Hey all, We've had a topic come up a few times about making it so IDs can be specified in the API request when creating a project [0]. This has come up over several releases, including the Queens release and in today's keystone meeting [1]. The proposal is meant to solve spanning keystone in large deployments (deployments spanning multiple countries).
We've had federated keystone-to-keystone (k2k) support in upstream for years, and it was originally developed to solve this case. Keystone in deployment A can federate to keystone in deployment B, where deployments A and B are completely independent. It was mentioned in today's meeting that k2k hits performance issues at scale. I'm curious if anyone else has hit issues like this or been forced into weird workarounds as a result of not being able to use k2k, or federation in general? If so, would you be able to share details and performance results? We've been pushing people to use federated authentication for some time, and if there are performance issues with it that hinder usability, I want to get those bugs documented so we can fix them upstream. Thoughts? [0] https://review.openstack.org/#/c/323499/ [1] http://eavesdrop01.openstack.org/meetings/keystone/2017/keystone.2017-12-19-18.00.log.html#l-69
signature.asc
Description: OpenPGP digital signature
__________________________________________________________________________ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
