Bug 824034

This package has changed ownership in the Fedora Package Database.  Reassigning to the new owner of this component.

So this package would just contain keystone/middleware/auth_token.py ?

The main reason one would split up is to minimize dependencies,
and this does seem reasonable.

I was wondering about splitting all of keystone/middleware
to a keystone-middleware package, but the other modules there
look to have more extensive dependencies:
s3_token,swift_auth on swift and ec2_token on nova.

Considering the reduced dependencies on a "swift proxy" node:

openstack-swift-proxy (through openstack-swift) depends on:
python-configobj  
python-eventlet >= 0.9.8
python-greenlet >= 0.3.1
python-netifaces  
python-paste-deploy1.5  
python-setuptools  
python-simplejson  
python-webob1.0  
pyxattr  

while python-keystone depends on:
MySQL-python  
python-crypto  
python-dateutil  
python-eventlet  
python-httplib2  
python-ldap  
python-lxml  
python-memcached  
python-migrate  
python-passlib  
python-paste  
python-paste-deploy1.5  
python-paste-script  
python-prettytable  
python-routes1.12  
python-setuptools  
python-sqlalchemy0.7  
python-webob1.0  

And it seems that auth_token should depend on:
python-webob1.0  
python-memcached  
python-iso8601

So that's a reduction of

MySQL-python  
python-crypto  
python-dateutil  
python-httplib2  
python-ldap  
python-lxml  
python-migrate  
python-passlib  
python-paste-script  
python-prettytable  
python-routes1.12  
python-sqlalchemy0.7  

p.s. if we don't make this split,
perhaps python-iso8601 should be added to python-keystone

BTW the guard around the import of memcache and iso8601 in auth_token.py seems weird. Shouldn't it be catching ImportError rather than NameError?

> So this package would just contain keystone/middleware/auth_token.py ?

yes

> I was wondering about splitting all of keystone/middleware
> to a keystone-middleware package, but the other modules there
> look to have more extensive dependencies:
> s3_token,swift_auth on swift and ec2_token on nova.

yes, BTW swift middleware is going to be moved to swift
from http://eavesdrop.openstack.org/meetings/openstack-meeting/2012/openstack-meeting.2012-05-16-20.31.html

"Voted on "move swift_auth.py middleware from keystone to swift?" Results are, yes: 5"

> perhaps python-iso8601 should be added to python-keystone

I've fixed that in openstack-keystone-2012.1-2
http://pkgs.fedoraproject.org/gitweb/?p=openstack-keystone.git;a=commitdiff;h=edd22d669d2c0bb8d591d0da673ea536fa88a46a#patch4

> Shouldn't it be catching ImportError rather than NameError?

Let's file LP bug upstream.

If you guys want to create subpackage for s3_token and ec2_token that would be ideal tool and indeed we are working on moving swift_auth to swift so no need to create a subpackage (perhaps another bug report when moved to swift).

PS: it should indeed be ImportError

Created attachment 586483 [details]
proposed spec patch

Created attachment 586484 [details]
proposed spec patch

The milestone bump is redundant and a bit confusing given there never was an essex rc3 for keystone. Otherwise patch looks good.

cheers

(In reply to comment #8)
> The milestone bump is redundant and a bit confusing

Count me confused too, that was wrong line :) I meant to bump Release only of course.

One thing I missed, yum update on existing Keystone installation will not pull python-keystone-auth-token:

@@ -56,6 +56,9 @@ Group:            Applications/System
 # python-keystone added in 2012.1-0.2.e3
 Conflicts:      openstack-keystone < 2012.1-0.2.e3
 
+# to pull middleware on yum update
+Requires:       python-keystone-auth-token = %{version}-%{release}
+
 Requires:       python-eventlet
 Requires:       python-ldap
 Requires:       python-lxml

Created attachment 586618 [details]
final proposed patch

Created attachment 586621 [details]
final final patch

* yum update
Updating:
 openstack-keystone             noarch     2012.1-3.fc16
 python-keystone                noarch     2012.1-3.fc16
Installing for dependencies:
 python-keystone-auth-token     noarch     2012.1-3.fc16

* yum install python-keystone-auth-token
Installing:
 python-keystone-auth-token     noarch     2012.1-3.fc16
Updating:
 python-keystone                noarch     2012.1-3.fc16
Updating for dependencies:
 openstack-keystone             noarch     2012.1-3.fc16

openstack-keystone-2012.1-3.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/FEDORA-2012-8283/openstack-keystone-2012.1-3.fc17

Package openstack-keystone-2012.1-3.fc17:
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing openstack-keystone-2012.1-3.fc17'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-8283/openstack-keystone-2012.1-3.fc17
then log in and leave karma (feedback).

This will need to be updated, as the package is missing two empty __init__.py files in the keystone/ and keystone/middleware/ directories

I tested with those in place and glance was able to start OK

Note these empty files will need to not conflict with those from python-keystone.
I've not looked into how best to achieve that.

What about small subpackage python-keystone-common which contains only:
keystone/__init__.py*
keystone/middleware/__init__.py*

(In reply to comment #15)
> keystone/middleware/__init__.py*

Bad idea, it contains "from keystone.middleware.core import *" and core.py imports from keystone.

Only clean way seems to move auth_token out of keystone.middleware but that requires changes in paste-deploy configs of all apps.
Might be worth to propose that change upstream.

(In reply to comment #16)
> (In reply to comment #15)
> > keystone/middleware/__init__.py*
> 
> Bad idea, it contains "from keystone.middleware.core import *" and core.py
> imports from keystone.

I tried to get rid of that but that would require keystone.conf changes which is config{noreplace} so existing setups would be broken after update.

This is yet another reason why mixing user-configurable settings and paste-deploy is bad, but that's another story.

Only quick fix here is what Pádraig suggested:
let python-keystone-auth-token create empty __init__.py if missing in %post script.
That way it can stand alone and if full python-keystone gets installed, it will overwrite those empty files.

> Only quick fix here is what Pádraig suggested:

http://pkgs.fedoraproject.org/gitweb/?p=openstack-keystone.git;a=commitdiff;h=55247fe77e53bfdf58c19078a3f289ba357bb0e3

Pádraig, I feel rather dirty after this, please review :)

Nice work on the triggerpostun edge case.
I learn something every day :)

The logic looks sound, so looks good to me

Reopening, triggerpostun has a side-effect on el6 where keystone/__init__.py is patched to import parallel versions of few python libs.

Package openstack-keystone-2012.1-4.fc17:
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing openstack-keystone-2012.1-4.fc17'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-8283/openstack-keystone-2012.1-4.fc17
then log in and leave karma (feedback).

(In reply to comment #20)
> Reopening, triggerpostun has a side-effect on el6 where keystone/__init__.py
> is patched to import parallel versions of few python libs.

The issue is that triggerpostun was running on upgrades, breaking python-keystone:
http://pkgs.fedoraproject.org/gitweb/?p=openstack-keystone.git;a=commitdiff;h=fa729f8c9e4761ebb3b51eb38030defe48f328bf

openstack-keystone-2012.1-8.el6 has been submitted as an update for Fedora EPEL 6.
https://admin.fedoraproject.org/updates/openstack-keystone-2012.1-8.el6

Package openstack-keystone-2012.1-5.fc17:
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing openstack-keystone-2012.1-5.fc17'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-8283/openstack-keystone-2012.1-5.fc17
then log in and leave karma (feedback).

openstack-keystone-2012.1.1-1.el6 has been submitted as an update for Fedora EPEL 6.
https://admin.fedoraproject.org/updates/openstack-keystone-2012.1.1-1.el6

openstack-keystone-2012.1.1-1.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/openstack-keystone-2012.1.1-1.fc17

openstack-keystone-2012.1.1-1.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.

Fun never ends:

folsom-2 introduced new keystone-internal dependecy, breaking auth-token stand-alone:

 from keystone.openstack.common import jsonutils

and folsom-3 adds one more:

 from keystone.common import cms

I'll look into further subpackaging common parts as python-keystone-common but this is getting messy.

Filed bug 844508 to track the issue described in comment 28

openstack-keystone-2012.1.1-1.el6 has been pushed to the Fedora EPEL 6 stable repository.  If problems still persist, please make note of it in this bug report.