The Keystone development team is planning to deprecate deployment of Keystone
under Eventlet during the Kilo cycle. Support for deploying under eventlet will
be dropped as of the “M”-release of OpenStack.
The reasoning behind this move is multifaceted but the core of the reasons are
as follows:
Keystone relies on apache/web-server modules to handle federated identity
(validation of SAML, etc) and similar SSO type authentication (Kerberos).
Eventlet has proven problematic when it comes to workloads within Keystone,
notably that a number of actions cannot yield (either due to lacking in
Eventlet, or that the dependent library uses C-bindings that eventlet is not
able to work with).
Keystone has recommended (for multiple cycles) deploying Keystone under apache
instead of eventlet. In the gate we primarily test all new development under
Apache/mod_wsgi deployments.
Most deployers I’ve discussed keystone deployment with are either already on
httpd+mod_wsgi or looking to move that direction (for support of features such
as federated auth).
The review to finalize the deprecation is:
https://review.openstack.org/#/c/157495/ (Please only provide comments on
deprecation, verbiage can be modified separately from the actual act of
deprecation).
Please comment on the review or in reply to this Email.
Thanks,
—Morgan
--
Morgan Fainberg
_______________________________________________
OpenStack-operators mailing list
OpenStack-operators@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators
