[openstack-dev] [nova] global or per-project specific ssl config options, or both?
mriedem at linux.vnet.ibm.com
Thu Dec 4 21:51:22 UTC 2014
On 12/4/2014 6:02 AM, Davanum Srinivas wrote:
> +1 to @markmc's "default is global value and override for project
> specific key" suggestion.
> -- dims
> On Wed, Dec 3, 2014 at 11:57 PM, Matt Riedemann
> <mriedem at linux.vnet.ibm.com> wrote:
>> I've posted this to the 12/4 nova meeting agenda but figured I'd socialize
>> it here also.
>> SSL options - do we make them per-project or global, or both? Neutron and
>> Cinder have config-group specific SSL options in nova, Glance is using oslo
>> sslutils global options since Juno which was contentious for a time in a
>> separate review in Icehouse.
>> Now  wants to break that out for Glance, but we also have a patch  for
>> Keystone to use the global oslo SSL options, we should be consistent, but
>> does that require a blueprint now?
>> In the Icehouse patch, markmc suggested using a DictOpt where the default
>> value is the global value, which could be coming from the oslo [ssl] group
>> and then you could override that with a project-specific key, e.g. cinder,
>> neutron, glance, keystone.
>>  https://review.openstack.org/#/c/84522/
>>  https://review.openstack.org/#/c/131066/
>>  https://review.openstack.org/#/c/124296/
>> Matt Riedemann
The consensus in the nova meeting today, I think, was that we generally
like the idea of the DictOpt with global oslo ssl as the default and
then be able to configure that per-service if needed.
Does anyone want to put up a POC on how that would work to see how ugly
and/or usable that would be? I haven't dug into the DictOpt stuff yet
and am kind of time-constrained at the moment.
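
One possible reading of the "global default, per-service override" idea from the thread, added here as an example; it is not code from this thread, from nova or from oslo. It uses stdlib configparser rather than oslo.config, the `*_overrides` option names and all file paths are hypothetical, and the DictOpt-style "key:value,key:value" syntax is parsed by hand.

```python
import configparser

# Constructed sample config. ca_file/cert_file/key_file in [ssl] are the
# global values; the *_overrides options are hypothetical, not real options.
SAMPLE_CONF = """
[ssl]
ca_file = /etc/ssl/certs/global-ca.pem
cert_file = /etc/nova/ssl/client.crt
key_file = /etc/nova/ssl/client.key
ca_file_overrides = cinder:/etc/nova/ssl/cinder-ca.pem,glance:/etc/nova/ssl/glance-ca.pem
cert_file_overrides = glance:/etc/nova/ssl/glance-client.crt
"""

OPTIONS = ("ca_file", "cert_file", "key_file")


def parse_dict_value(raw):
    """Parse a DictOpt-style 'key:value,key:value' string into a dict."""
    result = {}
    for item in filter(None, (p.strip() for p in raw.split(","))):
        key, sep, value = item.partition(":")
        if not sep or not key.strip() or not value.strip():
            raise ValueError("malformed override entry: %r" % item)
        result[key.strip()] = value.strip()
    return result


def resolve_ssl(conf_text, service):
    """Return {option: (path, source)} for one service, global as default."""
    parser = configparser.ConfigParser()
    parser.read_string(conf_text)
    ssl = parser["ssl"]
    resolved = {}
    for opt in OPTIONS:
        overrides = parse_dict_value(ssl.get(opt + "_overrides", ""))
        if service in overrides:
            resolved[opt] = (overrides[service], service)
        else:
            resolved[opt] = (ssl.get(opt), "global")
    # A client cert and its key must come from the same scope; a per-service
    # cert silently paired with the global key is treated as a misconfiguration.
    if resolved["cert_file"][1] != resolved["key_file"][1]:
        raise ValueError("%s: cert_file and key_file set in different scopes"
                         % service)
    return resolved
```

With the sample above, cinder gets its own CA and the global client cert and key, keystone gets everything from the global values, and glance is rejected because it overrides cert_file without key_file.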