[Openstack] [keystone] publicurl vs adminurl reachability

Morgan Fainberg morgan.fainberg at gmail.com
Fri Apr 8 04:46:29 UTC 2016


On Thu, Apr 7, 2016 at 6:07 PM, Remo Mattei <remo at italy1.com> wrote:

> I did a project where we had all three of them in a sep VLAN, sep net.
>
> So to answer your question, this depends on how much you want to secure, what
> the requirements of your env are, with access, etc.
> Here is one of the answers from OpenStack:
>
> Keep in mind that public URLs are just read-only in most cases, whereas admin
> URLs are used to set password, change roles, add roles, etc.
>
>
>
> https://ask.openstack.org/en/question/9255/when-the-internal-endpoint-will-be-used/
>
>
>
> Remo
> > On Apr 7, 2016, at 14:48, Kaustubh Kelkar <
> kaustubh.kelkar at casa-systems.com> wrote:
> >
> >
> > -----Original Message-----
> > From: D'ANDREA, JOE (JOE) [mailto:jdandrea at research.att.com]
> > Sent: Thursday, April 7, 2016 4:28 PM
> > To: openstack at lists.openstack.org
> > Subject: [Openstack] [keystone] publicurl vs adminurl reachability
> >
> >
> > More to the point: It's unclear to me whether adminurl endpoints are
> designed such that they may be restricted to private networks, or if they
> are expected to be as reachable as publicurl endpoints are.
> > [Kaustubh] I haven't tried this out, but this seems to be supported. (
> http://docs.openstack.org/mitaka/install-guide-ubuntu/keystone-services.html#id1),
> point 2:
> > "In a production environment, the variants might reside on separate
> networks that service different types of users for security reasons". It
> does make sense to isolate at least the public API (read: customer traffic)
> network from the admin and internal API endpoints.
> >
> >
> > -Kaustubh
>

Also keep in mind there is no real differentiation between "admin" and
"public" in keystone V3. The difference (public for auth only and a few
other minor things) was an artifact of the V2 implementation.

--Morgan
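
An added example, not part of the thread: one way to check whether the admin and internal endpoints published in a Keystone v3 service catalog actually sit on a management network, which is the isolation question discussed above. The catalog contents, addresses and the `audit_catalog` helper are constructed for illustration; the management CIDR is an assumption the operator supplies.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample in the shape of the "catalog" list of a Keystone v3 token
# response; service names, addresses and ports are made up for this example.
SAMPLE_CATALOG = [
    {"type": "identity", "name": "keystone", "endpoints": [
        {"interface": "public", "url": "https://203.0.113.10:5000/v3"},
        {"interface": "internal", "url": "http://10.0.0.10:5000/v3"},
        {"interface": "admin", "url": "http://10.0.0.10:35357/v3"},
    ]},
    {"type": "compute", "name": "nova", "endpoints": [
        {"interface": "public", "url": "https://203.0.113.10:8774/v2.1"},
        {"interface": "admin", "url": "https://203.0.113.10:8774/v2.1"},
        {"interface": "internal", "url": "http://controller.example:8774/v2.1"},
    ]},
]


def audit_catalog(catalog, mgmt_networks, restricted=("admin", "internal")):
    """Return (service, interface, url, verdict) for each restricted endpoint.

    mgmt_networks: CIDR strings the operator considers management-only
    (an assumption of this example, not something the catalog records).
    """
    nets = [ipaddress.ip_network(n) for n in mgmt_networks]
    findings = []
    for service in catalog:
        for ep in service.get("endpoints", []):
            if ep.get("interface") not in restricted:
                continue
            host = urlsplit(ep["url"]).hostname
            try:
                addr = ipaddress.ip_address(host)
            except ValueError:
                # Hostname (or malformed URL): resolve it from the management
                # network and re-check; no DNS lookup is attempted offline.
                verdict = "not-an-ip-literal"
            else:
                in_mgmt = any(addr in net for net in nets)
                verdict = "ok" if in_mgmt else "outside-mgmt-network"
            findings.append((service["name"], ep["interface"], ep["url"], verdict))
    return findings


if __name__ == "__main__":
    for row in audit_catalog(SAMPLE_CATALOG, ["10.0.0.0/24"]):
        print(*row, sep="  ")
```

A catalog entry only advertises a URL; the network controls (VLANs, firewall rules, listener bindings) are what enforce reachability, so a finding here is a prompt to check those.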