[Openstack] [keystone] publicurl vs adminurl reachability
rezroo
openstack at roodsari.us
Fri Apr 8 20:03:04 UTC 2016
Hi -
Can you or anyone else explain the technical reason for the admin endpoint
being deprecated?
Is it because domain admins have to create user/project using the public
endpoint, or something more benign - like we don't think it matters in
terms of security, and are deprecating the admin endpoint?
Thanks,
Reza
On 4/8/2016 1:14 AM, Morgan Fainberg wrote:
>
> On Fri, Apr 8, 2016 at 1:06 AM, Shinobu Kinjo <shinobu.kj at gmail.com> wrote:
>
> On Fri, Apr 8, 2016 at 1:46 PM, Morgan Fainberg <morgan.fainberg at gmail.com> wrote:
> >
> >
> > On Thu, Apr 7, 2016 at 6:07 PM, Remo Mattei <remo at italy1.com> wrote:
> >>
> >> I did a project where we had all three of them in a sep VLAN, sep net.
> >>
> >> So to answer your question, this depends on how much you want to secure, what
> >> the requirements of your env are, with access etc.
> >> Here is one of the answers from OpenStack:
> >>
> >> Keep in mind that public URLs are just read-only in most cases, where Admin
> >> URLs are used to set password, change roles, add roles etc.
> >>
> >> https://ask.openstack.org/en/question/9255/when-the-internal-endpoint-will-be-used/
> >>
> >> Remo
> >> > On Apr 7, 2016, at 14:48, Kaustubh Kelkar
> >> > <kaustubh.kelkar at casa-systems.com> wrote:
> >> >
> >> >
> >> > -----Original Message-----
> >> > From: D'ANDREA, JOE (JOE) [mailto:jdandrea at research.att.com]
> >> > Sent: Thursday, April 7, 2016 4:28 PM
> >> > To: openstack at lists.openstack.org
> >> > Subject: [Openstack] [keystone] publicurl vs adminurl reachability
> >> >
> >> >
> >> > More to the point: It's unclear to me whether adminurl endpoints are
> >> > designed such that they may be restricted to private networks, or if they
> >> > are expected to be as reachable as publicurl endpoints are.
> >> > [Kaustubh] I haven't tried this out, but this seems to be supported
> >> > (http://docs.openstack.org/mitaka/install-guide-ubuntu/keystone-services.html#id1),
> >> > point 2:
> >> > "In a production environment, the variants might reside on separate
> >> > networks that service different types of users for security reasons". It
> >> > does make sense to isolate at least the public API (read: customer traffic)
> >> > network from the admin and internal API endpoints.
> >> >
> >> >
> >> > -Kaustubh
> >
> >
> > Also keep in mind there is no real differentiation between "admin" and
> > "public" in keystone V3. The difference (public for auth only and a few
> > other minor things) was an artifact of the V2 implementation.
>
> So regarding v3, the difference between them does not make at all
> in terms of functionality?
>
>
> The API (routers) for V3 are used by default (duplicated) between the
> public and admin entries in the catalog for Keystone. In general it is
> possible to make some minor modifications but largely the
> differentiation and ability to differentiate the API paths has been
> eliminated in Keystone V3.
>
> --Morgan
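A check an operator could run on the question raised in this thread, as an added example that is not part of the original messages or of Keystone itself: since V3 serves the same API behind both catalog entries, restricting admin access has to come from network placement, so this flags admin endpoints that share a listener with the public one or sit outside the management network. The function names, the finding labels, the sample addresses and the management CIDR are assumptions made for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample shaped like the "catalog" list in a Keystone v3 token body.
SAMPLE_CATALOG = [
    {"type": "identity", "endpoints": [
        {"interface": "public", "url": "https://203.0.113.10:5000/v3"},
        {"interface": "internal", "url": "http://10.0.0.11:5000/v3"},
        {"interface": "admin", "url": "https://203.0.113.10:5000/v3"}]},
    {"type": "compute", "endpoints": [
        {"interface": "public", "url": "https://203.0.113.10:8774/v2.1"},
        {"interface": "admin", "url": "http://10.0.0.12:8774/v2.1"}]},
    {"type": "image", "endpoints": [
        {"interface": "public", "url": "https://203.0.113.10:9292"},
        {"interface": "admin", "url": "https://198.51.100.7:9292"}]},
]


def listener(url):
    """Return (host, port) for an endpoint URL, filling in the scheme default port."""
    parts = urlsplit(url)
    return parts.hostname, parts.port or (443 if parts.scheme == "https" else 80)


def audit_catalog(catalog, mgmt_cidr):
    """Flag admin endpoints that are not actually confined to the management network."""
    mgmt_net = ipaddress.ip_network(mgmt_cidr)
    findings = []
    for service in catalog:
        by_iface = {}
        for ep in service.get("endpoints", []):
            by_iface.setdefault(ep["interface"], set()).add(listener(ep["url"]))
        public = by_iface.get("public", set())
        for host, port in sorted(by_iface.get("admin", set())):
            where = f"{host}:{port}"
            if (host, port) in public:
                # Same listener as public: network ACLs cannot separate the two.
                findings.append((service["type"], "admin-shares-public-listener", where))
                continue
            try:
                inside = ipaddress.ip_address(host) in mgmt_net
            except ValueError:
                # Hostname, not an IP literal: resolve it out of band before judging.
                findings.append((service["type"], "admin-host-needs-dns-review", where))
                continue
            if not inside:
                findings.append((service["type"], "admin-outside-mgmt-net", where))
    return findings
```

Call `audit_catalog(SAMPLE_CATALOG, "10.0.0.0/24")` with your own catalog and management CIDR; an empty list means every admin endpoint is an IP literal inside that network and distinct from the public listener.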