<div dir="ltr"><br><div class="gmail_extra"><br><div class="gmail_quote">On Mon, Aug 14, 2017 at 2:48 AM, Chen CH Ji <span dir="ltr"><<a href="mailto:jichenjc@cn.ibm.com" target="_blank">jichenjc@cn.ibm.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div><p><font size="2">In fixing bug 1704798, there's a proposed patch </font><a href="https://review.openstack.org/#/c/485121/7" target="_blank"><font size="2">https://review.openstack.org/#<wbr>/c/485121/7</font></a><br><font size="2">but we stuck at http_connection_timeout and timeout value in keystoneauth1 and keystonemiddle repo</font><br><br><font size="2">basically we want to reuse the keystone_auth section in nova.conf to avoid create another section so we can</font><br><font size="2">use following to create a session </font><br><br><font size="2">sess = ks_loading.load_session_from_<wbr>conf_options(CONF, 'keystone_authtoken', auth=context.get_auth_plugin()<wbr>) </font><br><br><font size="2">any comments or we have to create another section and configure it anyway? thanks </font><br><br><br><font size="2">Best Regards! <br><br>Kevin (Chen) Ji 纪 晨<br><br>Engineer, zVM Development, CSTL<br>Notes: Chen CH Ji/China/IBM@IBMCN Internet: <a href="mailto:jichenjc@cn.ibm.com" target="_blank">jichenjc@cn.ibm.com</a><br>Phone: <a href="tel:+86%2010%208245%201493" value="+861082451493" target="_blank">+86-10-82451493</a><br>Address: 3/F Ring Building, ZhongGuanCun Software Park, Haidian District, Beijing 100193, PRC </font><br>
</p></div>
<br>______________________________<wbr>______________________________<wbr>______________<br>
OpenStack Development Mailing List (not for usage questions)<br>
Unsubscribe: <a href="http://OpenStack-dev-request@lists.openstack.org?subject:unsubscribe" rel="noreferrer" target="_blank">OpenStack-dev-request@lists.<wbr>openstack.org?subject:<wbr>unsubscribe</a><br>
<a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" rel="noreferrer" target="_blank">http://lists.openstack.org/<wbr>cgi-bin/mailman/listinfo/<wbr>openstack-dev</a><br>
<br></blockquote></div><br>I think reusing the keystone_authtoken config is a bad idea. keystone_authtoken contains the configuration for the auth_token middleware so this is what we keystone developers expect it to be used for. A deployment may have different security needs for the auth_token middleware vs checking quotas in which case they'll need different users or project for the auth_token middleware and quota checking. And even if we don't need it now we might need it in the future, and it's going to create a lot of work going forward to rearchitect.</div><div class="gmail_extra"><br></div><div class="gmail_extra">If a deployer wants to use the same authentication for both auth_token middleware and the proxy, they can create a new section with the config and point both keystone_authtoken and quota checking to it (by setting the auth_section).<br clear="all"><div><br></div>-- <br><div class="gmail_signature"><div dir="ltr">- Brant<br></div></div>
</div></div>