[openstack-dev] On an API proxy from baremetal to ironic

Ben Nemec openstack at nemebean.com
Wed Sep 10 19:14:22 UTC 2014



On 09/10/2014 01:13 PM, Dan Smith wrote:
>> As far as I understand it, though, that's a patch for a
>> read-only mode.  It seems bizarre, and possibly dangerous, to
>> proxy read commands, but not write commands.  It gives the
>> impression that everything's fine until it's not fine (because
>> someone tried to use an existing script to do a create command).
>> IMHO, it would be better to just tell people up front "Update
>> your scripts to use Ironic, because they won't work at all"
>> instead of leading people (through empirical evidence) to believe
>> that their scripts will work, and then having them discover later
>> that something broke because they tried to create a node.
> 
> How is it dangerous? Most code making "write commands" would need
> to be pretty diligent about making sure that the thing being
> requested actually succeeded. Having the proxy allows us to return
> a reasonable code for those things (i.e. 403 Forbidden, perhaps)
> instead of just "500 Huh? What?".
> 
> I was pro-proxy from the beginning, not because I think proxies
> are awesome, but because that's what we do when we move things out
> of Nova's API to other services. Some feel this is a purely admin
> API and that gives us license to break our own rules here, but I
> don't really understand where, when and why we draw that line. The
> code is written, it's minor, and it gives a much more graceful
> response to the move. We know there are people running this, with
> clusters in the thousands. We don't know who they all are, what
> they're doing with it, and we don't know that all of them are happy
> or expecting to immediately rewrite all of their tools. I don't
> really see why this is a big deal.

I wasn't aware that this was already written when I replied
originally, and that fact does reduce my opposition somewhat.  I still
have issues though:

1) Is this tested anywhere?  There are no unit tests in the patch and
it's not clear to me that there would be any Tempest coverage of this
code path.  Providing this and having it break a couple of months down
the line seems worse than not providing it at all.  This is obviously
fixable though.

2) If we think maintaining compatibility for existing users is that
important, why aren't we proxying everything?  Is it too
difficult/impossible due to the differences between Baremetal and
Ironic?  And if they're that different, does it still make sense to
allow one to look like the other?  As it stands, this isn't going to
let deployers use their existing tools without modification anyway.

-Ben

> 
> --Dan



