[openstack-dev] [tc][ptl][keystone] Proposal to split authentication part out of Keystone to separated project
Brad Topol
btopol at us.ibm.com
Fri Apr 8 17:15:00 UTC 2016
If Termie comes out of retirement to respond to a thread are there really
any winners??? :-)
--Brad
Brad Topol, Ph.D.
IBM Distinguished Engineer
OpenStack
(919) 543-0646
Internet: btopol at us.ibm.com
Assistant: Kendra Witherspoon (919) 254-0680
From: Monty Taylor <mordred at inaugust.com>
To: "OpenStack Development Mailing List (not for usage questions)"
<openstack-dev at lists.openstack.org>
Date: 04/08/2016 01:10 PM
Subject: Re: [openstack-dev] [tc][ptl][keystone] Proposal to split
authentication part out of Keystone to separated project
On 04/08/2016 11:12 AM, Andy Smith wrote:
> Aaaaaahahahahhahahahhaahhahahahahahahahahhahhahahahahhahaha
This is the indication that this thread wins.
> On Thu, Apr 7, 2016 at 6:23 AM Lance Bragstad <lbragstad at gmail.com
> <mailto:lbragstad at gmail.com>> wrote:
>
> In response to point 2.2, the progress with Fernet in the last year
> has exposed performance pain points in keystone. Finding sensible
> solutions for those issues is crucial in order for people to adopt
> Fernet. In Mitaka we had a lot of discussion that resulted in
> landing several performance related patches.
>
> As of today, we're already focusing on scalability, performance, and
> simplicity. I'm afraid a project split would only delay the work
> we're doing right now.
>
> On Wed, Apr 6, 2016 at 5:34 PM, Morgan Fainberg
> <morgan.fainberg at gmail.com <mailto:morgan.fainberg at gmail.com>> wrote:
>
>
>
> On Wed, Apr 6, 2016 at 6:29 PM, David Stanek
> <dstanek at dstanek.com <mailto:dstanek at dstanek.com>> wrote:
>
>
> On Wed, Apr 6, 2016 at 3:26 PM Boris Pavlovic
> <bpavlovic at mirantis.com <mailto:bpavlovic at mirantis.com>>
wrote:
>
>
> 2) This will reduce scope of Keystone, which means 2
things
> 2.1) Smaller code base that has less issues and is
> simpler for testing
> 2.2) Keystone team would be able to concentrate more on
> fixing perf/scalability issues of authorization, which
> is crucial at the moment for large clouds.
>
>
> I'm not sure that this is entirely true. If we truly just
> split up the project, meaning we don't remove functionality,
> then we'd have the same number of bugs and work. It would
> just be split across two projects.
>
> I think the current momentum to get out of the authn
> business is still our best bet. As Steve mentioned this is
> ongoing work.
>
> -- David
>
>
> What everyone else said... but add in the need then to either
> pass the AuthN over to the Assignment/AuthZ api or bake it in
> (via apache module?) and we are basically where we are now.
>
> Steve alluded to splitting out the authentication bit (but not
> to a new service), the idea there is to make it so AuthN is not
> part of the CRUD interface of the server. All being said, AuthN
> and AuthZ are going to be hard to split into two separate
> services and with exception of the unfounded "scope" benefit, we
> already can handle most of what you've proposed with zero
> changes to Keystone.
>
> Cheers,
> --Morgan
>
>
>
__________________________________________________________________________
> OpenStack Development Mailing List (not for usage questions)
> Unsubscribe:
> OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
> <
http://OpenStack-dev-request@lists.openstack.org?subject:unsubscribe>
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>
>
>
__________________________________________________________________________
> OpenStack Development Mailing List (not for usage questions)
> Unsubscribe:
> OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
> <http://OpenStack-dev-request@lists.openstack.org?subject:unsubscribe
>
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>
>
>
>
__________________________________________________________________________
> OpenStack Development Mailing List (not for usage questions)
> Unsubscribe:
OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>
__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20160408/51c15334/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: graycol.gif
Type: image/gif
Size: 105 bytes
Desc: not available
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20160408/51c15334/attachment.gif>
More information about the OpenStack-dev
mailing list