[Openstack] [OpenStack] [keystone] How to make keystone highly available?

Clint Byrum clint at fewbar.com
Sat Oct 1 04:36:45 UTC 2016


Excerpts from Alexandr Porunov's message of 2016-09-30 18:51:02 +0300:
> > How do you handle database high availability and replication?
> 
> Especially in my case, I don't care about tokens which will be lost after
> the first keystone server dies. My services can authenticate again and get new
> tokens. It isn't critical. But if in your case it isn't acceptable, then I
> would use fernet tokens in your place (but they are a little bit
> bigger than uuid tokens). If you need small tokens, fast checks and you
> can't lose tokens, then I would use MariaDB Galera Cluster for the
> token replication.
> 

This assumes you have very little churn in your identity database, which
may not be true if you're using Heat, which creates users for software
configurations unless you use s3 tempurls.

There is also important realtime data with Fernet tokens in the
revocation_event table, but it is highly temporal, so if you lose it,
the effect is that for $token_ttl length of time, you might allow tokens
that were previously revoked to validate.
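The revocation-window effect described above, as an added example that is not part of the thread or of Keystone's code: a constructed HMAC-signed token stands in for a Fernet token, an in-memory list stands in for the revocation_event table, and losing that list lets a revoked token validate until its own expiry (names, key and TTL are all assumptions).

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key and TTL; a stand-in for keystone's Fernet key
# repository and configured token expiration, not the real format.
SECRET = b"constructed-demo-key"
TOKEN_TTL = 3600  # seconds


def issue_token(user_id: str, issued_at: float) -> str:
    """Build a signed token carrying user, issued-at and expiry claims."""
    claims = {"user": user_id, "iat": issued_at, "exp": issued_at + TOKEN_TTL}
    payload = json.dumps(claims, sort_keys=True).encode()
    sig = hmac.new(SECRET, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(payload + sig).decode()


def validate(token: str, revocation_events: list, now: float) -> bool:
    """Accept a token only if its signature, expiry and revocation checks pass.

    revocation_events is the in-memory stand-in for the revocation_event
    table: each event revokes every token of that user issued at or before
    the event time.
    """
    raw = base64.urlsafe_b64decode(token)
    payload, sig = raw[:-32], raw[-32:]
    expected = hmac.new(SECRET, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return False
    claims = json.loads(payload)
    if now >= claims["exp"]:
        return False
    for ev in revocation_events:
        if ev["user"] == claims["user"] and claims["iat"] <= ev["revoked_at"]:
            return False
    return True


def revocation_window(issued_at: float, revoked_at: float) -> float:
    """Seconds a revoked token stays valid if the revocation store is lost.

    This is the exposure the message describes: bounded by the token TTL,
    because expiry is carried in the token itself and survives the loss.
    """
    return max(0.0, issued_at + TOKEN_TTL - revoked_at)
```

With the event list present the revoked token is rejected; with the list wiped (empty) it validates again until `iat + TOKEN_TTL`, which is why the exposure is at most one TTL.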
