[openstack-dev] [fuel] FF Exception request for Fernet tokens support
bdobrelia at mirantis.com
Fri Jul 24 07:17:03 UTC 2015
> Fuel Library team, I expect your immediate reply here.
> I'd like upgrades team to take a look at this one, as well as at the one
> which moves Keystone under Apache, in order to check that there are no
> issues here.
> -1 from me for this time in the cycle. I'm concerned about:
> 1. I don't see any reference to a blueprint or bug which explains (with
> measurements) why we need this change in reference architecture, and what
> are the thoughts about it in puppet-openstack, and OpenStack Keystone. We
> need to get datapoints, and point to them. Just knowing that Keystone team
> implemented support for it doesn't yet mean that we need to rush in
> enabling this.
> 2. It is quite a noticeable change, not a simple enhancement. I reviewed
> the patch, there are questions raised.
> 3. It doesn't pass CI, and I don't have information on risks associated,
> and additional effort required to get this done (how long would it take to
> get it done)
> 4. This feature increases complexity of reference architecture. Now I'd
> like every complexity increase to be optional. I have feedback from the
> field, that our prescriptive architecture just doesn't fit users' needs,
> and it is so painful to decouple then what is needed vs what is not. Let's
> start extending stuff with an easy switch, being propagated from Fuel
> Settings. Is it possible to do? How complex would it be?
> If we get answers for all of this, and decide that we still want the
> feature, then it would be great to have it. I just don't feel that it's
> the right timing anymore - we entered FF.
I vote -1 for the same reasons. Besides that, this feature seems already
partially supported in puppet openstack upstream, hence should be
developed and finished upstream first. Even if it wasn't at all - we
should follow our contribution rules and not develop features like
Fernet tokens or v3 API in our forks.
So, the next steps as I see them are:
1) Freeze feature in fuel
2) Submit a spec to openstack puppet to make the feature complete
(address revocation, expiration, rotation of the fernet tokens). This
also seems related to the already existing blueprint for fuel and
the mail thread
3) Implement the feature upstream
4) Backport this to the fuel fork in 8.0, or consume it upstream
directly in case the related blueprint is already
implemented by that time.