OpenStack Identity (keystone)

Create an X-Auth-Region header during the token request process

Registered by Nick Klenke

In our organization, we have distributed our Keystone servers. Every region has it own. However we have made it so that users can authenticate in any region, but only get role/permissions on those regions where they have been granted. In a multi region deployment there are functions or services that are deemed centralizable, they are functions that are shared across regions, but do not reside on every region. In order to make those functions partake on keystone validation, even when keystone is distributed, we need a mechanism for knowing from which keystone a token was generated. This request is to enhance the Keystone GET Token API. When a Token is generated and provided via the X-Auth-Token header, Keystone will also provide the region value of where it exists. That value will be a new header X-Auth-Region. An application can then present that header, together with the X-Auth-Token. The centralized function/service can then utilize that header to identify the Keystone it needs to use to validate the token. This would be useful to anyone in the community who has any service that has API's running in a centralized fashion.

Blueprint information

Status:
Complete
Approver:
None
Priority:
Undefined
Drafter:
Nick Klenke
Direction:
Needs approval
Assignee:
Nick Klenke
Definition:
Obsolete
Series goal:
None
Implementation:
Unknown
Milestone target:
None
Completed by
Lance Bragstad

Related branches

Sprints

Whiteboard

(lbragstad) 19-02-12: Does each region have its own keystone deployment? The proposed solution in the description sounds like each token is only validatable in that specific region (e.g,, a uuid token isn't replication to all keystone databases, or fernet tokens are encrypted with separate key repositories). Regardless, I'd be curious to hear more about the use case to see if there is an existing solution. I'm going to mark this as obsolete for the time being. If you'd still like discuss this topic, please propose a specification to the openstack/keystone-specs repository [0]. If/when there is agreement on an approach, we will create a blueprint to track the work. This reduces duplication between Launchpad blueprint and specs.openstack.org.

[0] http://specs.openstack.org/openstack/keystone-specs/specs/template.html

(?)

Work Items

This blueprint contains Public information 
Everyone can see this information.
Edit subscription

Subscribers

No subscribers.