settingsLogin | Registersettings

[openstack-dev] [keystone][all] v2.0 API removal

0 votes

Hey all,

Now that we're finishing up the last few bits of v2.0 removal, I'd like
to send out a reminder that Queens will not include the v2.0 keystone
APIs
except the ec2-api. Authentication and validation of v2.0 tokens
has been removed (in addition to the public and admin APIs) after a
lengthy deprecation period.

Let us know if you have any questions.

Thanks!


OpenStack Development Mailing List (not for usage questions)
Unsubscribe: OpenStack-dev-request@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

asked Oct 20, 2017 in openstack-dev by Lance_Bragstad (11,080 points)   2 3 6

6 Responses

0 votes

On Thu, Oct 19, 2017 at 10:08 AM, Lance Bragstad lbragstad@gmail.com wrote:
Hey all,

Now that we're finishing up the last few bits of v2.0 removal, I'd like to
send out a reminder that Queens will not include the v2.0 keystone APIs
except the ec2-api. Authentication and validation of v2.0 tokens has been
removed (in addition to the public and admin APIs) after a lengthy
deprecation period.

In the future can we have a notice before the actual code removal
starts? We've been battling various places where we thought we had
converted to v3 only to find out we hadn't correctly done so because
it use to just 'work' and the only way we know now is that CI blew up.
A heads up on the ML probably wouldn't have lessened the pain in this
instance but at least we might have been able to pinpoint the exact
problem quicker.

Thanks,
-Alex

Let us know if you have any questions.

Thanks!


OpenStack Development Mailing List (not for usage questions)
Unsubscribe: OpenStack-dev-request@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev


OpenStack Development Mailing List (not for usage questions)
Unsubscribe: OpenStack-dev-request@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
responded Oct 19, 2017 by aschultz_at_redhat.c (5,800 points)   2 2 4
0 votes

Yeah - we specifically talked about this in a recent meeting [0]. We
will be more verbose about this in the future.

[0]
http://eavesdrop.openstack.org/meetings/keystone/2017/keystone.2017-10-10-18.00.log.html#l-107

On 10/19/2017 12:00 PM, Alex Schultz wrote:
On Thu, Oct 19, 2017 at 10:08 AM, Lance Bragstad lbragstad@gmail.com wrote:

Hey all,

Now that we're finishing up the last few bits of v2.0 removal, I'd like to
send out a reminder that Queens will not include the v2.0 keystone APIs
except the ec2-api. Authentication and validation of v2.0 tokens has been
removed (in addition to the public and admin APIs) after a lengthy
deprecation period.

In the future can we have a notice before the actual code removal
starts? We've been battling various places where we thought we had
converted to v3 only to find out we hadn't correctly done so because
it use to just 'work' and the only way we know now is that CI blew up.
A heads up on the ML probably wouldn't have lessened the pain in this
instance but at least we might have been able to pinpoint the exact
problem quicker.

Thanks,
-Alex

Let us know if you have any questions.

Thanks!


OpenStack Development Mailing List (not for usage questions)
Unsubscribe: OpenStack-dev-request@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev


OpenStack Development Mailing List (not for usage questions)
Unsubscribe: OpenStack-dev-request@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev


OpenStack Development Mailing List (not for usage questions)
Unsubscribe: OpenStack-dev-request@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

responded Oct 19, 2017 by Lance_Bragstad (11,080 points)   2 3 6
0 votes

On Thu, Oct 19, 2017 at 11:49 AM, Lance Bragstad lbragstad@gmail.com wrote:
Yeah - we specifically talked about this in a recent meeting [0]. We
will be more verbose about this in the future.

I'm glad to see a review of this. In reading the meeting logs, I
understand it was well communicated that the api was going to go away
at some point. Yes we all knew it was coming, but the exact time of
impact wasn't known outside of Keystone. Also saying "oh it works in
devstack" is not enough when you do something this major. So a "FYI,
patches to remove v2.0 to start landing next week (or today)" is more
what would have been helpful for the devs who consume master. It
dramatically shortens the time spent debugging failures if you have an
idea about when something major changes and then we don't have to go
through git logs/gerrit to figure out what happened :)

IMHO when large efforts that affect the usage of your service are
going to start to land, it's good to send a note before landing those
patches. Or at least at the same time. Anyway I hope other projects
will also follow a similar pattern when they ultimately need to do
something like this in the future.

Thanks,
-Alex

[0]
http://eavesdrop.openstack.org/meetings/keystone/2017/keystone.2017-10-10-18.00.log.html#l-107

On 10/19/2017 12:00 PM, Alex Schultz wrote:

On Thu, Oct 19, 2017 at 10:08 AM, Lance Bragstad lbragstad@gmail.com wrote:

Hey all,

Now that we're finishing up the last few bits of v2.0 removal, I'd like to
send out a reminder that Queens will not include the v2.0 keystone APIs
except the ec2-api. Authentication and validation of v2.0 tokens has been
removed (in addition to the public and admin APIs) after a lengthy
deprecation period.

In the future can we have a notice before the actual code removal
starts? We've been battling various places where we thought we had
converted to v3 only to find out we hadn't correctly done so because
it use to just 'work' and the only way we know now is that CI blew up.
A heads up on the ML probably wouldn't have lessened the pain in this
instance but at least we might have been able to pinpoint the exact
problem quicker.

Thanks,
-Alex

Let us know if you have any questions.

Thanks!


OpenStack Development Mailing List (not for usage questions)
Unsubscribe: OpenStack-dev-request@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev


OpenStack Development Mailing List (not for usage questions)
Unsubscribe: OpenStack-dev-request@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev


OpenStack Development Mailing List (not for usage questions)
Unsubscribe: OpenStack-dev-request@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
responded Oct 19, 2017 by aschultz_at_redhat.c (5,800 points)   2 2 4
0 votes

Keystone is one project that all other OpenStack projects use, so
personally I think the change to remove the API which are widely used
should be discussed at TC meeting .

As far as I know ,not all OpenStack projects support the keystone v3 domain
(domain, project,user) as well as keystone, you can see the policy.json of
each project to check.
most of projects have no domain specified role API.

I'd ask how much effort do we need to maintain the keystone v2 api ? can we
just keep the code there?

On Fri, Oct 20, 2017 at 2:41 AM, Alex Schultz aschultz@redhat.com wrote:

On Thu, Oct 19, 2017 at 11:49 AM, Lance Bragstad lbragstad@gmail.com
wrote:

Yeah - we specifically talked about this in a recent meeting [0]. We
will be more verbose about this in the future.

I'm glad to see a review of this. In reading the meeting logs, I
understand it was well communicated that the api was going to go away
at some point. Yes we all knew it was coming, but the exact time of
impact wasn't known outside of Keystone. Also saying "oh it works in
devstack" is not enough when you do something this major. So a "FYI,
patches to remove v2.0 to start landing next week (or today)" is more
what would have been helpful for the devs who consume master. It
dramatically shortens the time spent debugging failures if you have an
idea about when something major changes and then we don't have to go
through git logs/gerrit to figure out what happened :)

IMHO when large efforts that affect the usage of your service are
going to start to land, it's good to send a note before landing those
patches. Or at least at the same time. Anyway I hope other projects
will also follow a similar pattern when they ultimately need to do
something like this in the future.

Thanks,
-Alex

[0]
http://eavesdrop.openstack.org/meetings/keystone/2017/
keystone.2017-10-10-18.00.log.html#l-107

On 10/19/2017 12:00 PM, Alex Schultz wrote:

On Thu, Oct 19, 2017 at 10:08 AM, Lance Bragstad lbragstad@gmail.com
wrote:

Hey all,

Now that we're finishing up the last few bits of v2.0 removal, I'd
like to
send out a reminder that Queens will not include the v2.0 keystone APIs
except the ec2-api. Authentication and validation of v2.0 tokens has
been
removed (in addition to the public and admin APIs) after a lengthy
deprecation period.

In the future can we have a notice before the actual code removal
starts? We've been battling various places where we thought we had
converted to v3 only to find out we hadn't correctly done so because
it use to just 'work' and the only way we know now is that CI blew up.
A heads up on the ML probably wouldn't have lessened the pain in this
instance but at least we might have been able to pinpoint the exact
problem quicker.

Thanks,
-Alex

Let us know if you have any questions.

Thanks!



OpenStack Development Mailing List (not for usage questions)
Unsubscribe: OpenStack-dev-request@lists.openstack.org?subject:
unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev



OpenStack Development Mailing List (not for usage questions)
Unsubscribe: OpenStack-dev-request@lists.openstack.org?subject:
unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev


OpenStack Development Mailing List (not for usage questions)
Unsubscribe: OpenStack-dev-request@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

--
Tang Yaguang


OpenStack Development Mailing List (not for usage questions)
Unsubscribe: OpenStack-dev-request@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
responded Oct 20, 2017 by Yaguang_Tang (1,180 points)   1 3 4
0 votes

On 2017-10-20 10:52:36 +0800 (+0800), Yaguang Tang wrote:
Keystone is one project that all other OpenStack projects use, so
personally I think the change to remove the API which are widely
used should be discussed at TC meeting .
[...]

The OpenStack Technical Committee ceased holding regular weekly
meetings around 6 months ago:

https://governance.openstack.org/tc/resolutions/20170425-drop-tc-weekly-meetings.html

Also, the TC is not generally in the business of making decisions on
behalf of projects and instead provides opt-in policy in the form of
"tags" which projects can choose to apply to their teams or
deliverables, such as:

https://governance.openstack.org/tc/reference/tags/assert_follows-standard-deprecation.html

As you can see, the Keystone team asserts the keystone API service
follows the deprecation model indicated there. Are you suggesting
that policy was not followed, or that it's merely insufficient?
--
Jeremy Stanley


OpenStack Development Mailing List (not for usage questions)
Unsubscribe: OpenStack-dev-request@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

responded Oct 20, 2017 by Jeremy_Stanley (56,700 points)   3 5 7
0 votes

I am not saying keystone team don't follow the policy. Just want to express
my concern for this big action. it's a cross project thing, so want to have
a widely agreement. from the user's aspect, I want to ask the keystone team
to keep the V2 API for a long time if we don't have
to spend to much effort to maintain it.

On Fri, Oct 20, 2017 at 8:46 PM, Jeremy Stanley fungi@yuggoth.org wrote:

On 2017-10-20 10:52:36 +0800 (+0800), Yaguang Tang wrote:

Keystone is one project that all other OpenStack projects use, so
personally I think the change to remove the API which are widely
used should be discussed at TC meeting .
[...]

The OpenStack Technical Committee ceased holding regular weekly
meetings around 6 months ago:

https://governance.openstack.org/tc/resolutions/20170425-
drop-tc-weekly-meetings.html

Also, the TC is not generally in the business of making decisions on
behalf of projects and instead provides opt-in policy in the form of
"tags" which projects can choose to apply to their teams or
deliverables, such as:

https://governance.openstack.org/tc/reference/tags/assert_
follows-standard-deprecation.html

As you can see, the Keystone team asserts the keystone API service
follows the deprecation model indicated there. Are you suggesting
that policy was not followed, or that it's merely insufficient?
--
Jeremy Stanley


OpenStack Development Mailing List (not for usage questions)
Unsubscribe: OpenStack-dev-request@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

--
Tang Yaguang


OpenStack Development Mailing List (not for usage questions)
Unsubscribe: OpenStack-dev-request@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
responded Oct 20, 2017 by Yaguang_Tang (1,180 points)   1 3 4
...