<div dir="ltr"><br><div class="gmail_extra"><div class="gmail_quote">On Wed, Aug 28, 2013 at 7:22 PM, Yongsheng Gong <span dir="ltr">&lt;<a href="mailto:gongysh@unitedstack.com" target="_blank">gongysh@unitedstack.com</a>&gt;</span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">For admin, we must use admin token.  In general, the token from API context is not of role admin.</div></blockquote>
<div><br></div><div>So... because the authenticated user making the API request *may not* have "admin" access, you're dropping that authorization in favor of using CONF.neutron_admin_username, etc, to escalate the available privileges? Yikes.</div>
<div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div><br></div><div>I think the BP can help <a href="https://blueprints.launchpad.net/keystone/+spec/reuse-token" target="_blank">https://blueprints.launchpad.net/keystone/+spec/reuse-token</a></div>
</div></blockquote><div><br></div><div>I don't see how?</div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">
</div><div class="HOEnZb"><div class="h5"><div class="gmail_extra"><br><br><div class="gmail_quote">On Thu, Aug 29, 2013 at 8:12 AM, Roman Verchikov <span dir="ltr">&lt;<a href="mailto:rverchikov@mirantis.com" target="_blank">rverchikov@mirantis.com</a>&gt;</span> wrote:<br>

<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hi stackers!<br>
<br>
Sorry for the stupid question, but why does nova.network.neutronv2.get_client() [1] drop auth_token for admin? Is it really necessary to make another check for username/password when trying to get a list of ports or floating IPs?..<br>


<br>
When keystone is configured with an LDAP backend this leads to a bunch of LDAP requests which tend to be quite slow. Plus those LDAP requests could have been simply skipped when keystone is configured with token cache enabled.<br>


<br>
Thanks,<br>
Roman<br>
<br>
[1] <a href="https://github.com/openstack/nova/blob/master/nova/network/neutronv2/__init__.py#L68" target="_blank">https://github.com/openstack/nova/blob/master/nova/network/neutronv2/__init__.py#L68</a><br>
_______________________________________________<br>
OpenStack-dev mailing list<br>
<a href="mailto:OpenStack-dev@lists.openstack.org" target="_blank">OpenStack-dev@lists.openstack.org</a><br>
<a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a><br>
</blockquote></div><br></div>
</div></div><br>
<br></blockquote></div><br><br clear="all"><div><br></div>-- <br><div><br></div>-Dolph
</div></div>