[openstack-dev] [Openstack-operators] [keystone] Removing functionality that was deprecated in Kilo and upcoming deprecated functionality in Mitaka

Morgan Fainberg morgan.fainberg at gmail.com
Tue Dec 1 21:01:38 UTC 2015


On Tue, Dec 1, 2015 at 1:57 AM, Steve Martinelli <stevemar at ca.ibm.com>
wrote:

> Trying to summarize here...
>
> - There isn't much interest in keeping eventlet around.
> - Folks are OK with running keystone in a WSGI server, but feel they are
> constrained by Apache.
> - uWSGI could help to support multiple web servers.
>
> My opinion:
>
> - Adding support for uWSGI definitely sounds like it's worth
> investigating, but not achievable in this release (unless someone already
> has something cooked up).
>
uWSGI is trivial to use, but there are a ton of options that go along with
it. Our current wsgi file that works w/ mod_wsgi pretty much "just works"
for uWSGI. The "configure uWSGI" in a sane way is much much much more in
depth.

> - I'm tempted to let eventlet stick around another release, since it's
> causing pain on some of our operators.
> - Other folks have managed to run keystone in a web server (and hopefully
> not feel pain when doing so!), so it might be worth getting technical
> details on just how it was accomplished. If we get an OK from the operator
> community later on in mitaka, I'd still be OK with removing eventlet, but I
> don't want to break folks.
>
> stevemar
>
> From: John Dewey <john at dewey.ws>
> 100% agree.
>
> We should look at uwsgi as the reference architecture. Nginx/Apache/etc
> should be interchangeable, and up to the operator which they choose to use.
> Hell, with tcp load balancing now in opensource Nginx, I could get rid of
> Apache and HAProxy by utilizing uwsgi.
>
> John
>
> On November 30, 2015 at 1:05:26 PM, Paul Czarkowski (
> *pczarkowski+openstackops at bluebox.net*
> <pczarkowski+openstackops at bluebox.net>) wrote:
>
>    I don't have a problem with eventlet itself going away, but I do feel
>       that keystone should pick a python based web server capable of running WSGI
>       apps ( such as uWSGI ) for the reference implementation rather than Apache
>       which can be declared appropriately in the requirements.txt of the project.
>       I feel it is important to allow the operator to make choices based on their
>       organization's skill sets ( i.e. apache vs nginx ) to help keep complexity
>       low.
>
>       I understand there are some newer features that rely on Apache (
>       federation, etc ) but we should allow the need for those features inform
>       the operators choice of web server rather than force it for everybody.
>
>       Having a default implementation using uWSGI is also more inline
>       with the 12 factor way of writing applications and will run a lot more
>       comfortably in [application] containers than apache would which is probably
>       an important consideration given how many people are focused on being able
>       to run openstack projects inside containers.
>
>       On Mon, Nov 30, 2015 at 2:36 PM, Jesse Keating <*jlk at bluebox.net*
>       <jlk at bluebox.net>> wrote:
>          I have an objection to eventlet going away. We have problems
>          with running Apache and mod_wsgi with multiple python virtual environments.
>          In some of our stacks we're running both Horizon and Keystone. Each get
>          their own virtual environment. Apache mod_wsgi doesn't really work that
>          way, so we'd have to do some ugly hacks to expose the python environments
>          of both to Apache at the same time.
>
>          I believe we spoke about this at Summit. Have you had time to
>          look into this scenario and have suggestions?
>
>
>          - jlk
>
>          On Mon, Nov 30, 2015 at 10:26 AM, Steve Martinelli <
>          *stevemar at ca.ibm.com* <stevemar at ca.ibm.com>> wrote:
>          This post is being sent again to the operators mailing list, and
>          i apologize if it's duplicated for some folks. The original thread is here:
>          *http://lists.openstack.org/pipermail/openstack-dev/2015-November/080816.html*
>          <http://lists.openstack.org/pipermail/openstack-dev/2015-November/080816.html>
>
>
>          In the Mitaka release, the keystone team will be removing
>          functionality that was marked for deprecation in Kilo, and marking certain
>          functions as deprecated in Mitaka (that may be removed in at least 2
>          cycles).
>
>          removing deprecated functionality
>          =====================
>
>          This is not a full list, but these are by and large the most
>          contentious topics.
>
>          * Eventlet support: This was marked as deprecated back in Kilo
>          and is currently scheduled to be removed in Mitaka in favor of running
>          keystone in a WSGI server. This is currently how we test keystone in the
>          gate, and based on the feedback we received at the summit, a lot of folks
>          have moved to running keystone under Apache since we’ve announced this
>          change. OpenStack's CI is configured to mainly test using this deployment
>          model. See [0] for when we started to issue warnings.
>
>          * Using LDAP to store assignment data: Like eventlet support,
>          this feature was also deprecated in Kilo and scheduled to be removed in
>          Mitaka. To store assignment data (role assignments) we suggest using an SQL
>          based backend rather than LDAP. See [1] for when we started to issue
>          warnings.
>
>          * Using LDAP to store project and domain data: The same as
>          above, see [2] for when we started to issue warnings.
>
>          * for a complete list:
>          *https://blueprints.launchpad.net/keystone/+spec/removed-as-of-mitaka*
>          <https://blueprints.launchpad.net/keystone/+spec/removed-as-of-mitaka>
>
>          functions deprecated as of mitaka
>          =====================
>
>          The following will adhere to the TC’s new standard on
>          deprecating functionality [3].
>
>          * LDAP write support for identity: We suggest simply not writing
>          to LDAP for users and groups, this effectively makes create, delete and
>          update of LDAP users and groups a no-op. It will be removed in the O
>          release.
>
>          * PKI tokens: We suggest using UUID or fernet tokens instead.
>          The PKI token format has had issues with security and causes problems with
>          both horizon and swift when the token contains an excessively large service
>          catalog. It will be removed in the O release.
>
>          * v2.0 of our API: Lastly, the keystone team recommends using v3
>          of our Identity API. We have had the intention of deprecating v2.0 for a
>          while (since Juno actually), and have finally decided to formally deprecate
>          v2.0. OpenStack’s CI runs successful v3 only jobs, there is complete
>          feature parity with v2.0, and we feel the CLI exposed via openstackclient
>          is mature enough to say with certainty that we can deprecate v2.0. It will
>          be around for at least FOUR releases, with the authentication routes (POST
>          /auth/tokens) potentially sticking around for longer.
>
>          * for a complete list:
>          *https://blueprints.launchpad.net/keystone/+spec/deprecated-as-of-mitaka*
>          <https://blueprints.launchpad.net/keystone/+spec/deprecated-as-of-mitaka>
>
>
>          If you have ANY concern about the following, please speak up now
>          and let us know!
>
>
>          Thanks!
>
>          Steve Martinelli
>          OpenStack Keystone Project Team Lead
>
>
>          [0]
>          *https://github.com/openstack/keystone/blob/b475040636ccc954949e6372a60dd86845644611/keystone/server/eventlet.py#L77-L80*
>          <https://github.com/openstack/keystone/blob/b475040636ccc954949e6372a60dd86845644611/keystone/server/eventlet.py#L77-L80>
>          [1]
>          *https://github.com/openstack/keystone/blob/28a30f53a6c0d4e84d60795e08f137e8194abbe9/keystone/assignment/backends/ldap.py#L34*
>          <https://github.com/openstack/keystone/blob/28a30f53a6c0d4e84d60795e08f137e8194abbe9/keystone/assignment/backends/ldap.py#L34>
>          [2]
>          *https://github.com/openstack/keystone/blob/28a30f53a6c0d4e84d60795e08f137e8194abbe9/keystone/resource/backends/ldap.py#L36-L39*
>          <https://github.com/openstack/keystone/blob/28a30f53a6c0d4e84d60795e08f137e8194abbe9/keystone/resource/backends/ldap.py#L36-L39>
>          [3]
>          *http://governance.openstack.org/reference/tags/assert_follows-standard-deprecation.html*
>          <http://governance.openstack.org/reference/tags/assert_follows-standard-deprecation.html>
>
>
>
>          _______________________________________________
>          OpenStack-operators mailing list
> *OpenStack-operators at lists.openstack.org*
>          <OpenStack-operators at lists.openstack.org>
> *http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators*
>          <http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators>
>
>
>
>          _______________________________________________
>          OpenStack-operators mailing list
> *OpenStack-operators at lists.openstack.org*
>          <OpenStack-operators at lists.openstack.org>
> *http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators*
>          <http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators>
>
>       _______________________________________________
>       OpenStack-operators mailing list
>       OpenStack-operators at lists.openstack.org
>
>       http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators
>       _______________________________________________
>       OpenStack-operators mailing list
>       OpenStack-operators at lists.openstack.org
>
>       http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators
>
>
>
>
>
> __________________________________________________________________________
> OpenStack Development Mailing List (not for usage questions)
> Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20151201/677e2480/attachment.html>


More information about the OpenStack-dev mailing list