Re: [Openstack] [OpenStack] [Keystone] How to use two keystone servers?

Wed, 19 Oct 2016 20:32:58 -0700 

On 09/23/2016 11:03 AM, Alexandr Porunov wrote:

Hello,

I have next nodes:
swift_proxy1 - 192.168.0.11
swift_proxy2 - 192.168.0.12
keystone1 - 192.168.0.21
keystone2 - 192.168.0.22
I wonder to know if it is possible to use two keystone servers if we use "uuid" or "fernet" tokens. 


Yes, you want to use Fernet.  Make sure the same keys are on both servers.
With uuid I can use Galera Cluster to use the same database. The problem is I don't know what to write in endpoints. We can create an endpoint only for one the keystone server as I understand. i.e. :
openstack endpoint create --region RegionOne identity public http://192.168.0.11:5000/v3
openstack endpoint create --region RegionOne identity internal http://192.168.0.11:5000/v3 openstack endpoint create --region RegionOne identity admin http://192.168.0.11:35357/v3
Also what should I use when I create a swift endpoints? Does he have to point on itself or on the keystone server? 

openstack endpoint create --region RegionOne \
object-store public http://192.168.0.11:8080/v1/AUTH_%\(tenant_id\)s <http://192.168.0.11:8080/v1/AUTH_%%5C%28tenant_id%5C%29s> 
openstack endpoint create --region RegionOne \
object-store internal http://192.168.0.11:8080/v1/AUTH_%\(tenant_id\)s <http://192.168.0.11:8080/v1/AUTH_%%5C%28tenant_id%5C%29s> 
openstack endpoint create --region RegionOne \
  object-store admin http://192.168.0.11:8080/v1
i.e. if it points on the keystone then it is OK but if he point on itself then which proxy IP address I should use?
Also when we use fernet tokens, how to synchronize tokens between nodes (they should always use the same tokens).
My aim is to connect the keystone 1 to the proxy 1 and the keystone 2 to the proxy 2 to. i.e. : Proxy 1 should always check tokens only in the keystone1 server and the proxy 2 should always check tokens only in the keystone 2 server. But I want to be able to receive tokens from any keystone server (a user can receive a token from the keystone 1 and be authenticated in the proxy 2 with that token). 

Sincerely,
Alexandr


_______________________________________________
Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
Post to     : openstack@lists.openstack.org
Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack




_______________________________________________
Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
Post to     : openstack@lists.openstack.org
Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack

Reply via email to