neutron

Move keystone auth_token configuration to quantum.conf

Bug #1123865 reported by Akihiro Motoki
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
neutron
Fix Released
Wishlist
Akihiro Motoki
neutron 2013.1 "grizzly"

Bug Description

Though it has already been merged into master, I will file it as a bug to make feature tracking easier.

----
We have the configurations of keystone auth_token in api-paste.ini.
keystoneclient.middleware.auth_token now allows the main application
such as quantum to have auth_token configuration in its configuration
file e.g., quantum.conf.

I think it is better to have auth_token configurations in quantum.conf.
If so users only need to customize quantum.conf and there is no need
to modify api-paste.ini. I think api-paste.ini is regarded as a part of
quantum-server since it defines the pipeline of quantum-server, so
it would be better users do not modify it.

Since auth_token has a backward compatibility,
users who already use api-paste.ini can continue to use it.
auth_token first tries the configurations in /etc/quantum/api-paste.ini
and then the above configurations.

I think this change has no risk and simplifies users' configurations.

To do this, we just need to add an example to auto_token configurations
below to quantum.conf and update the admin guide.
(In addition, need to update devstack at some timing)

Glance already adopts this scheme, and nova does not.

------------------------------------------------------------
[keystone_authtoken]
auth_host = 127.0.0.1
auth_port = 35357
auth_protocol = http
admin_tenant_name = %SERVICE_TENANT_NAME%
admin_user = %SERVICE_USER%
admin_password = %SERVICE_PASSWORD%
signing_dir = /var/lib/quantum/keystone-signing
------------------------------------------------------------

Revision history for this message
Akihiro Motoki (amotoki) wrote :

Note that this change cannnot be backported to stable/folsom.
----
We alerady decided not to backport it. I would like to share the detail.

Actually auth_token configuration in quantum.conf does not work in stable/folsom
and we cannot backport it. In Folsom, keystone provides auth_token middleware and this middle does not check the configurations in quantum.conf.

In Grizzly, auth_token middleware is moved to keystoneclient and this middleware is enhanced
to check the auth_token configurations in the configurations in the main application in addition to api-paste.ini. "auth_token" middleware also exists in keystone and it is a wrapper to call keystoneclient auth_token. This provides backward compatibility with Folsom.
----

Revision history for this message
Alan Pevec (apevec) wrote :

> Actually auth_token configuration in quantum.conf does not work in stable/folsom

Please provide more details, I don't see why it wouldn't work, the cfg handling is the same in stable/folsom keystone.middleware.auth_tokenm which was moved to keystoneclient.middleware.auth_token:

https://github.com/openstack/keystone/blob/stable/folsom/keystone/middleware/auth_token.py#L117
vs
https://github.com/openstack/python-keystoneclient/blob/master/keystoneclient/middleware/auth_token.py#L126

Revision history for this message
Akihiro Motoki (amotoki) wrote :

Thanks for correcting me. Oh sorry for my bad.

I was confused with common logging and common config... This requires common confg. (In Quantum folsom common logging is not used.)

I confirmed it also worked with stable/folsom and config in api-paste is first checked.

Thierry Carrez (ttx)
Changed in quantum:
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in quantum:
milestone: grizzly-3 → 2013.1
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.