<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Word 14 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:Wingdings;
panose-1:5 0 0 0 0 0 0 0 0 0;}
@font-face
{font-family:Wingdings;
panose-1:5 0 0 0 0 0 0 0 0 0;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
span.hoenzb
{mso-style-name:hoenzb;}
span.EmailStyle18
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri","sans-serif";
mso-fareast-language:EN-US;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:3.0cm 2.0cm 3.0cm 2.0cm;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="DA" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Hi<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">As for the network diagram the one on the referred page (http://docs.openstack.org/trunk/openstack-object-storage/admin/content/figures/swift_install_arch.png)
more or less looks what I plan on doing. I would just put a NAT’ing firewall between the public switch and the internet. For security reasons, I think it would make more sense to have the Auth node (keystone service) located on the private switch – but I am
not sure whether it is possible.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">I am still trying to figure out how the different components interact, and exactly what the different parameters on the keystone command does.
Once I get that understanding, things will probably be much easier </span><span lang="EN-US" style="font-size:11.0pt;font-family:Wingdings;color:#1F497D">J</span><span lang="EN-US" style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Regarding the location of the keystone server – and please correct me, if I’m wrong; user authentication is done via the proxy. When a user authenticates,
I assume that the proxy asks the keystone/auth server – instead of the client asks the auth/keystone server directly? If it is the proxy that handles the authentication request towards the keystone server – then the keystone might as well be located on the
private switch on the drawing (for enhanced security). Of course, if the keystone service is located on the private switch, the IP addresses in the URL’s for the endpoint creation will need to match the IP address of the server in this network.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Clients will be located on the internet side on the drawing (again – I want to put a NAT’ing firewall between the public switch and what is referred
to as “internet” on the drawing).<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Maybe I should start digging into the book “OpenStack Cloud Computing Cookbook” by Kevin Jackson to see if this can make things clearer for me
</span><span lang="EN-US" style="font-size:11.0pt;font-family:Wingdings;color:#1F497D">J</span><span lang="EN-US" style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Regards<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Brian
<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<div style="border:none;border-left:solid blue 1.5pt;padding:0cm 0cm 0cm 4.0pt">
<div>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b><span lang="EN-US" style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span lang="EN-US" style="font-size:10.0pt;font-family:"Tahoma","sans-serif""> Kuo Hugo [mailto:tonytkdk@gmail.com]
<br>
<b>Sent:</b> 19 January 2013 09:58<br>
<b>To:</b> Brian Ipsen<br>
<b>Cc:</b> openstack@lists.launchpad.net<br>
<b>Subject:</b> Re: [Openstack] Network setup - Swift / keystone location and configuration?<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal"><span style="font-size:10.5pt;font-family:"Arial","sans-serif"">The answer is depends on your service plan . </span><o:p></o:p></p>
<div>
<p class="MsoNormal"><span style="font-size:10.5pt;font-family:"Arial","sans-serif""><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:10.5pt;font-family:"Arial","sans-serif"">Generally , the IP for keystone is the network which could be accessed from client . <o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:10.5pt;font-family:"Arial","sans-serif"">Also , the publicurl / adminurl / internal could be different . <o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:10.5pt;font-family:"Arial","sans-serif""><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:10.5pt;font-family:"Arial","sans-serif"">Keystone is the auth agent for swift(and all other services) , while you produce a request to ask for "services URLs / role / token" with your username/password . It will return
a bunch of of information . <o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:10.5pt;font-family:"Arial","sans-serif"">In keystone v1.0 legacy auth method , it presents as several x-headers . <o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:10.5pt;font-family:"Arial","sans-serif"">In keystone v2.0 , it returns a pack of json which includes more information . Such as service urls , in your case the service type is object-storage(aka. swift) . <o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:10.5pt;font-family:"Arial","sans-serif""><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:10.5pt;font-family:"Arial","sans-serif"">The client could parse the needed url for using. <o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:10.5pt;font-family:"Arial","sans-serif"">The swift-client is using --publicurl as I know .<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:10.5pt;font-family:"Arial","sans-serif""><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:10.5pt;font-family:"Arial","sans-serif"">[Q]Could I have a question ? <o:p></o:p></span></p>
</div>
<blockquote style="margin-left:30.0pt;margin-right:0cm">
<p class="MsoNormal"><span style="font-size:10.5pt;font-family:"Arial","sans-serif"">Which network will the client located ?<o:p></o:p></span></p>
</blockquote>
<div>
<p class="MsoNormal"><span style="font-size:10.5pt;font-family:"Arial","sans-serif""><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:10.5pt;font-family:"Arial","sans-serif"">For x.x.x.x , you can just fill in the IP which accessible from client . If there's a NAT of LB , you need to point to NAT entry point of LB IP and redirect to the service
port or internal IP . <o:p></o:p></span></p>
</div>
<div>
<div>
<p class="MsoNormal"><span style="font-size:10.5pt;font-family:"Arial","sans-serif""><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:10.5pt;font-family:"Arial","sans-serif"">keystone endpoint-create --region RegionOne --service-id $KEYSVC_ID --publicurl '<a href="http://x.x.x.x5000/v2.0" target="_blank">http://x.x.x.x5000/v2.0</a>' --adminurl '<a href="http://x.x.x.x:35357/v2.0" target="_blank">http://x.x.x.x:35357/v2.0</a>'
--internalurl '<a href="http://x.x.x.x:5000/v2.0" target="_blank">http://x.x.x.x:5000/v2.0</a>'<o:p></o:p></span></p>
</div>
</div>
<div>
<p class="MsoNormal"><span style="font-size:10.5pt;font-family:"Arial","sans-serif"">keystone endpoint-create --service-id $SWIFTSVC_ID --publicurl '<a href="http://x.x.x.x:8080/v1/AUTH_%5C$(tenant_id)s" target="_blank">http://x.x.x.x:8080/v1/AUTH_\$(tenant_id)s</a>'
--adminurl '<a href="http://x.x.x.x:8080/v1/AUTH_%5C$(tenant_id)s" target="_blank">http://x.x.x.x:8080/v1/AUTH_\$(tenant_id)s</a> ' --internalurl ' <a href="http://x.x.x.x:8080/v1/AUTH_%5C$(tenant_id)s" target="_blank">http://x.x.x.x:8080/v1/AUTH_\$(tenant_id)s</a> '<o:p></o:p></span></p>
</div>
</div>
<div>
<p class="MsoNormal" style="margin-bottom:12.0pt"><o:p> </o:p></p>
<div>
<p class="MsoNormal">2013/1/19 Brian Ipsen <<a href="mailto:brian.ipsen@ryesgade47c.dk" target="_blank">brian.ipsen@ryesgade47c.dk</a>><o:p></o:p></p>
<div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">Hi<o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span lang="EN-US">I am trying to figure out how to build a swift setup with Keystone identity management – and have the environment secured by a firewall.</span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span lang="EN-US"> </span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span lang="EN-US">I expect, that a number of proxy nodes are accessible through the firewall (traffic will be NAT’ed). The proxy nodes are connected to a private “storage network”
(not accessible from the outside) on a second network interface. Will the keystone have to be on the “public” side of the proxy nodes – or can it be on the “private” side (see
<a href="http://docs.openstack.org/trunk/openstack-object-storage/admin/content/example-object-storage-installation-architecture.html" target="_blank">
http://docs.openstack.org/trunk/openstack-object-storage/admin/content/example-object-storage-installation-architecture.html</a> - here it is on the “public” side)</span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span lang="EN-US"> </span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span lang="EN-US">But I am not quite sure about the configuration of the different service when it comes to specifying the different URL’s…</span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span lang="EN-US">For example, for the Keystone service:</span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span lang="EN-US"> </span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span lang="EN-US">Assuming, that storage/swift nodes are located in the range 172.21.100.20-172.21.100.80, the keystone server on 172.21.100.10 – and the proxies on 172.21.100.100-172.21.100.120
(and external 10.32.30.10-10.32.30.30). What would be the correct IP’s to use on this command ?</span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span lang="EN-US">keystone service-create --name keystone --type=identity --description "Keystone Identity Service"</span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span lang="EN-US">keystone endpoint-create --region RegionOne --service-id $KEYSVC_ID --publicurl '<a href="http://x.x.x.x5000/v2.0" target="_blank">http://x.x.x.x5000/v2.0</a>'
--adminurl '<a href="http://x.x.x.x:35357/v2.0" target="_blank">http://x.x.x.x:35357/v2.0</a>' --internalurl '<a href="http://x.x.x.x:5000/v2.0" target="_blank">http://x.x.x.x:5000/v2.0</a>'</span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span lang="EN-US"> </span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span lang="EN-US">And for swift:</span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span lang="EN-US">keystone service-create --name keystone --type=identity --description "Swift Storage Service"</span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span lang="EN-US">keystone endpoint-create --service-id $SWIFTSVC_ID --publicurl '<a href="http://x.x.x.x:8080/v1/AUTH_%5C$(tenant_id)s" target="_blank">http://x.x.x.x:8080/v1/AUTH_\$(tenant_id)s</a>'
--adminurl ' <a href="http://x.x.x.x:8080/v1/AUTH_%5C$(tenant_id)s" target="_blank">
http://x.x.x.x:8080/v1/AUTH_\$(tenant_id)s</a> ' --internalurl ' <a href="http://x.x.x.x:8080/v1/AUTH_%5C$(tenant_id)s" target="_blank">
http://x.x.x.x:8080/v1/AUTH_\$(tenant_id)s</a> '</span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span lang="EN-US"> </span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span lang="EN-US">Regards</span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span lang="EN-US" style="color:#888888">Brian</span><span style="color:#888888"><o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span lang="EN-US" style="color:#888888"> </span><span style="color:#888888"><o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal" style="margin-bottom:12.0pt"><br>
_______________________________________________<br>
Mailing list: <a href="https://launchpad.net/~openstack" target="_blank">https://launchpad.net/~openstack</a><br>
Post to : <a href="mailto:openstack@lists.launchpad.net">openstack@lists.launchpad.net</a><br>
Unsubscribe : <a href="https://launchpad.net/~openstack" target="_blank">https://launchpad.net/~openstack</a><br>
More help : <a href="https://help.launchpad.net/ListHelp" target="_blank">https://help.launchpad.net/ListHelp</a><o:p></o:p></p>
</div>
<p class="MsoNormal"><br>
<br clear="all">
<o:p></o:p></p>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<p class="MsoNormal">-- <o:p></o:p></p>
<div>
<p class="MsoNormal">+Hugo Kuo+<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><a href="mailto:tonytkdk@gmail.com" target="_blank">tonytkdk@gmail.com<br>
</a><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><a href="mailto:tonytkdk@gmail.com" target="_blank">+</a>886 935004793<o:p></o:p></p>
</div>
</div>
</div>
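<p class="MsoNormal">Added example (editor-written code, not from anyone in the thread and not OpenStack's own code): the endpoint templates quoted above, rendered into the serviceCatalog that a Keystone v2.0 token response returns, the client-side pick of the publicURL for the object-store service, and a check that each registered URL lands on the intended side of the firewall. The addresses follow Brian's example ranges (10.32.30.0/24 as the public, client-reachable side; 172.21.100.0/24 as the private storage network); the individual hosts and the tenant id are assumptions. One caveat worth keeping in mind: a v2.0 catalog hands all three URLs to every authenticated client, so the adminURL (port 35357 for Keystone) should point into the private network and the firewall should not forward that port from the public side.</p>

```python
"""Editor-written example, not code from the thread or from OpenStack.

Shows what the `keystone endpoint-create` URLs turn into: Keystone fills the
$(tenant_id)s placeholder when it builds a user's v2.0 service catalog, the
client selects one interface (swift uses publicURL), and a small check
classifies each URL by the network it points into.
"""
import ipaddress
from urllib.parse import urlparse

# Endpoint templates as they would be registered with `keystone endpoint-create`.
# Constructed from the commands in the thread; the concrete hosts are assumed,
# following Brian's layout (10.32.30.x public side, 172.21.100.x private side).
ENDPOINT_TEMPLATES = {
    "identity": {
        "publicURL": "http://10.32.30.10:5000/v2.0",
        "internalURL": "http://172.21.100.10:5000/v2.0",
        "adminURL": "http://172.21.100.10:35357/v2.0",
    },
    "object-store": {
        "publicURL": "http://10.32.30.10:8080/v1/AUTH_$(tenant_id)s",
        "internalURL": "http://172.21.100.100:8080/v1/AUTH_$(tenant_id)s",
        "adminURL": "http://172.21.100.100:8080/v1",
    },
}

# Assumed network plan, taken from the example ranges in Brian's question.
PUBLIC_NET = ipaddress.ip_network("10.32.30.0/24")
PRIVATE_NET = ipaddress.ip_network("172.21.100.0/24")


def render_url(template, tenant_id):
    """Expand the $(tenant_id)s placeholder the way Keystone's catalog does:
    '$(' is rewritten to '%(' and Python %-formatting fills in the value.
    Templates without a placeholder pass through unchanged."""
    return template.replace("$(", "%(") % {"tenant_id": tenant_id}


def build_catalog(templates, tenant_id, region="RegionOne"):
    """Return the serviceCatalog list that a v2.0 token response carries under
    access.serviceCatalog, with every template rendered for tenant_id."""
    catalog = []
    for service_type, urls in templates.items():
        endpoint = {"region": region}
        for interface, template in urls.items():
            endpoint[interface] = render_url(template, tenant_id)
        catalog.append({"type": service_type, "endpoints": [endpoint]})
    return catalog


def select_endpoint(catalog, service_type, interface="publicURL", region=None):
    """Client-side selection: the URL for one service and one interface.
    Raises LookupError instead of falling back to another interface, so a
    missing publicURL can never silently route a client to an internal address."""
    for service in catalog:
        if service["type"] != service_type:
            continue
        for endpoint in service["endpoints"]:
            if region is not None and endpoint.get("region") != region:
                continue
            if interface in endpoint:
                return endpoint[interface]
    raise LookupError(f"no {interface} for {service_type!r} (region={region!r})")


def check_exposure(catalog, public_net=PUBLIC_NET):
    """Flag URLs on the wrong side of the firewall: a publicURL that clients on
    the public side cannot reach, or an adminURL that sits on the public
    network. Hostnames that are not IP literals are reported as unclassified
    rather than guessed at."""
    findings = []
    for service in catalog:
        for endpoint in service["endpoints"]:
            for interface in ("publicURL", "internalURL", "adminURL"):
                url = endpoint.get(interface)
                if url is None:
                    continue
                try:
                    host = ipaddress.ip_address(urlparse(url).hostname)
                except ValueError:
                    findings.append(f"{service['type']} {interface} {url}: "
                                    "hostname is not an IP literal, not classified")
                    continue
                if interface == "publicURL" and host not in public_net:
                    findings.append(f"{service['type']} publicURL {url} is not "
                                    f"reachable from the client network {public_net}")
                if interface == "adminURL" and host in public_net:
                    findings.append(f"{service['type']} adminURL {url} is exposed "
                                    f"on the public network {public_net}")
    return findings


if __name__ == "__main__":
    # The tenant id is an assumed value, not one from a real deployment.
    catalog = build_catalog(ENDPOINT_TEMPLATES, tenant_id="a1b2c3d4e5f6")
    print("swift client uses:", select_endpoint(catalog, "object-store"))
    print("proxy validates tokens at:", select_endpoint(catalog, "identity", "adminURL"))
    for finding in check_exposure(catalog) or ["no exposure findings"]:
        print(finding)
```

<p class="MsoNormal">Running the block with the templates as written reports no findings; swapping the identity publicURL and adminURL hosts (Keystone's public API on the private network, its admin API on the public one) produces one finding for each, which is the misconfiguration the thread is trying to avoid.</p>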
</div>
</body>
</html>