[openstack-dev] [TripleO][keystone] internal endpoints vs sanity

Attila Fazekas afazekas at redhat.com
Fri Jul 21 10:40:03 UTC 2017


Hi All,

I thought it was already a well-known fact that the endpoint types are there ONLY
for historical reasons; today they just exist to confuse the one who tries
to deploy OpenStack, but it is considered a deprecated concept and it will die out
sooner or later.

The keystone v3 API already allows not defining internal or admin
endpoints at all.

I just noticed the current documentation encourages internal endpoint
usage. [1]

Is there anybody here who thinks it is a great idea to show private addresses
to the end users?
Even though some people might consider this CWE-200, I hope it at least
looks bad to everyone.

The internal endpoints should not be used for telling internal information
to the OpenStack services themselves. We are not putting the mariadb and
rabbitmq addresses into the catalog either; we have config files for that.

Ideally the end users should not even know whether we are using different
network paths or not, so the internalURL entries should not be different
addresses from the public one, or they should not be defined at all.

I hope nobody really thinks the public catalog entries are expected to contain
IP addresses instead of domain names by any best practice guide.

We are just using IP addresses in the catalog for dev/test environments,
but in an ideal case the identity URL should start with https://,
and it should continue with a domain name which has several A and AAAA
entries, and the certificate would not be for a self-signed private IP address.

Is there anybody who really thinks we are putting http://<ip address>/..
into the catalog on the gate because it is the best practice?

You can configure your DNS server properly [2] or use the /etc/hosts file
when for some reason you want some nodes to use different IP addresses
for reaching the OpenStack services.

Keystone does not need to solve anything there;
these issues were solved decades before OpenStack even existed.

I cannot take the single internalURL usage as a serious response for
`isolated networks`, because it does not scale when you want to divide your
network even more. Adding internal2URL, internal3URL is not a great idea either.

We should seriously consider using names instead of IP addresses also
on the devstack gates, to avoid people thinking the catalog entries are
meant to be used with IP addresses and keystone is a replacement for DNS.

Using https is likely a bad idea in a regular dev environment,
but I hope we agree sending unencrypted credentials over the wire
is not a recommended best practice.

Best Regards,
Attila


[1]
https://docs.openstack.org/security-guide/api-endpoints/api-endpoint-configuration-recommendations.html

[2]
https://serverfault.com/questions/332440/dns-bind-how-to-return-a-different-ip-based-on-requests-subnet
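A catalog hygiene check for the points raised in the mail (https scheme, domain names rather than IP literals, internal/admin entries that differ from the public one), written as an added example and not code from the post or from keystone itself; the catalog below is constructed sample data in the shape of a keystone v3 token catalog, not taken from any deployment.

```python
import ipaddress
import json
from urllib.parse import urlsplit

# Constructed sample (not from the original post): keystone follows the
# recommendations in the mail, nova does everything the mail argues against.
SAMPLE_CATALOG = json.loads("""
{"catalog": [
  {"type": "identity", "name": "keystone", "endpoints": [
    {"interface": "public",   "region": "RegionOne", "url": "https://cloud.example.org:5000/v3"},
    {"interface": "internal", "region": "RegionOne", "url": "https://cloud.example.org:5000/v3"}]},
  {"type": "compute", "name": "nova", "endpoints": [
    {"interface": "public",   "region": "RegionOne", "url": "http://192.0.2.10:8774/v2.1"},
    {"interface": "internal", "region": "RegionOne", "url": "http://10.0.0.10:8774/v2.1"},
    {"interface": "admin",    "region": "RegionOne", "url": "http://10.0.0.10:8774/v2.1"}]}
]}
""")


def _is_ip_literal(host):
    """True if the URL host is a bare IPv4/IPv6 address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def lint_catalog(catalog):
    """Return (service, interface, problem) tuples for catalog entries that
    send credentials in clear text, expose addresses instead of names, or
    reveal a separate internal network path to whoever reads the catalog."""
    findings = []
    for svc in catalog["catalog"]:
        by_iface = {}
        for ep in svc["endpoints"]:
            iface, parts = ep["interface"], urlsplit(ep["url"])
            by_iface[iface] = ep["url"]
            if parts.scheme != "https":
                findings.append((svc["name"], iface, "plain http"))
            if parts.hostname and _is_ip_literal(parts.hostname):
                findings.append((svc["name"], iface, "ip literal"))
        # The mail's position: internalURL should equal the public URL or not exist.
        pub = by_iface.get("public")
        for iface in ("internal", "admin"):
            if pub and iface in by_iface and by_iface[iface] != pub:
                findings.append((svc["name"], iface, "differs from public"))
    return findings


if __name__ == "__main__":
    for service, iface, problem in lint_catalog(SAMPLE_CATALOG):
        print(f"{service:10} {iface:9} {problem}")
```

On a real deployment the same function can be fed the `catalog` element of a scoped token response (`POST /v3/auth/tokens`) obtained with your own credentials.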