[openstack-dev] [keystone] removing domain configuration upload via keystone-manage
s.martinelli at gmail.com
Wed Jun 28 21:22:34 UTC 2017
++ to what colleen said. I've always preferred using the file-backed
I think we deprecated it for completeness and to only have a single tool
for configuring LDAP-backed domains. If it's tested well enough and not
much effort to support then we should keep it around as an alternative
method for configuring LDAP-backed domains.
On Wed, Jun 28, 2017 at 4:53 PM, Colleen Murphy <colleen at gazlene.net> wrote:
> On Wed, Jun 28, 2017 at 2:00 AM, Lance Bragstad <lbragstad at gmail.com>
>>> Hi all,
>>> Keystone has deprecated the domain configuration upload capability
>>> provided through `keystone-manage`. We discussed it's removal in today's
>>> meeting  and wanted to send a quick note to the operator list. The
>>> ability to upload a domain config into keystone was done as a stop-gap
>>> until the API was marked as stable . It seems as though file-based
>>> domain configuration was only a band-aid until full support was done.
>>> Of the operators using the domain config API in keystone, how many are
>>> backing their configurations with actual configuration files versus the API?
>>>  http://eavesdrop.openstack.org/meetings/keystone/2017/keysto
>>> ne.2017-06-27-18.00.log.html#l-167  https://github.com/openstack/k
>> I am not clear on why we need to deprecate and remove file-backed domain
> configuration. The way I see it:
> * It's reflectve with the primary configuration, so I can copy over the
> chunks I need from keystone.conf into /etc/keystone/domains/keystone.domain.conf
> without thinking too hard about it
> * It's convenient for deployment tools to just lay down config files
> * It's not that much extra effort for the keystone team to maintain (is
> The use case for file-backed domain configs is for smaller clouds with
> just one or two LDAP-backed domains. There's not a real need for users to
> change domain configs so the file-backed config is plenty fine. I don't see
> a lot of gain from removing that functionality.
> I don't particularly care about the keystone-manage tool, if that goes
> away it would still be relatively easy to write a python script to parse
> and upload configs if a user does eventually decide to transition.
> As a side note, SUSE happens to be using file-backed domain configs in our
> product. It would not be a big deal to rewrite that bit to use the API, but
> I think it's just as easy to let us keep using it.
> OpenStack Development Mailing List (not for usage questions)
> Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the OpenStack-dev