[openstack-dev] [opnfv-tech-discuss] [Keystone][Multisite] Huge token size

Adam Young ayoung at redhat.com
Tue Mar 17 13:59:38 UTC 2015


On 03/17/2015 02:51 AM, joehuang wrote:
>
> It is not realistic to deploy the KeyStone service (including backend 
> store) in each site if the number, for example, is more than 10. The 
> reason is that the stored data, including data related to revocation, 
> needs to be replicated to all sites in a synchronous manner. 
> Otherwise, the API server might attempt to use the token before it's 
> able to be validated in the target site.
>

Replicating revocation data across 10 sites will be tricky, but far 
better than replicating all of the token data.  Revocations should be 
relatively rare.
>
> When a Fernet token is used in a multisite scenario, each API request will 
> ask for token validation from KeyStone. The cloud will be out of 
> service if KeyStone stops working, therefore the KeyStone service needs to 
> run in several sites.
>

There will be multiple Keystone servers, so each should talk to their 
local instance.
>
> For reliability purposes, I suggest that the keystone client should 
> provide a fail-safe design: a primary KeyStone server, a second 
> KeyStone server (or even a third KeyStone server). If the primary 
> KeyStone server is out of service, then the KeyStone client will try 
> the second KeyStone server. Different KeyStone clients may be 
> configured with different primary KeyStone servers and second 
> KeyStone servers.
>

Makes sense, but that can be handled outside of Keystone using HA and 
Heartbeat and a whole slew of technologies.  Each Keystone server can 
validate each other's tokens.
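The two points made in this exchange, that sites sharing the token signing keys can validate each other's tokens without replicating token data, while revocations do have to be replicated (and are invisible at a remote site until they arrive), and that client-side failover between Keystone endpoints can live outside Keystone, can be shown with a small model. The following is an added example written for this thread, not Keystone's code: it uses a simplified HMAC-signed token as a stand-in for a Fernet token, and the `Site` class, `validate_with_failover` helper, site names and the shared key are all constructed for the illustration.

```python
"""Two-site token model: a shared signing key lets any site validate any
other site's tokens; only revocation records need to travel between sites.
Simplified stand-in for Fernet tokens, not Keystone's implementation."""
import base64
import hashlib
import hmac
import json
import time

TOKEN_LIFETIME = 3600  # seconds; assumed for the example, not Keystone's default


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def token_id(token: str) -> str:
    """Stable identifier for a token: hash of its signed payload segment."""
    payload_b64 = token.split(".", 1)[0]
    return hashlib.sha256(payload_b64.encode("ascii")).hexdigest()[:16]


class Site:
    """One site's Keystone-like service (constructed for the example)."""

    def __init__(self, name: str, signing_key: bytes):
        self.name = name
        self._key = signing_key
        self.revoked = set()  # token ids this site knows to be revoked
        self.up = True        # toggled to simulate an outage

    def issue_token(self, user: str, project: str, now: float = None) -> str:
        now = time.time() if now is None else now
        payload = {"user": user, "project": project, "issuer": self.name,
                   "issued": now, "expires": now + TOKEN_LIFETIME}
        payload_b64 = _b64(json.dumps(payload, sort_keys=True).encode())
        sig = hmac.new(self._key, payload_b64.encode("ascii"), hashlib.sha256).digest()
        return payload_b64 + "." + _b64(sig)

    def validate(self, token: str, now: float = None):
        """Return the payload if the token is authentic, unexpired and not
        revoked as far as this site knows; otherwise None."""
        now = time.time() if now is None else now
        try:
            payload_b64, sig_b64 = token.split(".", 1)
            expected = hmac.new(self._key, payload_b64.encode("ascii"),
                                hashlib.sha256).digest()
            if not hmac.compare_digest(expected, _unb64(sig_b64)):
                return None  # tampered, or signed with another site's key
            payload = json.loads(_unb64(payload_b64))
        except (ValueError, TypeError):
            return None
        if now >= payload["expires"]:
            return None
        if token_id(token) in self.revoked:
            return None
        return payload

    def revoke(self, token: str) -> None:
        self.revoked.add(token_id(token))

    def replicate_revocations_from(self, other: "Site") -> None:
        """Pull the other site's revocation records; until this runs, a
        token revoked there still validates here."""
        self.revoked |= other.revoked


def validate_with_failover(token: str, sites, now: float = None):
    """Client-side fail-safe from the thread: try sites in the configured
    order and use the first one that is reachable."""
    for site in sites:
        if site.up:
            return site.validate(token, now)
    raise RuntimeError("no Keystone site reachable")


if __name__ == "__main__":
    key = b"constructed-shared-key"
    site_a, site_b = Site("site-a", key), Site("site-b", key)
    tok = site_a.issue_token("alice", "demo", now=1000.0)
    print("validated at site-b:", site_b.validate(tok, now=1500.0) is not None)
    site_a.revoke(tok)
    print("still valid at site-b before replication:", site_b.validate(tok, now=1500.0) is not None)
    site_b.replicate_revocations_from(site_a)
    print("valid at site-b after replication:", site_b.validate(tok, now=1500.0) is not None)
```

The replication lag window is exactly the risk the quoted message raises: between `revoke` at one site and `replicate_revocations_from` at the others, a revoked token is still accepted remotely, so the synchronisation interval for revocation events bounds how long a revoked token remains usable.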
