Thank you for good input. Cheers, S
On Fri, Apr 8, 2016 at 2:14 PM, Morgan Fainberg <morgan.fainb...@gmail.com> wrote: > > > On Fri, Apr 8, 2016 at 1:06 AM, Shinobu Kinjo <shinobu...@gmail.com> wrote: >> >> On Fri, Apr 8, 2016 at 1:46 PM, Morgan Fainberg >> <morgan.fainb...@gmail.com> wrote: >> > >> > >> > On Thu, Apr 7, 2016 at 6:07 PM, Remo Mattei <r...@italy1.com> wrote: >> >> >> >> I did a project where we had all three of them in a sep VLAN, sep net. >> >> >> >> So to answer your question, this depends how much you want to secure, >> >> what >> >> is the requirements of your env, with access etc.. >> >> here is one of the answer from OpenStack >> >> >> >> Keep in mind that public URL are just read only in most cases, where >> >> Admin >> >> URL are used to set password change roles, add roles etc.. >> >> >> >> >> >> >> >> >> >> https://ask.openstack.org/en/question/9255/when-the-internal-endpoint-will-be-used/ >> >> >> >> >> >> >> >> Remo >> >> > On Apr 7, 2016, at 14:48, Kaustubh Kelkar >> >> > <kaustubh.kel...@casa-systems.com> wrote: >> >> > >> >> > >> >> > -----Original Message----- >> >> > From: D'ANDREA, JOE (JOE) [mailto:jdand...@research.att.com] >> >> > Sent: Thursday, April 7, 2016 4:28 PM >> >> > To: openstack@lists.openstack.org >> >> > Subject: [Openstack] [keystone] publicurl vs adminurl reachability >> >> > >> >> > >> >> > More to the point: It's unclear to me whether adminurl endpoints are >> >> > designed such that they may be restricted to private networks, or if >> >> > they >> >> > are expected to be as reachable as publicurl endpoints are. >> >> > [Kaustubh] I haven't tried this out, but this seems to be supported. >> >> > >> >> > (http://docs.openstack.org/mitaka/install-guide-ubuntu/keystone-services.html#id1), >> >> > point 2: >> >> > "In a production environment, the variants might reside on separate >> >> > networks that service different types of users for security reasons". >> >> > It >> >> > does makes sense to isolate at least the public API (read customer >> >> > traffic >> >> > )network from the admin and internal API endpoints. >> >> > >> >> > >> >> > -Kaustubh >> > >> > >> > Also keep in mind there is no real differentiation between "admin" and >> > "public" in keystone V3. The difference (public for auth only and a few >> > other minor things) was an artifact of the V2 implementation. >> >> So regarding to v3, the difference between them does not make at all >> in terms of functionality? >> > > The API (routers) for V3 are used by default (duplicated) between the public > and admin entries in the catalog for Keystone. In general it is possible to > make some minor modifications but largely the differentiation and ability to > differentiate the API paths has been eliminated in Keystone V3. > > --Morgan > > > _______________________________________________ > Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack > Post to : openstack@lists.openstack.org > Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack > -- Email: shin...@linux.com GitHub: shinobu-x Blog: Life with Distributed Computational System based on OpenSource _______________________________________________ Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack Post to : openstack@lists.openstack.org Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack