<div dir="ltr">On Mon, May 4, 2015 at 12:56 PM, Adam Young <span dir="ltr"><<a href="mailto:ayoung@redhat.com" target="_blank">ayoung@redhat.com</a>></span> wrote:<br><div class="gmail_extra"><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">On 05/04/2015 10:23 AM, rémi Le trocquer wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Hi,<br>
<br>
In multi-region configuration : multi keystone, multi database<br>
but with a common ldap. Is-it possible on Horizon to switch<br>
region without re-authenticate ?<br>
</blockquote>
<br>
Horizon talks to Keystone to get the service catalog, and uses the service catalog to figure out which service to talk to. Horizon does not have a Region select function, as far as I have seen.<br></blockquote><div><br></div><div>By "Region select", do you mean any way for a user to specify a region? If so, there are two ways that Horizon can do this (apologies if this is already known):</div><div><br></div><div>The first is to add the regions to the AVAILABLE_REGIONS setting in the local_settings.py file. Regions will then appear on the login screen.</div><div><br></div><div>The second way is to add all regions and services to each Keystone catalog. Horizon will then detect the multiple regions when querying Keystone and build a region list. That list appears once logged in (so not on the login form).<br></div><div><br></div><div>By using this second method, if the Keystone database is shared amongst all regions, users can seamlessly switch regions without re-authenticating. </div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">With OPKI or Fernet tokens, you should be able to share tokens across multiple regions. In both cases, it is a key distribution matter; for PKI, all of the the Public keys need to be in all the endpoints, for Fernet, all of the Keystone servers need the same set of signing keys.<br>
<br>
SSO doesn't help. It is a question of token validation.<br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<br>
For reason of latency or RTT, it is not possible to share the databases<br>
between the keystone indeed the sites could be geographically distant.<br>
<br>
Is there a solution perhaps using :<br>
Kerberos + SSO/ Fernet token/ K2K + SSO ?<br>
<br>
Regards,<br>
<br>
Rémi Le Trocquer<br>
<br>
_______________________________________________<br>
Mailing list: <a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack</a><br>
Post to : <a href="mailto:openstack@lists.openstack.org" target="_blank">openstack@lists.openstack.org</a><br>
Unsubscribe : <a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack</a><br>
</blockquote>
<br>
<br>
_______________________________________________<br>
Mailing list: <a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack</a><br>
Post to : <a href="mailto:openstack@lists.openstack.org" target="_blank">openstack@lists.openstack.org</a><br>
Unsubscribe : <a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack</a><br>
</blockquote></div><br></div></div>