[openstack-dev] REST API access to configuration options

joehuang joehuang at huawei.com
Wed Jul 16 00:20:33 UTC 2014


Hello, 

My personal view is that not to put all configuration options being accessed by RESTFUL API, but for these configurations which will leads to restart the controller nodes should be able to be configured dynamically through RESTFUL api.

There are lots of configuration change only become valid after the controller nodes restart. It's hard for the O&M If too many such configuration because any change should be taken into account whether the change will break the cloud service continuity or not.

Best Regards
Chaoyi Huang ( Joe Huang )

-----邮件原件-----
发件人: Mark McLoughlin [mailto:markmc at redhat.com] 
发送时间: 2014年7月15日 17:08
收件人: OpenStack Development Mailing List (not for usage questions)
主题: Re: [openstack-dev] REST API access to configuration options

On Tue, 2014-07-15 at 08:54 +0100, Henry Nash wrote:
> HI
> 
> As the number of configuration options increases and OpenStack 
> installations become more complex, the chances of incorrect 
> configuration increases. There is no better way of enabling cloud 
> providers to be able to check the configuration state of an OpenStack 
> service than providing a direct REST API that allows the current 
> running values to be inspected. Having an API to provide this 
> information becomes increasingly important for dev/ops style 
> operation.
> 
> As part of Keystone we are considering adding such an ability (see:
> https://review.openstack.org/#/c/106558/).  However, since this is the 
> sort of thing that might be relevant to and/or affect other projects, 
> I wanted to get views from the wider dev audience.
> 
> Any such change obviously has to take security in mind - and as the 
> spec says, just like when we log config options, any options marked as 
> secret will be obfuscated.  In addition, the API will be protected by 
> the normal policy mechanism and is likely in most installations to be 
> left as "admin required".  And of course, since it is an extension, if 
> a particular installation does not want to use it, they don't need to 
> load it.
> 
> Do people think this is a good idea?  Useful in other projects?
> Concerned about the risks?

I would have thought operators would be comfortable gleaning this information from the log files?

Also, this is going to tell you how the API service you connected to was configured. Where there are multiple API servers, what about the others?
How do operators verify all of the API servers behind a load balancer with this?

And in the case of something like Nova, what about the many other nodes behind the API server?

Mark.


_______________________________________________
OpenStack-dev mailing list
OpenStack-dev at lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev


More information about the OpenStack-dev mailing list