[Openstack-operators] "Master" keystone and "sub" keystone

Matt Fischer matt at mattfischer.com
Mon Sep 28 20:06:00 UTC 2015

On Mon, Sep 28, 2015 at 1:46 PM, Jonathan Proulx <jon at csail.mit.edu> wrote:

> On Mon, Sep 28, 2015 at 03:31:54PM -0400, Adam Young wrote:
> :On 09/26/2015 11:19 PM, RunnerCheng wrote:
> :>Hi All,
> :>I'm a newbie of keystone, and I'm doing some research about it
> :>recently. I have a question about how to deploy it. The scenario is
> :>on below:
> :>
> :>One comany has one headquarter dc and 5 sub dc locate in different
> :>cities. We want to deploy separate OpenStack with "sub" keystone at
> :>the sub dc, and want to deploy one "master" keystone at headquarter
> :>dc. We want to manage all users, roles and tenants etc on the
> :>"master" keystone, however we want the end-user can authenticate
> :>with the "sub" keystone where he or she is locate.
> :
> :
> :Use LDAP for the users, don't keep them in Keystone.
> :
> :Replicate roles, projects etc from master to sub.
> :
> :Use Fernet tokens.  Replicate revocation events both ways.
> I'm hearing conflicting advice about the suitibility of Fernet tokens
> for production use.
> I like the idea. I did get them to work in kilo trivially for CLI, but
> Horizon was unhappy for reasons I didn't fully investigate as I heard
> they 'weren't quite ready in kilo' so I defered further investigation
> to next cycle.
> Though honestly if you're building somthing new right now starting
> with Liberty is probably the right thing anyway by the time you're
> done PoC it will be released.
> -Jon

We're using them in prod, generally happy except with Validation
performance. For Horizon we run off of master anyway but you have to pull
in some code from Liberty or it won't work.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-operators/attachments/20150928/e3e01f80/attachment.html>

More information about the OpenStack-operators mailing list