[Openstack-operators] [keystone] Removing functionality that was deprecated in Kilo and upcoming deprecated functionality in Mitaka
jlk at bluebox.net
Mon Nov 30 20:36:53 UTC 2015

I have an objection to eventlet going away. We have problems with running
Apache and mod_wsgi with multiple python virtual environments. In some of
our stacks we're running both Horizon and Keystone. Each gets its own
virtual environment. Apache mod_wsgi doesn't really work that way, so we'd
have to do some ugly hacks to expose the python environments of both to
Apache at the same time.

I believe we spoke about this at Summit. Have you had time to look into
this scenario and have suggestions?

On Mon, Nov 30, 2015 at 10:26 AM, Steve Martinelli <stevemar at ca.ibm.com> wrote:
> This post is being sent again to the operators mailing list, and I
> apologize if it's duplicated for some folks. The original thread is here:
> In the Mitaka release, the keystone team will be removing functionality
> that was marked for deprecation in Kilo, and marking certain functions as
> deprecated in Mitaka (that may be removed in at least 2 cycles).
> removing deprecated functionality
> This is not a full list, but these are by and large the most contentious
> * Eventlet support: This was marked as deprecated back in Kilo and is
> currently scheduled to be removed in Mitaka in favor of running keystone in
> a WSGI server. This is currently how we test keystone in the gate, and
> based on the feedback we received at the summit, a lot of folks have moved
> to running keystone under Apache since we’ve announced this change.
> OpenStack's CI is configured to mainly test using this deployment model.
> See  for when we started to issue warnings.
> * Using LDAP to store assignment data: Like eventlet support, this feature
> was also deprecated in Kilo and scheduled to be removed in Mitaka. To store
> assignment data (role assignments) we suggest using an SQL based backend
> rather than LDAP. See  for when we started to issue warnings.
> * Using LDAP to store project and domain data: The same as above, see 
> for when we started to issue warnings.
> * for a complete list:
> functions deprecated as of mitaka
> The following will adhere to the TC’s new standard on deprecating
> functionality.
> * LDAP write support for identity: We suggest simply not writing to LDAP
> for users and groups, this effectively makes create, delete and update of
> LDAP users and groups a no-op. It will be removed in the O release.
> * PKI tokens: We suggest using UUID or fernet tokens instead. The PKI
> token format has had issues with security and causes problems with both
> horizon and swift when the token contains an excessively large service
> catalog. It will be removed in the O release.
> * v2.0 of our API: Lastly, the keystone team recommends using v3 of our
> Identity API. We have had the intention of deprecating v2.0 for a while
> (since Juno actually), and have finally decided to formally deprecate v2.0.
> OpenStack’s CI runs successful v3 only jobs, there is complete feature
> parity with v2.0, and we feel the CLI exposed via openstackclient is mature
> enough to say with certainty that we can deprecate v2.0. It will be around
> for at least FOUR releases, with the authentication routes (POST
> /auth/tokens) potentially sticking around for longer.
> * for a complete list:
> If you have ANY concern about the following, please speak up now and let
> us know!
> Steve Martinelli
> OpenStack Keystone Project Team Lead