With the aim of replacing httplib and cert validation with requests[1], I've put forward the following review to use the requests library for auth_token middleware.

https://review.openstack.org/#/c/34161/

This adds 2 new config options.
- The ability to provide CAs to validate https connections against.
- The ability to set insecure to ignore https validation.

By default requests will validate connections against the system CAs. So given that we currently don't verify SSL connections, do we need to default insecure to true?

Maintaining compatibility should win here as I imagine there are a great number of auth_token deployments using SSL with invalid/self-signed certificates that would be broken, but defaulting to insecure just seems wrong.

Given that keystone isn't the only project moving away from httplib, how are other projects handling this? How do we end up with reasonable defaults? Is there any amount of warning that we could give to change a default like this - or is this another one of those version 1.0 issues?

Jamie

[1] https://bugs.launchpad.net/keystone/+bug/1188189

_______________________________________________
OpenStack-dev mailing list
[email protected]
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
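The two options described in the message map onto the `verify` argument that requests accepts (`True`, `False`, or a path to a CA bundle). The following is an added example, not code from the review: it shows one way to keep the legacy unverified behaviour only when the operator has configured nothing, and to warn when that happens. The option names `insecure` and `cafile`, the function name and the `legacy_default_insecure` switch are assumptions made for illustration.

```python
import os
import warnings


def resolve_verify(conf, legacy_default_insecure=True):
    """Return the value to pass as verify= to a requests call.

    conf is a dict of middleware options (names are assumptions):
      'insecure': True / False, or absent when the operator never set it
      'cafile'  : path to a PEM bundle of trusted CAs, or absent
    legacy_default_insecure is a hypothetical transition switch; flip it to
    False in the release where verification becomes the default.
    """
    insecure = conf.get("insecure")  # None means "not configured"
    cafile = conf.get("cafile")

    if insecure is None:
        if cafile:
            # Supplying CAs is an explicit request for validation.
            insecure = False
        else:
            insecure = legacy_default_insecure
            if insecure:
                # Old behaviour kept for compatibility, but made visible.
                warnings.warn(
                    "auth_token is not validating the HTTPS certificate; "
                    "set 'cafile' or 'insecure' explicitly, the default "
                    "will change to validation",
                    FutureWarning,
                )

    if insecure:
        if cafile:
            warnings.warn("'cafile' is ignored because 'insecure' is set",
                          UserWarning)
        return False  # requests skips certificate validation

    if cafile:
        # Fail at start-up rather than on the first token validation.
        if not os.path.isfile(cafile):
            raise ValueError("cafile not found: %s" % cafile)
        return cafile  # validate against the operator's CA bundle

    return True  # validate against the system CAs
```

The returned value is passed straight through, for example `requests.get(url, verify=resolve_verify(conf))`.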
