[openstack-dev] [Keystone][Fernet] HA SQL backend for Fernet keys

Lance Bragstad lbragstad at gmail.com
Mon Aug 3 13:10:51 UTC 2015


On Mon, Aug 3, 2015 at 7:03 AM, David Stanek <dstanek at dstanek.com> wrote:

>
> On Mon, Aug 3, 2015 at 7:14 AM, Davanum Srinivas <davanum at gmail.com>
> wrote:
>
>> Agree. "Native HA solution" was already ruled out in several email
>> threads by Keystone cores already (if I remember right). This is a
>> devops issue and should be handled as such was the feedback.
>>
>
> I'm sure you are right. I'm not sure why we would want to add that much
> complexity into Keystone.
>

++, I think the more complicated the tool to distribute the keys, the more
complex it is to troubleshoot issues when things go south. If you have an
issue with a single Keystone node, you have to understand whatever
mechanism that keeps keys in sync, as well as what could go wrong and how
to fix it. This is in comparison to something, or some Ansible script, that
is idempotent and can be applied against the whole cluster, or a single
node. The ability of having a staged key buys you time in the key
distribution process.

>
>
>
> --
> David
> blog: http://www.traceback.org
> twitter: http://twitter.com/dstanek
> www: http://dstanek.com
>
>
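An added example, not part of the original message and not Keystone's code: a simplified model of why a staged key buys time during key distribution. It assumes the Fernet repository layout in which index 0 is the staged key and the highest index is the primary, uses HMAC-SHA256 in place of real Fernet tokens, and does not model pruning of old keys; all function names are hypothetical.

```python
import hashlib
import hmac
import os

# Assumed repository layout: index 0 = staged key, highest index = primary
# (signs new tokens), anything in between = secondary (validation only).
# HMAC-SHA256 stands in for Fernet so the model runs on the standard library.

def new_repo():
    """Create a repository holding one staged key and one primary key."""
    return {0: os.urandom(32), 1: os.urandom(32)}

def rotate(repo):
    """Promote the staged key to primary and stage a fresh key."""
    rotated = dict(repo)
    rotated[max(repo) + 1] = rotated[0]
    rotated[0] = os.urandom(32)
    return rotated

def issue(repo, payload):
    """Sign a payload with the primary key of this node's repository."""
    primary = repo[max(repo)]
    return payload, hmac.new(primary, payload, hashlib.sha256).digest()

def validate(repo, token):
    """Accept the token if any key in this node's repository verifies it."""
    payload, tag = token
    return any(
        hmac.compare_digest(tag, hmac.new(key, payload, hashlib.sha256).digest())
        for key in repo.values()
    )

def demo():
    """Return validation results for a cluster caught mid-distribution."""
    synced = new_repo()
    node_a = rotate(synced)   # rotation ran on A; keys not yet pushed to B
    node_b = dict(synced)     # B still holds the previous repository
    # A's new primary is the key B already holds as staged, so B accepts it.
    one_behind = validate(node_b, issue(node_a, b"user=alice"))
    # B's primary remains on A as a secondary key, so A accepts B's tokens.
    old_token_ok = validate(node_a, issue(node_b, b"user=bob"))
    # A second rotation before any sync uses a key B has never seen.
    node_a2 = rotate(node_a)
    two_behind = validate(node_b, issue(node_a2, b"user=carol"))
    return one_behind, old_token_ok, two_behind
```

The window the staged key provides is one rotation: the distribution run has to reach every node before the next rotation happens.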