[Openstack] [keystone] Multi-region with horizon
Adam Young
ayoung at redhat.com
Mon May 4 18:56:30 UTC 2015
On 05/04/2015 10:23 AM, rémi Le trocquer wrote:
> Hi,
>
> In multi-region configuration : multi keystone, multi database
> but with a common ldap. Is-it possible on Horizon to switch
> region without re-authenticate ?
Horizon talks to Keystone to get the service catalog, and uses the
service catalog to figure out which service to talk to. Horizon does
not have a Region select function, as far as I have seen.
With OPKI or Fernet tokens, you should be able to share tokens across
multiple regions. In both cases, it is a key distribution matter; for
PKI, all of the the Public keys need to be in all the endpoints, for
Fernet, all of the Keystone servers need the same set of signing keys.
SSO doesn't help. It is a question of token validation.
>
> For reason of latency or RTT, it is not possible to share the databases
> between the keystone indeed the sites could be geographically distant.
>
> Is there a solution perhaps using :
> Kerberos + SSO/ Fernet token/ K2K + SSO ?
>
> Regards,
>
> Rémi Le Trocquer
>
> _______________________________________________
> Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
> Post to : openstack at lists.openstack.org
> Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
More information about the Openstack
mailing list