>>>>> Date: Mon, 11 Feb 2013 17:02:11 +0200 >>>>> From: Gary Kotton <[email protected]> >>>>> Subject: Re: [Quantum-core] Move auth_token configuration to >>>>> quantum.conffrom api-paste > > On 02/11/2013 04:46 PM, Akihiro MOTOKI wrote: > > Thanks Dan, > > > > I will post the patch. > > I confirmed this change does not break the backward compat. > > If both api-paste.ini and quantum.conf have auth_token configurations, > > configurations from api-paste are used. > > > > I will also update the admin guide after G-3. > > "DocImpact" flag is useful for such changes. > > I am in favor of the change. I think that this requires a devstack > change. This should be in prior to us approving the Quantum patch.
I uploaded the devstack support. I noticed changing devstack has a dependency. devstack update needs to be done AFTER the change in Quantum is merged. I added a migration logic which comments out the existing configurations in api-paste.ini. The combination of Quantum before the change and new devstack do not work since devstack copiies api-paste.ini from Quantum repo and it has the unsetup-ed configurations as a result. The migration logic is just intended to avoid the case where the existing patch does not work. I believe this problem is specific to devstack. In the usual deployment, the adminstrator needs to ensure that one of quantum.conf or api-paste.ini has authtoken configuration. If the administrator want to move authtoken configuration to quantum.conf, he/she need to remove authtoken configuration in api-paste.ini. In addition, the admin can use api-paste.ini unchanged. This in the only requirement and I believe it is a reasonable requirement. Does it sound reasonable or should I stop the change? Thanks, > > > > > Akihiro > > > >>>>>> Date: Mon, 11 Feb 2013 02:28:32 -0800 > >>>>>> From: Dan Wendlandt<[email protected]> > >>>>>> Subject: Re: [Quantum-core] Move auth_token configuration to > >>>>>> quantum.conf from api-paste > >> Hi Akihiro, > >> > >> I agree at least with the high-level goal of simplifying configuration to > >> avoid most users having > >> to deal with api-paste.ini, so long as backward compat is properly > >> handled. Thanks for working on > >> this. > >> > >> Dan > >> > >> On Sat, Feb 9, 2013 at 6:09 AM, Akihiro MOTOKI<[email protected]> > >> wrote: > >> > >> Hi, > >> > >> We have the configurations of keystone auth_token in api-paste.ini. > >> keystoneclient.middleware.auth_token now allows the main application > >> such as quantum to have auth_token configuration in its configuration > >> file e.g., quantum.conf. > >> > >> I think it is better to have auth_token configurations in > >> quantum.conf. > >> If so users only need to customize quantum.conf and there is no need > >> to modify api-paste.ini. I think api-paste.ini is regarded as a part > >> of > >> quantum-server since it defines the pipeline of quantum-server, so > >> it would be better users do not modify it. > >> > >> Since auth_token has a backward compatibility, > >> users who already use api-paste.ini can continue to use it. > >> auth_token first tries the configurations in > >> /etc/quantum/api-paste.ini > >> and then the above configurations. > >> > >> I think this change has no risk and simplifies users' configurations. > >> > >> To do this, we just need to add an example to auto_token > >> configurations > >> below to quantum.conf and update the admin guide. > >> (In addition, need to update devstack at some timing) > >> > >> Glance already adopts this scheme, and nova does not. > >> > >> ------------------------------------------------------------ > >> [keystone_authtoken] > >> auth_host = 127.0.0.1 > >> auth_port = 35357 > >> auth_protocol = http > >> admin_tenant_name = %SERVICE_TENANT_NAME% > >> admin_user = %SERVICE_USER% > >> admin_password = %SERVICE_PASSWORD% > >> signing_dir = /var/lib/quantum/keystone-signing > >> ------------------------------------------------------------ > >> > >> Thanks, > >> Akihiro > >> > >> -- > >> Mailing list: https://launchpad.net/~quantum-core > >> Post to : [email protected] > >> Unsubscribe : https://launchpad.net/~quantum-core > >> More help : https://help.launchpad.net/ListHelp > >> > >> -- > >> ~~~~~~~~~~~~~~~~~~~~~~~~~~~ > >> Dan Wendlandt > >> Nicira, Inc: www.nicira.com > >> twitter: danwendlandt > >> ~~~~~~~~~~~~~~~~~~~~~~~~~~~ > >> > >> > > > -- > Mailing list: https://launchpad.net/~quantum-core > Post to : [email protected] > Unsubscribe : https://launchpad.net/~quantum-core > More help : https://help.launchpad.net/ListHelp -- Mailing list: https://launchpad.net/~quantum-core Post to : [email protected] Unsubscribe : https://launchpad.net/~quantum-core More help : https://help.launchpad.net/ListHelp
