[openstack-dev] [keystone] Using multiple token formats in a one openstack cloud

Adam Young ayoung at redhat.com
Tue Mar 8 16:58:48 UTC 2016


On 03/08/2016 11:06 AM, Matt Fischer wrote:
> This would be complicated to set up. How would the OpenStack services
> validate the token? Which keystone node would they use? A better
> question is why would you want to do this?
>
> On Tue, Mar 8, 2016 at 8:45 AM, rezroo <openstack at roodsari.us> wrote:
>
>     Keystone supports both tokens and ec2 credentials simultaneously,
>     but as far as I can tell, will only do a single token format
>     (uuid, pki/z, fernet) at a time. Is it possible or advisable to
>     configure keystone to issue multiple token formats? For example, I
>     could configure two keystone servers, each using a different token
>     format, so depending on endpoint used, I could get a uuid or pki
>     token. Each service can use either token format, so is there a
>     conceptual or implementation issue with this setup?
>     Thanks,
>     Reza
>
Theoretically:

Two different Keystone servers could independently issue different token
formats. They would need to share a common backend, so that they could
all be verified online. PKIZ could be issued from multiple servers,
each using different signing certs, so long as all the services got all
the certs.

Practically:

You'd be insane to do this in production.