[openstack-dev] [Openstack-operators] [keystone] Removing functionality that was deprecated in Kilo and upcoming deprecated functionality in Mitaka

Lance Bragstad lbragstad at gmail.com
Tue Dec 1 14:50:14 UTC 2015

On Tue, Dec 1, 2015 at 6:05 AM, Sean Dague <sean at dague.net> wrote:

> On 12/01/2015 01:57 AM, Steve Martinelli wrote:
> > Trying to summarize here...
> >
> > - There isn't much interest in keeping eventlet around.
> > - Folks are OK with running keystone in a WSGI server, but feel they are
> > constrained by Apache.
> From an interop perspective, this concerns me a bit. My understanding is
> that Apache is specifically needed for Federation. Federation is the
> norm that we want for environments in the future.

(On a side note from removing eventlet, but related to what Sean said)

A spec has been proposed to make keystone a fully fledged saml2 provider
[0]. Depending on how we feel about implementing and maintaining something
like this, we'd be able to use federation within uWSGI (we would no longer
*require* Apache for federation). Only bringing this up because it would
also solve the two-reference-architectures problem. A uWSGI reference
architecture could be used for deploying keystone, regardless if you want
federation or not.

We probably wouldn't get a uWSGI reference architecture until after that is
all fleshed out. This is assuming the spec is accepted and implemented in

Not to take away from the current thread, but it seems partially relevant.
Also, this seems like a good opportunity to gather thoughts on the idea :)

[0] https://review.openstack.org/#/c/244694/5

> I'd hate to go down a path where the reference architecture we put out
> there doesn't support this. It's going to be all the pain of cells /
> non-cells that Nova's or nova-net / neutron bifurcation.
> Whatever the reference architecture is, it should support Federation. A
> non federation capable keystone should be the exception.
> > - uWSGI could help to support multiple web servers.
> --
> Sean Dague
> http://dague.net
> __________________________________________________________________________
> OpenStack Development Mailing List (not for usage questions)
> Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20151201/dccffe66/attachment.html>

More information about the OpenStack-dev mailing list