Re: [openstack-dev] [nova] global or per-project specific ssl config options, or both?
Hi Matt, Nova, I'll look into this. Gilliard On Thu, Dec 4, 2014 at 9:51 PM, Matt Riedemann mrie...@linux.vnet.ibm.com wrote: On 12/4/2014 6:02 AM, Davanum Srinivas wrote: +1 to @markmc's default is global value and override for project specific key suggestion. -- dims On Wed, Dec 3, 2014 at 11:57 PM, Matt Riedemann mrie...@linux.vnet.ibm.com wrote: I've posted this to the 12/4 nova meeting agenda but figured I'd socialize it here also. SSL options - do we make them per-project or global, or both? Neutron and Cinder have config-group specific SSL options in nova, Glance is using oslo sslutils global options since Juno which was contentious for a time in a separate review in Icehouse [1]. Now [2] wants to break that out for Glance, but we also have a patch [3] for Keystone to use the global oslo SSL options, we should be consistent, but does that require a blueprint now? In the Icehouse patch, markmc suggested using a DictOpt where the default value is the global value, which could be coming from the oslo [ssl] group and then you could override that with a project-specific key, e.g. cinder, neutron, glance, keystone. [1] https://review.openstack.org/#/c/84522/ [2] https://review.openstack.org/#/c/131066/ [3] https://review.openstack.org/#/c/124296/ -- Thanks, Matt Riedemann ___ OpenStack-dev mailing list OpenStack-dev@lists.openstack.org http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev The consensus in the nova meeting today, I think, was that we generally like the idea of the DictOpt with global oslo ssl as the default and then be able to configure that per-service if needed. Does anyone want to put up a POC on how that would work to see how ugly and/or usable that would be? I haven't dug into the DictOpt stuff yet and am kind of time-constrained at the moment. -- Thanks, Matt Riedemann ___ OpenStack-dev mailing list OpenStack-dev@lists.openstack.org http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev ___ OpenStack-dev mailing list OpenStack-dev@lists.openstack.org http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
Re: [openstack-dev] [nova] global or per-project specific ssl config options, or both?
I just put up a quick pre-weekend POC at https://review.openstack.org/#/c/139672/ - comments welcome on that patch. Thanks :) On Fri, Dec 5, 2014 at 10:07 AM, Matthew Gilliard matthew.gilli...@gmail.com wrote: Hi Matt, Nova, I'll look into this. Gilliard On Thu, Dec 4, 2014 at 9:51 PM, Matt Riedemann mrie...@linux.vnet.ibm.com wrote: On 12/4/2014 6:02 AM, Davanum Srinivas wrote: +1 to @markmc's default is global value and override for project specific key suggestion. -- dims On Wed, Dec 3, 2014 at 11:57 PM, Matt Riedemann mrie...@linux.vnet.ibm.com wrote: I've posted this to the 12/4 nova meeting agenda but figured I'd socialize it here also. SSL options - do we make them per-project or global, or both? Neutron and Cinder have config-group specific SSL options in nova, Glance is using oslo sslutils global options since Juno which was contentious for a time in a separate review in Icehouse [1]. Now [2] wants to break that out for Glance, but we also have a patch [3] for Keystone to use the global oslo SSL options, we should be consistent, but does that require a blueprint now? In the Icehouse patch, markmc suggested using a DictOpt where the default value is the global value, which could be coming from the oslo [ssl] group and then you could override that with a project-specific key, e.g. cinder, neutron, glance, keystone. [1] https://review.openstack.org/#/c/84522/ [2] https://review.openstack.org/#/c/131066/ [3] https://review.openstack.org/#/c/124296/ -- Thanks, Matt Riedemann ___ OpenStack-dev mailing list OpenStack-dev@lists.openstack.org http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev The consensus in the nova meeting today, I think, was that we generally like the idea of the DictOpt with global oslo ssl as the default and then be able to configure that per-service if needed. Does anyone want to put up a POC on how that would work to see how ugly and/or usable that would be? I haven't dug into the DictOpt stuff yet and am kind of time-constrained at the moment. -- Thanks, Matt Riedemann ___ OpenStack-dev mailing list OpenStack-dev@lists.openstack.org http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev ___ OpenStack-dev mailing list OpenStack-dev@lists.openstack.org http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
Re: [openstack-dev] [nova] global or per-project specific ssl config options, or both?
+1 to @markmc's default is global value and override for project specific key suggestion. -- dims On Wed, Dec 3, 2014 at 11:57 PM, Matt Riedemann mrie...@linux.vnet.ibm.com wrote: I've posted this to the 12/4 nova meeting agenda but figured I'd socialize it here also. SSL options - do we make them per-project or global, or both? Neutron and Cinder have config-group specific SSL options in nova, Glance is using oslo sslutils global options since Juno which was contentious for a time in a separate review in Icehouse [1]. Now [2] wants to break that out for Glance, but we also have a patch [3] for Keystone to use the global oslo SSL options, we should be consistent, but does that require a blueprint now? In the Icehouse patch, markmc suggested using a DictOpt where the default value is the global value, which could be coming from the oslo [ssl] group and then you could override that with a project-specific key, e.g. cinder, neutron, glance, keystone. [1] https://review.openstack.org/#/c/84522/ [2] https://review.openstack.org/#/c/131066/ [3] https://review.openstack.org/#/c/124296/ -- Thanks, Matt Riedemann ___ OpenStack-dev mailing list OpenStack-dev@lists.openstack.org http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev -- Davanum Srinivas :: https://twitter.com/dims ___ OpenStack-dev mailing list OpenStack-dev@lists.openstack.org http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
Re: [openstack-dev] [nova] global or per-project specific ssl config options, or both?
On 12/4/2014 6:02 AM, Davanum Srinivas wrote: +1 to @markmc's default is global value and override for project specific key suggestion. -- dims On Wed, Dec 3, 2014 at 11:57 PM, Matt Riedemann mrie...@linux.vnet.ibm.com wrote: I've posted this to the 12/4 nova meeting agenda but figured I'd socialize it here also. SSL options - do we make them per-project or global, or both? Neutron and Cinder have config-group specific SSL options in nova, Glance is using oslo sslutils global options since Juno which was contentious for a time in a separate review in Icehouse [1]. Now [2] wants to break that out for Glance, but we also have a patch [3] for Keystone to use the global oslo SSL options, we should be consistent, but does that require a blueprint now? In the Icehouse patch, markmc suggested using a DictOpt where the default value is the global value, which could be coming from the oslo [ssl] group and then you could override that with a project-specific key, e.g. cinder, neutron, glance, keystone. [1] https://review.openstack.org/#/c/84522/ [2] https://review.openstack.org/#/c/131066/ [3] https://review.openstack.org/#/c/124296/ -- Thanks, Matt Riedemann ___ OpenStack-dev mailing list OpenStack-dev@lists.openstack.org http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev The consensus in the nova meeting today, I think, was that we generally like the idea of the DictOpt with global oslo ssl as the default and then be able to configure that per-service if needed. Does anyone want to put up a POC on how that would work to see how ugly and/or usable that would be? I haven't dug into the DictOpt stuff yet and am kind of time-constrained at the moment. -- Thanks, Matt Riedemann ___ OpenStack-dev mailing list OpenStack-dev@lists.openstack.org http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
[openstack-dev] [nova] global or per-project specific ssl config options, or both?
I've posted this to the 12/4 nova meeting agenda but figured I'd socialize it here also. SSL options - do we make them per-project or global, or both? Neutron and Cinder have config-group specific SSL options in nova, Glance is using oslo sslutils global options since Juno which was contentious for a time in a separate review in Icehouse [1]. Now [2] wants to break that out for Glance, but we also have a patch [3] for Keystone to use the global oslo SSL options, we should be consistent, but does that require a blueprint now? In the Icehouse patch, markmc suggested using a DictOpt where the default value is the global value, which could be coming from the oslo [ssl] group and then you could override that with a project-specific key, e.g. cinder, neutron, glance, keystone. [1] https://review.openstack.org/#/c/84522/ [2] https://review.openstack.org/#/c/131066/ [3] https://review.openstack.org/#/c/124296/ -- Thanks, Matt Riedemann ___ OpenStack-dev mailing list OpenStack-dev@lists.openstack.org http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev