Re: [openstack-dev] [tc][ptl][keystone] Proposal to split authentication part out of Keystone to separated project

2016-04-08 Thread Dolph Mathews
We're _all_ winners. On Friday, April 8, 2016, Brad Topol wrote: > If Termie comes out of retirement to respond to a thread are there really > any winners??? :-) > > --Brad > > > Brad Topol, Ph.D. > IBM Distinguished Engineer > OpenStack > (919) 543-0646 > Internet:

Re: [openstack-dev] [tc][ptl][keystone] Proposal to split authentication part out of Keystone to separated project

2016-04-08 Thread Brad Topol
If Termie comes out of retirement to respond to a thread are there really any winners??? :-) --Brad Brad Topol, Ph.D. IBM Distinguished Engineer OpenStack (919) 543-0646 Internet: bto...@us.ibm.com Assistant: Kendra Witherspoon (919) 254-0680 From: Monty Taylor To:

Re: [openstack-dev] [tc][ptl][keystone] Proposal to split authentication part out of Keystone to separated project

2016-04-08 Thread Monty Taylor
On 04/08/2016 11:12 AM, Andy Smith wrote: Aahahahahhahahahhaahhahahahahahahahahhahhahahahahhahaha This is the indication that this thread wins. On Thu, Apr 7, 2016 at 6:23 AM Lance Bragstad > wrote: In response to point 2.2, the

Re: [openstack-dev] [tc][ptl][keystone] Proposal to split authentication part out of Keystone to separated project

2016-04-08 Thread Heck, Joseph
You know it’s an interesting discussion thread on keystone when both Termie and I are watching, chuckling, and grimacing in remembered pain … -joe From: Andy Smith > Reply-To: "OpenStack Development Mailing List (not for usage questions)"

Re: [openstack-dev] [tc][ptl][keystone] Proposal to split authentication part out of Keystone to separated project

2016-04-08 Thread Andy Smith
Aahahahahhahahahhaahhahahahahahahahahhahhahahahahhahaha On Thu, Apr 7, 2016 at 6:23 AM Lance Bragstad wrote: > In response to point 2.2, the progress with Fernet in the last year has > exposed performance pain points in keystone. Finding sensible solutions for > those

Re: [openstack-dev] [tc][ptl][keystone] Proposal to split authentication part out of Keystone to separated project

2016-04-07 Thread Lance Bragstad
In response to point 2.2, the progress with Fernet in the last year has exposed performance pain points in keystone. Finding sensible solutions for those issues is crucial in order for people to adopt Fernet. In Mitaka we had a lot of discussion that resulted in landing several performance related

Re: [openstack-dev] [tc][ptl][keystone] Proposal to split authentication part out of Keystone to separated project

2016-04-06 Thread Morgan Fainberg
On Wed, Apr 6, 2016 at 6:29 PM, David Stanek wrote: > > On Wed, Apr 6, 2016 at 3:26 PM Boris Pavlovic > wrote: > >> >> 2) This will reduce scope of Keystone, which means 2 things >> 2.1) Smaller code base that has less issues and is simpler for

Re: [openstack-dev] [tc][ptl][keystone] Proposal to split authentication part out of Keystone to separated project

2016-04-06 Thread David Stanek
On Wed, Apr 6, 2016 at 3:26 PM Boris Pavlovic wrote: > > 2) This will reduce scope of Keystone, which means 2 things > 2.1) Smaller code base that has less issues and is simpler for testing > 2.2) Keystone team would be able to concentrate more on fixing >

Re: [openstack-dev] [tc][ptl][keystone] Proposal to split authentication part out of Keystone to separated project

2016-04-06 Thread Adam Young
On 04/06/2016 04:56 PM, Dolph Mathews wrote: For some historical perspective, that's basically how v2 was designed. The "public" service (port 5000) did nothing but the auth flow. The "admin" service (port 35357) was identity management. Unfortunately, there are (perhaps uncommon)

Re: [openstack-dev] [tc][ptl][keystone] Proposal to split authentication part out of Keystone to separated project

2016-04-06 Thread Steve Martinelli
This has been our hidden agenda for many releases (minus the project split). There are other projects that you mention that are much better at handling authentication, many enterprises already have these place as well. We have been trying to get out of the identity management (and consequently,

Re: [openstack-dev] [tc][ptl][keystone] Proposal to split authentication part out of Keystone to separated project

2016-04-06 Thread Dolph Mathews
For some historical perspective, that's basically how v2 was designed. The "public" service (port 5000) did nothing but the auth flow. The "admin" service (port 35357) was identity management. Unfortunately, there are (perhaps uncommon) authentication flows where, for example, you need to 1)

[openstack-dev] [tc][ptl][keystone] Proposal to split authentication part out of Keystone to separated project

2016-04-06 Thread Boris Pavlovic
Hi stackers, I would like to suggest very simple idea of splitting out of Keystone authentication part in the separated project. Such change has 2 positive outcomes: 1) It will be quite simple to create scalable service with high performance for authentication based on very mature projects like: