Authentication and Authorization in the Cloud CPE and SD-WAN Solutions
The Cloud CPE and SD-WAN solutions use OpenStack Keystone to authenticate and authorize Contrail Service Orchestration (CSO) operations. You can implement the Keystone in several different ways, and you specify which method you use when you install CSO:
A CSO Keystone, which is integrated with CSO and resides on the central CSO server.
This option offers enhanced security because the Keystone is dedicated to CSO and is not shared with any other applications. Consequently, this option is generally recommended.
An external Keystone, which resides on a different server to the CSO server:
The Contrail OpenStack Keystone in the Contrail Cloud Implementation for a centralized deployment is an example of an external Keystone.
In this case, customers and Cloud CPE infrastructure components use the same Keystone token.
You can also use an external Keystone that is specific to your network.
See Table 1 for guidelines about using the Keystone options with different types of deployments.
Table 1: Guidelines for Keystone Options for Different Deployments
Distributed Deployment and SD-WAN Implementation
The CSO Keystone (recommended)
The Contrail OpenStack Keystone on the Contrail Cloud Platform (external Keystone)
An external Keystone that is specific to your network.
You specify the IP address and access details for your Keystone when you install CSO.