Create an X-Auth-Region header during the token request process
In our organization, we have distributed our Keystone servers. Every region has it own. However we have made it so that users can authenticate in any region, but only get role/permissions on those regions where they have been granted. In a multi region deployment there are functions or services that are deemed centralizable, they are functions that are shared across regions, but do not reside on every region. In order to make those functions partake on keystone validation, even when keystone is distributed, we need a mechanism for knowing from which keystone a token was generated. This request is to enhance the Keystone GET Token API. When a Token is generated and provided via the X-Auth-Token header, Keystone will also provide the region value of where it exists. That value will be a new header X-Auth-Region. An application can then present that header, together with the X-Auth-Token. The centralized function/service can then utilize that header to identify the Keystone it needs to use to validate the token. This would be useful to anyone in the community who has any service that has API's running in a centralized fashion.
Blueprint information
- Status:
- Complete
- Approver:
- None
- Priority:
- Undefined
- Drafter:
- Nick Klenke
- Direction:
- Needs approval
- Assignee:
- Nick Klenke
- Definition:
- Obsolete
- Series goal:
- None
- Implementation:
- Unknown
- Milestone target:
- None
- Started by
- Completed by
- Lance Bragstad
Related branches
Related bugs
Sprints
Whiteboard
(lbragstad) 19-02-12: Does each region have its own keystone deployment? The proposed solution in the description sounds like each token is only validatable in that specific region (e.g,, a uuid token isn't replication to all keystone databases, or fernet tokens are encrypted with separate key repositories). Regardless, I'd be curious to hear more about the use case to see if there is an existing solution. I'm going to mark this as obsolete for the time being. If you'd still like discuss this topic, please propose a specification to the openstack/
[0] http://