How to set up multiple authorization nodes (Keystone HA)?

asked 2014-06-19 14:16:25 -0600

amxmachine

updated 2014-06-20 16:11:01 -0600

smaffulli

I am in charge of supplying a service utilizing Swift, Keystone, and a custom front end that needs to have high availability and security as its main function. This is my first development project of any kind, so I may be missing some glaringly obvious things. I want to build a setup that spans 4 geographical locations and that will scale from there if need be. So far my plan is that two of the nodes will include object storage and the other two nodes will supply authorization, Identity v3, SSL termination, and load balancing services. I understand how to implement storage and proxy services, and I have all the goodies for a high-availability storage cluster; however, it is the load balancing and identity that I am stuck at. My questions are:

  1. Is there a built-in function for Keystone to sync between two nodes? I have failed to find it anywhere.
  2. Is it even safe for me to terminate SSL at the auth node, considering they will be colocated in different geographical regions?
  3. Is there a better solution that does not leave me with an authorization bottleneck?

1 answer

answered 2014-09-03 11:10:27 -0600

mpetason

Here is the documentation from OpenStack:

We set up HA Keystone; however, by default it isn't using SSL. You may want to use a load balancer that is able to apply SSL to your endpoint. You aren't really worried about keeping them all in sync, as you are going to either have a MySQL back-end or you could use LDAP.

The harder configuration is going to be setting up MySQL HA that is available in each location so that you don't have tons of latency between user auths.

I would look into using geographic based DNS to send someone to the closest endpoint.

Definitely second the load balancer handling SSL. It is a lot less work and more reliable in my opinion.

You can do some cool stuff with Galera w/ Percona or MariaDB and multisite active/active stuff. There is probably a solution in a configuration like that.

SamYaple (2014-09-03 11:31:33 -0600)
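
One way to lay out the load-balancer-terminated SSL suggested in the answer and comment above, as an added example that is not from the posters or the OpenStack documentation. It assumes HAProxy as the load balancer, one such proxy per site in front of that site's Keystone nodes, and constructed placeholder hostnames, addresses and file paths.

```haproxy
# Added example: per-site HAProxy terminating TLS in front of Keystone.
# Hostname, IP addresses and file paths are constructed placeholders.
global
    # Refuse legacy protocol versions on every TLS listener.
    ssl-default-bind-options ssl-min-ver TLSv1.2

defaults
    mode http
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend keystone_public
    # TLS ends here. The PEM file holds the certificate chain and private key,
    # so restrict it to the haproxy user (for example mode 0600).
    bind *:5000 ssl crt /etc/haproxy/certs/keystone.example.org.pem
    # Pass the original scheme on to the backend.
    http-request set-header X-Forwarded-Proto https
    default_backend keystone_nodes

backend keystone_nodes
    balance roundrobin
    # Take a node out of rotation when the Identity v3 root stops answering.
    option httpchk GET /v3
    # Assumption: these nodes sit on a private network at the same site as
    # this proxy, so the plaintext hop never crosses a link between regions.
    server keystone1 192.0.2.11:5000 check
    server keystone2 192.0.2.12:5000 check
```

With this layout the only unencrypted traffic is the proxy-to-Keystone hop inside one site; tokens and credentials crossing between regions would need that hop encrypted as well.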


Last updated: Sep 03 '14