The :5000 port of Keystone is designed to be exposed publicly via HTTPS. In
the /v2.0/ API, there's only a handful of calls exposed on that port. In
/v3/ the entire API is exposed, but wrapped by RBAC. If you're using
HTTPS, it should be safe to expose the public interfaces of all
the services to the Internet.

Remember that UUID and PKI tokens are both bearer tokens, and that it takes
minimal effort for an attacker to compromise your cloud if you're exposing
tokens over HTTP.

On Tuesday, October 14, 2014, Ed Lima <> wrote:

> I'm on the very early stages of developing an app for android to manage
> openstack services and would like to get the user credentials/tokens on
> keystone to get data and execute commands via the horizon URL. I'm using
> IceHouse on Ubuntu 14.04.
> In my particular use case I have keystone running on my internal server 
> "*http://localhost:5000/v3/auth/tokens
> <http://localhost:5000/v3/auth/tokens>*" which would allow me to use my
> app fine with JSON to get information from other services and execute
> commands however I'd have to be on the same network as my server for it to
> work.
> On the other hand I have my horizon URL published externally on the
> internet at the address "*
> <>*" which is available from anywhere
> and gives me access to my OpenStack services fine via browser on a desktop.
> I'd like to do the same on android, would it be possible? Is there a way
> for my app to send JSON requests to horizon at 
> *
> <>* and get the authentication tokens
> from keystone indirectly?
> I should mention I'm not a very experienced developer and any help would
> be amazing! Thanks
OpenStack-dev mailing list

Reply via email to