[Openstack-operators] "Master" keystone and "sub"

RunnerCheng runner_cheng at hotmail.com
Tue Sep 29 03:25:23 UTC 2015


Hi All,
 
Really, thanks to all of you for discussing this topic; I believe I got several important clues from your discussion.
------------------------------

Message: 11
Date: Mon, 28 Sep 2015 15:31:54 -0400
From: Adam Young <ayoung at redhat.com>
To: openstack-operators at lists.openstack.org
Subject: Re: [Openstack-operators] "Master" keystone and "sub" keystone
Message-ID: <560995AA.5040808 at redhat.com>
Content-Type: text/plain; charset="utf-8"; Format="flowed"

On 09/26/2015 11:19 PM, RunnerCheng wrote:
> Hi All,
> I'm a newbie to keystone, and I'm doing some research about it 
> recently. I have a question about how to deploy it. The scenario is 
> below:
>
> One company has one headquarters DC and 5 sub DCs located in different 
> cities. We want to deploy separate OpenStack with a "sub" keystone at 
> each sub DC, and want to deploy one "master" keystone at the headquarters 
> DC. We want to manage all users, roles and tenants etc. on the "master" 
> keystone; however, we want the end-user to be able to authenticate with the "sub" 
> keystone where he or she is located.


Use LDAP for the users, don't keep them in Keystone.

Replicate roles, projects etc from master to sub.

Use Fernet tokens.  Replicate revocation events both ways.


>
> Does anyone understand this scenario? How can it be realized without 
> additional development?
>
> Thanks in advance!
>
> Sam Cheng
>
>
> _______________________________________________
> OpenStack-operators mailing list
> OpenStack-operators at lists.openstack.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators

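The master/sub arrangement Adam describes, as an added illustration that is not code from this thread or from Keystone itself: every site holds a copy of the same Fernet key repository, so a token issued at a sub DC validates at headquarters and vice versa, while revocation is separate state that only takes effect at a site once the event has been replicated to it. HMAC-SHA256 stands in for real Fernet (AES-CBC plus HMAC), and the site names and keys are constructed.

```python
import base64, hashlib, hmac, json, os, time

# Stand-in for the Fernet key repository Keystone keeps on disk: index 0 is the
# staged key, the highest index is the primary (signs new tokens), the rest are
# secondaries that can still validate. Real Fernet is AES-CBC plus HMAC; an
# HMAC-SHA256 tag alone stands in for it here (assumption, not Keystone code).
class KeystoneSite:
    def __init__(self, name, key_repo):
        self.name = name
        self.keys = dict(key_repo)   # same repository replicated to every site
        self.revoked = set()         # users named by replicated revocation events

    def issue_token(self, user, project):
        idx = max(self.keys)         # primary key index
        payload = json.dumps({"user": user, "project": project,
                              "issuer": self.name, "iat": int(time.time())}).encode()
        mac = hmac.new(self.keys[idx], payload, hashlib.sha256).digest()
        return base64.urlsafe_b64encode(bytes([idx]) + mac + payload).decode()

    def validate(self, token):
        raw = base64.urlsafe_b64decode(token)
        idx, mac, payload = raw[0], raw[1:33], raw[33:]
        key = self.keys.get(idx)
        if key is None:              # key not replicated here (or already pruned)
            return None
        if not hmac.compare_digest(mac, hmac.new(key, payload, hashlib.sha256).digest()):
            return None              # forged, or signed with a foreign repository
        claims = json.loads(payload)
        # A valid signature is not enough: revocation state is separate, so a
        # site that has not yet received the event keeps accepting the token.
        return None if claims["user"] in self.revoked else claims

    def revoke_user(self, user):
        self.revoked.add(user)
        return {"type": "user", "user": user, "origin": self.name}

    def apply_revocation(self, event):
        self.revoked.add(event["user"])

def replicate(event, sites):
    # Revocation events must travel both ways: master -> subs and sub -> master.
    for site in sites:
        site.apply_revocation(event)

def build_sites():
    # Constructed repository: index 1 is primary, index 0 staged; copied to the sub.
    repo = {0: os.urandom(32), 1: os.urandom(32)}
    return KeystoneSite("hq", repo), KeystoneSite("sub-dc1", repo)
```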

------------------------------

Message: 12
Date: Mon, 28 Sep 2015 15:46:50 -0400
From: Jonathan Proulx <jon at csail.mit.edu>
To: Adam Young <ayoung at redhat.com>
Cc: openstack-operators at lists.openstack.org
Subject: Re: [Openstack-operators] "Master" keystone and "sub" keystone
Message-ID: <20150928194650.GO24467 at csail.mit.edu>
Content-Type: text/plain; charset=us-ascii

On Mon, Sep 28, 2015 at 03:31:54PM -0400, Adam Young wrote:
:Use LDAP for the users, don't keep them in Keystone.
:
:Replicate roles, projects etc from master to sub.
:
:Use Fernet tokens.  Replicate revocation events both ways.

I'm hearing conflicting advice about the suitability of Fernet tokens
for production use.

I like the idea. I did get them to work in Kilo trivially for the CLI, but
Horizon was unhappy for reasons I didn't fully investigate; as I heard
they 'weren't quite ready in Kilo', I deferred further investigation
to the next cycle.

Though honestly, if you're building something new right now, starting
with Liberty is probably the right thing anyway; by the time you're
done with the PoC it will be released.

-Jon



------------------------------

Message: 13
Date: Mon, 28 Sep 2015 14:06:00 -0600
From: Matt Fischer <matt at mattfischer.com>
To: Jonathan Proulx <jon at csail.mit.edu>
Cc: openstack-operators at lists.openstack.org
Subject: Re: [Openstack-operators] "Master" keystone and "sub" keystone
Message-ID: <CAHr1CO9sSjwb6ug-9D9K2Zt8Y6WWxQON1ZPecWojqZkMstPV+A at mail.gmail.com>
Content-Type: text/plain; charset="utf-8"

On Mon, Sep 28, 2015 at 1:46 PM, Jonathan Proulx <jon at csail.mit.edu> wrote:

> I'm hearing conflicting advice about the suitability of Fernet tokens
> for production use.
>
> I like the idea. I did get them to work in Kilo trivially for the CLI, but
> Horizon was unhappy for reasons I didn't fully investigate; as I heard
> they 'weren't quite ready in Kilo', I deferred further investigation
> to the next cycle.
>
> Though honestly, if you're building something new right now, starting
> with Liberty is probably the right thing anyway; by the time you're
> done with the PoC it will be released.
>
> -Jon


We're using them in prod, generally happy except with validation
performance. For Horizon we run off of master anyway, but you have to pull
in some code from Liberty or it won't work.

------------------------------

Message: 14
Date: Mon, 28 Sep 2015 16:20:56 -0400
From: Jonathan Proulx <jon at csail.mit.edu>
To: Matt Fischer <matt at mattfischer.com>
Cc: openstack-operators at lists.openstack.org
Subject: Re: [Openstack-operators] "Master" keystone and "sub" keystone
Message-ID: <20150928202056.GP24467 at csail.mit.edu>
Content-Type: text/plain; charset=us-ascii

On Mon, Sep 28, 2015 at 02:06:00PM -0600, Matt Fischer wrote:
:We're using them in prod, generally happy except with validation
:performance. For Horizon we run off of master anyway, but you have to pull
:in some code from Liberty or it won't work.

Thanks, that's actually very good to know. I have a recent master
version of Horizon that I hope to move to production soon, so if it's
all Horizon issues I may make the move to Fernet in production sooner
rather than later.

-Jon



------------------------------
