openstack team mailing list archive

[Brian Ipsen <brian.ipsen@xxxxxxxxxxxxxx>]

Hi

I am trying to figure out how to build a swift setup with Keystone identity management - and have the environment secured by a firewall.

I expect, that a number of proxy nodes are accessible through the firewall (traffic will be NAT'ed). The proxy nodes are connected to a private "storage network" (not accessible from the outside) on a second network interface. Will the keystone have to be on the "public" side of the proxy nodes - or can it be on the "private" side (see http://docs.openstack.org/trunk/openstack-object-storage/admin/content/example-object-storage-installation-architecture.html - here it is on the "public" side)

But I am not quite sure about the configuration of the different service when it comes to specifying the different URL's...
For example, for the Keystone service:

Assuming, that storage/swift nodes are located in the range 172.21.100.20-172.21.100.80, the keystone server on 172.21.100.10 - and the proxies on 172.21.100.100-172.21.100.120 (and external 10.32.30.10-10.32.30.30). What would be the correct IP's to use on this command ?
keystone service-create --name keystone --type=identity --description "Keystone Identity Service"
keystone endpoint-create --region RegionOne --service-id $KEYSVC_ID --publicurl 'http://x.x.x.x5000/v2.0' --adminurl 'http://x.x.x.x:35357/v2.0' --internalurl 'http://x.x.x.x:5000/v2.0'

And for swift:
keystone service-create --name keystone --type=identity --description "Swift Storage Service"
keystone endpoint-create --service-id $SWIFTSVC_ID --publicurl 'http://x.x.x.x:8080/v1/AUTH_\$(tenant_id)s' --adminurl ' http://x.x.x.x:8080/v1/AUTH_\$(tenant_id)s ' --internalurl ' http://x.x.x.x:8080/v1/AUTH_\$(tenant_id)s '

Regards
Brian