On 12/21/2013 04:19 PM, Ryan Lane wrote:
On Sat, Dec 21, 2013 at 4:07 PM, Jay Pipes <jaypi...@gmail.com> wrote:

    On 12/21/2013 03:27 PM, Ryan Lane wrote:

        On Thu, Dec 19, 2013 at 9:05 PM, 陈锐 <chenrui.m...@gmail.com> wrote:

             I think you should use UUID token and backend should be sql or memcache


        If you want this to work across regions, redis or sql is likely what you
        want (with replication). sql with galera is likely the best option if
        you want to avoid a SPOF for writes.


    For the identity backend, yes :) But definitely not for the token backend!

Really? Why shouldn't the tokens be shared between the regions? Wouldn't
that mean you need to authenticate for each region to get unscoped tokens?

I don't really see much of a use case for cross-region token sharing, but then again, I might be misunderstanding the use case :)

We have multiple deployment zones (regions), that share a Keystone identity database, however each zone's Keystone service uses the memcache token backend. Users of the deployment don't know that each deployment zone is authenticating tokens separately, because users simply hit the region's Keystone endpoint (which gives the region's service catalog), and all API calls go to that particular region's endpoints.

Can you describe the use case for this unscoped token you refer to above? By unscoped, you are referring to "this token may be used to authenticate in multiple regions"? Or are you referring to something else?

Thanks!
-jay

_______________________________________________
Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
Post to     : openstack@lists.openstack.org
Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
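The layout described in the message above (one identity database shared by all regions, a region-local memcache token backend), sketched as a keystone.conf fragment. This is an added example, not configuration from the thread or from any poster's deployment; host names, the password and region names are placeholders, and the section names and driver paths are assumed to be those of the Keystone releases current at the time of the thread.

```ini
# keystone.conf on the region-one Keystone node (constructed example)

[sql]
# Identity database shared by every region (placeholder host and password).
# Users, tenants and roles are therefore the same in all regions.
connection = mysql://keystone:KEYSTONE_DBPASS@identity-db.example.org/keystone

[identity]
driver = keystone.identity.backends.sql.Identity

[token]
# Tokens live only in this region's memcached and are never replicated.
driver = keystone.token.backends.memcache.Token

[memcache]
# Region-local memcached (placeholder host).
servers = memcache.region-one.example.org:11211

# keystone.conf on the region-two node is identical except for:
#
# [memcache]
# servers = memcache.region-two.example.org:11211
```

With UUID tokens, a token issued by region one's Keystone is not found in region two's token store, so a leaked token is usable only against the region that issued it, while the same credentials still authenticate in every region.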
