[Openstack] [keystone] Multi-region with horizon

Joe Topjian joe at topjian.net
Mon May 4 19:40:16 UTC 2015


On Mon, May 4, 2015 at 12:56 PM, Adam Young <ayoung at redhat.com> wrote:

> On 05/04/2015 10:23 AM, rémi Le trocquer wrote:
>
>> Hi,
>>
>> In a multi-region configuration: multi Keystone, multi database,
>> but with a common LDAP. Is it possible in Horizon to switch
>> region without re-authenticating?
>>
>
> Horizon talks to Keystone to get the service catalog, and uses the service
> catalog to figure out which service to talk to.  Horizon does not have a
> Region select function, as far as I have seen.
>

By "Region select", do you mean any way for a user to specify a region? If
so, there are two ways that Horizon can do this (apologies if this is
already known):

The first is to add the regions to the AVAILABLE_REGIONS setting in the
local_settings.py file. Regions will then appear on the login screen.

The second way is to add all regions and services to each Keystone catalog.
Horizon will then detect the multiple regions when querying Keystone and
build a region list. That list appears once logged in (so not on the login
form).

By using this second method, if the Keystone database is shared amongst all
regions, users can seamlessly switch regions without re-authenticating.


> With PKI or Fernet tokens, you should be able to share tokens across
> multiple regions. In both cases, it is a key distribution matter: for PKI,
> all of the public keys need to be in all the endpoints; for Fernet, all
> of the Keystone servers need the same set of signing keys.
>
> SSO doesn't help.  It is a question of token validation.
>
>
>> For reasons of latency or RTT, it is not possible to share the databases
>> between the Keystones; indeed, the sites could be geographically distant.
>>
>> Is there a solution perhaps using :
>> Kerberos + SSO/ Fernet token/ K2K + SSO ?
>>
>> Regards,
>>
>> Rémi Le Trocquer
>>
>> _______________________________________________
>> Mailing list:
>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
>> Post to     : openstack at lists.openstack.org
>> Unsubscribe :
>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
>>
>
>
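The Fernet point quoted above (every Keystone server needs the same set of keys) can be checked before relying on cross-region token validation. The script below is an added example, not code from this thread or from Keystone: it compares SHA-256 fingerprints of key files so that key material is never printed. It assumes each region's key repository has been copied to a local directory of files named by integer index; the region names and key bytes are constructed.

```python
import hashlib
import tempfile
from pathlib import Path

def repo_fingerprints(repo_dir):
    """Map key index -> SHA-256 of the key file (never expose the key itself)."""
    prints = {}
    for path in Path(repo_dir).iterdir():
        if path.is_file() and path.name.isdigit():
            data = path.read_bytes().strip()
            prints[int(path.name)] = hashlib.sha256(data).hexdigest()
    return prints

def compare_regions(repos):
    """repos: {region: key repo dir}. Compare every region with the first one."""
    names = list(repos)
    baseline = repo_fingerprints(repos[names[0]])
    report = {}
    for name in names[1:]:
        other = repo_fingerprints(repos[name])
        problems = []
        for idx in sorted(set(baseline) | set(other)):
            if idx not in other:
                problems.append(f"key {idx} missing")
            elif idx not in baseline:
                problems.append(f"key {idx} unexpected")
            elif baseline[idx] != other[idx]:
                problems.append(f"key {idx} differs")
        report[name] = problems
    return report

def build_sample(root):
    """Constructed sample: three key repositories, one left stale after a rotation."""
    keys = {0: b"staged-key-A", 1: b"primary-key-B"}  # placeholders, not real keys
    layout = {"region-one": keys, "region-two": keys,
              "region-three": {0: b"staged-key-OLD"}}
    repos = {}
    for region, contents in layout.items():
        repo = Path(root) / region
        repo.mkdir()
        for idx, data in contents.items():
            (repo / str(idx)).write_bytes(data)
        repos[region] = repo
    return repos

def run_sample():
    with tempfile.TemporaryDirectory() as root:
        return compare_regions(build_sample(root))

if __name__ == "__main__":
    for region, problems in run_sample().items():
        print(region, "OK" if not problems else problems)
```

A region that reports any problem will reject tokens issued elsewhere (or issue tokens others reject) until its key repository is resynchronised.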

