[Openstack-operators] keystone authentication on public interface

Dan Sneddon dsneddon at redhat.com
Thu Apr 14 17:04:47 UTC 2016


On 04/13/2016 07:46 PM, Serguei Bezverkhi (sbezverk) wrote:
> Hello folks,
> 
> I was wondering if you could let me know whether enabling keystone to listen on the public interface for ports 5000 and 35357 is considered normal practice. For example, if a customer wants to authenticate not via horizon or some other proxy but by setting the OS_AUTH_URL=http://blah variable to be able to run OpenStack commands in the CLI.
> 
> Thank you in advance
> 
> Serguei  
> 
> 

That's a normal practice. I guess you might be surprised to learn that
we already host ports 5000 and 35357 on the Public API address? All
that is needed is to point to http://<public VIP IP>:5000/ (or HTTPS if
using SSL).

In general, you want to use port 5000 for all remote Keystone
connections, with the exception that if you want to use the API for
creating users or tenants you need to use the admin API. The only
difference between the two is that 35357 can perform admin functions on
the user database.

-- 
Dan Sneddon         |  Principal OpenStack Engineer
dsneddon at redhat.com |  redhat.com/openstack
650.254.4025        |  dsneddon:irc   @dxs:twitter
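
A pre-flight check for the OS_AUTH_URL setting discussed in this thread, added here as an example and not part of either message: it classifies the URL by the two ports named above (5000 public API, 35357 admin API) and by transport. The function name, the sample address 203.0.113.10, and the policy of accepting only port 5000 over HTTPS for ordinary CLI use are assumptions of this example.

```shell
#!/bin/sh
# Added example: classify a Keystone OS_AUTH_URL before exporting it.
# Ports 5000 and 35357 come from the thread; classify_auth_url and the
# sample VIP 203.0.113.10 are constructed for illustration.

classify_auth_url() {
    url=$1
    scheme=${url%%://*}
    [ "$scheme" = "$url" ] && { echo "invalid: no scheme"; return 2; }
    rest=${url#*://}
    hostport=${rest%%/*}
    case $hostport in
        *\]) port="" ;;                    # bracketed IPv6 literal, no port
        *:*) port=${hostport##*:} ;;       # explicit port after last colon
        *)   port="" ;;
    esac
    case $scheme in
        https) transport="tls";       : "${port:=443}" ;;
        http)  transport="cleartext"; : "${port:=80}" ;;
        *)     echo "invalid: scheme $scheme"; return 2 ;;
    esac
    case $port in
        5000)  role="public-api" ;;        # normal remote Keystone endpoint
        35357) role="admin-api" ;;         # can modify users and tenants
        *)     role="unknown-port" ;;
    esac
    echo "$role $transport"
    # Exit 0 only for the combination this example treats as safe for
    # day-to-day CLI use: public API over TLS (assumed policy).
    [ "$role" = "public-api" ] && [ "$transport" = "tls" ]
}

# Constructed sample URLs; over plain http the password in the token
# request crosses the network unencrypted.
for u in \
    "https://203.0.113.10:5000/v3" \
    "http://203.0.113.10:5000/" \
    "https://203.0.113.10:35357/v3"
do
    printf '%s -> ' "$u"
    classify_auth_url "$u" || echo "  (review before exporting OS_AUTH_URL)"
done
```
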


