[Openstack] [keystone] publicurl vs adminurl reachability

Shinobu Kinjo shinobu.kj at gmail.com
Fri Apr 8 05:29:23 UTC 2016


Thank you for the good input.

Cheers,
S

On Fri, Apr 8, 2016 at 2:14 PM, Morgan Fainberg
<morgan.fainberg at gmail.com> wrote:
>
>
> On Fri, Apr 8, 2016 at 1:06 AM, Shinobu Kinjo <shinobu.kj at gmail.com> wrote:
>>
>> On Fri, Apr 8, 2016 at 1:46 PM, Morgan Fainberg
>> <morgan.fainberg at gmail.com> wrote:
>> >
>> >
>> > On Thu, Apr 7, 2016 at 6:07 PM, Remo Mattei <remo at italy1.com> wrote:
>> >>
>> >> I did a project where we had all three of them in a sep VLAN, sep net.
>> >>
>> >> So to answer your question, this depends on how much you want to secure,
>> >> what the requirements of your env are, with access etc.
>> >> Here is one of the answers from OpenStack.
>> >>
>> >> Keep in mind that public URLs are just read-only in most cases, whereas
>> >> admin URLs are used to set password, change roles, add roles etc.
>> >>
>> >>
>> >>
>> >>
>> >> https://ask.openstack.org/en/question/9255/when-the-internal-endpoint-will-be-used/
>> >>
>> >>
>> >>
>> >> Remo
>> >> > On Apr 7, 2016, at 14:48, Kaustubh Kelkar
>> >> > <kaustubh.kelkar at casa-systems.com> wrote:
>> >> >
>> >> >
>> >> > -----Original Message-----
>> >> > From: D'ANDREA, JOE (JOE) [mailto:jdandrea at research.att.com]
>> >> > Sent: Thursday, April 7, 2016 4:28 PM
>> >> > To: openstack at lists.openstack.org
>> >> > Subject: [Openstack] [keystone] publicurl vs adminurl reachability
>> >> >
>> >> >
>> >> > More to the point: It's unclear to me whether adminurl endpoints are
>> >> > designed such that they may be restricted to private networks, or if
>> >> > they are expected to be as reachable as publicurl endpoints are.
>> >> > [Kaustubh] I haven't tried this out, but this seems to be supported.
>> >> >
>> >> > (http://docs.openstack.org/mitaka/install-guide-ubuntu/keystone-services.html#id1),
>> >> > point 2:
>> >> > "In a production environment, the variants might reside on separate
>> >> > networks that service different types of users for security reasons".
>> >> > It does make sense to isolate at least the public API (read: customer
>> >> > traffic) network from the admin and internal API endpoints.
>> >> >
>> >> >
>> >> > -Kaustubh
>> >
>> >
>> > Also keep in mind there is no real differentiation between "admin" and
>> > "public" in keystone V3. The difference (public for auth only and a few
>> > other minor things) was an artifact of the V2 implementation.
>>
>> So regarding v3, the difference between them does not matter at all
>> in terms of functionality?
>>
>
> The API (routers) for V3 are used by default (duplicated) between the public
> and admin entries in the catalog for Keystone. In general it is possible to
> make some minor modifications but largely the differentiation and ability to
> differentiate the API paths has been eliminated in Keystone V3.
>
> --Morgan
>



-- 
Email:
shinobu at linux.com
GitHub:
shinobu-x
Blog:
Life with Distributed Computational System based on OpenSource
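
Added example (not part of the original thread, and not Keystone's own code): a check of the network placement discussed above. It walks a catalog in the shape of a Keystone v3 token response and reports admin and internal endpoints that are not on a management network; the sample catalog, `MGMT_NETS` and `audit_catalog` are constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample in the shape of the "catalog" list of a Keystone v3 token
# response; hosts, ports and networks are made up for illustration.
SAMPLE_CATALOG = [
    {"type": "identity", "name": "keystone", "endpoints": [
        {"interface": "public", "url": "https://203.0.113.10:5000/v3"},
        {"interface": "internal", "url": "http://10.20.0.5:5000/v3"},
        {"interface": "admin", "url": "https://203.0.113.10:35357/v3"},
    ]},
    {"type": "compute", "name": "nova", "endpoints": [
        {"interface": "public", "url": "https://203.0.113.11:8774/v2.1"},
        {"interface": "admin", "url": "http://10.20.0.6:8774/v2.1"},
        {"interface": "internal", "url": "http://controller.mgmt.example:8774/v2.1"},
    ]},
]

# Assumption: the management networks admin/internal endpoints should live on.
MGMT_NETS = [ipaddress.ip_network("10.20.0.0/24")]


def audit_catalog(catalog, mgmt_nets=MGMT_NETS):
    """Return (service, interface, url, reason) for admin/internal endpoints
    that are not provably inside a management network."""
    findings = []
    for service in catalog:
        for ep in service.get("endpoints", []):
            if ep.get("interface") not in ("admin", "internal"):
                continue
            host = urlsplit(ep["url"]).hostname
            try:
                addr = ipaddress.ip_address(host)
            except ValueError:
                # Hostname: not resolved here, so placement must be checked by hand.
                reason = "hostname, verify it resolves into a management network"
            else:
                if any(addr in net for net in mgmt_nets):
                    continue
                reason = "address outside the management networks"
            findings.append((service["type"], ep["interface"], ep["url"], reason))
    return findings


if __name__ == "__main__":
    for finding in audit_catalog(SAMPLE_CATALOG):
        print(*finding, sep=" | ")
```

As noted in the thread, Keystone V3 serves the same API on the public and admin catalog entries, so this checks where an endpoint is reachable, not what it can do.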



