openstack/nova
Code Issues Proposed changes
4370aa9c5e
nova/releasenotes/notes/workarounds-enable-consoleauth-71d68c3879dc2c8a.yaml
Paul Murray 969239029d Convert websocketproxy to use db for token validation 
Now we can use the ConsoleAuthToken object to do token
validation. This change converts websocketproxy to use
the ConsoleAuthToken object for token validation.

Tha ConsoleAuthToken object is prepared to work with cells
v2. We use consoleauth if using cells v1.

A new config option: [workarounds]/enable_consoleauth has been
added to aid in transitioning to the database backend if
resetting already existing consoles would be problematic for an
operator.

Co-Authored-By: melanie witt <melwittt@gmail.com>

partially-implements: blueprint convert-consoles-to-objects

Depends-On: I67894a31b887a93de26f3d2d8a1fa84be5b9ea89

Change-Id: If1b6e5f20d2ea82d94f5f0550f13189fc9bc16c4
2018-05-03 09:57:56 -04:00

25 lines
1.3 KiB
YAML
Raw Blame History

---
upgrade:
- |
The ``nova-consoleauth`` service has been deprecated and new consoles will
have their token authorizations stored in cell databases instead of in the
``nova-consoleauth`` service backend. With this, console proxies are
required to be deployed per cell. All existing consoles will be reset. For
most operators, this should be a minimal disruption as the default TTL of a
console token is 10 minutes.
Operators that have configured a much longer token TTL or otherwise wish to
avoid immediately resetting all existing consoles can use the new
configuration option ``[workarounds]/enable_consoleauth`` to fall back on
the ``nova-consoleauth`` service for locating existing console
authorizations. The option defaults to False. Once all of the existing
consoles have naturally expired, operators may unset the configuration
option and discontinue running the consoleauth service. For example, if
a deployment has configured a token TTL of one hour, the operator may
disable the ``[workarounds]/enable_consoleauth`` option and stop running
the ``nova-consoleauth`` service one hour after deploying the new code.
Operators who do not need to use the ``[workarounds]/enable_consoleauth``
configuration option may discontinue running the consoleauth service
immediately.
View Git Blame Copy Permalink