[Openstack-operators] "Master" keystone and "sub" keystone

RunnerCheng runner_cheng at hotmail.com
Mon Sep 28 05:47:39 UTC 2015

Hi Matt Fischer,
I really appreciate your help!
I think you pointed out the directions (regions & federation) which I need to study and research as the next step.
Best Regards,
Sam Cheng
Date: Sun, 27 Sep 2015 14:26:58 -0600
Subject: Re: [Openstack-operators] "Master" keystone and "sub" keystone
From: matt at mattfischer.com
To: runner_cheng at hotmail.com

As far as I know you have to do this with regions unless there's something special that can be done with federation. If you're not storing tokens in the DB (which you shouldn't be doing) I'm not sure why you'd want special read-only nodes. Where are your actual services running? Because it's not just the user getting the token, but all your services (cinder, glance, etc) need to validate that token and you'll need to determine which keystone cluster they'll be talking to.
On Sat, Sep 26, 2015 at 9:19 PM, RunnerCheng <runner_cheng at hotmail.com> wrote:

Hi All,
I'm a newbie to keystone, and I've been doing some research about it recently. I have a question about how to deploy it. The scenario is below:
One company has one headquarters dc and 5 sub dcs located in different cities. We want to deploy a separate OpenStack with a "sub" keystone at each sub dc, and want to deploy one "master" keystone at the headquarters dc. We want to manage all users, roles, tenants, etc. on the "master" keystone; however, we want the end-user to be able to authenticate with the "sub" keystone where he or she is located.
Does anyone understand this scenario? How can we realize it without additional development?
Thanks in advance!
Sam Cheng

