[openstack-dev] [keystone] removing domain configuration upload via keystone-manage

Colleen Murphy colleen at gazlene.net
Wed Jun 28 20:53:47 UTC 2017

> On Wed, Jun 28, 2017 at 2:00 AM, Lance Bragstad <lbragstad at gmail.com>
> wrote:
>> Hi all,
>> Keystone has deprecated the domain configuration upload capability
>> provided through `keystone-manage`. We discussed its removal in today's
>> meeting [0] and wanted to send a quick note to the operator list. The
>> ability to upload a domain config into keystone was done as a stop-gap
>> until the API was marked as stable [1]. It seems as though file-based
>> domain configuration was only a band-aid until full support was done.
>> Of the operators using the domain config API in keystone, how many are
>> backing their configurations with actual configuration files versus the API?
>> [0] http://eavesdrop.openstack.org/meetings/keystone/2017/keystone.2017-06-27-18.00.log.html#l-167
>> [1] https://github.com/openstack/keystone/commit/a5c5f5bce812fad3c6c88a23203bd6c00451e7b3

I am not clear on why we need to deprecate and remove file-backed domain
configuration. The way I see it:

* It's reflective with the primary configuration, so I can copy over the
chunks I need from keystone.conf into
/etc/keystone/domains/keystone.domain.conf without thinking too hard about
* It's convenient for deployment tools to just lay down config files
* It's not that much extra effort for the keystone team to maintain (is it?)

The use case for file-backed domain configs is for smaller clouds with just
one or two LDAP-backed domains. There's not a real need for users to change
domain configs so the file-backed config is plenty fine. I don't see a lot
of gain from removing that functionality.

I don't particularly care about the keystone-manage tool; if that goes away
it would still be relatively easy to write a Python script to parse and
upload configs if a user does eventually decide to transition.

As a side note, SUSE happens to be using file-backed domain configs in our
product. It would not be a big deal to rewrite that bit to use the API, but
I think it's just as easy to let us keep using it.
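
Added example, not part of the original message and not keystone's or SUSE's code: a parse step for the kind of script mentioned above, which turns a file-backed domain config into a request body and masks the LDAP bind password before anything is printed or logged. It assumes the `keystone.<domain_name>.conf` naming seen in the path above and the `{"config": {...}}` body of `PUT /v3/domains/{domain_id}/config` from the Identity v3 API; function names and the sample file are constructed.

```python
import configparser
import json
import os
import re

# Assumption: options to mask before logging; extend for your deployment.
SENSITIVE = {("ldap", "password")}
# File names follow keystone.<domain_name>.conf
_NAME_RE = re.compile(r"^keystone\.(?P<domain>.+)\.conf$")


def domain_from_filename(path):
    m = _NAME_RE.match(os.path.basename(path))
    if not m:
        raise ValueError("not a domain config file name: %r" % path)
    return m.group("domain")


def parse_domain_config(text):
    """Turn INI text into {"config": {group: {option: value}}}."""
    parser = configparser.ConfigParser(
        interpolation=None,          # LDAP values may contain '%'
        default_section="__none__",  # keep [DEFAULT] from leaking into groups
    )
    parser.read_string(text)
    return {"config": {s: dict(parser.items(s)) for s in parser.sections()}}


def redacted(body):
    """Copy of the request body that is safe to print or log."""
    return {"config": {
        group: {k: ("***" if (group, k) in SENSITIVE else v)
                for k, v in opts.items()}
        for group, opts in body["config"].items()}}


# Constructed sample, not taken from a real deployment.
SAMPLE_PATH = "/etc/keystone/domains/keystone.domain.conf"
SAMPLE_TEXT = """\
[identity]
driver = ldap
[ldap]
url = ldap://ldap.example.test
password = s3cr3t%value
"""

if __name__ == "__main__":
    body = parse_domain_config(SAMPLE_TEXT)
    print(domain_from_filename(SAMPLE_PATH))
    print(json.dumps(redacted(body), indent=2))
```

The unredacted body is what would be sent to the API over TLS; only the `redacted()` copy should reach stdout, CI logs or deployment-tool output.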
