Multi-Cloud remote stacks using Keystone federation

Registered by Zane Bitter

Extend our existing multi-region remote stacks to multi-cloud, so that a remote stack can be created on a separate cloud with its own Keystone, provided that Keystone federation is supported between clouds.

The user-facing change will involve adding an optional "auth_url" subproperty to the context in the OS::Heat::Stack resource type. This should be all we need to direct heatclient at the other cloud.

We'll also need to obtain the correct token to authenticate with. Discussions on the mailing list indicate that we should be able to obtain it from the remote Keystone using our current token. Any authentication that requires Heat knowing the password for the remote cloud is explicitly *out of scope* for this blueprint.
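
A template using the proposed property might look like the following. This is an added example, not taken from the blueprint or from Heat itself: "auth_url" under "context" is the subproperty this blueprint proposes and is not implemented, and the URL, region name and nested resource are constructed sample values.

```yaml
heat_template_version: 2015-04-30

description: >
  Parent stack on the local cloud that creates a child stack on a
  remote cloud reached through Keystone federation.

parameters:
  remote_auth_url:
    type: string
    description: Keystone endpoint of the remote cloud (constructed sample value)
    default: https://keystone.remote-cloud.example:5000/v3

resources:
  remote_stack:
    type: OS::Heat::Stack
    properties:
      context:
        # Existing subproperty, already used for multi-region remote stacks.
        region_name: RegionOne
        # Proposed by this blueprint (assumption: name and placement as
        # described above; not an implemented Heat property).
        auth_url: { get_param: remote_auth_url }
      # Deliberately absent: any username or password for the remote cloud.
      # The blueprint keeps stored remote credentials out of scope; the
      # token is meant to come from the remote Keystone via federation.
      template: |
        heat_template_version: 2015-04-30
        resources:
          net:
            type: OS::Neutron::Net
      timeout: 30

outputs:
  remote_stack_id:
    description: ID of the stack created on the remote cloud
    value: { get_resource: remote_stack }
```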

Blueprint information

Status: Not started
Approver: Zane Bitter
Priority: High
Drafter: None
Direction: Approved
Assignee: None
Definition: Discussion
Series goal: Accepted for future
Implementation: Not started
Milestone target: next

Whiteboard

Please assign to me (Tomer Shtilman)
Is anyone still working on this blueprint? (Rohit C Katakol)
(ricolin) Hi guys, feel free to directly join the discussion or raise a meeting topic if you would like this to happen. We can do it together :)
Still, I think this blueprint is kind of blocked by the known issue that trusted tokens (which we consistently use) can't work with federation. I think we will have to wait for the Keystone team to resolve it before we take action on this.
A few months back we wrote an article on OpenStack Federated Cloud services ( https://www.slideshare.net/SudheendraHarwalkar/openstack-federated-cloud-services-using-apiproxy-and-third-party-solutions ). I think we can use this solution to address the Multi-Cloud remote stacks using Keystone federation blueprint; feedback/discussions most welcome.
