Move keystone auth_token configuration to quantum.conf
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
neutron |
Fix Released
|
Wishlist
|
Akihiro Motoki |
Bug Description
Though it has already been merged into master, I will file it as a bug to make feature tracking easier.
----
We have the configurations of keystone auth_token in api-paste.ini.
keystoneclient.
such as quantum to have auth_token configuration in its configuration
file e.g., quantum.conf.
I think it is better to have auth_token configurations in quantum.conf.
If so users only need to customize quantum.conf and there is no need
to modify api-paste.ini. I think api-paste.ini is regarded as a part of
quantum-server since it defines the pipeline of quantum-server, so
it would be better users do not modify it.
Since auth_token has a backward compatibility,
users who already use api-paste.ini can continue to use it.
auth_token first tries the configurations in /etc/quantum/
and then the above configurations.
I think this change has no risk and simplifies users' configurations.
To do this, we just need to add an example to auto_token configurations
below to quantum.conf and update the admin guide.
(In addition, need to update devstack at some timing)
Glance already adopts this scheme, and nova does not.
-------
[keystone_
auth_host = 127.0.0.1
auth_port = 35357
auth_protocol = http
admin_tenant_name = %SERVICE_
admin_user = %SERVICE_USER%
admin_password = %SERVICE_PASSWORD%
signing_dir = /var/lib/
-------
Changed in quantum: | |
status: | Fix Committed → Fix Released |
Changed in quantum: | |
milestone: | grizzly-3 → 2013.1 |
Note that this change cannnot be backported to stable/folsom.
----
We alerady decided not to backport it. I would like to share the detail.
Actually auth_token configuration in quantum.conf does not work in stable/folsom
and we cannot backport it. In Folsom, keystone provides auth_token middleware and this middle does not check the configurations in quantum.conf.
In Grizzly, auth_token middleware is moved to keystoneclient and this middleware is enhanced
to check the auth_token configurations in the configurations in the main application in addition to api-paste.ini. "auth_token" middleware also exists in keystone and it is a wrapper to call keystoneclient auth_token. This provides backward compatibility with Folsom.
----