[Edge-computing] Keystone Edge Architectures

Waines, Greg Greg.Waines at windriver.com
Thu Jun 21 18:24:45 UTC 2018

A question for the general team and the ‘KEYSTONE’ Edge team in particular.

It seems like we are going down the solution path of ‘federated’ keystone
(i.e. the first option described at https://wiki.openstack.org/wiki/Keystone_edge_architectures).

My understanding of ‘federated’ keystone (and this solution) is that:
- All clouds run a Keystone Instance (service provider)
- But all Keystone Instances leverage some remote IdentityProvider as the backend for User Authentication
  - i.e. there is a remote IdentityProvider with all the user credentials
- i.e. local Keystone instances (in edge clouds), if they lose connectivity to remote IdentityProvider, can NOT do authentication of user or validation of tokens.

If this is the case, then how does the ‘federated’ keystone option meet the requirement that
“There may be significant times where an edge cloud has no remote connectivity and all functions (e.g. autoscaling) must continue to function”?

I would have thought that we would have ruled this out immediately?

