[openstack-dev] [all] service catalog: TNG
Clint Byrum
clint at fewbar.com
Fri Oct 9 17:24:18 UTC 2015
Excerpts from Adam Young's message of 2015-10-09 09:51:55 -0700:
> On 10/09/2015 12:28 PM, Monty Taylor wrote:
> > On 10/09/2015 11:21 AM, Shamail wrote:
> >>
> >>
> >>> On Oct 9, 2015, at 10:39 AM, Sean Dague <sean at dague.net> wrote:
> >>>
> >>> It looks like some great conversation got going on the service catalog
> >>> standardization spec / discussion at the last cross project meeting.
> >>> Sorry I wasn't there to participate.
> >>>
> >> Apologize if this is a question that has already been address but why
> >> can't we just leverage something like consul.io?
> >
> > It's a good question and there have actually been some discussions
> > about leveraging it on the backend. However, even if we did, we'd
> > still need keystone to provide the multi-tenancy view on the subject.
> > consul wasn't designed (quite correctly I think) to be a user-facing
> > service for 50k users.
> >
> > I think it would be an excellent backend.
>
> The better question is, "Why are we not using DNS for the service catalog?"
>
Agreed, we're using HTTP and JSON for what DNS is supposed to do.
As an aside, consul has a lovely DNS interface.
> Right now, we have the aspect of "project filtering of endpoints" which
> means that a token does not need to have every endpoint for a specified
> service. If we were to use DNS, how would that map to the existing
> functionality.
>
There are a number of "how?" answers, but the "what?" question is the
more interesting one. As in, what is the actual point of this
functionality, and what do people want to do per-project?
I think what really ends up happening is you have 99.9% the same
catalogs to the majority of projects, with a few getting back a
different endpoint or two. For that, it seems like you would have two
queries needed in the "discovery" phase:
SRV compute.myprojectid.region1.mycloud.com
SRV compute.region1.mycloud.com
Use the first one you get an answer for. Keystone would simply add
or remove entries for special project<->endpoint mappings. You don't
need Keystone to tell you what your project ID is, so you just make
these queries. When you get a negative answer, respect the TTL and stop
querying for it.
Did I miss a use case with that?
>
> Can we make better use of regions to help in endpoint filtering/selection?
>
> Do we still need a query to Keystone to play arbiter if there are two
> endpoints assigned for a specific use case to help determine which is
> appropriate?
>
I'd hope not. If the user is authorized then they should be able
to access the endpoint that they're assigned to. It's confusing to
me sometimes how keystone is thought of as an authorization service,
when it is named "Identity", and primarily performs authentication and
service discovery.
More information about the OpenStack-dev
mailing list