[openstack-dev] Hiding complexity of paste config files from operators

Mark McLoughlin markmc at redhat.com
Mon Jul 30 09:31:49 UTC 2012


Hi Lorin,

On Sun, 2012-07-29 at 21:28 -0400, Lorin Hochstein wrote:
> Assuming that the *-paste.ini files always need to be there, is there
> some way we could avoid requiring admins to edit these files, and
> instead make it more like editing the .conf files?

I'd like us to get to a point where it's highly unusual for admins to
need to modify the PasteDeploy files.

For example, in glance the most commonly used pipelines are pre-defined
in the PasteDeploy file and the admin chooses one of those in
glance-api.conf by setting e.g.

  [paste_deploy]
  flavor = keystone

This should probably be documented in glance-api.conf itself.

Nova has something similar where the auth_strategy option in nova.conf
chooses one of:

  [composite:openstack_compute_api_v2]
  use = call:nova.api.auth:pipeline_factory
  noauth = ...
  keystone = ...
  keystone_nolimit = ...

I think the last remaining common use case for modifying the PasteDeploy
files is to configure keystone's authtoken middleware. At the last
design summit we briefly discussed allowing this to be configured via
cfg options using the global ConfigOpts object - i.e. this would allow
the configuration for the middleware to come from nova.conf:

  in keystone/middleware/auth_token.py:

    from openstack.common import cfg

    CONF = cfg.CONF

    opts = [
        cfg.StrOpt('auth_host', default='127.0.0.1'),
        cfg.IntOpt('auth_port', default=35357),
        cfg.StrOpt('auth_protocol', default='http'),
        cfg.StrOpt('auth_uri', default=None),  # default='$auth_protocol://$auth_host:$auth_port'
        cfg.BoolOpt('delay_auth_decision', default=False),
        cfg.StrOpt('admin_token'),
        cfg.StrOpt('admin_user'),
        cfg.StrOpt('admin_password'),
        cfg.StrOpt('admin_tenant_name', default='admin'),
        cfg.ListOpt('memcache_servers'),
        cfg.IntOpt('token_cache_time', default=300),
    ]
    CONF.register_opts(opts, group='keystone_authtoken')
    ...
    class AuthProtocol(object):
        ...
        def _conf_get(self, name):
            if name in self.conf:
                return self.conf[name]
            else:
                return CONF.keystone_authtoken[name]

  in nova.conf:

      [keystone_authtoken]
      auth_host = 127.0.0.1
      auth_port = 35357
      auth_protocol = http
      admin_tenant_name = admin
      admin_user = admin
      admin_password = badpassword

Cheers,
Mark.
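
Added example, not part of the original message and not keystone's code: the lookup order sketched in `_conf_get` (PasteDeploy section first, then `[keystone_authtoken]` in nova.conf, then the default), with type coercion added because PasteDeploy values arrive as strings and a raw `delay_auth_decision = false` would be truthy. `AuthConf`, `coerce`, the use of stdlib `configparser` in place of `openstack.common.cfg`, the derived `auth_uri` default and the sample values are all assumptions.

```python
import configparser

# Option names, types and defaults taken from the opts list in the message.
OPTS = {
    'auth_host': (str, '127.0.0.1'), 'auth_port': (int, 35357),
    'auth_protocol': (str, 'http'), 'auth_uri': (str, None),
    'delay_auth_decision': (bool, False), 'admin_user': (str, None),
    'admin_password': (str, None), 'admin_tenant_name': (str, 'admin'),
    'token_cache_time': (int, 300),
}
_BOOLS = {'true': True, '1': True, 'yes': True, 'on': True,
          'false': False, '0': False, 'no': False, 'off': False}


def coerce(name, raw):
    """Convert an INI string to the option's declared type (hypothetical helper)."""
    kind = OPTS[name][0]
    if kind is bool:
        try:
            return _BOOLS[raw.strip().lower()]
        except KeyError:
            raise ValueError('%s: not a boolean: %r' % (name, raw))
    return kind(raw)


class AuthConf(object):
    """Hypothetical stand-in for the _conf_get lookup order."""

    def __init__(self, paste_conf, global_text, group='keystone_authtoken'):
        # interpolation=None so a '%' inside admin_password is read literally
        parser = configparser.ConfigParser(interpolation=None)
        parser.read_string(global_text)
        self.paste = paste_conf
        self.glob = dict(parser[group]) if parser.has_section(group) else {}

    def get(self, name):
        for source in (self.paste, self.glob):  # PasteDeploy value wins
            if name in source:
                return coerce(name, source[name])
        if name == 'auth_uri':  # the default suggested in the message's comment
            return '%s://%s:%d' % (self.get('auth_protocol'),
                                   self.get('auth_host'), self.get('auth_port'))
        return OPTS[name][1]


# Constructed sample input: a nova.conf fragment and a PasteDeploy filter section.
NOVA_CONF = """
[keystone_authtoken]
auth_host = 192.0.2.10
admin_user = admin
admin_password = badpassword
"""
PASTE_LOCAL = {'delay_auth_decision': 'false', 'auth_port': '5000'}
```
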



