Open Stack

Hey all,

We've had a topic come up a few times about making it so IDs can be
specified in the API request when creating a project [0]. This has come
up over several releases, including the Queens release and in today's
keystone meeting [1]. The proposal is meant to solve spanning keystone
in large deployments (deployments spanning multiple countries).

We've had federated keystone-to-keystone (k2k) support in upstream for
years, and it was originally developed to solve this case. Keystone in
deployment A can federate to keystone in deployment B, where deployments
A and B are completely independent. It was mentioned in today's meeting
that k2k hits performance issues at scale.

I'm curious if anyone else has hit issues like this or been forced into
weird workarounds as a result of not being able to use k2k, or
federation in general? If so, would you be able to share details and
performance results? We've been pushing people to use federated
authentication for some time, and if there are performance issues with
it that hinder usability, I want to get those bugs documented so we can
fix them upstream.

Thoughts?

[0] https://review.openstack.org/#/c/323499/
[1]
http://eavesdrop01.openstack.org/meetings/keystone/2017/keystone.2017-12-19-18.00.log.html#l-69


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20171219/04cc0a24/attachment.sig>