Open Stack

On 09/10/2014 03:14 PM, Ben Nemec wrote:
> On 09/10/2014 01:13 PM, Dan Smith wrote:
>>> As far as I understand it, though, that's a patch for a
>>> read-only mode.  It seems bizzare, and possibly dangerous, to
>>> proxy read commands, but not write commands.  It gives the
>>> impression that everything's fine until it's not fine (because
>>> someone tried to use an existing script to do a create command).
>>> IMHO, it would be better to just tell people up front "Update
>>> your scripts to use Ironic, because they won't work at all"
>>> instead of leading people (through empirical evidence) to believe
>>> that their scripts will work, and then having them discover later
>>> that something broke because they tried to create a node.
> 
>> How is it dangerous? Most code making "write commands" would need
>> to be pretty diligent about making sure that the thing being
>> requested actually succeeded. Having the proxy allows us to return
>> a reasonable code for those things (i.e. 403 Forbidden, perhaps)
>> instead of just "500 Huh? What?".
> 
>> I was pro-proxy from the beginning, not because I think proxies
>> are awesome, but because that's what we do when we move things out
>> of Nova's API to other services. Some feel this is a purely admin
>> API and that gives us license to break our own rules here, but I
>> don't really understand where, when and why we draw that line. The
>> code is written, it's minor, and it gives a much more graceful
>> response to the move. We know there are people running this, with
>> clusters in the thousands. We don't know who they all are, what
>> they're doing with it, and we don't know that all of them are happy
>> or expecting to immediately rewrite all of their tools. I don't
>> really see why this is a big deal.
> 
> I wasn't aware that this was already written when I replied
> originally, and that fact does reduce my opposition somewhat.  I still
> have issues though:
> 
> 1) Is this tested anywhere?  There are no unit tests in the patch and
> it's not clear to me that there would be any Tempest coverage of this
> code path.  Providing this and having it break a couple of months down
> the line seems worse than not providing it at all.  This is obviously
> fixable though.
> 
> 2) If we think maintaining compatibility for existing users is that
> important, why aren't we proxying everything?  Is it too
> difficult/impossible due to the differences between Baremetal and
> Ironic?  And if they're that different, does it still make sense to
> allow one to look like the other?  As it stands, this isn't going to
> let deployers use their existing tools without modification anyway.

Because the world isn't black and white. The ready only proxy probably
covers a bunch of cases, and is easy. The write proxy is much more time,
and unclear that it would be semantically equivalent enough to be useful
to anyone.

So this is an 80/20 rule piece of code. And as it's already done, lets
do it.

	-Sean

-- 
Sean Dague
http://dague.net

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 482 bytes
Desc: OpenPGP digital signature
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20140910/0dcf5fe1/attachment.pgp>