Multi-region management from Horizon requires endless authentications

The preferred solution is to have a shared keystone across regions.

The main issue with maintaining multiple active tokens is size constraints. The default implementation for Horizon is to used signed cookies for session storage. This has an upper limit of ~4KB. One uncompressed PKI token takes up most of that, but even not using PKI it is easy to run into problems where there is more session data than can fit in a cookie. The errors when this happens are not always immediately evident and can manifest in all sorts of nasty ways.

As for hope for improvement. Couple of things, compressed tokens and potentially having the service catalog removed from the token. But these are items in varying degrees of completion.

If you are using a session backend other than signed cookies, you could store more tokens. This would take change in Horizon and django_openstack_auth to make work.

I've noticed the behavior that is somewhat different from the one mentioned in Bug Description: Switch Region dropdown in top right corner doesn't work for me.

Suppose I login into the Region1, then when I try to switch to Region2, it redirects me to the login view of django-openstack-auth https://github.com/openstack/horizon/blob/2014.2.rc1/horizon/templates/horizon/common/_region_selector.html#L11 and there I am being immediately redirected to the settings.LOGIN_REDIRECT_URL because I am already authenticated at Region1, so I cannot view Region2 resources if I switch to it via top right dropdown. Selecting region at login page works though.

Fix proposed to branch: master
Review: https://review.openstack.org/127544

I've filed a separate bug https://bugs.launchpad.net/horizon/+bug/1381413 for the behavior I had encountered.

I'm going to close this one as won't fix, as there hasn't been any activity on the original issue for a while, and there's no good way to solve this in Horizon.

As David mentions, if Keystone tokens can't be authenticated across regions, the only way to not require logging into a previously logged in region would be to store extra tokens in the session. That's highly undesirable.

We deal with this issue in our production environment currently (we currently use PKI tokens), and our plan is to use Fernet tokens. Fernet tokens should enable tokens to be authenticated across different Keystones, as long as the Keystones share Fernet keys.