[openstack-dev] [keystone] orchestration and db_sync

Dolph Mathews dolph.mathews at gmail.com
Tue May 31 13:46:12 UTC 2016


On Tue, May 31, 2016 at 8:41 AM David Stanek <dstanek at dstanek.com> wrote:

> On Fri, May 27, 2016 at 12:08 PM, Ryan Hallisey <rhallise at redhat.com>
> wrote:
>
> These changes do not all happen at the same time for an OpenStack
> installation.
>
> >     - Create the service's users and add a password into the database
>
> Should only happen once during installation.
>
> >     - Sync the service with the database
>
> Should happen during installation and for every upgrade.
>
> >     - Start the service
> >
> > I was wondering if for some services they could be aware of whether or not
> > they need to sync with the database at startup.  Or maybe the service runs
> > a db_sync every time it starts?  I figured I would start a thread about this
> > because Keystone has some flexibility when running N+1 in a cluster of N. If
> > Keystone could have that ability maybe Keystone could db_sync each time it
> > starts without harming the cluster?
>
> This isn't something I would want to see for a few reasons. The most
> important one is that I think the decision to run db_sync needs to be
> explicit. An operator should run it when they are ready (maybe they
> need to shut something down, ensure up-to-date backups, etc.).
>

+1


>
> Another issue is database modification permissions. The user running
> the application, as well as the DB user the application uses,
> shouldn't have access to DML for security reasons. Little Bobby
> Tables' mom found this out the hard way[1].
>

+2


>
> 1. https://xkcd.com/327/
>
> --
> David
> blog: http://www.traceback.org
> twitter: http://twitter.com/dstanek
> www: http://dstanek.com
>
-- 
-Dolph