My prioritization of noauth is rooted in the fact that we're finding that the current pattern of hitting auth to validate a token is not scaling well. Out current solution to this scale issue is:
- use noauth when possible between the services - use normal auth for public services - provide a method to create a 'trusted environment' While this problem may not be prevalent in other deployments I will add that support noauth in the client 'just makes sense' when the services themselves support them. For instance our setup looks like: User -> Auth to Nova -> Nova/Computes -> NoAuth to neutron in 'trusted environment' It saves quite a few calls to identity in this way and scales a lot better. On 1/16/14 11:06 AM, "Dean Troyer" <dtro...@gmail.com> wrote: >On Thu, Jan 16, 2014 at 9:37 AM, Jesse Noller ><jesse.nol...@rackspace.com> wrote: > >On Jan 16, 2014, at 9:26 AM, Justin Hammond ><justin.hamm...@rackspace.com> wrote: > > >I'm not sure if it was said, but which httplib using being used (urllib3 >maybe?). Also I noticed many people were talking about supporting auth >properly, but are there any intentions to properly support 'noauth' >(python-neutronclient, for instance, doesn't support it properly as of >this writing)? > > > > >Can you detail out noauth for me; and I would say the defacto httplib in >python today is python-requests - urllib3 is also good but I would say >from a *consumer* standpoint requests offers more in terms of usability / >extensibility > > > > > > >requests is built on top of urllib3 so there's that... > >The biggest reaon I favor using Jamie Lennox's new session layer stuff in >keystoneclient is that it better reflects the requests API instead of it >being stuffed in after the fact. And as the one responsible for that >stuffing, it was pretty blunt and really needs to be cleaned up more than >Alessio did. > >only a few libs (maybe just glance and swift?) don't use requests at this >point and I think the resistance there is the chunked transfers they both >do. > >I'm really curious what 'noauth' means against APIs that have few, if >any, calls that operate without a valid token. > >dt > >-- > >Dean Troyer >dtro...@gmail.com > > >_______________________________________________ >OpenStack-dev mailing list >OpenStack-dev@lists.openstack.org >http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev _______________________________________________ OpenStack-dev mailing list OpenStack-dev@lists.openstack.org http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
