<html>
<head>
<meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<div class="moz-cite-prefix">On 09/26/2015 11:19 PM, RunnerCheng
wrote:<br>
</div>
<blockquote cite="mid:BLU173-W23A391B0F6C6616372E1EE7400@phx.gbl"
type="cite">
<style><!--
.hmmessage P
{
margin:0px;
padding:0px
}
body.hmmessage
{
font-size: 12pt;
font-family:微软雅黑
}
--></style>
<div dir="ltr">Hi All,<br>
I'm a newbie of keystone, and I'm doing some research about it
recently. I have a question about how to deploy it. The scenario
is on below:<br>
<br>
One comany has one headquarter dc and 5 sub dc locate in
different cities. We want to deploy separate OpenStack with
"sub" keystone at the sub dc, and want to deploy one "master"
keystone at headquarter dc. We want to manage all users, roles
and tenants etc on the "master" keystone, however we want the
end-user can authenticate with the "sub" keystone where he or
she is locate.<br>
</div>
</blockquote>
<br>
<br>
Use LDAP for the users, don't keep them in Keystone.<br>
<br>
Replicate roles, projects etc from master to sub.<br>
<br>
Use Fernet tokens. Replicate revocation events both ways.<br>
<br>
<br>
<blockquote cite="mid:BLU173-W23A391B0F6C6616372E1EE7400@phx.gbl"
type="cite">
<div dir="ltr"> <br>
Is anyone understant this scenario? How to realize it without
additionaly development?<br>
<br>
Thanks in advance!<br>
<br>
Sam Cheng<br>
</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
OpenStack-operators mailing list
<a class="moz-txt-link-abbreviated" href="mailto:OpenStack-operators@lists.openstack.org">OpenStack-operators@lists.openstack.org</a>
<a class="moz-txt-link-freetext" href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators</a>
</pre>
</blockquote>
<br>
</body>
</html>