<html><body><p><font size="2">OK, thanks for Morgan and Brant's comments, will rework the patch based on the comments, thanks!</font><br><br><font size="2">Best Regards! <br><br>Kevin (Chen) Ji 纪 晨<br><br>Engineer, zVM Development, CSTL<br>Notes: Chen CH Ji/China/IBM@IBMCN   Internet: jichenjc@cn.ibm.com<br>Phone: +86-10-82451493<br>Address: 3/F Ring Building, ZhongGuanCun Software Park, Haidian District, Beijing 100193, PRC </font><br><br><font size="2" color="#5F5F5F">From: </font><font size="2">Morgan Fainberg &lt;morgan.fainberg@gmail.com&gt;</font><br><font size="2" color="#5F5F5F">To: </font><font size="2">"OpenStack Development Mailing List (not for usage questions)" &lt;openstack-dev@lists.openstack.org&gt;</font><br><font size="2" color="#5F5F5F">Date: </font><font size="2">08/17/2017 07:51 AM</font><br><font size="2" color="#5F5F5F">Subject: </font><font size="2">Re: [openstack-dev] [nova][keystone] keystoneauth1 and keystonemiddle setting</font><br><hr width="100%" size="2" align="left" noshade style="color:#8091A5; "><br><br>On Aug 16, 2017 11:31, "Brant Knudson" &lt;<a href="mailto:blk@acm.org"><u><font color="#0000FF">blk@acm.org</font></u></a>&gt; wrote:
<ul><br><br>On Mon, Aug 14, 2017 at 2:48 AM, Chen CH Ji &lt;<a href="mailto:jichenjc@cn.ibm.com" target="_blank"><u><font color="#0000FF">jichenjc@cn.ibm.com</font></u></a>&gt; wrote:<br><font size="2">In fixing bug 1704798, there's a proposed patch </font><a href="https://review.openstack.org/#/c/485121/7" target="_blank"><u><font size="2" color="#0000FF">https://review.openstack.org/#/c/485121/7</font></u></a><font size="2"><br>but we are stuck at http_connection_timeout and timeout value in keystoneauth1 and keystonemiddle repo</font><br><font size="2"><br>basically we want to reuse the keystone_auth section in nova.conf to avoid creating another section so we can<br>use the following to create a session </font><br><font size="2"><br><tt>sess = ks_loading.load_session_from_conf_options(CONF, 'keystone_authtoken', auth=context.get_auth_plugin())</tt> </font><br><font size="2"><br>any comments, or do we have to create another section and configure it anyway? thanks </font><br><br><br>I think reusing the keystone_authtoken config is a bad idea. keystone_authtoken contains the configuration for the auth_token middleware so this is what we keystone developers expect it to be used for. A deployment may have different security needs for the auth_token middleware vs checking quotas in which case they'll need different users or project for the auth_token middleware and quota checking. 
And even if we don't need it now we might need it in the future, and it's going to create a lot of work going forward to rearchitect.<br><br>If a deployer wants to use the same authentication for both auth_token middleware and the proxy, they can create a new section with the config and point both keystone_authtoken and quota checking to it (by setting the auth_section).<br><br><font color="#888888">-- </font><br><font color="#888888">- Brant</font><br></ul><br><br>What Brant said. Please do not lean on the options from keystone middleware for anything outside of keystone middleware. We have had to change these options before and those changes should only ever impact the keystone middleware code. 
If you re-use those options for something in Nova, it will likely break and need to be split into its own option block in the future.<br><br>Please create a new option block (even if a deployer uses the same user/password) rather than using the authtoken config section for anything outside of authtoken. <br><br>--Morgan<br>
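<p>The separation Brant and Morgan ask for, and the auth_section indirection Brant mentions, as an added example that is not code from the thread, nova or keystoneauth1: a stdlib-only Python model in which auth plugin options follow one auth_section hop while session options such as timeout are read from the consumer's own section. The section names [quota_client] and [shared_identity], the user names and the helper functions are hypothetical.</p>

```python
import configparser

# Constructed nova.conf fragment. [quota_client] and [shared_identity] are
# hypothetical section names; option names are keystoneauth1/keystonemiddleware's.
SAMPLE_CONF = """
[keystone_authtoken]
auth_type = password
username = nova_authtoken
password = constructed-secret-1
http_connect_timeout = 5

[quota_client]
auth_section = shared_identity
timeout = 30

[shared_identity]
auth_type = password
username = nova_quota
password = constructed-secret-2
"""

AUTH_OPTS = ("auth_type", "auth_url", "username", "password", "project_name")
SESSION_OPTS = ("timeout", "cafile", "certfile", "keyfile", "insecure")


def load(text):
    conf = configparser.ConfigParser(interpolation=None)
    conf.read_string(text)
    return conf


def effective_settings(conf, group):
    """Return (auth_source, auth_opts, session_opts) for one consumer section.

    Auth plugin options follow a single auth_section hop; session options
    such as timeout are always read from the consumer's own section.
    """
    source = conf.get(group, "auth_section", fallback=None) or group
    if not conf.has_section(source):
        raise ValueError(f"[{group}] resolves to missing section [{source}]")
    auth = {k: conf[source][k] for k in AUTH_OPTS if k in conf[source]}
    session = {k: conf[group][k] for k in SESSION_OPTS if k in conf[group]}
    return source, auth, session


def shares_identity(conf, group_a, group_b):
    """True when both consumers would authenticate as the same user."""
    user_a = effective_settings(conf, group_a)[1].get("username")
    user_b = effective_settings(conf, group_b)[1].get("username")
    return user_a is not None and user_a == user_b
```

<p>With the sample as written the two consumers use different users; adding auth_section = shared_identity to [keystone_authtoken] makes both resolve to the same credentials without the quota client reading the middleware's section.</p>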
</body></html>