[Openstack] Keystone active/active

Jay Pipes jaypipes at gmail.com
Sat Dec 21 22:19:08 UTC 2013


On 12/21/2013 04:19 PM, Ryan Lane wrote:
> On Sat, Dec 21, 2013 at 4:07 PM, Jay Pipes <jaypipes at gmail.com> wrote:
>
>     On 12/21/2013 03:27 PM, Ryan Lane wrote:
>
>         On Thu, Dec 19, 2013 at 9:05 PM, 陈锐 <chenrui.momo at gmail.com> wrote:
>
>              I think you should use UUID token and backend should be sql
>              or memcache
>
>
>         If you want this to work across regions, redis or sql is likely
>         what you want (with replication). sql with galera is likely the
>         best option if you want to avoid a SPOF for writes.
>
>
>     For the identity backend, yes :) But definitely not for the token
>     backend!
>
> Really? Why shouldn't the tokens be shared between the regions? Wouldn't
> that mean you need to authenticate for each region to get unscoped tokens?

I don't really see much of a use case for cross-region token sharing, 
but then again, I might be misunderstanding the use case :)

We have multiple deployment zones (regions), that share a Keystone 
identity database, however each zone's Keystone service uses the 
memcache token backend. Users of the deployment don't know that each 
deployment zone is authenticating tokens separately, because users 
simply hit the region's Keystone endpoint (which gives the region's 
service catalog), and all API calls go to that particular region's 
endpoints.

Can you describe the use case for this unscoped token you refer to 
above? By unscoped, you are referring to "this token may be used to 
authenticate in multiple regions"? or are you referring to something else?

Thanks!
-jay
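
The layout described in the message above, sketched as keystone.conf fragments. This is an added example, not part of the original post and not the poster's actual configuration. It assumes a Havana-era Keystone, and the hostnames and database password are constructed placeholders.

```ini
# Region A: keystone.conf (constructed example; hostnames are placeholders)

[sql]
# Identity data (users, tenants, roles) lives in one database that every
# region's Keystone connects to.
connection = mysql://keystone:KEYSTONE_DBPASS@identity-db.example.com/keystone

[identity]
driver = keystone.identity.backends.sql.Identity

[token]
# Tokens are stored only in this region's memcached pool.
driver = keystone.token.backends.memcache.Token

[memcache]
servers = memcache-1.region-a.example.com:11211,memcache-2.region-a.example.com:11211


# Region B: keystone.conf is identical except for the token store location.

[sql]
connection = mysql://keystone:KEYSTONE_DBPASS@identity-db.example.com/keystone

[identity]
driver = keystone.identity.backends.sql.Identity

[token]
driver = keystone.token.backends.memcache.Token

[memcache]
servers = memcache-1.region-b.example.com:11211,memcache-2.region-b.example.com:11211
```

With this split, the same credentials authenticate in either region, but a token issued by region A's Keystone is unknown to region B's, and tokens held in memcached do not survive a cache restart.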
