[openstack-dev] [nova][keystone] keystoneauth1 and keystonemiddle setting

Chen CH Ji jichenjc at cn.ibm.com
Thu Aug 17 07:47:04 UTC 2017


ok, thanks for Morgan and Brant's comments, will rework the patch based on
the comments, thanks!

Best Regards!

Kevin (Chen) Ji 纪 晨

Engineer, zVM Development, CSTL
Notes: Chen CH Ji/China/IBM at IBMCN   Internet: jichenjc at cn.ibm.com
Phone: +86-10-82451493
Address: 3/F Ring Building, ZhongGuanCun Software Park, Haidian District,
Beijing 100193, PRC



From:	Morgan Fainberg <morgan.fainberg at gmail.com>
To:	"OpenStack Development Mailing List (not for usage questions)"
            <openstack-dev at lists.openstack.org>
Date:	08/17/2017 07:51 AM
Subject:	Re: [openstack-dev] [nova][keystone] keystoneauth1 and
            keystonemiddle setting





On Aug 16, 2017 11:31, "Brant Knudson" <blk at acm.org> wrote:


  On Mon, Aug 14, 2017 at 2:48 AM, Chen CH Ji <jichenjc at cn.ibm.com> wrote:
   In fixing bug 1704798, there's a proposed patch
   https://review.openstack.org/#/c/485121/7
   but we are stuck on the http_connection_timeout and timeout values in
   the keystoneauth1 and keystonemiddle repos

   basically we want to reuse the keystone_auth section in nova.conf to
   avoid creating another section, so we can
   use the following to create a session

   sess = ks_loading.load_session_from_conf_options(CONF,
   'keystone_authtoken', auth=context.get_auth_plugin())

   any comments or we have to create another section and configure it
   anyway? thanks


   Best Regards!

   Kevin (Chen) Ji 纪 晨


   __________________________________________________________________________

   OpenStack Development Mailing List (not for usage questions)
   Unsubscribe:
   OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
   http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev


  I think reusing the keystone_authtoken config is a bad idea.
  keystone_authtoken contains the configuration for the auth_token
  middleware so this is what we keystone developers expect it to be used
  for. A deployment may have different security needs for the auth_token
  middleware vs checking quotas, in which case they'll need different users
  or projects for the auth_token middleware and quota checking. And even if
  we don't need it now we might need it in the future, and it's going to
  create a lot of work going forward to rearchitect.

  If a deployer wants to use the same authentication for both auth_token
  middleware and the proxy, they can create a new section with the config
  and point both keystone_authtoken and quota checking to it (by setting
  the auth_section).

  --
  - Brant




What Brant said. Please do not lean on the options from keystone middleware
for anything outside of keystone middleware. We have had to change these
options before and those changes should only ever impact the keystone
middleware code. If you re-use those options for something in Nova, it will
likely break and need to be split into its own option block in the future.

Please create a new option block (even if a deployer uses the same
user/password) rather than using the authtoken config section for anything
outside of authtoken.

--Morgan
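
Added example, not part of the thread and not nova or keystoneauth1 code: a stdlib-only model of the layout the replies recommend, where the consuming service gets its own option block and `auth_section` points it at a shared credentials section. The section names `[shared_service_auth]`, `[quota_check]` and `[legacy_quota]`, the helper names and every value are constructed assumptions.

```python
import configparser

# Constructed sample config. Section names other than [keystone_authtoken],
# and every value, are hypothetical and not taken from nova.
SAMPLE_CONF = """
[shared_service_auth]
auth_type = password
auth_url = https://keystone.example.test/v3
username = svc-shared
password = constructed-placeholder

[keystone_authtoken]
auth_section = shared_service_auth

[quota_check]
auth_section = shared_service_auth
timeout = 30

[legacy_quota]
auth_section = keystone_authtoken
"""

# Per-section session settings in this model; they are never inherited.
SESSION_KEYS = {"timeout", "cafile", "certfile", "keyfile", "insecure"}
MIDDLEWARE = "keystone_authtoken"

def load(text):
    conf = configparser.ConfigParser(interpolation=None)
    conf.read_string(text)
    return conf

def resolve_auth(conf, group):
    """Return (source section, auth options), following auth_section one hop."""
    source = conf.get(group, "auth_section", fallback=group)
    if not conf.has_section(source):
        raise ValueError(f"[{group}] points at missing section [{source}]")
    skip = SESSION_KEYS | {"auth_section"}
    return source, {k: v for k, v in conf.items(source) if k not in skip}

def session_opts(conf, group):
    """Session settings are read from the consuming section only."""
    return {k: conf.get(group, k) for k in SESSION_KEYS if conf.has_option(group, k)}

def leans_on_middleware(conf):
    """Sections that load auth from the middleware's own block (the pattern
    the thread rejects)."""
    return sorted(s for s in conf.sections() if s != MIDDLEWARE
                  and conf.get(s, "auth_section", fallback=None) == MIDDLEWARE)

CONF = load(SAMPLE_CONF)
```

In this model a change to the options inside `[keystone_authtoken]` affects only the section `leans_on_middleware` reports, while `[quota_check]` keeps its own `timeout` and can be repointed at separate credentials by editing one line.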