
<html>

  <head>

    <meta content="text/html; charset=ISO-8859-1"

      http-equiv="Content-Type">

  </head>

  <body bgcolor="#FFFFFF" text="#000000">

    <div class="moz-cite-prefix">On 07/13/2012 05:39 PM, Nathanael

      Burton wrote:<br>

    </div>

    <blockquote

cite="mid:CAHTGUNTBWVdnFfoKsSkqW6mqg5=VTD7T1axAzgDiMvDHmKMJPg@mail.gmail.com"

      type="cite">

      <p>Dan,</p>

      <p>Adam Young was advocating for something like this.  I don't

        know if a consensus was ever reached, but I thought it was a

        good idea.</p>

      <p><a moz-do-not-send="true"

          href="https://lists.launchpad.net/openstack/msg10864.html">https://lists.launchpad.net/openstack/msg10864.html</a></p>

      <p>Nate</p>

    </blockquote>

    Dan,<br>

    <br>

    Here's my proposed scheme.<br>

    <br>

    <a class="moz-txt-link-freetext" href="http://wiki.openstack.org/URLs">http://wiki.openstack.org/URLs</a><br>

    <br>

    I have submitted a patch for running Keystone in Apache:<br>

    <a class="moz-txt-link-freetext" href="https://review.openstack.org/#/c/9735/">https://review.openstack.org/#/c/9735/</a><br>

    <br>

    This assumes that you put admin on <a class="moz-txt-link-freetext" href="https://hostname/admin">https://hostname/admin</a><br>

    and so on.<br>

    <br>

    For Nova,  there is a pretty good write up here:<br>

    <br>

    <a class="moz-txt-link-freetext" href="http://www.rackspace.com/blog/enabling-ssl-for-the-openstack-api/">http://www.rackspace.com/blog/enabling-ssl-for-the-openstack-api/</a><br>

    <br>

    <br>

    Which pretty much takes the same approach.<br>

    <br>

    Glance needs some work to fit into that scheme, too, as I recall.<br>

    <br>

    The Client pieces need to be flexible enough to call with the

    suburls.  For example,  look at this patch:<br>

    <br>

    <a class="moz-txt-link-freetext" href="https://review.openstack.org/#/c/7156/">https://review.openstack.org/#/c/7156/</a><br>

    <br>

    <br>

    <br>

    <br>

    <br>

    <blockquote

cite="mid:CAHTGUNTBWVdnFfoKsSkqW6mqg5=VTD7T1axAzgDiMvDHmKMJPg@mail.gmail.com"

      type="cite">

      <div class="gmail_quote">On Jul 13, 2012 5:31 PM, "Dan Sneddon"

        <<a moz-do-not-send="true" href="mailto:dan@cloudscaling.com">dan@cloudscaling.com</a>>

        wrote:<br type="attribution">

        <blockquote class="gmail_quote" style="margin:0 0 0

          .8ex;border-left:1px #ccc solid;padding-left:1ex">

          I am attempting to find a workable solution for the following

          use case, and would like to get feedback from the community

          about it.<br>

          <br>

          There are some situations when it is required to put a proxy

          in front of multiple API endpoints and route by URL. This

          allows for more flexible routing/filtering in load balancers

          and firewalls, and makes it possible to differentiate between

          services in unified HTTP logs. In the current OpenStack model

          a typical API endpoint looks something like this:<br>

          <br>

          http(s)://<hostname>:<port>/<api

          version>/<account>/<container>/<object><br>

          <br>

          In essence, separate services have similar URLs, and are

          separated by the port number. It is difficult to use a

          request-header-aware proxy to route to a particular endpoint,

          since there is no clear differentiation between service URLs

          if the hostname and port are the same.<br>

          <br>

          With standard HTTP, this can be handled by using several

          different hostnames pointing to the same IP. This is

          particularly a problem with SSL certificates, which need to

          match the hostname.<br>

          <br>

          If the URLs contained a service identifier at the beginning of

          the URL, this would allow a proxy to make decisions about

          where to route requests based on the beginning of the URL, for

          example the URL above would become:<br>

          <br>

          http(s)://<hostname>:<port>/<service>/<api

          version>/<account>/<container>/<object><br>

          e.g.<br>

          <a moz-do-not-send="true"

            href="https://api-host:443/compute/v2.0/." target="_blank">https://api-host:443/compute/v2.0/.</a>..<br>

          <a moz-do-not-send="true"

            href="https://api-host:443/auth/v2.0/." target="_blank">https://api-host:443/auth/v2.0/.</a>..<br>

          etc.<br>

          <br>

          It seems that the API services are compatible with this

          through the use of the urlmap configuration by including both

          versions of the URL:<br>

          <br>

          [composite:osapi_compute]<br>

          use = call:nova.api.openstack.urlmap:urlmap_factory<br>

          /: oscomputeversions<br>

          /v1.1: openstack_compute_api_v2<br>

          /v2: openstack_compute_api_v2<br>

          /compute/: oscomputeversions<br>

          /compute/v1.1: openstack_compute_api_v2<br>

          /compute/v2: openstack_compute_api_v2<br>

          <br>

          Is allowing both forms of this URL in all services likely to

          break anything down the line? Does this seem like a common

          enough use case that it should be considered as an addition to

          the default configuration? Also, as services change (such as

          nova-volume being replaced by cinder) is there a set of

          generic service descriptors defined that can be used to

          abstract from the particular name of the service? Some of

          these are obvious, like "network", but it would be nice to be

          consistent across versions and instances.<br>

          <br>

          Thank you for your feedback,<br>

          --<br>

          Dan Sneddon<br>

          Senior Engineer, Cloudscaling<br>

          <a moz-do-not-send="true" href="mailto:dan@cloudscaling.com">dan@cloudscaling.com</a>

          - @dxs on Twitter<br>

          _______________________________________________<br>

          Mailing list: <a moz-do-not-send="true"

            href="https://launchpad.net/%7Eopenstack" target="_blank">https://launchpad.net/~openstack</a><br>

          Post to     : <a moz-do-not-send="true"

            href="mailto:openstack@lists.launchpad.net">openstack@lists.launchpad.net</a><br>

          Unsubscribe : <a moz-do-not-send="true"

            href="https://launchpad.net/%7Eopenstack" target="_blank">https://launchpad.net/~openstack</a><br>

          More help   : <a moz-do-not-send="true"

            href="https://help.launchpad.net/ListHelp" target="_blank">https://help.launchpad.net/ListHelp</a><br>

        </blockquote>

      </div>

      <br>

      <fieldset class="mimeAttachmentHeader"></fieldset>

      <br>

      <pre wrap="">_______________________________________________

Mailing list: <a class="moz-txt-link-freetext" href="https://launchpad.net/~openstack">https://launchpad.net/~openstack</a>

Post to     : <a class="moz-txt-link-abbreviated" href="mailto:openstack@lists.launchpad.net">openstack@lists.launchpad.net</a>

Unsubscribe : <a class="moz-txt-link-freetext" href="https://launchpad.net/~openstack">https://launchpad.net/~openstack</a>

More help   : <a class="moz-txt-link-freetext" href="https://help.launchpad.net/ListHelp">https://help.launchpad.net/ListHelp</a>

</pre>

    </blockquote>

    <br>

    <br>

  </body>

</html>