These questions are to the operators, and should be asked on openstack-operators
IMO (maybe with tuning the overall tone to be a bit less aggressive).
On 07/24/2017 10:23 AM, Attila Fazekas wrote:
Thanks for your answer.
The real question is do we agree that the
internalURL usage suggested in [1] is a bad security practice
and should not be told to operators at all.
Also we should try to get rid of the endpointTypes in keystone v4.
Let's not seriously talk about keystone v4 at this point, we haven't gotten rid
of v2 so far.
Do we have any good (not just making happy funny dev envs) to keep
endpoint types?
I suspect any external SSL termination proxy. And anything else that will make
the URLs exposed to end users look different from ones exposed to services.
Speaking of DNS, I also suspect there may be a micro-optimization in not making
the services use it when talking to each other, while still providing names to
end users.
On Fri, Jul 21, 2017 at 1:37 PM, Giulio Fidente <[email protected]> wrote:
Only a comment about the status in TripleO
On 07/21/2017 12:40 PM, Attila Fazekas wrote:
[...]
> We should seriously consider using names instead of ip address also
> on the devstack gates to avoid people thinking the catalog entries
> meant to be used with ip address and keystone is a replacement for DNS.
this is configurable, you can have names or ips in the keystone
endpoints ... actually you can choose to use names or ips independently
for each service and even for the different endpoints
(Internal/Admin/Public) of the same service
if an operator, like you suggested, configures the DNS to resolve
different IPs for the same name based on where the request comes from,
then he can use the same 'hostname' for all Public, Admin and Internal
endpoints which I *think* is what you're suggesting
also using names is the default when ssl is enabled
check environments/ssl/tls-endpoints-public-dns.yaml and note how
EndpointMap can resolve to CLOUDNAME or IP_ADDRESS
adding Juan on CC as he did great work around this and can help further
--
Giulio Fidente
GPG KEY: 08D733BA
__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: [email protected]?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
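The thread above argues about catalog hygiene: whether internal/admin endpoints should be published as raw IP addresses, whether all three interfaces of a service can share one hostname (with split-horizon DNS doing the rest), and names being the default once TLS is on. The following is an added audit script, not code from the thread or from TripleO, that reads a Keystone v3-style service catalog and reports the three conditions the discussion touches on. The catalog document is a constructed sample; the `audit_catalog` function and its finding labels are this example's own.

```python
import ipaddress
import json
from urllib.parse import urlsplit

# Constructed sample in the shape of the "catalog" list returned with a
# Keystone v3 token. Hosts, ports and paths are made up for this example.
SAMPLE_CATALOG = json.loads("""
{
  "catalog": [
    {
      "type": "compute", "name": "nova",
      "endpoints": [
        {"interface": "public",   "region": "RegionOne", "url": "https://cloud.example.com:13774/v2.1"},
        {"interface": "internal", "region": "RegionOne", "url": "http://192.0.2.10:8774/v2.1"},
        {"interface": "admin",    "region": "RegionOne", "url": "http://192.0.2.10:8774/v2.1"}
      ]
    },
    {
      "type": "identity", "name": "keystone",
      "endpoints": [
        {"interface": "public",   "region": "RegionOne", "url": "https://cloud.example.com:13000"},
        {"interface": "internal", "region": "RegionOne", "url": "https://cloud.example.com:5000"},
        {"interface": "admin",    "region": "RegionOne", "url": "https://cloud.example.com:35357"}
      ]
    }
  ]
}
""")


def is_ip_literal(host):
    """True when the URL host is an IPv4/IPv6 literal rather than a DNS name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def audit_catalog(catalog):
    """Return (service, interface, finding) tuples for each endpoint condition.

    Findings (labels chosen for this example):
      plaintext-scheme   endpoint URL is not https
      ip-literal         endpoint host is an IP address instead of a name
      hostname-mismatch  the service's interfaces do not share one hostname,
                         i.e. the split-horizon DNS pattern is not in use
    """
    findings = []
    for svc in catalog["catalog"]:
        hosts = {}
        for ep in svc["endpoints"]:
            parts = urlsplit(ep["url"])
            host = parts.hostname or ""  # hostname strips IPv6 brackets and ports
            hosts[ep["interface"]] = host
            if parts.scheme != "https":
                findings.append((svc["name"], ep["interface"], "plaintext-scheme"))
            if is_ip_literal(host):
                findings.append((svc["name"], ep["interface"], "ip-literal"))
        if len(set(hosts.values())) > 1:
            findings.append((svc["name"], "*", "hostname-mismatch"))
    return findings


if __name__ == "__main__":
    for service, interface, finding in audit_catalog(SAMPLE_CATALOG):
        print(f"{service:10s} {interface:9s} {finding}")
```

The `ip-literal` and `hostname-mismatch` rows are informational rather than defects in themselves, since, as Giulio notes, both layouts are valid configuration choices; they exist so an operator can see at a glance which services follow the single-hostname pattern and which still expose address-based internal or admin entries. On the sample, `nova` produces findings on its internal and admin interfaces plus a hostname mismatch, while `keystone` is clean.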