Hi -
Can you or anyone else explain the technical reason for admin endpoint being deprecated? Is it because domain admins have to create user/project using public endpoint, or something more benign - like we don't think it matters in terms of security, and are deprecating the admin endpoint?
Thanks,
Reza

On 4/8/2016 1:14 AM, Morgan Fainberg wrote:


On Fri, Apr 8, 2016 at 1:06 AM, Shinobu Kinjo <shinobu...@gmail.com> wrote:

    On Fri, Apr 8, 2016 at 1:46 PM, Morgan Fainberg <morgan.fainb...@gmail.com> wrote:
    >
    >
    > On Thu, Apr 7, 2016 at 6:07 PM, Remo Mattei <r...@italy1.com> wrote:
    >>
    >> I did a project where we had all three of them in a sep VLAN, sep net.
    >>
    >> So to answer your question, this depends how much you want to secure, what
    >> are the requirements of your env, with access etc..
    >> Here is one of the answers from OpenStack
    >>
    >> Keep in mind that public URLs are just read only in most cases, where Admin
    >> URLs are used to set password change roles, add roles etc..
    >>
    >> https://ask.openstack.org/en/question/9255/when-the-internal-endpoint-will-be-used/
    >>
    >>
    >>
    >> Remo
    >> > On Apr 7, 2016, at 14:48, Kaustubh Kelkar
    >> > <kaustubh.kel...@casa-systems.com> wrote:
    >> >
    >> >
    >> > -----Original Message-----
    >> > From: D'ANDREA, JOE (JOE) [mailto:jdand...@research.att.com]
    >> > Sent: Thursday, April 7, 2016 4:28 PM
    >> > To: openstack@lists.openstack.org
    >> > Subject: [Openstack] [keystone] publicurl vs adminurl reachability
    >> >
    >> >
    >> > More to the point: It's unclear to me whether adminurl endpoints are
    >> > designed such that they may be restricted to private networks, or if they
    >> > are expected to be as reachable as publicurl endpoints are.
    >> > [Kaustubh] I haven't tried this out, but this seems to be supported.
    >> >
    >> > (http://docs.openstack.org/mitaka/install-guide-ubuntu/keystone-services.html#id1),
    >> > point 2:
    >> > "In a production environment, the variants might reside on separate
    >> > networks that service different types of users for security reasons". It
    >> > does make sense to isolate at least the public API (read customer traffic)
    >> > network from the admin and internal API endpoints.
    >> >
    >> >
    >> > -Kaustubh
    >
    >
    > Also keep in mind there is no real differentiation between "admin" and
    > "public" in keystone V3. The difference (public for auth only and a few
    > other minor things) was an artifact of the V2 implementation.

    So regarding to v3, the difference between them does not make at all
    in terms of functionality?


The API (routers) for V3 are used by default (duplicated) between the public and admin entries in the catalog for Keystone. In general it is possible to make some minor modifications but largely the differentiation and ability to differentiate the API paths has been eliminated in Keystone V3.

--Morgan



_______________________________________________
Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
Post to     : openstack@lists.openstack.org
Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
