<div dir="ltr">Thanks David..<div><br></div><div>So, I am actually curious about what Jay was suggesting.. is there a way to have multiple separate keystone instances, but shared tokens?</div></div><div class="gmail_extra">
<br><br><div class="gmail_quote">On Thu, Jan 2, 2014 at 7:03 PM, Lyle, David <span dir="ltr"><<a href="mailto:david.lyle@hp.com" target="_blank">david.lyle@hp.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div class="im"><br>
> -----Original Message-----<br>
> From: Jay Pipes [mailto:<a href="mailto:jaypipes@gmail.com">jaypipes@gmail.com</a>]<br>
> Sent: Thursday, January 02, 2014 11:14 AM<br>
> To: <a href="mailto:openstack@lists.openstack.org">openstack@lists.openstack.org</a><br>
> Subject: Re: [Openstack] Fwd: [openstack] [keystone] [horizon] regions<br>
> setup<br>
><br>
</div><div><div class="h5">> On 01/02/2014 12:32 PM, Xu (Simon) Chen wrote:<br>
> > A few questions..<br>
> ><br>
> > First, I am a little confused by this post:<br>
> > <a href="http://docs.openstack.org/trunk/openstack-" target="_blank">http://docs.openstack.org/trunk/openstack-</a><br>
> ops/content/segregate_cloud.html<br>
> ><br>
> > On the one hand, it says different regions should have no interactions<br>
> > among them. On the other hand, it says keystone should be shared across<br>
> > regions. I can see that sharing credentials is useful, but replicating<br>
> > things like tokens across region seems to be a hassle to deal with - I<br>
> > don't want to replicate the tokens that are specific to regions via WAN..<br>
> ><br>
> > Second, I am confused about Horizon's multi-region support. There are<br>
> > two ways of informing a horizon instance about multiple regions. One way<br>
> > is to configure the AVAILABLE_REGIONS variable in local_settings.py,<br>
> > where I can put keystone endpoints associated to different regions. Then<br>
> > something would show up in the top right corner of horizon, that I can<br>
> > switch to a different region, log in, and it works. The second way is to<br>
> > configure the endpoints of another region in the keystone instance local<br>
> > to horizon. Then, a drop down list would show up on the left side of the<br>
> > page, right beneath the list of projects. This however doesn't work,<br>
> > since the openstack_auth package seems to be performing a simple<br>
> > redirect assuming the same token would work across regions (my two<br>
> > regions have completely separate keystone deployments.)<br>
> ><br>
> > Any ideas on the best practice here?<br>
><br>
> Hello there, Simon! :) Happy New Year!<br>
><br>
> My best advice to you would be to share identity/role/group information<br>
> across regions (just so your users don't have to deal with separate<br>
> creds in each region), but use the memcached token backend in each<br>
> region's Keystone service. That way, you get the advantage of shared<br>
> credentials but get decent token performance. As you point out,<br>
> replicating tokens across the WAN is deadly for performance, as just a<br>
> small number of users can quickly swamp the replicated database traffic<br>
> from millions of tokens created and replicated.<br>
><br>
> I have no played with the AVAILABLE_REGIONS thing in Horizon yet, as I<br>
> was under the impression that it relied on shared-region tokens<br>
> (otherwise, users would have to grab a different token when doing things<br>
> in different regions..)<br>
><br>
> Our users so far have not complained about simply going to the Horizon<br>
> dashboard of the particular region they are working with, but I<br>
> understand from Ryan Lane and others that that isn't a great user story!<br>
><br>
> All the best,<br>
> -jay<br>
><br>
<br>
</div></div>AVAILABLE_REGIONS allows login into different keystone instances, separate user/credentials. This is different than the regions returned in the keystone service catalog which subdivide service regions for the same keystone instance. The dropdown selector on the left-hand side of the page allows management of the latter.<br>
<br>
If you are trying to manage separate keystone environments from the same Horizon, AVAILABLE_REGIONS should contain entries for all the keystone endpoints you want to manage.<br>
<span class="HOEnZb"><font color="#888888"><br>
David<br>
</font></span><div class="HOEnZb"><div class="h5"><br>
_______________________________________________<br>
Mailing list: <a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack</a><br>
Post to : <a href="mailto:openstack@lists.openstack.org">openstack@lists.openstack.org</a><br>
Unsubscribe : <a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack</a><br>
</div></div></blockquote></div><br></div>