[openstack-dev] [TripleO][keystone] internal endpoints vs sanity

Dmitry Tantsur dtantsur at redhat.com
Mon Jul 24 08:53:14 UTC 2017


These questions are to the operators, and should be asked on openstack-operators 
IMO (maybe with tuning the overall tone to be a bit less aggressive).

On 07/24/2017 10:23 AM, Attila Fazekas wrote:
> Thanks for your answer.
> 
> The real question is do we agree that the
> internalURL usage suggested in [1] is a bad security practice
> and should not be told to operators at all.
> 
> Also we should try to get rid of the endpointTypes in keystone v4.

Let's not seriously talk about keystone v4 at this point, we haven't gotten rid 
of v2 so far.

> 
> Do we have any good (not just making happy funny dev envs) to keep
> endpoint types?

I suspect any external SSL termination proxy. And anything else that will make 
the URLs exposed to end users look different from ones exposed to services.

Speaking of DNS, I also suspect there may be a micro-optimization in not making 
the services use it when talking to each other, while still providing names to 
end users.

> 
> 
> 
> On Fri, Jul 21, 2017 at 1:37 PM, Giulio Fidente <gfidente at redhat.com 
> <mailto:gfidente at redhat.com>> wrote:
> 
>     Only a comment about the status in TripleO
> 
>     On 07/21/2017 12:40 PM, Attila Fazekas wrote:
> 
>     [...]
> 
>     > We should seriously consider using names instead of IP addresses also
>     > on the devstack gates to avoid people thinking the catalog entries are
>     > meant to be used with IP addresses and keystone is a replacement for DNS.
> 
>     this is configurable, you can have names or IPs in the keystone
>     endpoints ... actually you can choose to use names or IPs independently
>     for each service and even for the different endpoints
>     (Internal/Admin/Public) of the same service
> 
>     if an operator, like you suggested, configures the DNS to resolve
>     different IPs for the same name based on where the request comes from,
>     then he can use the same 'hostname' for all Public, Admin and Internal
>     endpoints which I *think* is what you're suggesting
> 
>     also using names is the default when ssl is enabled
> 
>     check environments/ssl/tls-endpoints-public-dns.yaml and note how
>     EndpointMap can resolve to CLOUDNAME or IP_ADDRESS
> 
>     adding Juan on CC as he did a great work around this and can help further
>     --
>     Giulio Fidente
>     GPG KEY: 08D733BA
> 
> 
> 
> 
> __________________________________________________________________________
> OpenStack Development Mailing List (not for usage questions)
> Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
> 
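A catalog check for the endpoint choices discussed in this thread, added here as an example and not code from the thread, from keystone or from TripleO: it reads a constructed keystone v3 service catalog and reports endpoints that use IP literals instead of names, that are not served over TLS, or whose Public/Admin/Internal interfaces do not share one hostname (the split-horizon DNS layout Giulio describes). All service names, hostnames and addresses below are constructed sample values.

```python
import ipaddress
import json
from urllib.parse import urlsplit

# Constructed sample of a keystone v3 catalog (not taken from any real cloud):
# one service uses one name on every interface, one mixes IPs and plain HTTP.
SAMPLE_CATALOG = json.dumps([
    {"type": "identity", "name": "keystone", "endpoints": [
        {"interface": "public", "url": "https://overcloud.example.test:13000/v3"},
        {"interface": "internal", "url": "https://overcloud.example.test:5000/v3"},
        {"interface": "admin", "url": "https://overcloud.example.test:35357/v3"},
    ]},
    {"type": "compute", "name": "nova", "endpoints": [
        {"interface": "public", "url": "https://overcloud.example.test:13774/v2.1"},
        {"interface": "internal", "url": "http://192.0.2.10:8774/v2.1"},
        {"interface": "admin", "url": "http://192.0.2.10:8774/v2.1"},
    ]},
])


def _is_ip_literal(host):
    # True when the URL host is a bare IPv4/IPv6 address rather than a name.
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def audit_catalog(catalog_json):
    """Return {service_type: [finding, ...]}; an empty list means no finding."""
    findings = {}
    for service in json.loads(catalog_json):
        issues = []
        hosts = set()
        for ep in service.get("endpoints", []):
            parts = urlsplit(ep["url"])
            host = parts.hostname or ""
            hosts.add(host)
            if _is_ip_literal(host):
                issues.append(f"{ep['interface']}: IP literal {host}")
            if parts.scheme != "https":
                issues.append(f"{ep['interface']}: not TLS ({parts.scheme})")
        if len(hosts) > 1:
            issues.append("interfaces use different hostnames: " + ", ".join(sorted(hosts)))
        findings[service["type"]] = issues
    return findings


if __name__ == "__main__":
    for svc, issues in audit_catalog(SAMPLE_CATALOG).items():
        print(svc, "OK" if not issues else issues)
```

On a live cloud the same function can be fed the output of `openstack catalog list -f json` after mapping its columns into this shape.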



