[openstack-dev] [nova] global or per-project specific ssl config options, or both?

Matthew Gilliard matthew.gilliard at gmail.com
Fri Dec 5 10:07:08 UTC 2014 

Hi Matt, Nova,

  I'll look into this.

Gilliard

On Thu, Dec 4, 2014 at 9:51 PM, Matt Riedemann
<mriedem at linux.vnet.ibm.com> wrote:
>
>
> On 12/4/2014 6:02 AM, Davanum Srinivas wrote:
>>
>> +1 to @markmc's "default is global value and override for project
>> specific key" suggestion.
>>
>> -- dims
>>
>>
>>
>> On Wed, Dec 3, 2014 at 11:57 PM, Matt Riedemann
>> <mriedem at linux.vnet.ibm.com> wrote:
>>>
>>> I've posted this to the 12/4 nova meeting agenda but figured I'd
>>> socialize
>>> it here also.
>>>
>>> SSL options - do we make them per-project or global, or both? Neutron and
>>> Cinder have config-group specific SSL options in nova, Glance is using
>>> oslo
>>> sslutils global options since Juno which was contentious for a time in a
>>> separate review in Icehouse [1].
>>>
>>> Now [2] wants to break that out for Glance, but we also have a patch [3]
>>> for
>>> Keystone to use the global oslo SSL options, we should be consistent, but
>>> does that require a blueprint now?
>>>
>>> In the Icehouse patch, markmc suggested using a DictOpt where the default
>>> value is the global value, which could be coming from the oslo [ssl]
>>> group
>>> and then you could override that with a project-specific key, e.g.
>>> cinder,
>>> neutron, glance, keystone.
>>>
>>> [1] https://review.openstack.org/#/c/84522/
>>> [2] https://review.openstack.org/#/c/131066/
>>> [3] https://review.openstack.org/#/c/124296/
>>>
>>> --
>>>
>>> Thanks,
>>>
>>> Matt Riedemann
>>>
>>>
>>> _______________________________________________
>>> OpenStack-dev mailing list
>>> OpenStack-dev at lists.openstack.org
>>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>>
>>
>>
>>
>
> The consensus in the nova meeting today, I think, was that we generally like
> the idea of the DictOpt with global oslo ssl as the default and then be able
> to configure that per-service if needed.
>
> Does anyone want to put up a POC on how that would work to see how ugly
> and/or usable that would be?  I haven't dug into the DictOpt stuff yet and
> am kind of time-constrained at the moment.
>
>
> --
>
> Thanks,
>
> Matt Riedemann
>
>
> _______________________________________________
> OpenStack-dev mailing list
> OpenStack-dev at lists.openstack.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

More information about the OpenStack-dev mailing list