Re: [openstack-dev] [keystone] Using multiple token formats in a one openstack cloud

Tue, 08 Mar 2016 09:03:06 -0800 

On 03/08/2016 11:06 AM, Matt Fischer wrote:
This would be complicated to setup. How would the Openstack services validate the token? Which keystone node would they use? A better question is why would you want to do this? 


On Tue, Mar 8, 2016 at 8:45 AM, rezroo <openst...@roodsari.us 
<mailto:openst...@roodsari.us>> wrote:


    Keystone supports both tokens and ec2 credentials simultaneously,
    but as far as I can tell, will only do a single token format
    (uuid, pki/z, fernet) at a time. Is it possible or advisable to
    configure keystone to issue multiple token formats? For example, I
    could configure two keystone servers, each using a different token
    format, so depending on endpoint used, I could get a uuid or pki
    token. Each service can use either token format, so is there a
    conceptual or implementation issue with this setup?
    Thanks,
    Reza

    __________________________________________________________________________
    OpenStack Development Mailing List (not for usage questions)
    Unsubscribe:
    openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
    <http://openstack-dev-requ...@lists.openstack.org?subject:unsubscribe>
    http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev




__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

Theoretically:


Two different Keystone servers could independently issue different token 
formats.  They would need to share a common backend, so that they could 
all be verified online.  PKIZ  could be issued from multiple servers, 
each using different signing certs, so long as all the services got all 
the certs.


Practically:

You'd be insane to do this in production

__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev






















					Reply via email to