Multi-region management from Horizon requires endless authentications
Bug #1332726 reported by Sukhdev Kapur
This bug affects 2 people
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
OpenStack Dashboard (Horizon) | Invalid | Low | Unassigned | |
Bug Description
I am deploying Horizon to manage multiple regions by updating AVAILABLE_REGIONS in /opt/stack/
I notice that it asks for authentication for each region to log in, which is OK. However, once authenticated for all regions, when I try to switch to an already authenticated region, it asks for authentication regardless. This makes this solution very annoying.
Once authenticated for all regions, it should not require me to keep authenticating.
Is there a workaround for this?
tags: added: keystone
Changed in horizon:
assignee: nobody → Vlad Okhrimenko (vokhrimenko)
Changed in horizon:
assignee: Vlad Okhrimenko (vokhrimenko) → nobody
status: In Progress → Confirmed
importance: Undecided → Low
status: Confirmed → Triaged
The preferred solution is to have a shared keystone across regions.
The main issue with maintaining multiple active tokens is size constraints. The default implementation for Horizon is to use signed cookies for session storage. This has an upper limit of ~4KB. One uncompressed PKI token takes up most of that, but even not using PKI it is easy to run into problems where there is more session data than can fit in a cookie. The errors when this happens are not always immediately evident and can manifest in all sorts of nasty ways.
As for hope for improvement, a couple of things: compressed tokens and potentially having the service catalog removed from the token. But these are items in varying degrees of completion.
If you are using a session backend other than signed cookies, you could store more tokens. This would take a change in Horizon and django_openstack_auth to make work.
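
The size constraint described in the comment above, as an added example that is not part of the original comment or of Horizon's code: a stdlib-only approximation of a signed-cookie session encoding (not Django's actual signing code) that counts how many per-region tokens fit under the ~4KB limit and provides a guard that reports an oversized session before it is written. The token lengths (3000 and 32 characters), the cookie name, the key and all function names are constructed assumptions.

```python
import base64, hashlib, hmac, json, time, zlib

COOKIE_LIMIT = 4096  # the ~4KB ceiling the comment cites for a cookie

def b64(data: bytes) -> bytes:
    return base64.urlsafe_b64encode(data).rstrip(b"=")

def signed_cookie_value(session: dict, key: bytes) -> str:
    """Approximation of a signed-cookie session: JSON, zlib if smaller, base64, HMAC."""
    raw = json.dumps(session, separators=(",", ":")).encode()
    packed = zlib.compress(raw)
    body = b"." + b64(packed) if len(packed) < len(raw) else b64(raw)
    stamp = b64(int(time.time()).to_bytes(5, "big"))
    payload = body + b":" + stamp
    sig = b64(hmac.new(key, payload, hashlib.sha256).digest())
    return (payload + b":" + sig).decode()

def fake_token(region: str, length: int) -> str:
    """Constructed stand-in for a token: high-entropy text that barely compresses."""
    return b64(hashlib.shake_256(region.encode()).digest(length)).decode()[:length]

def build_session(regions: int, token_len: int) -> dict:
    # Hypothetical session layout: one token per authenticated region.
    names = [f"region-{i}" for i in range(regions)]
    return {"user": "constructed-user",
            "tokens": {n: fake_token(n, token_len) for n in names}}

def cookie_size(session: dict, key: bytes = b"constructed-secret") -> int:
    # Cookie name plus "=" plus the signed value; attributes are ignored here.
    return len("sessionid=") + len(signed_cookie_value(session, key))

def fits_in_cookie(session: dict) -> bool:
    """Guard to call before saving, so an oversized session fails loudly."""
    return cookie_size(session) <= COOKIE_LIMIT

def max_regions(token_len: int) -> int:
    # Largest number of per-region tokens that still fits in one cookie.
    n = 0
    while fits_in_cookie(build_session(n + 1, token_len)):
        n += 1
    return n

if __name__ == "__main__":
    for label, size in (("PKI-sized (constructed, 3000 chars)", 3000),
                        ("UUID-sized (constructed, 32 chars)", 32)):
        print(f"{label}: {max_regions(size)} region token(s) fit in one cookie")
```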