[openstack-dev] [nova] global or per-project specific ssl config options, or both?

Matt Riedemann mriedem at linux.vnet.ibm.com
Thu Dec 4 04:57:30 UTC 2014

I've posted this to the 12/4 nova meeting agenda but figured I'd 
socialize it here also.

SSL options - do we make them per-project or global, or both? Neutron 
and Cinder have config-group specific SSL options in nova, Glance is 
using oslo sslutils global options since Juno which was contentious for 
a time in a separate review in Icehouse [1].

Now [2] wants to break that out for Glance, but we also have a patch [3] 
for Keystone to use the global oslo SSL options, we should be 
consistent, but does that require a blueprint now?

In the Icehouse patch, markmc suggested using a DictOpt where the 
default value is the global value, which could be coming from the oslo 
[ssl] group and then you could override that with a project-specific 
key, e.g. cinder, neutron, glance, keystone.

[1] https://review.openstack.org/#/c/84522/
[2] https://review.openstack.org/#/c/131066/
[3] https://review.openstack.org/#/c/124296/



Matt Riedemann

More information about the OpenStack-dev mailing list