[Openstack] [keystone] publicurl vs adminurl reachability

Shinobu Kinjo shinobu.kj at gmail.com
Fri Apr 8 05:06:15 UTC 2016


On Fri, Apr 8, 2016 at 1:46 PM, Morgan Fainberg
<morgan.fainberg at gmail.com> wrote:
>
>
> On Thu, Apr 7, 2016 at 6:07 PM, Remo Mattei <remo at italy1.com> wrote:
>>
>> I did a project where we had all three of them in a sep VLAN, sep net.
>>
>> So to answer your question, this depends on how much you want to secure, what
>> the requirements of your env are, with access, etc.
>> Here is one of the answers from OpenStack.
>>
>> Keep in mind that public URLs are just read-only in most cases, whereas admin
>> URLs are used to set password, change roles, add roles, etc.
>>
>>
>>
>> https://ask.openstack.org/en/question/9255/when-the-internal-endpoint-will-be-used/
>>
>>
>>
>> Remo
>> > On Apr 7, 2016, at 14:48, Kaustubh Kelkar
>> > <kaustubh.kelkar at casa-systems.com> wrote:
>> >
>> >
>> > -----Original Message-----
>> > From: D'ANDREA, JOE (JOE) [mailto:jdandrea at research.att.com]
>> > Sent: Thursday, April 7, 2016 4:28 PM
>> > To: openstack at lists.openstack.org
>> > Subject: [Openstack] [keystone] publicurl vs adminurl reachability
>> >
>> >
>> > More to the point: It's unclear to me whether adminurl endpoints are
>> > designed such that they may be restricted to private networks, or if they
>> > are expected to be as reachable as publicurl endpoints are.
>> > [Kaustubh] I haven't tried this out, but this seems to be supported.
>> > (http://docs.openstack.org/mitaka/install-guide-ubuntu/keystone-services.html#id1),
>> > point 2:
>> > "In a production environment, the variants might reside on separate
>> > networks that service different types of users for security reasons". It
>> > does make sense to isolate at least the public API (read: customer traffic)
>> > network from the admin and internal API endpoints.
>> >
>> >
>> > -Kaustubh
>
>
> Also keep in mind there is no real differentiation between "admin" and
> "public" in keystone V3. The difference (public for auth only and a few
> other minor things) was an artifact of the V2 implementation.

So regarding v3, the difference between them does not matter at all
in terms of functionality?

>
> --Morgan
>



-- 
Email:
shinobu at linux.com
GitHub:
shinobu-x
Blog:
Life with Distributed Computational System based on OpenSource