[openstack-dev] [opnfv-tech-discuss] [Keystone][Multisite] Huge token size
ayoung at redhat.com
Tue Mar 17 13:59:38 UTC 2015
On 03/17/2015 02:51 AM, joehuang wrote:
> It’s not reality to deploy KeyStone service ( including backend store
> ) in each site if the number, for example, is more than 10. The
> reason is that the stored data including data related to revocation
> need to be replicated to all sites in synchronization manner.
> Otherwise, the API server might attempt to use the token before it's
> able to be validated in the target site.
Replicating revocati9on data across 10 sites will be tricky, but far
better than replicating all of the token data. Revocations should be
> When Fernet token is used in multisite scenario, each API request will
> ask for token validation from KeyStone. The cloud will be out of
> service if KeyStone stop working, therefore KeyStone service need to
> run in several sites.
There will be multiple Keystone servers, so each should talk to their
> For reliability purpose, I suggest that the keystone client should
> provide a fail-safe design: primary KeyStone server, the second
> KeyStone server (or even the third KeySont server) . If the primary
> KeyStone server is out of service, then the KeyStone client will try
> the second KeyStone server. Different KeyStone client may be
> configured with different primary KeyStone server and the second
> KeyStone server.
Makes sense, but that can be handled outside of Keystone using HA and
Heartbear and awhole slew of technologies. Each Keystone server can
validate each other's tokens.
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the OpenStack-dev