<div dir="ltr">Thanks for Chmouel's mention , much flexible with swift-client<div><div class="gmail_extra"><br></div><div class="gmail_extra">Brain , please have a look with following reply....<br><br><div class="gmail_quote">
2013/1/19 Brian Ipsen <span dir="ltr"><<a href="mailto:brian.ipsen@ryesgade47c.dk" target="_blank">brian.ipsen@ryesgade47c.dk</a>></span><br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div lang="DA" link="blue" vlink="purple">
<div>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Hi<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u> <u></u></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">As for the network diagram the one on the referred page (<a href="http://docs.openstack.org/trunk/openstack-object-storage/admin/content/figures/swift_install_arch.png" target="_blank">http://docs.openstack.org/trunk/openstack-object-storage/admin/content/figures/swift_install_arch.png</a>)
more or less looks what I plan on doing. I would just put a NAT’ing firewall between the public switch and the internet. For security reasons, I think it would make more sense to have the Auth node (keystone service) located on the private switch – but I am
not sure whether it is possible.</span></p></div></div></blockquote><div style><font color="#ff0000">[Reply]</font></div><div style>In your case , to put a NAT server front of swift ecosystem . The keystone could be located in private network without any problem . But in this scenario , there's some more work you have to do . </div>
<div style>1) set NAT for keystone too , whatever a DNAT or redirect port in your firewall for keystone. Remember that , if you want to use username/password authentication method for swift . The easiest way is using keystone/tempauth . In these method , they provide token-auth mechanism to determine if the user is accessible currently. While you want to access swift , you must have a "TOKEN". And the "TOKEN" is managing by keystone . As default , the token will be expired in a period. 24hrs in my memory . The client user have to get the token from keystone first. </div>
<div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div lang="DA" link="blue" vlink="purple"><div>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">I am still trying to figure out how the different components interact, and exactly what the different parameters on the keystone command does.
Once I get that understanding, things will probably be much easier </span><span lang="EN-US" style="font-size:11.0pt;font-family:Wingdings;color:#1f497d">J</span></p></div></div></blockquote><div style><font color="#ff0000">[Reply] </font></div>
<div style>Yes , that's the keypoint. You must understand the workflow. </div><div style>My assumption is your proxy pipline is using tokenauth and keystone even swift-auth .</div><div style>The full request workflow is :</div>
</div></div></div><blockquote style="margin:0 0 0 40px;border:none;padding:0px"><div><div class="gmail_extra"><div class="gmail_quote"><div style>client send username/password --> keystone verify it --> return token and service(swift) url to client --> client use returned url and token to swift-proxy --> proxy verify the token by asking keystone immediately ---> keystone confirmed it with several information includes role etc. --> the request pass the token-auth filter --> check the role with swift-auth middleware --> do the operation for user --> returned the result(status) </div>
</div></div></div></blockquote><div><div class="gmail_extra"><div class="gmail_quote"><div style><br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div lang="DA" link="blue" vlink="purple">
<div><p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u> <u></u></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Regarding the location of the keystone server – and please correct me, if I’m wrong; user authentication is done via the proxy. When a user authenticates,
I assume that the proxy asks the keystone/auth server – instead of the client asks the auth/keystone server directly? If it is the proxy that handles the authentication request towards the keystone server – then the keystone might as well be located on the
private switch on the drawing (for enhanced security). Of course, if the keystone service is located on the private switch, the IP addresses in the URL’s for the endpoint creation will need to match the IP address of the server in this network.</span></p>
</div></div></blockquote><div style><font color="#ff0000">[Reply]</font></div><div style>As the description in previous section , user authentication is done by keystone . And token authentication is done by proxy . </div>
<div style>If you want to send username/password to swift directly , yes you can , but need to write another middleware for it. And would be a little complicated. Keystone should be accessed by client & proxy in original design. </div>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div lang="DA" link="blue" vlink="purple"><div><p class="MsoNormal"> </p></div></div></blockquote><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div lang="DA" link="blue" vlink="purple"><div><p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u> <u></u></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Clients will be located on the internet side on the drawing (again – I want to put a NAT’ing firewall between the public switch and what is referred
to as “internet” on the drawing).</span></p></div></div></blockquote><div style><font color="#ff0000">[Reply]</font></div><div style>Anywhere could be possible</div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div lang="DA" link="blue" vlink="purple"><div><p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u> <u></u></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Maybe I should start digging into the book “OpenStack Cloud Computing Cookbook” by Kevin Jackson to see if this can make things clearer for me
</span><span lang="EN-US" style="font-size:11.0pt;font-family:Wingdings;color:#1f497d">J</span></p></div></div></blockquote><div><br></div><div style>Sure , also official documents . </div><div style>1) play with it </div>
<div style>2) IRC</div><div style>3) mailing list</div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div lang="DA" link="blue" vlink="purple"><div><p class="MsoNormal">
<span lang="EN-US" style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u> <u></u></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Regards<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Brian</span></p></div></div></blockquote><div><br></div><div style>Hope it helps</div>
<div style>Cheers</div><div style>Hugo Kuo </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div lang="DA" link="blue" vlink="purple"><div><p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">
<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u> <u></u></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u> <u></u></span></p>
<div style="border:none;border-left:solid blue 1.5pt;padding:0cm 0cm 0cm 4.0pt">
<div>
<div style="border:none;border-top:solid #b5c4df 1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b><span lang="EN-US" style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span lang="EN-US" style="font-size:10.0pt;font-family:"Tahoma","sans-serif""> Kuo Hugo [mailto:<a href="mailto:tonytkdk@gmail.com" target="_blank">tonytkdk@gmail.com</a>]
<br>
<b>Sent:</b> 19. januar 2013 09:58<br>
<b>To:</b> Brian Ipsen<br>
<b>Cc:</b> <a href="mailto:openstack@lists.launchpad.net" target="_blank">openstack@lists.launchpad.net</a><br>
<b>Subject:</b> Re: [Openstack] Network setup - Swift / keystone location and configuraton?<u></u><u></u></span></p>
</div>
</div><div><div class="h5">
<p class="MsoNormal"><u></u> <u></u></p>
<div>
<p class="MsoNormal"><span style="font-size:10.5pt;font-family:"Arial","sans-serif"">The answer is depends on your service plan . </span><u></u><u></u></p>
<div>
<p class="MsoNormal"><span style="font-size:10.5pt;font-family:"Arial","sans-serif""><u></u> <u></u></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:10.5pt;font-family:"Arial","sans-serif"">Generally , the IP for keystone is the network which could be accessed from client . <u></u><u></u></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:10.5pt;font-family:"Arial","sans-serif"">Also , the publicurl / adminurl / internal could be different . <u></u><u></u></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:10.5pt;font-family:"Arial","sans-serif""><u></u> <u></u></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:10.5pt;font-family:"Arial","sans-serif"">Keystone is the auth agent for swift(and all other services) , while you produce a request to ask for "services URLs / role / token" with your username/password . It will return
a bunch of of information . <u></u><u></u></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:10.5pt;font-family:"Arial","sans-serif"">In keystone v1.0 legacy auth method , it presents as several x-headers . <u></u><u></u></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:10.5pt;font-family:"Arial","sans-serif"">In keystone v2.0 , it returns a pack of json which includes more information . Such as service urls , in your case the service type is object-storage(aka. swift) . <u></u><u></u></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:10.5pt;font-family:"Arial","sans-serif""><u></u> <u></u></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:10.5pt;font-family:"Arial","sans-serif"">The client could parse the needed url for using. <u></u><u></u></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:10.5pt;font-family:"Arial","sans-serif"">The swift-client is using --publicurl as I know .<u></u><u></u></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:10.5pt;font-family:"Arial","sans-serif""><u></u> <u></u></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:10.5pt;font-family:"Arial","sans-serif"">[Q]Could I have a question ? <u></u><u></u></span></p>
</div>
<blockquote style="margin-left:30.0pt;margin-right:0cm">
<p class="MsoNormal"><span style="font-size:10.5pt;font-family:"Arial","sans-serif"">Which network will the client located ?<u></u><u></u></span></p>
</blockquote>
<div>
<p class="MsoNormal"><span style="font-size:10.5pt;font-family:"Arial","sans-serif""><u></u> <u></u></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:10.5pt;font-family:"Arial","sans-serif"">For x.x.x.x , you can just fill in the IP which accessible from client . If there's a NAT of LB , you need to point to NAT entry point of LB IP and redirect to the service
port or internal IP . <u></u><u></u></span></p>
</div>
<div>
<div>
<p class="MsoNormal"><span style="font-size:10.5pt;font-family:"Arial","sans-serif""><u></u> <u></u></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:10.5pt;font-family:"Arial","sans-serif"">keystone endpoint-create --region RegionOne --service-id $KEYSVC_ID --publicurl '<a href="http://x.x.x.x5000/v2.0" target="_blank">http://x.x.x.x5000/v2.0</a>' --adminurl '<a href="http://x.x.x.x:35357/v2.0" target="_blank">http://x.x.x.x:35357/v2.0</a>'
--internalurl '<a href="http://x.x.x.x:5000/v2.0" target="_blank">http://x.x.x.x:5000/v2.0</a>'<u></u><u></u></span></p>
</div>
</div>
<div>
<p class="MsoNormal"><span style="font-size:10.5pt;font-family:"Arial","sans-serif"">keystone endpoint-create --service-id $SWIFTSVC_ID --publicurl '<a href="http://x.x.x.x:8080/v1/AUTH_%5C$(tenant_id)s" target="_blank">http://x.x.x.x:8080/v1/AUTH_\$(tenant_id)s</a>'
--adminurl '<a href="http://x.x.x.x:8080/v1/AUTH_%5C$(tenant_id)s" target="_blank">http://x.x.x.x:8080/v1/AUTH_\$(tenant_id)s</a> ' --internalurl ' <a href="http://x.x.x.x:8080/v1/AUTH_%5C$(tenant_id)s" target="_blank">http://x.x.x.x:8080/v1/AUTH_\$(tenant_id)s</a> '<u></u><u></u></span></p>
</div>
</div>
<div>
<p class="MsoNormal" style="margin-bottom:12.0pt"><u></u> <u></u></p>
<div>
<p class="MsoNormal">2013/1/19 Brian Ipsen <<a href="mailto:brian.ipsen@ryesgade47c.dk" target="_blank">brian.ipsen@ryesgade47c.dk</a>><u></u><u></u></p>
<div>
<div>
<p class="MsoNormal">Hi<u></u><u></u></p>
<p class="MsoNormal"> <u></u><u></u></p>
<p class="MsoNormal"><span lang="EN-US">I am trying to figure out how to build a swift setup with Keystone identity management – and have the environment secured by a firewall.</span><u></u><u></u></p>
<p class="MsoNormal"><span lang="EN-US"> </span><u></u><u></u></p>
<p class="MsoNormal"><span lang="EN-US">I expect, that a number of proxy nodes are accessible through the firewall (traffic will be NAT’ed). The proxy nodes are connected to a private “storage network”
(not accessible from the outside) on a second network interface. Will the keystone have to be on the “public” side of the proxy nodes – or can it be on the “private” side (see
<a href="http://docs.openstack.org/trunk/openstack-object-storage/admin/content/example-object-storage-installation-architecture.html" target="_blank">
http://docs.openstack.org/trunk/openstack-object-storage/admin/content/example-object-storage-installation-architecture.html</a> - here it is on the “public” side)</span><u></u><u></u></p>
<p class="MsoNormal"><span lang="EN-US"> </span><u></u><u></u></p>
<p class="MsoNormal"><span lang="EN-US">But I am not quite sure about the configuration of the different service when it comes to specifying the different URL’s…</span><u></u><u></u></p>
<p class="MsoNormal"><span lang="EN-US">For example, for the Keystone service:</span><u></u><u></u></p>
<p class="MsoNormal"><span lang="EN-US"> </span><u></u><u></u></p>
<p class="MsoNormal"><span lang="EN-US">Assuming, that storage/swift nodes are located in the range 172.21.100.20-172.21.100.80, the keystone server on 172.21.100.10 – and the proxies on 172.21.100.100-172.21.100.120
(and external 10.32.30.10-10.32.30.30). What would be the correct IP’s to use on this command ?</span><u></u><u></u></p>
<p class="MsoNormal"><span lang="EN-US">keystone service-create --name keystone --type=identity --description "Keystone Identity Service"</span><u></u><u></u></p>
<p class="MsoNormal"><span lang="EN-US">keystone endpoint-create --region RegionOne --service-id $KEYSVC_ID --publicurl '<a href="http://x.x.x.x5000/v2.0" target="_blank">http://x.x.x.x5000/v2.0</a>'
--adminurl '<a href="http://x.x.x.x:35357/v2.0" target="_blank">http://x.x.x.x:35357/v2.0</a>' --internalurl '<a href="http://x.x.x.x:5000/v2.0" target="_blank">http://x.x.x.x:5000/v2.0</a>'</span><u></u><u></u></p>
<p class="MsoNormal"><span lang="EN-US"> </span><u></u><u></u></p>
<p class="MsoNormal"><span lang="EN-US">And for swift:</span><u></u><u></u></p>
<p class="MsoNormal"><span lang="EN-US">keystone service-create --name keystone --type=identity --description "Swift Storage Service"</span><u></u><u></u></p>
<p class="MsoNormal"><span lang="EN-US">keystone endpoint-create --service-id $SWIFTSVC_ID --publicurl '<a href="http://x.x.x.x:8080/v1/AUTH_%5C$(tenant_id)s" target="_blank">http://x.x.x.x:8080/v1/AUTH_\$(tenant_id)s</a>'
--adminurl ' <a href="http://x.x.x.x:8080/v1/AUTH_%5C$(tenant_id)s" target="_blank">
http://x.x.x.x:8080/v1/AUTH_\$(tenant_id)s</a> ' --internalurl ' <a href="http://x.x.x.x:8080/v1/AUTH_%5C$(tenant_id)s" target="_blank">
http://x.x.x.x:8080/v1/AUTH_\$(tenant_id)s</a> '</span><u></u><u></u></p>
<p class="MsoNormal"><span lang="EN-US"> </span><u></u><u></u></p>
<p class="MsoNormal"><span lang="EN-US">Regards</span><u></u><u></u></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#888888">Brian</span><span style="color:#888888"><u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#888888"> </span><span style="color:#888888"><u></u><u></u></span></p>
</div>
</div>
<p class="MsoNormal" style="margin-bottom:12.0pt"><br>
_______________________________________________<br>
Mailing list: <a href="https://launchpad.net/~openstack" target="_blank">https://launchpad.net/~openstack</a><br>
Post to : <a href="mailto:openstack@lists.launchpad.net" target="_blank">openstack@lists.launchpad.net</a><br>
Unsubscribe : <a href="https://launchpad.net/~openstack" target="_blank">https://launchpad.net/~openstack</a><br>
More help : <a href="https://help.launchpad.net/ListHelp" target="_blank">https://help.launchpad.net/ListHelp</a><u></u><u></u></p>
</div>
<p class="MsoNormal"><br>
<br clear="all">
<u></u><u></u></p>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<p class="MsoNormal">-- <u></u><u></u></p>
<div>
<p class="MsoNormal">+Hugo Kuo+<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal"><a href="mailto:tonytkdk@gmail.com" target="_blank">tonytkdk@gmail.com<br>
</a><u></u><u></u></p>
</div>
<div>
<p class="MsoNormal"><a href="mailto:tonytkdk@gmail.com" target="_blank">+</a>886 935004793<u></u><u></u></p>
</div>
</div>
</div></div></div>
</div>
</div>
</blockquote></div><br><br clear="all"><div><br></div>-- <br><div>+Hugo Kuo+</div><div><a href="mailto:tonytkdk@gmail.com" target="_blank">tonytkdk@gmail.com<br></a></div><div><a href="mailto:tonytkdk@gmail.com" target="_blank">+</a>886 935004793</div>
</div></div></div>