<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">On 03/17/2015 02:51 AM, joehuang wrote:<br>
</div>
<blockquote
cite="mid:5E7A3D1BF5FD014E86E5F971CF446EFF5424B4B9@szxema505-mbs.china.huawei.com"
type="cite">
<p class="MsoNormal"><span
style="font-size:10.5pt;font-family:"Calibri","sans-serif";color:#1F497D"
lang="EN-US">It's not realistic to deploy the KeyStone service (
including the backend store ) in each site if the number, for
example, is more than 10. The reason is that the stored data,
including data related to revocation, need to be replicated to
all sites in a synchronous manner. Otherwise, the API server
might attempt to use the token before it's able to be
validated in the target site.
</span></p>
</blockquote>
<br>
Replicating revocation data across 10 sites will be tricky, but far
better than replicating all of the token data. Revocations should
be relatively rare.<br>
<blockquote
cite="mid:5E7A3D1BF5FD014E86E5F971CF446EFF5424B4B9@szxema505-mbs.china.huawei.com"
type="cite">
<p class="MsoNormal"><span
style="font-size:10.5pt;font-family:"Calibri","sans-serif";color:#1F497D"
lang="EN-US">When Fernet tokens are used in a multisite scenario,
each API request will ask for token validation from KeyStone.
The cloud will be out of service if KeyStone stops working,
therefore the KeyStone service needs to run in several sites.</span></p>
</blockquote>
<br>
There will be multiple Keystone servers, so each should talk to
its local instance.<br>
<blockquote
cite="mid:5E7A3D1BF5FD014E86E5F971CF446EFF5424B4B9@szxema505-mbs.china.huawei.com"
type="cite">
<p class="MsoNormal"><span
style="font-size:10.5pt;font-family:"Calibri","sans-serif";color:#1F497D"
lang="EN-US">For reliability purposes, I suggest that the
keystone client should provide a fail-safe design: a primary
KeyStone server, a second KeyStone server (or even a third
KeyStone server). If the primary KeyStone server is out of
service, then the KeyStone client will try the second KeyStone
server. Different KeyStone clients may be configured with
different primary KeyStone servers and second KeyStone
servers.</span></p>
</blockquote>
<br>
Makes sense, but that can be handled outside of Keystone using HA
and Heartbeat and a whole slew of technologies. Each Keystone server
can validate each other's tokens.<br>
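<br>
An added illustration (not Keystone's code and not from either author of this thread) of the two points above: a site that holds the shared key validates a token locally with no round trip to the issuing site, so only revocation events need to be replicated, and a site whose revocation replication lags will keep accepting a revoked token. It is a stdlib stand-in that signs JSON claims with HMAC-SHA256 in place of Fernet's AES-CBC+HMAC; the KeystoneSite class, the key and the user names are constructed.<br>

```python
import base64
import hashlib
import hmac
import json

MAC_LEN = hashlib.sha256().digest_size


class KeystoneSite:
    # Constructed stand-in for one site's Keystone: every site holds the same key
    # (as with a synced Fernet key repository) and a local copy of revocation events.
    def __init__(self, key):
        self.key = key
        self.revocations = []  # replicated (user_id, revoked_at) events; tokens never are

    def issue(self, user, project, now, ttl=3600):
        # Token = JSON claims + HMAC over them; nothing is stored server-side, so any
        # site holding the key validates it without contacting the issuing site.
        claims = {"user": user, "project": project, "iat": now, "exp": now + ttl}
        body = json.dumps(claims, sort_keys=True).encode()
        return base64.urlsafe_b64encode(body + hmac.new(self.key, body, hashlib.sha256).digest()).decode()

    def revoke_user(self, user, now):
        event = (user, now)
        self.revocations.append(event)
        return event  # the caller must replicate this event to every other site

    def validate(self, token, now):
        # Returns the claims if authentic, unexpired and not revoked at this site, else None.
        raw = base64.urlsafe_b64decode(token.encode())
        body, mac = raw[:-MAC_LEN], raw[-MAC_LEN:]
        if not hmac.compare_digest(hmac.new(self.key, body, hashlib.sha256).digest(), mac):
            return None
        claims = json.loads(body)
        if claims["exp"] <= now:
            return None
        # Revoked if a revocation event for this user was issued at or after the token's iat.
        if any(u == claims["user"] and at >= claims["iat"] for u, at in self.revocations):
            return None
        return claims


def multisite_demo():
    key = b"constructed-shared-key-not-for-real-use"
    site_a, site_b, site_c = (KeystoneSite(key) for _ in range(3))
    token = site_a.issue("alice", "proj", now=1000.0)
    accepted_remote = site_b.validate(token, now=1010.0) is not None  # no sync needed
    event = site_a.revoke_user("alice", now=1020.0)
    site_b.revocations.append(event)  # replication reached site B ...
    rejected_after_sync = site_b.validate(token, now=1030.0) is None
    still_accepted_lagging = site_c.validate(token, now=1030.0) is not None  # ... but not C yet
    return accepted_remote, rejected_after_sync, still_accepted_lagging
```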
<br>
</body>
</html>