<div dir="auto"><div><br><div class="gmail_extra"><br><div class="gmail_quote">On Aug 16, 2017 11:31, "Brant Knudson" <<a href="mailto:blk@acm.org">blk@acm.org</a>> wrote:<br type="attribution"><blockquote class="quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><br><div class="gmail_extra"><br><div class="gmail_quote">On Mon, Aug 14, 2017 at 2:48 AM, Chen CH Ji <span dir="ltr"><<a href="mailto:jichenjc@cn.ibm.com" target="_blank">jichenjc@cn.ibm.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div><p><font size="2">In fixing bug 1704798, there's a proposed patch </font><a href="https://review.openstack.org/#/c/485121/7" target="_blank"><font size="2">https://review.openstack.org/#<wbr>/c/485121/7</font></a><br><font size="2">but we stuck at http_connection_timeout and timeout value in keystoneauth1 and keystonemiddle repo</font><br><br><font size="2">basically we want to reuse the keystone_auth section in nova.conf to avoid create another section so we can</font><br><font size="2">use following to create a session </font><br><br><font size="2">sess = ks_loading.load_session_from_c<wbr>onf_options(CONF, 'keystone_authtoken', auth=context.get_auth_plugin()<wbr>) </font><br><br><font size="2">any comments or we have to create another section and configure it anyway? thanks </font><br><br><br><font size="2">Best Regards! <br><br>Kevin (Chen) Ji 纪 晨<br><br>Engineer, zVM Development, CSTL<br>Notes: Chen CH Ji/China/IBM@IBMCN Internet: <a href="mailto:jichenjc@cn.ibm.com" target="_blank">jichenjc@cn.ibm.com</a><br>Phone: <a href="tel:+86%2010%208245%201493" value="+861082451493" target="_blank">+86-10-82451493</a><br>Address: 3/F Ring Building, ZhongGuanCun Software Park, Haidian District, Beijing 100193, PRC </font><br>
</p></div>
<br>______________________________<wbr>______________________________<wbr>______________<br>
OpenStack Development Mailing List (not for usage questions)<br>
Unsubscribe: <a href="http://OpenStack-dev-request@lists.openstack.org?subject:unsubscribe" rel="noreferrer" target="_blank">OpenStack-dev-request@lists.op<wbr>enstack.org?subject:unsubscrib<wbr>e</a><br>
<a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" rel="noreferrer" target="_blank">http://lists.openstack.org/cgi<wbr>-bin/mailman/listinfo/openstac<wbr>k-dev</a><br>
<br></blockquote></div><br>I think reusing the keystone_authtoken config is a bad idea. keystone_authtoken contains the configuration for the auth_token middleware so this is what we keystone developers expect it to be used for. A deployment may have different security needs for the auth_token middleware vs checking quotas in which case they'll need different users or project for the auth_token middleware and quota checking. And even if we don't need it now we might need it in the future, and it's going to create a lot of work going forward to rearchitect.</div><div class="gmail_extra"><br></div><div class="gmail_extra">If a deployer wants to use the same authentication for both auth_token middleware and the proxy, they can create a new section with the config and point both keystone_authtoken and quota checking to it (by setting the auth_section).<font color="#888888"><br clear="all"><div><br></div>-- <br><div class="m_-3125627573056247906gmail_signature"><div dir="ltr">- Brant<br></div></div>
</font></div></div>
<br>______________________________<wbr>______________________________<wbr>______________<br>
OpenStack Development Mailing List (not for usage questions)<br>
Unsubscribe: <a href="http://OpenStack-dev-request@lists.openstack.org?subject:unsubscribe" rel="noreferrer" target="_blank">OpenStack-dev-request@lists.<wbr>openstack.org?subject:<wbr>unsubscribe</a><br>
<a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" rel="noreferrer" target="_blank">http://lists.openstack.org/<wbr>cgi-bin/mailman/listinfo/<wbr>openstack-dev</a><br>
<br></blockquote></div><br></div></div><div class="gmail_extra" dir="auto"><br></div><div class="gmail_extra" dir="auto">What Brant said. Please do not lean on the options from keystone middleware for anything outside of keystone middleware. We have had to change these options before and those changes should only ever impact the keystone middleware code. If you re-use those options for something in Nova, it will likely break and need to be split into it's own option block in the future.</div><div class="gmail_extra" dir="auto"><br></div><div class="gmail_extra" dir="auto">Please create a new option block (even if a deployers uses the same user/passord) rather than using the authtoken config section for anything outside of authtoken. </div><div class="gmail_extra" dir="auto"><br></div><div class="gmail_extra" dir="auto">--Morgan</div></div>