Decide on validation sets behaviour
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
Anchor |
Won't Fix
|
Medium
|
Stanislaw Pitucha |
Bug Description
The original validation sets behaviour was to sign the certificate if any of the validation sets passed completely.
This was intended to be used in scenarios where different groups of servers make different kind of requests to the same Anchor instance. For example operator could configure Anchor to sign certificates for hosts *.nv.domain if the request comes from a nova range and for hosts *.gl.domain if the requests comes from a glance range.
This was changed in commit 52fefc1ca6ea507
There are two ways forwards I see:
- restore the original behaviour if needed, or
- remove validation sets, because they're not required anymore (merging all validators into one set doesn't change the behaviour)
Changed in anchor: | |
status: | In Progress → Won't Fix |
Fix proposed to branch: master /review. openstack. org/190086
Review: https:/