*** tkajinam is now known as Guest299 | 04:46 | |
opendevreview | Hervé Beraud proposed openstack/oslo.limit master: Get ready for tox 4 https://review.opendev.org/c/openstack/oslo.limit/+/869342 | 10:31 |
*** dviroel|ourt is now known as dviroel | 11:45 | |
*** dasm|off is now known as dasm | 13:50 | |
spatel | Hello Folk! | 14:30 |
spatel | What is the difference between shared keystone Vs Keystone federation? | 14:31 |
*** dviroel is now known as dviroel|lunch | 16:01 | |
d34dh0r53 | spatel: I'm not directly familiar with the term shared keystone, but I believe that you may be referring to Keystone-to-Keystone federation in which keystone acts as both the SP and IdP (https://docs.openstack.org/keystone/latest/admin/federation/introduction.html#keystone-to-keystone). Federation is using keystone as the SP and federating authentication to an external | 17:07 |
d34dh0r53 | IdP via either OIDC (https://docs.openstack.org/keystone/latest/admin/federation/introduction.html#openid-connect-authentication-flow) or SAML (https://docs.openstack.org/keystone/latest/admin/federation/introduction.html#id2) | 17:07 |
d34dh0r53 | does that answer your question? | 17:07 |
spatel | Thanks!! When I said shared keystone, I meant cloud1 and cloud2 both using the same keystone instances. | 17:08 |
d34dh0r53 | ahh, ok | 17:09 |
spatel | I am looking for a solution where I am building two regions (east and west), so how do I consolidate users/pass/auth etc.? | 17:09 |
*** dviroel|lunch is now known as dviroel | 17:10 | |
spatel | I would like to have a single Horizon or any dashboard to select the region instead of maintaining two keystones. | 17:10 |
d34dh0r53 | hmm, I would look at federated authentication or ldap backed keystone | 17:11 |
spatel | Hmm! That is what I am thinking. | 17:11 |
spatel | Currently we have LDAP (freeIPA for keystone) but it doesn't have an option to select region east / west in horizon etc. | 17:12 |
spatel | Trying to understand how a public cloud company uses openstack keystone for their solution | 17:12 |
d34dh0r53 | perhaps using a realm per region on something like keycloak backed by freeipa and then specifying each region (realm) as a different domain in keystone/horizon | 17:21 |
spatel | hmm | 17:42 |
*** dviroel is now known as dviroel|afk | 21:19 | |
*** dasm is now known as dasm|off | 22:33 |