[Openstack] Keystone active/active

Ryan Lane rlane at wikimedia.org
Sat Dec 21 23:36:21 UTC 2013


On Sat, Dec 21, 2013 at 5:19 PM, Jay Pipes <jaypipes at gmail.com> wrote:

> On 12/21/2013 04:19 PM, Ryan Lane wrote:
>
>> On Sat, Dec 21, 2013 at 4:07 PM, Jay Pipes <jaypipes at gmail.com
>> <mailto:jaypipes at gmail.com>> wrote:
>>
>>     On 12/21/2013 03:27 PM, Ryan Lane wrote:
>>
>>         On Thu, Dec 19, 2013 at 9:05 PM, 陈锐 <chenrui.momo at gmail.com
>>         <mailto:chenrui.momo at gmail.com>> wrote:
>>
>>              I think you should use UUID tokens, and the backend should be
>>         sql or memcache.
>>
>>
>>         If you want this to work across regions, redis or sql is likely
>>         what you want (with replication). sql with galera is likely the
>>         best option if you want to avoid a SPOF for writes.
>>
>>
>>     For the identity backend, yes :) But definitely not for the token
>>     backend!
>>
>> Really? Why shouldn't the tokens be shared between the regions? Wouldn't
>> that mean you need to authenticate for each region to get unscoped tokens?
>>
>
> I don't really see much of a use case for cross-region token sharing, but
> then again, I might be misunderstanding the use case :)
>
> We have multiple deployment zones (regions), that share a Keystone
> identity database, however each zone's Keystone service uses the memcache
> token backend. Users of the deployment don't know that each deployment zone
> is authenticating tokens separately, because users simply hit the region's
> Keystone endpoint (which gives the region's service catalog), and all API
> calls go to that particular region's endpoints.
>
> Can you describe the use case for this unscoped token you refer to above?
> By unscoped, you are referring to "this token may be used to authenticate
> in multiple regions"? or are you referring to something else?
>
>
For this thread's record:

A number of us discussed this via IRC. My use case was SSO for a web
application that has a unified view of regions and projects. I don't
require users to re-authenticate for each region.

For this, I'd like to replicate my tokens across regions, which should
work, but will be slow due to the large number of tokens generated by
normal use. Some alternatives were the use of PKI tokens, the use of oauth
in my web interface, or my web interface enumerating the keystone
endpoints, authenticating to each and keeping track of the scoped and
unscoped tokens.

I'm likely going with the replication approach, and may implement a simple
redis token backend since the dogpile code only handles some caching logic.

Anyway, this is slightly off-topic of the original thread, but I thought it
would be good to update the thread in case others need this kind of info.

- Ryan
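As an added illustration (not from the thread or from Keystone's own code) of the constraint discussed above: UUID tokens are opaque bearer tokens, so a region can only validate a token that is present in its own token backend. The model below uses constructed in-memory backends in place of memcache/redis/sql and shows validation before and after replication, scoped versus unscoped tokens, expiry, and why a revocation in one region has to be replicated as well.

```python
import time
import uuid

# Constructed model of Keystone-style UUID (bearer) tokens: the identity
# database is shared between regions, but each region keeps its own token
# backend. A token is only meaningful to the backend that stores it.


class TokenBackend:
    """In-memory stand-in for a per-region memcache/redis/sql token store."""

    def __init__(self, now=time.time):
        self._tokens = {}   # token_id -> token data
        self._now = now     # injectable clock, so expiry can be tested

    def create_token(self, user_id, project_id=None, ttl=3600):
        # project_id None -> unscoped token; otherwise scoped to a project.
        token_id = uuid.uuid4().hex
        self._tokens[token_id] = {
            "user_id": user_id,
            "project_id": project_id,
            "expires": self._now() + ttl,
        }
        return token_id

    def validate(self, token_id):
        """Return the token data, or None if unknown, revoked or expired."""
        data = self._tokens.get(token_id)
        if data is None or data["expires"] <= self._now():
            return None
        return data

    def revoke(self, token_id):
        self._tokens.pop(token_id, None)

    def replicate_to(self, replica):
        # One-way full copy (the replica issues no tokens of its own), so a
        # token deleted here also disappears from the replica. This is the
        # part a real cross-region setup must get right: revocations that
        # are not replicated leave a token valid in the other region.
        replica._tokens = {k: dict(v) for k, v in self._tokens.items()}


def regions_accepting(regions, token_id):
    """Names of the regions (dict name -> TokenBackend) that accept token_id."""
    return [name for name, backend in regions.items() if backend.validate(token_id)]
```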