[Openstack] [OpenStack] [Keystone] How to use two keystone servers?

Adam Young ayoung at redhat.com
Thu Oct 20 03:20:22 UTC 2016


On 09/23/2016 11:03 AM, Alexandr Porunov wrote:
> Hello,
>
> I have the following nodes:
> swift_proxy1 - 192.168.0.11
> swift_proxy2 - 192.168.0.12
> keystone1 - 192.168.0.21
> keystone2 - 192.168.0.22
>
> I would like to know if it is possible to use two keystone servers if we
> use "uuid" or "fernet" tokens.
>
Yes, you want to use Fernet.  Make sure the same keys are on both servers.


> With uuid I can use Galera Cluster to use the same database. The
> problem is I don't know what to write in the endpoints. We can create an
> endpoint for only one keystone server, as I understand, i.e.:
>
> openstack endpoint create --region RegionOne identity public http://192.168.0.11:5000/v3
> openstack endpoint create --region RegionOne identity internal http://192.168.0.11:5000/v3
> openstack endpoint create --region RegionOne identity admin http://192.168.0.11:35357/v3
>
> Also, what should I use when I create the swift endpoints? Do they have
> to point to themselves or to the keystone server?
>
> openstack endpoint create --region RegionOne \
>   object-store public http://192.168.0.11:8080/v1/AUTH_%\(tenant_id\)s
> openstack endpoint create --region RegionOne \
>   object-store internal http://192.168.0.11:8080/v1/AUTH_%\(tenant_id\)s
> openstack endpoint create --region RegionOne \
>   object-store admin http://192.168.0.11:8080/v1
>
> i.e. if it points to keystone then it is OK, but if it points to
> itself then which proxy IP address should I use?
>
> Also, when we use fernet tokens, how do we synchronize tokens between
> nodes (they should always use the same tokens)?
>
> My aim is to connect keystone 1 to proxy 1 and keystone 2
> to proxy 2, i.e. proxy 1 should always check tokens only in
> the keystone 1 server and proxy 2 should always check tokens only
> in the keystone 2 server. But I want to be able to receive tokens from
> any keystone server (a user can receive a token from keystone 1
> and be authenticated in proxy 2 with that token).
>
> Sincerely,
> Alexandr
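
As an added example (not part of the original message and not keystone's own code), one way to check the advice above that the same Fernet keys are on both servers. It assumes keystone's key repository layout of integer-named key files where the highest index is the primary key used to issue tokens; `load_repo`, `compare_repos` and the sample keys are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path


def load_repo(path):
    """Map key index -> SHA-256 digest of the key file (never the key itself)."""
    repo = {}
    for f in Path(path).iterdir():
        if f.is_file() and f.name.isdigit():
            repo[int(f.name)] = hashlib.sha256(f.read_bytes().strip()).hexdigest()
    return repo


def compare_repos(a, b):
    """Return a list of problems; an empty list means the repositories match."""
    if not a or not b:
        return ["one of the repositories holds no keys"]
    problems = []
    # Assumption: the highest index is the primary key that issues new tokens.
    # A token issued by one server validates on the other only if the other
    # server holds that key somewhere in its repository.
    for name, mine, other in (("A", a, b), ("B", b, a)):
        if mine[max(mine)] not in other.values():
            problems.append(f"primary key of {name} is unknown to the other server")
    for idx in sorted(set(a) | set(b)):
        if a.get(idx) != b.get(idx):
            problems.append(f"key index {idx} differs or is missing")
    return problems


def demo():
    """Constructed repositories standing in for keystone1 and keystone2."""
    keys = {0: b"constructed-staged", 1: b"constructed-old", 2: b"constructed-primary"}
    with tempfile.TemporaryDirectory() as tmp:
        k1, k2, k3 = (Path(tmp, n) for n in ("keystone1", "keystone2", "copy"))
        for repo in (k1, k2, k3):
            repo.mkdir()
            for idx, val in keys.items():
                (repo / str(idx)).write_bytes(val)
        # Simulated drift: keystone1 gained a new primary that was never distributed.
        (k1 / "3").write_bytes(b"constructed-new-primary")
        in_sync = compare_repos(load_repo(k2), load_repo(k3))
        drifted = compare_repos(load_repo(k1), load_repo(k2))
        return in_sync, drifted


if __name__ == "__main__":
    in_sync, drifted = demo()
    print("in sync:", in_sync)
    print("drifted:", drifted)
```

Because only digests are compared, each server can compute its own map locally and the results can be compared without copying key material between hosts.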

