Update patch set 5

Patch Set 5: Code-Review-1

(4 comments)

Patch-set: 5
Reviewer: Gerrit User 4257 <4257@4a232e18-c5a9-48ee-94c0-e04e7cca6543>
Label: Code-Review=-1
Gerrit User 4257 2018-07-05 19:21:39 +00:00 committed by Gerrit Code Review
parent b33fb43334
commit 71d832cd44
1 changed files with 80 additions and 0 deletions

@ -22,6 +22,86 @@
"revId": "de04f0d2c153d7c87c7cae6d6fa5aad157953065",
"serverId": "4a232e18-c5a9-48ee-94c0-e04e7cca6543",
"unresolved": false
},
{
"key": {
"uuid": "5f7c97a3_26afdb9d",
"filename": "specs/rocky/multi-cloud-support.rst",
"patchSetId": 5
},
"lineNbr": 63,
"author": {
"id": 4257
},
"writtenOn": "2018-07-05T19:21:39Z",
"side": 1,
"message": "After discussion on IRC[1], I\u0027d suggest the properties we want are: the region_name, the auth_url, the credential_secret_id, and the various SSL/TLS config options that Rabi alluded to above (but passing the file contents inline, using e.g. get_file, not just the filename as in https://review.openstack.org/#/c/480923/10).\n\nThe main reason I think we want to do this all inline is that the clouds.yaml format also refers to external files for SSL config. So it\u0027s not like we can just have the user drop the whole clouds.yaml entry into Barbican.\n\nWe could enhance that later by adding the option to refer to a named cloud provider in the clouds.yaml file provided by the Heat operator. It\u0027s not great for interoperability, but it would certainly be useful for some use cases (e.g. organisation has multiple internal private clouds, none of which have CA-signed SSL certs). I\u0027d treat that as a comparatively low priority though.\n\n[1] http://eavesdrop.openstack.org/irclogs/%23heat/%23heat.2018-07-05.log.html#t2018-07-05T15:16:19",
"revId": "de04f0d2c153d7c87c7cae6d6fa5aad157953065",
"serverId": "4a232e18-c5a9-48ee-94c0-e04e7cca6543",
"unresolved": false
},
{
"key": {
"uuid": "5f7c97a3_86a34fb1",
"filename": "specs/rocky/multi-cloud-support.rst",
"patchSetId": 5
},
"lineNbr": 85,
"author": {
"id": 4257
},
"writtenOn": "2018-07-05T19:21:39Z",
"side": 1,
"message": "OK, after talking to Thomas and reading the scrollback on IRC[1], I realise that I completely misinterpreted what this was saying. (This is also why I was so confused about the new DB table.)\n\nThere is no point to doing this. If you have a credential on a remote cloud that only gives you access to Barbican, but Barbican contains a second credential that gives you access to everything, then you have access to everything. The fact that you had to jump through twice as many hoops to get there adds no security benefit.\n\n[1] http://eavesdrop.openstack.org/irclogs/%23heat/%23heat.2018-07-04.log.html#t2018-07-04T14:33:12",
"range": {
"startLine": 82,
"startChar": 0,
"endLine": 85,
"endChar": 67
},
"revId": "de04f0d2c153d7c87c7cae6d6fa5aad157953065",
"serverId": "4a232e18-c5a9-48ee-94c0-e04e7cca6543",
"unresolved": false
},
{
"key": {
"uuid": "5f7c97a3_e647a31d",
"filename": "specs/rocky/multi-cloud-support.rst",
"patchSetId": 5
},
"lineNbr": 165,
"author": {
"id": 4257
},
"writtenOn": "2018-07-05T19:21:39Z",
"side": 1,
"message": "So we can ditch all 3 of these.",
"range": {
"startLine": 160,
"startChar": 0,
"endLine": 165,
"endChar": 60
},
"revId": "de04f0d2c153d7c87c7cae6d6fa5aad157953065",
"serverId": "4a232e18-c5a9-48ee-94c0-e04e7cca6543",
"unresolved": false
},
{
"key": {
"uuid": "5f7c97a3_668cf32d",
"filename": "specs/rocky/multi-cloud-support.rst",
"patchSetId": 5
},
"lineNbr": 169,
"author": {
"id": 4257
},
"writtenOn": "2018-07-05T19:21:39Z",
"side": 1,
"message": "Maybe add an extra work item for the operator-provided clouds.yaml support.",
"revId": "de04f0d2c153d7c87c7cae6d6fa5aad157953065",
"serverId": "4a232e18-c5a9-48ee-94c0-e04e7cca6543",
"unresolved": false
}
]
}
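Review bot: the entry at "lineNbr": 165 ("So we can ditch all 3 of these.") does not say which three items it means. Its only anchor is the range 160-165 in patch set 5 of specs/rocky/multi-cloud-support.rst, so the record stops being readable once the spec is revised. Suggest naming the three items in the message and pointing back to the "lineNbr": 85 comment, which carries the actual reasoning: a credential that only reaches Barbican is equivalent to the second credential stored there. The same applies to the "lineNbr": 63 entry, where "the various SSL/TLS config options that Rabi alluded to above" refers to a comment that is not among the four added here. Listing those options explicitly would let the proposed property set (region_name, auth_url, credential_secret_id, inline TLS material) be reviewed from this record alone.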