[openstack-dev] [tc][ptl][keystone] Proposal to split authentication part out of Keystone to separated project

Monty Taylor mordred at inaugust.com
Fri Apr 8 17:06:06 UTC 2016


On 04/08/2016 11:12 AM, Andy Smith wrote:
> Aaaaaahahahahhahahahhaahhahahahahahahahahhahhahahahahhahaha

This is the indication that this thread wins.

> On Thu, Apr 7, 2016 at 6:23 AM Lance Bragstad <lbragstad at gmail.com
> <mailto:lbragstad at gmail.com>> wrote:
>
>     In response to point 2.2, the progress with Fernet in the last year
>     has exposed performance pain points in keystone. Finding sensible
>     solutions for those issues is crucial in order for people to adopt
>     Fernet. In Mitaka we had a lot of discussion that resulted in
>     landing several performance related patches.
>
>     As of today, we're already focusing on scalability, performance, and
>     simplicity. I'm afraid a project split would only delay the work
>     we're doing right now.
>
>     On Wed, Apr 6, 2016 at 5:34 PM, Morgan Fainberg
>     <morgan.fainberg at gmail.com <mailto:morgan.fainberg at gmail.com>> wrote:
>
>
>
>         On Wed, Apr 6, 2016 at 6:29 PM, David Stanek
>         <dstanek at dstanek.com <mailto:dstanek at dstanek.com>> wrote:
>
>
>             On Wed, Apr 6, 2016 at 3:26 PM Boris Pavlovic
>             <bpavlovic at mirantis.com <mailto:bpavlovic at mirantis.com>> wrote:
>
>
>                 2) This will reduce scope of Keystone, which means 2 things
>                 2.1) Smaller code base that has less issues and is
>                 simpler for testing
>                 2.2) Keystone team would be able to concentrate more on
>                 fixing perf/scalability issues of authorization, which
>                 is crucial at the moment for large clouds.
>
>
>             I'm not sure that this is entirely true. If we truly just
>             split up the project, meaning we don't remove functionality,
>             then we'd have the same number of bugs and work. It would
>             just be split across two projects.
>
>             I think the current momentum to get out of the authn
>             business is still our best bet. As Steve mentioned this is
>             ongoing work.
>
>             -- David
>
>
>         What everyone else said... but add in the need then to either
>         pass the AuthN over to the Assignment/AuthZ api or bake it in
>         (via apache module?) and we are basically where we are now.
>
>         Steve alluded to splitting out the authentication bit (but not
>         to a new service), the idea there is to make it so AuthN is not
>         part of the CRUD interface of the server. All being said, AuthN
>         and AuthZ are going to be hard to split into two separate
>         services and with exception of the unfounded "scope" benefit, we
>         already can handle most of what you've proposed with zero
>         changes to Keystone.
>
>         Cheers,
>         --Morgan
>
>
>         __________________________________________________________________________
>         OpenStack Development Mailing List (not for usage questions)
>         Unsubscribe:
>         OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
>         <http://OpenStack-dev-request@lists.openstack.org?subject:unsubscribe>
>         http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>
>
>     __________________________________________________________________________
>     OpenStack Development Mailing List (not for usage questions)
>     Unsubscribe:
>     OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
>     <http://OpenStack-dev-request@lists.openstack.org?subject:unsubscribe>
>     http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>
>
>
> __________________________________________________________________________
> OpenStack Development Mailing List (not for usage questions)
> Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>




More information about the OpenStack-dev mailing list