[openstack-dev] Cells design issue

Chris Behrens cbehrens at codestud.com
Fri Jun 14 03:03:26 UTC 2013


On Jun 13, 2013, at 7:09 PM, Robert Collins <robertc at robertcollins.net> wrote:

> On 14 June 2013 10:11, Kevin L. Mitchell <kevin.mitchell at rackspace.com> wrote:
> 
>> With cells, it's different; each cell essentially has its own queue that
>> it listens to.  (This could be the single Rabbit queue that all its
>> services listen to, I think, or could be something totally different
>> reserved solely for inter-cell communication.)  This means that, for one
>> cell to talk to another, it must know how to talk to that other cell,
>> and thus that data must be bound together with the information about
>> what cells exist.  At present, we do this through the database.
>> 
>> Make sense?
> 
> Not entirely.
> 
> You have a rabbit bus for cross-cell communications, and an endpoint
> on that bus for each cell. Cells need to know about other endpoints

Not so, although that's interesting.  There's 1 rabbit bus per cell, not a global rabbit bus.  A parent cell talks to its immediate children by putting a message onto the child cell's bus.  So, this means that each cell needs to have rabbit credentials for its immediate parents or children.

> for some reason [what cross-cell comms go on?]. That doesn't imply
> globally accessible credential, because getting on the bus is a
> separate concern.

There's no 'endpoint' with cells… although I'm not sure what you mean, exactly.  To further clarify myself above, all cell-to-cell communication is done via a communication driver.  The only existing communication driver for cells is RPC.  So, a parent nova-cells service talks to a child nova-cells service via RPC, putting messages into the child cell's rabbit server.  A child talks to the parent by putting a message into the parent cell's rabbit server.  We may decide some proprietary protocol is better… who knows.

> 
> Or - are you saying that it's actually a set of triples - (source cell,
> target cell, rabbit bus to use) - and because of this we don't know
> which credentials to use? In that case I'd suggest that we still want
> each machine connecting to each bus to have unique credentials, and
> the only places they should be stored are the rabbit server, and the
> machine using the credentials.

What is needed is (target_cell_name, target_cell_communication_driver, target_cell_communication_credentials).  The other problem with the current DB table is that it assumes RPC… so there's very rpc-specific things.  So, this all needs cleaned up anyway.

This means that an API cell needs to have the above triple for every single immediate child cell.  And each child cell also needs that for its parent(s).

The question that Kevin is asking is… do we fix this all in the DB and do some sort of encryption on the credentials.   Or do we do a JSON config file for cells?   And if we do the latter, how do we handle the migration?

I lean towards the JSON config.  This allows you to specify different credentials on each nova-cells node (if you have more than one in the same cell).  It means you don't need to worry about encryption.  And it's pretty flexible.

- Chris
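
[Added example, not part of the original message and not nova's code: a sketch of loading the per-node JSON cells file proposed above. Because the credentials are stored unencrypted, the loader rejects any file that other local users can access. The schema, key names and function names are assumptions made for illustration.]

```python
import json
import os
import stat
import tempfile

# Hypothetical schema (an assumption, not nova's format):
# {neighbour cell name: {"role": ..., "driver": ..., "credentials": {...}}}
REQUIRED_KEYS = {"role", "driver", "credentials"}
ROLES = {"parent", "child"}  # immediate neighbours only
SAMPLE = {"child-cell-1": {"role": "child", "driver": "rpc",  # constructed
          "credentials": {"username": "cell1", "password": "placeholder"}}}


class CellsConfigError(Exception):
    """The per-node cells file is unsafe or malformed."""


def load_cells_config(path):
    """Return {cell_name: (driver, credentials)} from a private JSON file."""
    # O_NOFOLLOW: refuse a symlink planted at the config path.
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)
    with os.fdopen(fd) as fh:
        st = os.fstat(fh.fileno())  # inspect the file actually opened
        # Credentials are stored unencrypted, so file mode is the only guard.
        if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
            raise CellsConfigError("file must not be group/world accessible")
        if st.st_uid != os.geteuid():
            raise CellsConfigError("file must be owned by the service user")
        try:
            data = json.load(fh)
        except ValueError as exc:
            raise CellsConfigError("invalid JSON: %s" % exc)
    if not isinstance(data, dict):
        raise CellsConfigError("top level must be an object")
    cells = {}
    for name, entry in data.items():
        if not isinstance(entry, dict) or set(entry) != REQUIRED_KEYS:
            raise CellsConfigError("cell %r: need exactly %s" % (name, sorted(REQUIRED_KEYS)))
        if entry["role"] not in ROLES or not isinstance(entry["credentials"], dict):
            raise CellsConfigError("cell %r: bad role or credentials" % name)
        cells[name] = (entry["driver"], entry["credentials"])
    return cells


def demo():
    """Write the constructed sample with mode 0600 and load it back."""
    fd, path = tempfile.mkstemp(suffix=".json")  # mkstemp creates mode 0600
    with os.fdopen(fd, "w") as fh:
        json.dump(SAMPLE, fh)
    try:
        return load_cells_config(path)
    finally:
        os.unlink(path)
```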
