[Openstack] [keystone] publicurl vs adminurl reachability

Morgan Fainberg morgan.fainberg at gmail.com
Fri Apr 8 05:14:29 UTC 2016


On Fri, Apr 8, 2016 at 1:06 AM, Shinobu Kinjo <shinobu.kj at gmail.com> wrote:

> On Fri, Apr 8, 2016 at 1:46 PM, Morgan Fainberg
> <morgan.fainberg at gmail.com> wrote:
> >
> >
> > On Thu, Apr 7, 2016 at 6:07 PM, Remo Mattei <remo at italy1.com> wrote:
> >>
> >> I did a project where we had all three of them in a sep VLAN, sep net.
> >>
> >> So to answer your question, this depends on how much you want to secure,
> >> what are the requirements of your env, with access etc.
> >> Here is one of the answers from OpenStack.
> >>
> >> Keep in mind that public URLs are just read-only in most cases, where
> >> Admin URLs are used to set password, change roles, add roles etc.
> >>
> >> https://ask.openstack.org/en/question/9255/when-the-internal-endpoint-will-be-used/
> >>
> >> Remo
> >> > On Apr 7, 2016, at 14:48, Kaustubh Kelkar
> >> > <kaustubh.kelkar at casa-systems.com> wrote:
> >> >
> >> >
> >> > -----Original Message-----
> >> > From: D'ANDREA, JOE (JOE) [mailto:jdandrea at research.att.com]
> >> > Sent: Thursday, April 7, 2016 4:28 PM
> >> > To: openstack at lists.openstack.org
> >> > Subject: [Openstack] [keystone] publicurl vs adminurl reachability
> >> >
> >> >
> >> > More to the point: It's unclear to me whether adminurl endpoints are
> >> > designed such that they may be restricted to private networks, or if they
> >> > are expected to be as reachable as publicurl endpoints are.
> >> > [Kaustubh] I haven't tried this out, but this seems to be supported.
> >> > (http://docs.openstack.org/mitaka/install-guide-ubuntu/keystone-services.html#id1),
> >> > point 2:
> >> > "In a production environment, the variants might reside on separate
> >> > networks that service different types of users for security reasons". It
> >> > does make sense to isolate at least the public API (read: customer traffic)
> >> > network from the admin and internal API endpoints.
> >> >
> >> >
> >> > -Kaustubh
> >
> >
> > Also keep in mind there is no real differentiation between "admin" and
> > "public" in keystone V3. The difference (public for auth only and a few
> > other minor things) was an artifact of the V2 implementation.
>
> So regarding v3, the difference between them does not make at all
> in terms of functionality?
>
>
The API (routers) for V3 are used by default (duplicated) between the
public and admin entries in the catalog for Keystone. In general it is
possible to make some minor modifications but largely the differentiation
and ability to differentiate the API paths has been eliminated in Keystone
V3.

--Morgan
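
An added example, not part of the thread or of Keystone's own code: because the V3 API is the same on the public and admin entries, restricting the admin endpoint is a matter of where it is placed on the network, and this sketch audits a catalog for admin/internal endpoints that are not on private addresses or that share a host with the public endpoint. The catalog is a constructed sample in the shape of the `catalog` list of a Keystone v3 token response; the addresses, and the choice of RFC 1918 ranges as the definition of "private", are assumptions.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumption: "private network" means a literal RFC 1918 address.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample catalog (documentation and RFC 1918 addresses only).
CATALOG = [
    {"type": "identity", "name": "keystone", "endpoints": [
        {"interface": "public", "url": "https://203.0.113.10:5000/v3"},
        {"interface": "internal", "url": "http://10.0.0.11:5000/v3"},
        {"interface": "admin", "url": "https://203.0.113.10:35357/v3"},
    ]},
    {"type": "compute", "name": "nova", "endpoints": [
        {"interface": "public", "url": "https://203.0.113.10:8774/v2.1"},
        {"interface": "admin", "url": "http://10.0.0.11:8774/v2.1"},
    ]},
]

def is_restricted(url):
    """True/False for a literal IP host; None when the host is a name."""
    try:
        addr = ipaddress.ip_address(urlsplit(url).hostname)
    except ValueError:
        return None  # hostname: cannot be judged offline
    return any(addr in net for net in RFC1918)

def audit(catalog):
    """Return (service type, interface, finding) tuples."""
    findings = []
    for svc in catalog:
        by_if = {e["interface"]: e["url"] for e in svc["endpoints"]}
        pub_host = urlsplit(by_if.get("public", "")).hostname
        for iface in ("admin", "internal"):
            url = by_if.get(iface)
            if url is None:
                continue
            restricted = is_restricted(url)
            if restricted is None:
                findings.append((svc["type"], iface, "hostname: check DNS and routing"))
            elif not restricted:
                findings.append((svc["type"], iface, "not on an RFC 1918 address"))
            if pub_host and urlsplit(url).hostname == pub_host:
                findings.append((svc["type"], iface, "shares host with public endpoint"))
    return findings
```

A catalog entry only advertises a URL; whether the listener is actually unreachable from the public network still has to be confirmed at the firewall or load balancer.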