<div dir="ltr"><span style="font-family:arial,sans-serif;font-size:14px">The answer depends on your service plan. </span><div style="font-family:arial,sans-serif;font-size:14px"><br></div><div style="font-family:arial,sans-serif;font-size:14px">
Generally, the IP for keystone is on the network that can be accessed from the client. </div><div style="font-family:arial,sans-serif;font-size:14px">Also, the publicurl / adminurl / internalurl could be different. </div><div style="font-family:arial,sans-serif;font-size:14px">
<br></div><div style="font-family:arial,sans-serif;font-size:14px">Keystone is the auth agent for swift (and all other services): you send a request asking for "services URLs / role / token" with your username/password, and it will return a bunch of information. </div>
<div style="font-family:arial,sans-serif;font-size:14px">In the keystone v1.0 legacy auth method, it is presented as several x-headers. </div><div style="font-family:arial,sans-serif;font-size:14px">In keystone v2.0, it returns a pack of JSON which includes more information, such as service URLs; in your case the service type is object-storage (aka swift). </div>
<div style="font-family:arial,sans-serif;font-size:14px"><br></div><div style="font-family:arial,sans-serif;font-size:14px">The client can parse out the URL it needs to use. </div><div style="font-family:arial,sans-serif;font-size:14px">
The swift-client uses --publicurl, as far as I know.</div><div style="font-family:arial,sans-serif;font-size:14px"><br></div><div style="font-family:arial,sans-serif;font-size:14px">[Q] Could I ask a question? </div><blockquote style="font-family:arial,sans-serif;font-size:14px;margin:0px 0px 0px 40px;border:none;padding:0px">
Which network will the client be located in?</blockquote><div style="font-family:arial,sans-serif;font-size:14px"><br></div><div style="font-family:arial,sans-serif;font-size:14px">For x.x.x.x, you can just fill in the IP which is accessible from the client. If there's a NAT or LB, you need to point to the NAT entry point or LB IP and redirect to the service port or internal IP. </div>
<div class="im" style="font-family:arial,sans-serif;font-size:14px"><div><br></div><div>keystone endpoint-create --region RegionOne --service-id $KEYSVC_ID --publicurl '<a href="http://x.x.x.x:5000/v2.0" target="_blank">http://x.x.x.x:5000/v2.0</a>' --adminurl '<a href="http://x.x.x.x:35357/v2.0" target="_blank">http://x.x.x.x:35357/v2.0</a>' --internalurl '<a href="http://x.x.x.x:5000/v2.0" target="_blank">http://x.x.x.x:5000/v2.0</a>'<br>
</div></div><div class="im" style="font-family:arial,sans-serif;font-size:14px">keystone endpoint-create --service-id $SWIFTSVC_ID --publicurl '<a href="http://x.x.x.x:8080/v1/AUTH_%5C$(tenant_id)s" target="_blank">http://x.x.x.x:8080/v1/AUTH_\$(tenant_id)s</a>' --adminurl '<a href="http://x.x.x.x:8080/v1/AUTH_%5C$(tenant_id)s" target="_blank">http://x.x.x.x:8080/v1/AUTH_\$(tenant_id)s</a>' --internalurl '<a href="http://x.x.x.x:8080/v1/AUTH_%5C$(tenant_id)s" target="_blank">http://x.x.x.x:8080/v1/AUTH_\$(tenant_id)s</a>'</div>
</div><div class="gmail_extra"><br><br><div class="gmail_quote">2013/1/19 Brian Ipsen <span dir="ltr"><<a href="mailto:brian.ipsen@ryesgade47c.dk" target="_blank">brian.ipsen@ryesgade47c.dk</a>></span><br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div lang="DA" link="blue" vlink="purple">
<div>
<p class="MsoNormal">Hi<u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal"><span lang="EN-US">I am trying to figure out how to build a swift setup with Keystone identity management – and have the environment secured by a firewall.<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-US"><u></u> <u></u></span></p>
<p class="MsoNormal"><span lang="EN-US">I expect that a number of proxy nodes are accessible through the firewall (traffic will be NAT’ed). The proxy nodes are connected to a private “storage network” (not accessible from the outside) on a second network interface.
Will the keystone have to be on the “public” side of the proxy nodes – or can it be on the “private” side (see
<a href="http://docs.openstack.org/trunk/openstack-object-storage/admin/content/example-object-storage-installation-architecture.html" target="_blank">
http://docs.openstack.org/trunk/openstack-object-storage/admin/content/example-object-storage-installation-architecture.html</a> - here it is on the “public” side)<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-US"><u></u> <u></u></span></p>
<p class="MsoNormal"><span lang="EN-US">But I am not quite sure about the configuration of the different services when it comes to specifying the different URLs…</span></p>
<p class="MsoNormal"><span lang="EN-US">For example, for the Keystone service:<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-US"><u></u> <u></u></span></p>
<p class="MsoNormal"><span lang="EN-US">Assuming that storage/swift nodes are located in the range 172.21.100.20-172.21.100.80, the keystone server on 172.21.100.10 – and the proxies on 172.21.100.100-172.21.100.120 (and external 10.32.30.10-10.32.30.30).
What would be the correct IPs to use on this command?</span></p>
<p class="MsoNormal"><span lang="EN-US">keystone service-create --name keystone --type=identity --description "Keystone Identity Service"<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-US">keystone endpoint-create --region RegionOne --service-id $KEYSVC_ID --publicurl '<a href="http://x.x.x.x:5000/v2.0" target="_blank">http://x.x.x.x:5000/v2.0</a>' --adminurl '<a href="http://x.x.x.x:35357/v2.0" target="_blank">http://x.x.x.x:35357/v2.0</a>' --internalurl '<a href="http://x.x.x.x:5000/v2.0" target="_blank">http://x.x.x.x:5000/v2.0</a>'</span></p>
<p class="MsoNormal"><span lang="EN-US"><u></u> <u></u></span></p>
<p class="MsoNormal"><span lang="EN-US">And for swift:<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-US">keystone service-create --name swift --type=object-store --description "Swift Storage Service"</span></p>
<p class="MsoNormal"><span lang="EN-US">keystone endpoint-create --service-id $SWIFTSVC_ID --publicurl '<a href="http://x.x.x.x:8080/v1/AUTH_%5C$(tenant_id)s" target="_blank">http://x.x.x.x:8080/v1/AUTH_\$(tenant_id)s</a>' --adminurl '<a href="http://x.x.x.x:8080/v1/AUTH_%5C$(tenant_id)s" target="_blank">http://x.x.x.x:8080/v1/AUTH_\$(tenant_id)s</a>' --internalurl '<a href="http://x.x.x.x:8080/v1/AUTH_%5C$(tenant_id)s" target="_blank">http://x.x.x.x:8080/v1/AUTH_\$(tenant_id)s</a>'</span></p>
<p class="MsoNormal"><span lang="EN-US"><u></u> <u></u></span></p>
<p class="MsoNormal"><span lang="EN-US">Regards<span class="HOEnZb"><font color="#888888"><u></u><u></u></font></span></span></p><span class="HOEnZb"><font color="#888888">
<p class="MsoNormal"><span lang="EN-US">Brian<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-US"><u></u> <u></u></span></p>
</font></span></div>
</div>
<br>_______________________________________________<br>
Mailing list: <a href="https://launchpad.net/~openstack" target="_blank">https://launchpad.net/~openstack</a><br>
Post to : <a href="mailto:openstack@lists.launchpad.net">openstack@lists.launchpad.net</a><br>
<br></blockquote></div><br><br clear="all"><div><br></div>-- <br><div>+Hugo Kuo+</div><div><a href="mailto:tonytkdk@gmail.com" target="_blank">tonytkdk@gmail.com<br></a></div><div><a href="mailto:tonytkdk@gmail.com" target="_blank">+</a>886 935004793</div>
</div>
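<div>Added example, not part of either message: how a client picks the Swift URL out of a Keystone v2.0 catalog, plus a check that each publicURL sits on a network the client can reach, so a catalog that hands outside clients a storage-network address is caught before rollout. The response body is constructed; 10.32.30.10 as Keystone's NAT address, the token, the tenant id and both function names are assumptions.</div>

```python
import ipaddress
import json
from urllib.parse import urlparse

# Constructed sample of a Keystone v2.0 token response, trimmed to the catalog.
# 10.32.30.x = outside/NAT side, 172.21.100.x = private storage network.
SAMPLE_RESPONSE = json.loads("""
{"access": {
  "token": {"id": "EXAMPLE_TOKEN", "tenant": {"id": "t1"}},
  "serviceCatalog": [
    {"type": "identity", "name": "keystone", "endpoints": [{
      "region": "RegionOne",
      "publicURL": "http://10.32.30.10:5000/v2.0",
      "internalURL": "http://172.21.100.10:5000/v2.0",
      "adminURL": "http://172.21.100.10:35357/v2.0"}]},
    {"type": "object-store", "name": "swift", "endpoints": [{
      "region": "RegionOne",
      "publicURL": "http://172.21.100.100:8080/v1/AUTH_t1",
      "internalURL": "http://172.21.100.100:8080/v1/AUTH_t1",
      "adminURL": "http://172.21.100.100:8080/v1/AUTH_t1"}]}
  ]}}
""")


def endpoint_url(response, service_type, interface="publicURL"):
    """Return the first URL of the given interface for a service type."""
    for service in response["access"]["serviceCatalog"]:
        if service["type"] == service_type and service["endpoints"]:
            return service["endpoints"][0][interface]
    raise LookupError(f"no {service_type} endpoint in catalog")


def unreachable_endpoints(response, client_networks, interface="publicURL"):
    """List (service type, URL) whose literal-IP host is outside client_networks."""
    nets = [ipaddress.ip_network(n) for n in client_networks]
    findings = []
    for service in response["access"]["serviceCatalog"]:
        for ep in service["endpoints"]:
            try:
                addr = ipaddress.ip_address(urlparse(ep[interface]).hostname)
            except ValueError:
                continue  # DNS name, not a literal IP: resolution is out of scope
            if not any(addr in net for net in nets):
                findings.append((service["type"], ep[interface]))
    return findings


if __name__ == "__main__":
    print(unreachable_endpoints(SAMPLE_RESPONSE, ["10.32.30.0/24"]))
```

<div>In the sample, the Swift publicURL was deliberately left on the storage network, so it is the one entry reported for a client that can only reach 10.32.30.0/24.</div>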