<html>
  <head>
    <meta content="text/html; charset=windows-1252"
      http-equiv="Content-Type">
  </head>
  <body text="#000000" bgcolor="#FFFFFF">
    <div class="moz-cite-prefix">On 03/08/2016 11:06 AM, Matt Fischer
      wrote:<br>
    </div>
    <blockquote
cite="mid:CAHr1CO_dpwgSDYUmfXCC+UySnBo1+nHJmouWjnFefXLOEXxBYA@mail.gmail.com"
      type="cite">
      <div dir="ltr">This would be complicated to set up. How would the
        OpenStack services validate the token? Which keystone node would
        they use? A better question is why would you want to do this? </div>
      <div class="gmail_extra"><br>
        <div class="gmail_quote">On Tue, Mar 8, 2016 at 8:45 AM, rezroo
          <span dir="ltr">&lt;<a moz-do-not-send="true"
              href="mailto:openstack@roodsari.us" target="_blank">openstack@roodsari.us</a>&gt;</span>
          wrote:<br>
          <blockquote class="gmail_quote" style="margin:0 0 0
            .8ex;border-left:1px #ccc solid;padding-left:1ex">Keystone
            supports both tokens and ec2 credentials simultaneously, but
            as far as I can tell, will only do a single token format
            (uuid, pki/z, fernet) at a time. Is it possible or advisable
            to configure keystone to issue multiple token formats? For
            example, I could configure two keystone servers, each using
            a different token format, so depending on endpoint used, I
            could get a uuid or pki token. Each service can use either
            token format, so is there a conceptual or implementation
            issue with this setup?<br>
            Thanks,<br>
            Reza<br>
            <br>
__________________________________________________________________________<br>
            OpenStack Development Mailing List (not for usage questions)<br>
            Unsubscribe: <a moz-do-not-send="true"
href="http://OpenStack-dev-request@lists.openstack.org?subject:unsubscribe"
              rel="noreferrer" target="_blank">OpenStack-dev-request@lists.openstack.org?subject:unsubscribe</a><br>
            <a moz-do-not-send="true"
              href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev"
              rel="noreferrer" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a><br>
          </blockquote>
        </div>
        <br>
      </div>
    </blockquote>
    Theoretically:<br>
    <br>
    Two different Keystone servers could independently issue different
    token formats. They would need to share a common backend, so that
    they could all be verified online. PKIZ could be issued from
    multiple servers, each using different signing certs, so long as all
    the services got all the certs.<br>
    <br>
    Practically:<br>
    <br>
    You'd be insane to do this in production.<br>
  </body>
</html>