[openstack-dev] [opnfv-tech-discuss] [Keystone][Multisite] Huge token size

Adam Young ayoung at redhat.com
Tue Mar 17 13:59:38 UTC 2015

On 03/17/2015 02:51 AM, joehuang wrote:
> It’s not realistic to deploy a KeyStone service (including backend store) 
> in each site if the number, for example, is more than 10.  The 
> reason is that the stored data, including data related to revocation, 
> needs to be replicated to all sites in a synchronized manner. 
> Otherwise, the API server might attempt to use the token before it's 
> able to be validated in the target site.

Replicating revocation data across 10 sites will be tricky, but far 
better than replicating all of the token data.  Revocations should be 
relatively rare.
> When a Fernet token is used in a multisite scenario, each API request will 
> ask for token validation from KeyStone. The cloud will be out of 
> service if KeyStone stops working, therefore the KeyStone service needs to 
> run in several sites.

There will be multiple Keystone servers, so each should talk to their 
local instance.
> For reliability purposes, I suggest that the keystone client should 
> provide a fail-safe design: primary KeyStone server, the second 
> KeyStone server (or even a third KeyStone server). If the primary 
> KeyStone server is out of service, then the KeyStone client will try 
> the second KeyStone server. Different KeyStone clients may be 
> configured with different primary KeyStone servers and second 
> KeyStone servers.

Makes sense, but that can be handled outside of Keystone using HA and 
Heartbeat and a whole slew of technologies.  Each Keystone server can 
validate each other's tokens.
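
The two points Adam makes above (every Keystone can validate every other site's tokens if they share the signing keys, and only the small revocation data has to be replicated) are illustrated here as an added example that is not part of the original thread or of Keystone's code. It uses an HMAC-signed JSON token as a stand-in for a real Fernet token, a constructed shared key, and a constructed list of replicated revocation events; site names and the `None`-means-unreachable convention are likewise constructed.

```python
import base64
import hashlib
import hmac
import json

# Constructed: one signing key shared by every site, so a token minted at
# any site validates locally at any other site without a cross-site call.
SHARED_KEY = b"constructed-shared-site-key"


def issue_token(user_id, issued_at, key=SHARED_KEY):
    """Mint a self-describing token: urlsafe-b64(claims) + '.' + HMAC tag."""
    claims = json.dumps({"user": user_id, "iat": issued_at}, sort_keys=True)
    payload = base64.urlsafe_b64encode(claims.encode()).decode()
    tag = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{tag}"


def validate_token(token, revocation_events, key=SHARED_KEY):
    """Validate offline: check the tag, then consult the replicated
    revocation events. Returns (ok, reason_or_user)."""
    try:
        payload, tag = token.rsplit(".", 1)
    except ValueError:
        return False, "malformed"
    expected = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return False, "bad signature"
    claims = json.loads(base64.urlsafe_b64decode(payload))
    # A revocation event invalidates every token for that user that was
    # issued before the event; this small event list is all that must be
    # replicated between sites, not the tokens themselves.
    for ev in revocation_events:
        if ev["user"] == claims["user"] and claims["iat"] < ev["revoked_at"]:
            return False, "revoked"
    return True, claims["user"]


def validate_with_failover(token, sites):
    """Try the configured Keystone sites in order (the primary/secondary
    client design from the thread). `sites` is a list of
    (name, revocation_events); None models an unreachable site."""
    for name, events in sites:
        if events is None:
            continue
        return name, validate_token(token, events)
    return None, (False, "no site reachable")
```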
