Hi All,

I thought it is already a well-known fact that the endpoint types are there ONLY for historical reasons; today they just exist to confuse the one who tries to deploy OpenStack, but it is considered a deprecated concept and it will die out sooner or later.

The keystone v3 API already allows not defining internal or admin endpoints at all. I just noticed the current documentation encourages the internal endpoint usage. [1]

Is there anybody here who thinks it is a great idea to show private addresses to the end users? Even though some people might consider this CWE-200, I hope at least it looks bad to everyone.

The internal endpoints should not be used for telling internal information to the OpenStack services themselves. We are not putting the mariadb and rabbitmq addresses into the catalog either; we have config files for that. Ideally the end users should not even know whether we are using different network paths or not, so the internalURL entries should not be different addresses than the public one, or they should not be defined at all.

I hope nobody really thinks the public catalog entries are expected to contain IP addresses instead of domain names by any best practice guide. We are just using IP addresses in the catalog for dev/test environments, but in an ideal case the identity URL should start with https:// and continue with a domain name which has several A and AAAA entries, and the certificate would not be for a self-signed private IP address. Is there anybody who really thinks we are putting http://<ip address>/.. into the catalog on the gate because it is the best practice?

You can configure your DNS server properly [2] or use the /etc/hosts file when for some reason you want some nodes to use a different IP address for reaching the OpenStack services. Keystone does not need to solve anything there; these issues were solved decades before OpenStack even existed.

I cannot take the single internalURL usage as a serious response for `isolated networks`, because it does not scale when you want to divide your network even more. Adding internal2URL, internal3URL is not a great idea either.

We should seriously consider using names instead of IP addresses also on the devstack gates, to avoid people thinking the catalog entries are meant to be used with IP addresses and keystone is a replacement for DNS. Using https is likely a bad idea in a regular dev environment, but I hope we agree sending unencrypted credentials over the wire is not a recommended best practice.

Best Regards,
Attila

[1] https://docs.openstack.org/security-guide/api-endpoints/api-endpoint-configuration-recommendations.html
[2] https://serverfault.com/questions/332440/dns-bind-how-to-return-a-different-ip-based-on-requests-subnet
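To make the points in the mail checkable against a real deployment, here is an added example (not from the original mail, and not keystone's own code) that audits a service catalog for the three issues raised: plaintext http, IP addresses instead of DNS names, and internal/admin entries that expose a different address than the public one. The catalog below is a constructed sample in the shape of a keystone v3 catalog listing; the service names, hostnames and addresses are hypothetical.

```python
import ipaddress
import json
from urllib.parse import urlsplit

# Constructed sample in the shape of a keystone v3 catalog (hypothetical values).
SAMPLE_CATALOG = json.loads("""
[
  {"type": "identity", "name": "keystone", "endpoints": [
    {"interface": "public",   "region": "RegionOne", "url": "https://cloud.example.com:5000/v3"},
    {"interface": "internal", "region": "RegionOne", "url": "http://10.0.0.11:5000/v3"},
    {"interface": "admin",    "region": "RegionOne", "url": "http://10.0.0.11:35357/v3"}]},
  {"type": "compute", "name": "nova", "endpoints": [
    {"interface": "public",   "region": "RegionOne", "url": "https://cloud.example.com:8774/v2.1"},
    {"interface": "internal", "region": "RegionOne", "url": "https://cloud.example.com:8774/v2.1"}]},
  {"type": "image", "name": "glance", "endpoints": [
    {"interface": "public",   "region": "RegionOne", "url": "http://203.0.113.10:9292"}]}
]
""")


def _is_ip_host(host):
    """True when the URL host is a literal IPv4/IPv6 address rather than a DNS name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def audit_catalog(catalog):
    """Return a list of (service_type, interface, finding) tuples for one catalog."""
    findings = []
    for service in catalog:
        # Public URLs are the reference: any internal/admin URL that differs leaks topology.
        public_urls = {e["url"] for e in service["endpoints"] if e["interface"] == "public"}
        for ep in service["endpoints"]:
            parts = urlsplit(ep["url"])
            host = parts.hostname or ""  # urlsplit strips the [] around IPv6 literals
            iface = ep["interface"]
            if parts.scheme != "https":
                findings.append((service["type"], iface, "plaintext http endpoint"))
            if _is_ip_host(host):
                findings.append((service["type"], iface, "IP address instead of DNS name"))
            if iface in ("internal", "admin") and ep["url"] not in public_urls:
                findings.append((service["type"], iface, "non-public interface exposes a different address"))
    return findings


if __name__ == "__main__":
    for finding in audit_catalog(SAMPLE_CATALOG):
        print(*finding)
```

Feed it the `catalog` array from `GET /v3/auth/catalog` (or `openstack catalog list -f json`, reshaped) to check a live deployment; an empty result means every entry is https, name-based, and either public-only or identical to the public URL.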
__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev