<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
Hi -<br>
Can you or anyone else explain the technical reason for the admin
endpoint being deprecated?<br>
Is it because domain admins have to create user/project using the public
endpoint, or something more benign - like we don't think it matters
in terms of security, and are deprecating the admin endpoint?<br>
Thanks,<br>
Reza<br>
<br>
<div class="moz-cite-prefix">On 4/8/2016 1:14 AM, Morgan Fainberg
wrote:<br>
</div>
<blockquote
cite="mid:CAGnj6as=2R5Z=h0Nkdoj=xHbN5wiDYa1TtwA9PYQH-JvxhTDTA@mail.gmail.com"
type="cite">
<div dir="ltr"><br>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Fri, Apr 8, 2016 at 1:06 AM,
Shinobu Kinjo <span dir="ltr"><<a moz-do-not-send="true"
href="mailto:shinobu.kj@gmail.com" target="_blank">shinobu.kj@gmail.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div class="HOEnZb">
<div class="h5">On Fri, Apr 8, 2016 at 1:46 PM, Morgan
Fainberg<br>
<<a moz-do-not-send="true"
href="mailto:morgan.fainberg@gmail.com">morgan.fainberg@gmail.com</a>>
wrote:<br>
><br>
><br>
> On Thu, Apr 7, 2016 at 6:07 PM, Remo Mattei <<a
moz-do-not-send="true" href="mailto:remo@italy1.com">remo@italy1.com</a>>
wrote:<br>
>><br>
>> I did a project where we had all three of
them in a sep VLAN, sep net.<br>
>><br>
>> So to answer your question, this depends on how
much you want to secure, what<br>
>> the requirements of your env are, with access
etc.<br>
>> Here is one of the answers from OpenStack:<br>
>><br>
>> Keep in mind that public URLs are just read-only
in most cases, where admin<br>
>> URLs are used to set passwords, change roles,
add roles, etc.<br>
>><br>
>><br>
>><br>
>> <a moz-do-not-send="true"
href="https://ask.openstack.org/en/question/9255/when-the-internal-endpoint-will-be-used/"
rel="noreferrer" target="_blank">https://ask.openstack.org/en/question/9255/when-the-internal-endpoint-will-be-used/</a><br>
>><br>
>><br>
>><br>
>> Remo<br>
>> > On Apr 7, 2016, at 14:48, Kaustubh
Kelkar<br>
>> > <<a moz-do-not-send="true"
href="mailto:kaustubh.kelkar@casa-systems.com">kaustubh.kelkar@casa-systems.com</a>>
wrote:<br>
>> ><br>
>> ><br>
>> > -----Original Message-----<br>
>> > From: D'ANDREA, JOE (JOE) [mailto:<a
moz-do-not-send="true"
href="mailto:jdandrea@research.att.com">jdandrea@research.att.com</a>]<br>
>> > Sent: Thursday, April 7, 2016 4:28 PM<br>
>> > To: <a moz-do-not-send="true"
href="mailto:openstack@lists.openstack.org">openstack@lists.openstack.org</a><br>
>> > Subject: [Openstack] [keystone]
publicurl vs adminurl reachability<br>
>> ><br>
>> ><br>
>> > More to the point: It's unclear to me
whether adminurl endpoints are<br>
>> > designed such that they may be
restricted to private networks, or if they<br>
>> > are expected to be as reachable as
publicurl endpoints are.<br>
>> > [Kaustubh] I haven't tried this out, but
this seems to be supported.<br>
>> > (<a moz-do-not-send="true"
href="http://docs.openstack.org/mitaka/install-guide-ubuntu/keystone-services.html#id1"
rel="noreferrer" target="_blank">http://docs.openstack.org/mitaka/install-guide-ubuntu/keystone-services.html#id1</a>),<br>
>> > point 2:<br>
>> > "In a production environment, the
variants might reside on separate<br>
>> > networks that service different types of
users for security reasons". It<br>
>> > does makes sense to isolate at least the
public API (read customer traffic<br>
>> > )network from the admin and internal API
endpoints.<br>
>> ><br>
>> ><br>
>> > -Kaustubh<br>
><br>
><br>
> Also keep in mind there is no real
differentiation between "admin" and<br>
> "public" in keystone V3. The difference (public
for auth only and a few<br>
> other minor things) was an artifact of the V2
implementation.<br>
<br>
</div>
</div>
So regarding v3, the difference between them does not
make at all<br>
in terms of functionality?<br>
<span class="HOEnZb"><font color="#888888"><br>
</font></span></blockquote>
<div><br>
</div>
<div>The API (routers) for V3 are used by default
(duplicated) between the public and admin entries in the
catalog for Keystone. In general it is possible to make
some minor modifications but largely the differentiation
and ability to differentiate the API paths has been
eliminated in Keystone V3.</div>
<div><br>
</div>
<div>--Morgan</div>
</div>
<br>
</div>
</div>
<br>
</blockquote>
<br>
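An added illustration of the reachability question discussed in this thread (not part of any poster's message and not OpenStack code): a small audit of a service catalog laid out as in a Keystone v3 token response, flagging admin/internal endpoints that share the public URL or sit outside a management network.<br>
The catalog contents and the 10.0.0.0/24 management range are constructed assumptions.<br>

```python
import ipaddress
import json
from urllib.parse import urlsplit

# Constructed sample: the "catalog" list from a Keystone v3 token response.
SAMPLE_CATALOG = json.loads("""
[
  {"type": "identity", "name": "keystone", "endpoints": [
    {"interface": "public",   "url": "https://203.0.113.10:5000/v3"},
    {"interface": "internal", "url": "http://10.0.0.11:5000/v3"},
    {"interface": "admin",    "url": "https://203.0.113.10:5000/v3"}]},
  {"type": "compute", "name": "nova", "endpoints": [
    {"interface": "public", "url": "https://203.0.113.10:8774/v2.1"},
    {"interface": "admin",  "url": "https://203.0.113.10:8775/v2.1"}]}
]
""")

# Assumption: the operator's management network; replace with your own ranges.
MGMT_NETS = [ipaddress.ip_network("10.0.0.0/24")]
RESTRICTED = ("admin", "internal")


def in_mgmt_net(url, nets=MGMT_NETS):
    """True/False for IP-literal hosts, None for names (needs a DNS lookup)."""
    host = urlsplit(url).hostname
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return None
    return any(addr in net for net in nets)


def audit_catalog(catalog, nets=MGMT_NETS):
    """Return (service type, interface, reason) for each questionable endpoint."""
    findings = []
    for svc in catalog:
        by_iface = {e["interface"]: e["url"] for e in svc.get("endpoints", [])}
        public = by_iface.get("public")
        for iface in RESTRICTED:
            url = by_iface.get(iface)
            if url is None:
                continue
            placement = in_mgmt_net(url, nets)
            if url == public:
                findings.append((svc["type"], iface, "same URL as public"))
            elif placement is False:
                findings.append((svc["type"], iface, "outside management networks"))
            elif placement is None:
                findings.append((svc["type"], iface, "hostname, check DNS view"))
    return findings
```

Calling audit_catalog(SAMPLE_CATALOG) returns one tuple per endpoint that needs a second look; an empty list means every admin/internal URL is an address inside the configured ranges.<br>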
</body>
</html>