Shouldn't it be a sysadmin's headache?<div>I think, it should be secure enough to run both APIs on one port and let sysadmin decide to allow or deny access to them on some conditions.<br clear="all"><br><div>Kind regards, Yuriy.</div>
<br>
<br><br><div class="gmail_quote">On Tue, Aug 23, 2011 at 19:00, Ziad Sawalha <span dir="ltr"><<a href="mailto:ziad.sawalha@rackspace.com">ziad.sawalha@rackspace.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
Admin and Service start on different ports (and potentially different<br>
networks). That's a deployment option we are trying to support from the<br>
get go to allow for deployments where the Admin APIU cannot be exposed on<br>
a public-facing network.<br>
<font color="#888888"><br>
Z<br>
</font><div><div></div><div class="h5"><br>
<br>
<br>
On 8/23/11 9:55 AM, "Ewan Mellor" <<a href="mailto:Ewan.Mellor@eu.citrix.com">Ewan.Mellor@eu.citrix.com</a>> wrote:<br>
<br>
>If the Admin API is a superset of the Service API, then what's the<br>
>difference between "keystone-control admin start" and "keystone-control<br>
>ALL start"?<br>
><br>
>Thanks,<br>
><br>
>Ewan.<br>
><br>
>> -----Original Message-----<br>
>> From: Ziad Sawalha [mailto:<a href="mailto:ziad.sawalha@rackspace.com">ziad.sawalha@rackspace.com</a>]<br>
>> Sent: 23 August 2011 20:24<br>
>> To: Ewan Mellor; Mark Nottingham; <<a href="mailto:ksankar@doubleclix.net">ksankar@doubleclix.net</a>><br>
>> Cc: <a href="mailto:openstack@lists.launchpad.net">openstack@lists.launchpad.net</a><br>
>> Subject: Re: [Openstack] Default ports for services<br>
>><br>
>> Yes, we'll probably be getting rid of some of those. They've been<br>
>> useful<br>
>> for testing (you can chose one, the other, or both) while we waited for<br>
>> a<br>
>> more robust implementation following other OpenStack service patterns.<br>
>> Keystone-control has been added to the bin folder to support the more<br>
>> OpenStack-like commands, but is not yet working. I think the pattern in<br>
>> keystone-control now is:<br>
>><br>
>> keystone-control ALL start<br>
>> or<br>
>> keystone-control auth start<br>
>> or<br>
>> keystone-control admin start<br>
>><br>
>> (probably should be `keystone-control service' start for the second<br>
>> one).<br>
>><br>
>><br>
>><br>
>><br>
>><br>
>><br>
>> On 8/23/11 9:45 AM, "Ewan Mellor" <<a href="mailto:Ewan.Mellor@eu.citrix.com">Ewan.Mellor@eu.citrix.com</a>> wrote:<br>
>><br>
>> >OK, now I'm confused. We have three scripts in the bin directory:<br>
>> >keystone-admin, keystone-auth, and keystone. If the Admin API is a<br>
>> >superset of the Service API, then why do we need these three variants?<br>
>> >Wouldn't we just need two? (Or maybe just one with a flag that said<br>
>> >"enable admin functions")<br>
>> ><br>
>> >Ewan.<br>
>> ><br>
>> >> -----Original Message-----<br>
>> >> From: Ziad Sawalha [mailto:<a href="mailto:ziad.sawalha@rackspace.com">ziad.sawalha@rackspace.com</a>]<br>
>> >> Sent: 23 August 2011 19:37<br>
>> >> To: Ewan Mellor; Mark Nottingham; <<a href="mailto:ksankar@doubleclix.net">ksankar@doubleclix.net</a>><br>
>> >> Cc: <a href="mailto:openstack@lists.launchpad.net">openstack@lists.launchpad.net</a><br>
>> >> Subject: Re: [Openstack] Default ports for services<br>
>> >><br>
>> >> The Admin API is a superset of the Service API. My thinking was that<br>
>> by<br>
>> >> default Keystone starts up and exposes the Admin API on 35357<br>
>> allowing<br>
>> >> services on the local machine to find it and register themselves and<br>
>> >> their<br>
>> >> endpoints (especially if they are picking up ports dynamically).<br>
>> This<br>
>> >> is a<br>
>> >> simple use case for installing on one machine.<br>
>> >><br>
>> >> What I haven't fully worked out yet is how to handle multiple<br>
>> machine<br>
>> >> deployments. I'm thinking we should then register a DNS SRV record<br>
>> (or<br>
>> >> listen to broadcasts) to be discoverable by other machines on the<br>
>> >> network<br>
>> >> (or even a remote network).<br>
>> >><br>
>> >><br>
>> >><br>
>> >> On 8/23/11 5:49 AM, "Ewan Mellor" <<a href="mailto:Ewan.Mellor@eu.citrix.com">Ewan.Mellor@eu.citrix.com</a>> wrote:<br>
>> >><br>
>> >> >Are you intending to use 35357 for the admin API or the service<br>
>> API?<br>
>> >> And<br>
>> >> >what port will be the default for the other one?<br>
>> >> ><br>
>> >> >Thanks,<br>
>> >> ><br>
>> >> >Ewan.<br>
>> >> ><br>
>> >> >> -----Original Message-----<br>
>> >> >> From: openstack-<br>
>> bounces+ewan.mellor=<a href="mailto:citrix.com@lists.launchpad.net">citrix.com@lists.launchpad.net</a><br>
>> >> >> [mailto:<a href="mailto:openstack-">openstack-</a><br>
>> >> bounces+ewan.mellor=<a href="mailto:citrix.com@lists.launchpad.net">citrix.com@lists.launchpad.net</a>]<br>
>> >> >> On Behalf Of Ziad Sawalha<br>
>> >> >> Sent: 16 August 2011 22:17<br>
>> >> >> To: Mark Nottingham; <<a href="mailto:ksankar@doubleclix.net">ksankar@doubleclix.net</a>><br>
>> >> >> Cc: <a href="mailto:openstack@lists.launchpad.net">openstack@lists.launchpad.net</a><br>
>> >> >> Subject: Re: [Openstack] Default ports for services<br>
>> >> >><br>
>> >> >> Keystone has been assigned TCP port 35357 by IANA.<br>
>> >> >><br>
>> >> >> We'll make that the default port.<br>
>> >> >><br>
>> >> >> Thanks,<br>
>> >> >> Z<br>
>> >> >><br>
>> >> >><br>
>> >> >><br>
>> >> >> On 6/24/11 12:46 AM, "Mark Nottingham" <<a href="mailto:mnot@mnot.net">mnot@mnot.net</a>> wrote:<br>
>> >> >><br>
>> >> >> >On 24/06/2011, at 3:31 PM, <<a href="mailto:ksankar@doubleclix.net">ksankar@doubleclix.net</a>><br>
>> >> >> ><<a href="mailto:ksankar@doubleclix.net">ksankar@doubleclix.net</a>> wrote:<br>
>> >> >> ><br>
>> >> >> >> Couple of quick points:<br>
>> >> >> >><br>
>> >> >> >> a) Once the ports are fixed, we should register them with IANA<br>
>> as<br>
>> >> >> well<br>
>> >> >> >>known ports, which is the right<br>
>> >> >> >>place.[<a href="http://www.iana.org/assignments/port-numbers" target="_blank">http://www.iana.org/assignments/port-numbers</a>]<br>
>> >> >> ><br>
>> >> >> >That would be a friendly thing to do. See below for potential<br>
>> >> >> conflicts.<br>
>> >> >> ><br>
>> >> >> >> b) I was going to suggest something like a ZooKeeper, may be<br>
>> the<br>
>> >> >> >>service catalog serves that purpose.<br>
>> >> >> >> c) Also, on the port numbers, I assume they will manifest as<br>
>> >> >> universal<br>
>> >> >> >>constants and/or a configuration file in a universally (or<br>
>> >> >> >>intergalactically ;o)) known place.<br>
>> >> >> >> Cheers<br>
>> >> >> >> <k/><br>
>> >> >> >> -------- Original Message --------<br>
>> >> >> >> Subject: [Openstack] Default ports for services<br>
>> >> >> >> From: Ziad Sawalha <<a href="mailto:ziad.sawalha@rackspace.com">ziad.sawalha@rackspace.com</a>><br>
>> >> >> >> Date: Wed, June 22, 2011 9:52 pm<br>
>> >> >> >> To: "<a href="mailto:openstack@lists.launchpad.net">openstack@lists.launchpad.net</a>"<br>
>> >> <<a href="mailto:openstack@lists.launchpad.net">openstack@lists.launchpad.net</a>><br>
>> >> >> >><br>
>> >> >> >> Where's the best place to keep track of default ports for<br>
>> >> services<br>
>> >> >> to<br>
>> >> >> >>avoid conflicts? A wiki page on <a href="http://wiki.openstack.org" target="_blank">wiki.openstack.org</a>?<br>
>> >> >> >><br>
>> >> >> >> We had a discussion while working on Keystone about default<br>
>> ports<br>
>> >> >> for<br>
>> >> >> >>OpenStack services<br>
>> >> (<a href="https://github.com/rackspace/keystone/issues/31" target="_blank">https://github.com/rackspace/keystone/issues/31</a>).<br>
>> >> >> We<br>
>> >> >> >>want OpenStack to work 'out-of-the-box' without built-in port<br>
>> >> >> conflicts,<br>
>> >> >> >>so we should coordinate which ports new services start on.<br>
>> >> >> >><br>
>> >> >> >> At a minimum, we need that for Keystone as it isn't<br>
>> discoverable.<br>
>> >> >> Other<br>
>> >> >> >>services can be discovered using the service catalog that<br>
>> Keystone<br>
>> >> >> >>returns as part of an auth request (Sample response below at<br>
>> end<br>
>> >> of<br>
>> >> >> >>email).<br>
>> >> >> >><br>
>> >> >> >> Here's a list of ports we talked about on<br>
>> >> >> >><a href="https://github.com/rackspace/keystone/issues/31" target="_blank">https://github.com/rackspace/keystone/issues/31</a><br>
>> >> >> >> 80: Swift proxy server (swift/etc/proxy-server.conf-sample)<br>
>> >> >> ><br>
>> >> >> >Already taken by HTTP, of course. If it's just an HTTP API,<br>
>> that's<br>
>> >> >> fine.<br>
>> >> >> ><br>
>> >> >> >> 6000: Swift object server<br>
>> >> >> >> 6001: Swift container server<br>
>> >> >> >> 6002: Swift account server<br>
>> >> >> ><br>
>> >> >> >These are already registered for X-windows.<br>
>> >> >> ><br>
>> >> >> >> 6080: Nova VNC proxy<br>
>> >> >> ><br>
>> >> >> >free<br>
>> >> >> ><br>
>> >> >> >> 8001: Nova direct API<br>
>> >> >> ><br>
>> >> >> >taken by vcom-tunnel<br>
>> >> >> ><br>
>> >> >> >> 8080: Swift proxy server (swift/bin/swift-proxy-server)<br>
>> >> >> ><br>
>> >> >> >already HTTP alternate. Again, if it's an HTTP server (NOT http<br>
>> >> >> proxy),<br>
>> >> >> >that's OK.<br>
>> >> >> ><br>
>> >> >> >> 3306: MySQL<br>
>> >> >> ><br>
>> >> >> >already registered to mysql<br>
>> >> >> ><br>
>> >> >> >> 5672: AMPQ (RabbitMQ)<br>
>> >> >> ><br>
>> >> >> >already AMPQ<br>
>> >> >> ><br>
>> >> >> >> 9292: Glance API<br>
>> >> >> ><br>
>> >> >> >ArmTech Daemon (whatever that is)<br>
>> >> >> ><br>
>> >> >> >> 9191: Glance Registry<br>
>> >> >> ><br>
>> >> >> >Sun AppSvr JPDA<br>
>> >> >> ><br>
>> >> >> >> 5900...590?: qemu-system for VNC<br>
>> >> >> ><br>
>> >> >> >5901-5909 are Unassigned, 5900 is already remote framebuffer.<br>
>> >> >> ><br>
>> >> >> ><br>
>> >> >> >> We've moved Keystone to 5000/5001 (for Service and Admin API,<br>
>> >> >> >>respectively).<br>
>> >> >> ><br>
>> >> >> >commplex-main and commplex-link, respectively.<br>
>> >> >> ><br>
>> >> >> >><br>
>> >> >> >><br>
>> >> >> >><br>
>> >> >> >> Sample Response with service catalog:<br>
>> >> >> >> {<br>
>> >> >> >> "auth":{<br>
>> >> >> >> "token":{<br>
>> >> >> >> "id":"asdasdasd-adsasdads-asdasdasd-adsadsasd",<br>
>> >> >> >> "expires":"2010-11-01T03:32:15-05:00"<br>
>> >> >> >> },<br>
>> >> >> >> "serviceCatalog":{<br>
>> >> >> >> "nova":[<br>
>> >> >> >> {<br>
>> >> >> >> "region":"NorthAmerica",<br>
>> >> >> >> "publicURL":"<a href="https://service1-public:9000/v1/blah-" target="_blank">https://service1-public:9000/v1/blah-</a><br>
>> >> blah",<br>
>> >> >> >> "internalURL":"<a href="https://service1-" target="_blank">https://service1-</a><br>
>> internal:9001/v1/blah-<br>
>> >> >> blah"<br>
>> >> >> >> },<br>
>> >> >> >> {<br>
>> >> >> >> "region":"Europe",<br>
>> >> >> >> "publicURL":"<a href="https://service1-public-eu/v1/blah-" target="_blank">https://service1-public-eu/v1/blah-</a><br>
>> blah",<br>
>> >> >> >> "internalURL":"<a href="https://service1-internal-eu/v1/blah-" target="_blank">https://service1-internal-eu/v1/blah-</a><br>
>> >> blah"<br>
>> >> >> >> }<br>
>> >> >> >> ],<br>
>> >> >> >> "swift":[<br>
>> >> >> >> {<br>
>> >> >> >> "region":"regionOne",<br>
>> >> >> >> "publicURL":"<a href="https://service2-public-dat/v1/blah-" target="_blank">https://service2-public-dat/v1/blah-</a><br>
>> blah"<br>
>> >> >> >> }<br>
>> >> >> >> ]<br>
>> >> >> >> }<br>
>> >> >> >> }<br>
>> >> >> >> }<br>
>> >> >> >> _______________________________________________<br>
>> >> >> >> Mailing list: <a href="https://launchpad.net/~openstack" target="_blank">https://launchpad.net/~openstack</a><br>
>> >> >> >> Post to : <a href="mailto:openstack@lists.launchpad.net">openstack@lists.launchpad.net</a><br>
>> >> >> >> Unsubscribe : <a href="https://launchpad.net/~openstack" target="_blank">https://launchpad.net/~openstack</a><br>
>> >> >> >> More help : <a href="https://help.launchpad.net/ListHelp" target="_blank">https://help.launchpad.net/ListHelp</a><br>
>> >> >> >> _______________________________________________<br>
>> >> >> >> Mailing list: <a href="https://launchpad.net/~openstack" target="_blank">https://launchpad.net/~openstack</a><br>
>> >> >> >> Post to : <a href="mailto:openstack@lists.launchpad.net">openstack@lists.launchpad.net</a><br>
>> >> >> >> Unsubscribe : <a href="https://launchpad.net/~openstack" target="_blank">https://launchpad.net/~openstack</a><br>
>> >> >> >> More help : <a href="https://help.launchpad.net/ListHelp" target="_blank">https://help.launchpad.net/ListHelp</a><br>
>> >> >> ><br>
>> >> >> >--<br>
>> >> >> >Mark Nottingham <a href="http://www.mnot.net/" target="_blank">http://www.mnot.net/</a><br>
>> >> >> ><br>
>> >> >> ><br>
>> >> >> ><br>
>> >> >><br>
>> >> >> This email may include confidential information. If you received<br>
>> it<br>
>> >> in<br>
>> >> >> error, please delete it.<br>
>> >> >><br>
>> >> >><br>
>> >> >> _______________________________________________<br>
>> >> >> Mailing list: <a href="https://launchpad.net/~openstack" target="_blank">https://launchpad.net/~openstack</a><br>
>> >> >> Post to : <a href="mailto:openstack@lists.launchpad.net">openstack@lists.launchpad.net</a><br>
>> >> >> Unsubscribe : <a href="https://launchpad.net/~openstack" target="_blank">https://launchpad.net/~openstack</a><br>
>> >> >> More help : <a href="https://help.launchpad.net/ListHelp" target="_blank">https://help.launchpad.net/ListHelp</a><br>
>> >><br>
>> >> This email may include confidential information. If you received it<br>
>> in<br>
>> >> error, please delete it.<br>
>> ><br>
>><br>
>> This email may include confidential information. If you received it in<br>
>> error, please delete it.<br>
><br>
<br>
This email may include confidential information. If you received it in error, please delete it.<br>
<br>
<br>
_______________________________________________<br>
Mailing list: <a href="https://launchpad.net/~openstack" target="_blank">https://launchpad.net/~openstack</a><br>
Post to : <a href="mailto:openstack@lists.launchpad.net">openstack@lists.launchpad.net</a><br>
Unsubscribe : <a href="https://launchpad.net/~openstack" target="_blank">https://launchpad.net/~openstack</a><br>
More help : <a href="https://help.launchpad.net/ListHelp" target="_blank">https://help.launchpad.net/ListHelp</a><br>
</div></div></blockquote></div><br></div>