On 04/13/2016 07:46 PM, Serguei Bezverkhi (sbezverk) wrote: > Hello folks, > > I was wondering if you let me know if enabling keystone to listen on public > interface for ports 5000 and 35357 is considered as a normal practice. > Example if a customer wants to authenticate not via horizon or some other > proxy but setting up OS_AUTH_URL=http://blah variable to be able to run > OpenStack commands in cli. > > Thank you in advance > > Serguei > > _______________________________________________ > OpenStack-operators mailing list > OpenStack-operators@lists.openstack.org > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators >
That's a normal practice. I guess you might be surprised to learn that we already host ports 5000 and 35357 on the Public API address? All that is needed is to point to http://<public VIP IP>:5000/ (or HTTPS if using SSL). In general, you want to use port 5000 for all remote Keystone connections, with the exception that if you want to use the API for creating users or tenants you need to use the admin API. The only difference between the two is that 35357 can perform admin functions on the user database. -- Dan Sneddon | Principal OpenStack Engineer dsned...@redhat.com | redhat.com/openstack 650.254.4025 | dsneddon:irc @dxs:twitter _______________________________________________ OpenStack-operators mailing list OpenStack-operators@lists.openstack.org http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators