[Openstack-operators] Service Catalog TNG urls

Mathieu Gagné mgagne at internap.com
Wed Dec 16 16:36:14 UTC 2015


On 2015-12-16 11:11 AM, Anne Gentle wrote:
> 
> Another use case I hadn't heard yet is if a public URL is DDoSed, you
> can have a second URL on internal-only systems that can't be attacked
> from the outside world. So it's a publicURL in that you can access the
> service, but an internal-only URL so we can protect.

This is one of the reasons we have a split catalog.

We are using the Keystone templated catalog (no SQL catalog) to publish
different URLs for users and services. This is so services can continue
to work if the public API is DDoSed.

This is done by having 2 sets of Keystone services (all fed from the
same database for auth and assignments) but with different templated
catalogs. Users use the public one and services the private one, which
all have a dedicated URL.

We also don't use split DNS, to ease debugging and preserve our sanity. By
having an explicitly different URL, you can easily see and understand
which API is contacted (public vs internal). This greatly reduces
misunderstandings or gotchas: oh, you are querying DNS from this desktop,
nah, you won't get the "right" internal IP.

We do not use the internalURL field as we do not wish to publish those
endpoints to the end users. Our understanding is that they were meant
for a different use case than ours.

We could provide another set of internal URLs so they can access our
API from within the cloud network, but that's another need we haven't
encountered yet.

-- 
Mathieu
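Added example (not from the thread or from Internap): a sketch of the two-Keystone templated-catalog layout described above. Hostnames, file paths and the region name are assumptions; both Keystone instances read the same database and differ only in the catalog template file they serve, and internalURL is simply set equal to publicURL since that field is not relied on.

```ini
# --- keystone.conf for the user-facing Keystone (assumed path: /etc/keystone/keystone-public.conf)
[database]
connection = mysql+pymysql://keystone:DB_PASSWORD_PLACEHOLDER@db.example.internal/keystone

[catalog]
driver = templated
template_file = /etc/keystone/catalog-public.templates

# --- keystone.conf for the service-facing Keystone (assumed path: /etc/keystone/keystone-internal.conf)
# identical [database] connection as above; only the template file differs
[catalog]
driver = templated
template_file = /etc/keystone/catalog-internal.templates

# --- /etc/keystone/catalog-public.templates: URLs published to end users (assumed hostnames)
# the templated backend only reads lines of the form "key<space>=<space>value"
catalog.RegionOne.identity.publicURL = https://identity.cloud.example.com/v2.0
catalog.RegionOne.identity.adminURL = https://identity.cloud.example.com/v2.0
catalog.RegionOne.identity.internalURL = https://identity.cloud.example.com/v2.0
catalog.RegionOne.identity.name = Identity Service
catalog.RegionOne.compute.publicURL = https://compute.cloud.example.com/v2/$(tenant_id)s
catalog.RegionOne.compute.adminURL = https://compute.cloud.example.com/v2/$(tenant_id)s
catalog.RegionOne.compute.internalURL = https://compute.cloud.example.com/v2/$(tenant_id)s
catalog.RegionOne.compute.name = Compute Service

# --- /etc/keystone/catalog-internal.templates: dedicated URLs only reachable from the service network
# (assumed hostnames resolving to addresses the public edge does not route)
catalog.RegionOne.identity.publicURL = https://identity.svc.internal/v2.0
catalog.RegionOne.identity.adminURL = https://identity.svc.internal/v2.0
catalog.RegionOne.identity.internalURL = https://identity.svc.internal/v2.0
catalog.RegionOne.identity.name = Identity Service
catalog.RegionOne.compute.publicURL = https://compute.svc.internal/v2/$(tenant_id)s
catalog.RegionOne.compute.adminURL = https://compute.svc.internal/v2/$(tenant_id)s
catalog.RegionOne.compute.internalURL = https://compute.svc.internal/v2/$(tenant_id)s
catalog.RegionOne.compute.name = Compute Service
```

Services are pointed at the internal Keystone (e.g. their `auth_url`), so the catalog they receive never contains a public hostname, which is what keeps them working while the public edge is under load.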