[openstack-dev] REST API access to configuration options

Henry Nash henryn at linux.vnet.ibm.com
Tue Jul 15 07:54:43 UTC 2014


HI

As the number of configuration options increases and OpenStack installations become more complex, the chances of incorrect configuration increases. There is no better way of enabling cloud providers to be able to check the configuration state of an OpenStack service than providing a direct REST API that allows the current running values to be inspected. Having an API to provide this information becomes increasingly important for dev/ops style operation.

As part of Keystone we are considering adding such an ability (see: https://review.openstack.org/#/c/106558/).  However, since this is the sort of thing that might be relevant to and/or affect other projects, I wanted to get views from the wider dev audience.  

Any such change obviously has to take security in mind - and as the spec says, just like when we log config options, any options marked as secret will be obfuscated.  In addition, the API will be protected by the normal policy mechanism and is likely in most installations to be left as "admin required".  And of course, since it is an extension, if a particular installation does not want to use it, they don't need to load it.

Do people think this is a good idea?  Useful in other projects?  Concerned about the risks?

Henry
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 495 bytes
Desc: Message signed with OpenPGP using GPGMail
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20140715/d234c30d/attachment.pgp>


More information about the OpenStack-dev mailing list