Re: [openstack-dev] Removing Keystoneauth Dependency in Castellan Discussion
Excerpts from Gage Hugo's message of 2017-12-06 15:16:14 -0600: > It's been a bit since the summit but I believe this was also discussed at > the Denver PTG as well: https://etherpad.openstack.org/p/oslo-ptg-queens > > The keystoneauth stuff seems to be more from Sydney, but if I remember > correctly, Castellan authenticates through keystoneauth and passes the > session to barbicanclient. This is the only use of keystoneauth within > Castellan, so one idea that was mentioned was to see if Castellan could > simply pass the credentials to barbicanclient, which would auth through > keystoneauth instead, removing the dependency from Castellan. It looks like Castellan tries to authenticate using the token from the context in two separate cases [1]. That would cause the service using castellan to connect to barbican as the user making the API request. Removing the use of keystoneauth would mean that feature would no longer work, and all requests to barbican would be made as a hard-coded user. That seems like a pretty fundamental difference in behavior. Which mode is used the most in the services that consume castellan today? I'm still not understanding the real motivation for removing the dependency. Is it just someone's notion of cleaning things up? Or is there a runtime issue of some sort? Doug [1] http://git.openstack.org/cgit/openstack/castellan/tree/castellan/key_manager/barbican_key_manager.py#n140 > > On Tue, Dec 5, 2017 at 10:54 AM, Doug Hellmann > wrote: > > > Excerpts from ARORA, ROHAN's message of 2017-12-05 14:37:49 +: > > > So from my understanding now, we are wanting to remove the HARD > > dependency on Keystoneauth, not to remove it completely since that would > > break the barbican client. Currently seeing if we just remove the > > dependency from requirements.txt, if that stops Keystoneauth from being > > used until you try to use the barbican. > > > > There would need to be more changes than that, because we still need the > > package to be installed for testing the Barbican driver. > > > > Maybe if someone could explain what the issue is, I can offer more > > detailed advice. What is wrong with having the keystoneauth dependency? > > Is it breaking something? Is it interfering with some other library? > > > > Doug > > > > __ > > OpenStack Development Mailing List (not for usage questions) > > Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe > > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev > > __ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
Re: [openstack-dev] Removing Keystoneauth Dependency in Castellan Discussion
It's been a bit since the summit but I believe this was also discussed at the Denver PTG as well: https://etherpad.openstack.org/p/oslo-ptg-queens The keystoneauth stuff seems to be more from Sydney, but if I remember correctly, Castellan authenticates through keystoneauth and passes the session to barbicanclient. This is the only use of keystoneauth within Castellan, so one idea that was mentioned was to see if Castellan could simply pass the credentials to barbicanclient, which would auth through keystoneauth instead, removing the dependency from Castellan. On Tue, Dec 5, 2017 at 10:54 AM, Doug Hellmann wrote: > Excerpts from ARORA, ROHAN's message of 2017-12-05 14:37:49 +: > > So from my understanding now, we are wanting to remove the HARD > dependency on Keystoneauth, not to remove it completely since that would > break the barbican client. Currently seeing if we just remove the > dependency from requirements.txt, if that stops Keystoneauth from being > used until you try to use the barbican. > > There would need to be more changes than that, because we still need the > package to be installed for testing the Barbican driver. > > Maybe if someone could explain what the issue is, I can offer more > detailed advice. What is wrong with having the keystoneauth dependency? > Is it breaking something? Is it interfering with some other library? > > Doug > > __ > OpenStack Development Mailing List (not for usage questions) > Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev > __ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
Re: [openstack-dev] Removing Keystoneauth Dependency in Castellan Discussion
Excerpts from ARORA, ROHAN's message of 2017-12-05 14:37:49 +: > So from my understanding now, we are wanting to remove the HARD dependency on > Keystoneauth, not to remove it completely since that would break the barbican > client. Currently seeing if we just remove the dependency from > requirements.txt, if that stops Keystoneauth from being used until you try to > use the barbican. There would need to be more changes than that, because we still need the package to be installed for testing the Barbican driver. Maybe if someone could explain what the issue is, I can offer more detailed advice. What is wrong with having the keystoneauth dependency? Is it breaking something? Is it interfering with some other library? Doug __ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
Re: [openstack-dev] Removing Keystoneauth Dependency in Castellan Discussion
So from my understanding now, we are wanting to remove the HARD dependency on Keystoneauth, not to remove it completely since that would break the barbican client. Currently seeing if we just remove the dependency from requirements.txt, if that stops Keystoneauth from being used until you try to use the barbican. Best, Rohan -Original Message- From: Doug Hellmann [mailto:d...@doughellmann.com] Sent: Monday, December 04, 2017 4:00 PM To: openstack-dev Subject: Re: [openstack-dev] Removing Keystoneauth Dependency in Castellan Discussion Excerpts from ARORA, ROHAN's message of 2017-12-04 21:47:45 +: > Wanted to start a thread to discuss the potential removal of the Keystoneauth > dependency from Castellan. Whether it is needed or not, approaches we might > want to take, etc. > From my understanding, Tin, Gage, and Ade discussed this at the Sydney > summit, so we were hoping for some details/clarifications before getting to > work on it. > > Best, > Rohan My understanding is that keystone is used when the barbican driver is invoked. So I don't understand how we can remove the dependency completely. We could possibly make it an "extras" so that it is only installed if the barbican driver is going to be used. Is that what you mean? Doug __ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe https://urldefense.proofpoint.com/v2/url?u=http-3A__lists.openstack.org_cgi-2Dbin_mailman_listinfo_openstack-2Ddev&d=DwIGaQ&c=LFYZ-o9_HUMeMTSQicvjIg&r=HrszLFXMaQd7t9slUzbd4w&m=FujA9G4eVEAZYg6NIXvhNicVpcBdHJAIW-ZRJ2yeNjs&s=3x2COEHUcYS41wWEg97O9AmICZre8dUTMw_77FOWpeU&e= __ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
Re: [openstack-dev] Removing Keystoneauth Dependency in Castellan Discussion
I do believe that was something Tin mentioned after I had talked to him after our IRC chat last week. Seems like the right way to go. Tin? Best, Rohan -Original Message- From: Doug Hellmann [mailto:d...@doughellmann.com] Sent: Monday, December 04, 2017 4:00 PM To: openstack-dev Subject: Re: [openstack-dev] Removing Keystoneauth Dependency in Castellan Discussion Excerpts from ARORA, ROHAN's message of 2017-12-04 21:47:45 +: > Wanted to start a thread to discuss the potential removal of the Keystoneauth > dependency from Castellan. Whether it is needed or not, approaches we might > want to take, etc. > From my understanding, Tin, Gage, and Ade discussed this at the Sydney > summit, so we were hoping for some details/clarifications before getting to > work on it. > > Best, > Rohan My understanding is that keystone is used when the barbican driver is invoked. So I don't understand how we can remove the dependency completely. We could possibly make it an "extras" so that it is only installed if the barbican driver is going to be used. Is that what you mean? Doug __ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe https://urldefense.proofpoint.com/v2/url?u=http-3A__lists.openstack.org_cgi-2Dbin_mailman_listinfo_openstack-2Ddev&d=DwIGaQ&c=LFYZ-o9_HUMeMTSQicvjIg&r=HrszLFXMaQd7t9slUzbd4w&m=FujA9G4eVEAZYg6NIXvhNicVpcBdHJAIW-ZRJ2yeNjs&s=3x2COEHUcYS41wWEg97O9AmICZre8dUTMw_77FOWpeU&e= __ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
Re: [openstack-dev] Removing Keystoneauth Dependency in Castellan Discussion
Excerpts from ARORA, ROHAN's message of 2017-12-04 21:47:45 +: > Wanted to start a thread to discuss the potential removal of the Keystoneauth > dependency from Castellan. Whether it is needed or not, approaches we might > want to take, etc. > From my understanding, Tin, Gage, and Ade discussed this at the Sydney > summit, so we were hoping for some details/clarifications before getting to > work on it. > > Best, > Rohan My understanding is that keystone is used when the barbican driver is invoked. So I don't understand how we can remove the dependency completely. We could possibly make it an "extras" so that it is only installed if the barbican driver is going to be used. Is that what you mean? Doug __ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev