ok, thanks for Morgan and Brant's comments, will rework the patch based on the comments, thanks!
Best Regards! Kevin (Chen) Ji 纪 晨 Engineer, zVM Development, CSTL Notes: Chen CH Ji/China/IBM@IBMCN Internet: [email protected] Phone: +86-10-82451493 Address: 3/F Ring Building, ZhongGuanCun Software Park, Haidian District, Beijing 100193, PRC From: Morgan Fainberg <[email protected]> To: "OpenStack Development Mailing List (not for usage questions)" <[email protected]> Date: 08/17/2017 07:51 AM Subject: Re: [openstack-dev] [nova][keystone] keystoneauth1 and keystonemiddle setting On Aug 16, 2017 11:31, "Brant Knudson" <[email protected]> wrote: On Mon, Aug 14, 2017 at 2:48 AM, Chen CH Ji <[email protected]> wrote: In fixing bug 1704798, there's a proposed patch https://review.openstack.org/#/c/485121/7 but we stuck at http_connection_timeout and timeout value in keystoneauth1 and keystonemiddle repo basically we want to reuse the keystone_auth section in nova.conf to avoid create another section so we can use following to create a session sess = ks_loading.load_session_from_conf_options(CONF, 'keystone_authtoken', auth=context.get_auth_plugin()) any comments or we have to create another section and configure it anyway? thanks Best Regards! Kevin (Chen) Ji 纪 晨 Engineer, zVM Development, CSTL Notes: Chen CH Ji/China/IBM@IBMCN Internet: [email protected] Phone: +86-10-82451493 Address: 3/F Ring Building, ZhongGuanCun Software Park, Haidian District, Beijing 100193, PRC __________________________________________________________________________ OpenStack Development Mailing List (not for usage questions) Unsubscribe: [email protected]?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev I think reusing the keystone_authtoken config is a bad idea. keystone_authtoken contains the configuration for the auth_token middleware so this is what we keystone developers expect it to be used for. A deployment may have different security needs for the auth_token middleware vs checking quotas in which case they'll need different users or project for the auth_token middleware and quota checking. And even if we don't need it now we might need it in the future, and it's going to create a lot of work going forward to rearchitect. If a deployer wants to use the same authentication for both auth_token middleware and the proxy, they can create a new section with the config and point both keystone_authtoken and quota checking to it (by setting the auth_section). -- - Brant __________________________________________________________________________ OpenStack Development Mailing List (not for usage questions) Unsubscribe: [email protected]?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev What Brant said. Please do not lean on the options from keystone middleware for anything outside of keystone middleware. We have had to change these options before and those changes should only ever impact the keystone middleware code. If you re-use those options for something in Nova, it will likely break and need to be split into it's own option block in the future. Please create a new option block (even if a deployers uses the same user/passord) rather than using the authtoken config section for anything outside of authtoken. --Morgan __________________________________________________________________________ OpenStack Development Mailing List (not for usage questions) Unsubscribe: [email protected]?subject:unsubscribe https://urldefense.proofpoint.com/v2/url?u=http-3A__lists.openstack.org_cgi-2Dbin_mailman_listinfo_openstack-2Ddev&d=DwIGaQ&c=jf_iaSHvJObTbx-siA1ZOg&r=8sI5aZT88Uetyy_XsOddbPjIiLSGM-sFnua3lLy2Xr0&m=tObIBKyCbf77oLwdSwaHb3_FM8au2aTVSaHGYMH8-1Q&s=vRncIuk0n5yybdLrZA8uRBC3A0UZDhzj5-pX5alqUc0&e=
__________________________________________________________________________ OpenStack Development Mailing List (not for usage questions) Unsubscribe: [email protected]?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
