: not available
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20141219/74e15599/attachment.pgp>

More information about the OpenStack-dev mailing list