[openstack-dev] [infra] [keystone] pysaml2/xmlsec1 dep blocking keystone-to-keystone federation

Doug Hellmann doug at doughellmann.com
Tue Aug 26 14:29:13 UTC 2014


On Aug 26, 2014, at 10:18 AM, Steve Martinelli <stevemar at ca.ibm.com> wrote:

> 
> > From: Doug Hellmann <doug at doughellmann.com> 
> > To: "OpenStack Development Mailing List (not for usage questions)" 
> > <openstack-dev at lists.openstack.org>, 
> > Date: 08/26/2014 10:11 AM 
> > Subject: Re: [openstack-dev] [infra] [keystone] pysaml2/xmlsec1 dep 
> > blocking keystone-to-keystone federation 
> > 
> > 
> > On Aug 26, 2014, at 7:44 AM, Sean Dague <sean at dague.net> wrote:
> > 
> > > On 08/26/2014 05:38 AM, Thierry Carrez wrote:
> > >> Hi keystone/infra,
> > >> 
> > >> One key upcoming Juno feature (Keystone to keystone federation) is
> > >> currently blocked on adding pysaml2 to requirements:
> > >> 
> > >> https://review.openstack.org/#/c/113294/
> > >> 
> > >> It was -1ed by Doug after the discussion at the release meeting last
> > >> week, where the xmlsec1 dependency was raised as a potential infra issue.
> > >> 
> > >> There don't seem to be so many good alternatives though. Steve
> > >> mentioned saml, but it's a bit alpha, and I have no idea how much work
> > >> would be required to use that instead of pysaml2 at this point.
> > >> 
> > >> How blocking is the xmlsec1 dependency from an Infra perspective? How
> > >> doable would a migration to saml at this point be? I'm trying to find a
> > >> solution so that we can ship this feature :)
> > > 
> > > I don't think this has anything to do with Infra. xmlsec1 is included in
> > > Debian / Ubuntu and Fedora.
> > > 
> > > I think the complaint was about whether this library existed for MacOSX,
> > > which honestly, I *don't* think is a valid argument against adding a
> > > requirement as that's not a target environment for OpenStack.
> > 
> > My impression was this library would also be needed for keystone 
> > client, not just the server or middleware. Did I misunderstand?
> > 
> > Doug
> 
> Hey Doug, 
> 
> Just talked it over with Marek, we shouldn't need it for keystoneclient. Just the server side. 

Great! Sorry for the confusion. +2a

Doug

> 
> > 
> > > 
> > > I'm +2 on this moving forward. I feel that the keystone team answered
> > > the questions needed.
> > > 
> > >    -Sean
> > > 
> > > -- 
> > > Sean Dague
> > > http://dague.net
> > > 
> > > _______________________________________________
> > > OpenStack-dev mailing list
> > > OpenStack-dev at lists.openstack.org
> > > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
> > 
> > 



