[openstack-dev] a "common" client library

Justin Hammond justin.hammond at RACKSPACE.COM
Thu Jan 16 16:19:45 UTC 2014


My prioritization of noauth is rooted in the fact that we're finding that
the current pattern of hitting auth to validate a token is not scaling
well. Out current solution to this scale issue is:

- use noauth when possible between the services
- use normal auth for public services
- provide a method to create a 'trusted environment'

While this problem may not be prevalent in other deployments I will add
that support noauth in the client 'just makes sense' when the services
themselves support them.

For instance our setup looks like:

User -> Auth to Nova -> Nova/Computes -> NoAuth to neutron in 'trusted
environment'

It saves quite a few calls to identity in this way and scales a lot better.

On 1/16/14 11:06 AM, "Dean Troyer" <dtroyer at gmail.com> wrote:

>On Thu, Jan 16, 2014 at 9:37 AM, Jesse Noller
><jesse.noller at rackspace.com> wrote:
>
>On Jan 16, 2014, at 9:26 AM, Justin Hammond
><justin.hammond at RACKSPACE.COM> wrote:
>
>
>I'm not sure if it was said, but which httplib using being used (urllib3
>maybe?). Also I noticed many people were talking about supporting auth
>properly, but are there any intentions to properly support 'noauth'
>(python-neutronclient, for instance, doesn't support it properly as of
>this writing)? 
>
>
>
>
>Can you detail out noauth for me; and I would say the defacto httplib in
>python today is python-requests - urllib3 is also good but I would say
>from a *consumer* standpoint requests offers more in terms of usability /
>extensibility 
>
>
>
>
>
>
>requests is built on top of urllib3 so there's that...
>
>The biggest reaon I favor using Jamie Lennox's new session layer stuff in
>keystoneclient is that it better reflects the requests API instead of it
>being stuffed in after the fact.  And as the one responsible for that
>stuffing, it was pretty blunt and really needs to be cleaned up more than
>Alessio did.
>
>only a few libs (maybe just glance and swift?) don't use requests at this
>point and I think the resistance there is the chunked transfers they both
>do.
>
>I'm really curious what 'noauth' means against APIs that have few, if
>any, calls that operate without a valid token.
>
>dt
>
>-- 
>
>Dean Troyer
>dtroyer at gmail.com
>
>
>_______________________________________________
>OpenStack-dev mailing list
>OpenStack-dev at lists.openstack.org
>http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev




More information about the OpenStack-dev mailing list