Authentication and Authorization in the Cloud CPE and SD-WAN Solutions

 

The Cloud CPE and SD-WAN solutions use OpenStack Keystone to authenticate and authorize Contrail Service Orchestration (CSO) operations. You can implement Keystone in several different ways, and you specify which method to use when you install CSO:

  • A CSO Keystone, which is integrated with CSO and resides on the central CSO server.

    This option offers enhanced security because the Keystone is dedicated to CSO and is not shared with any other applications. Consequently, this option is generally recommended.

  • An external Keystone, which resides on a different server from the CSO server:

    • The Contrail OpenStack Keystone in the Contrail Cloud Implementation for a centralized deployment is an example of an external Keystone.

      In this case, customers and Cloud CPE infrastructure components use the same Keystone token.

    • You can also use an external Keystone that is specific to your network.

See Table 1 for guidelines about using the Keystone options with different types of deployments.

Table 1: Guidelines for Keystone Options for Different Deployments

The CSO Keystone (recommended)

  • Centralized deployment:

    • Installation of the Keystone occurs with the CSO installation.

    • After installation, you must use Administration Portal or the API to configure a service profile for each virtualized infrastructure monitor (VIM).

  • Distributed deployment and SD-WAN implementation:

    • Installation occurs with the CSO installation.

    • You do not need to perform any configuration after installation.

  • Combined deployment:

    • Installation occurs with the CSO installation.

    • You do not need to perform any configuration after installation for the distributed portion of the deployment.

    • After installation, you must configure service profiles for VIMs in the centralized portion of the deployment.

The Contrail OpenStack Keystone on the Contrail Cloud Platform (external Keystone)

  • Centralized deployment:

    • Installation occurs with Contrail OpenStack.

    • You specify the IP address and access details for the Contrail OpenStack Keystone when you install CSO.

  • Distributed deployment and SD-WAN implementation:

    • Not available.

  • Combined deployment:

    • Available for the centralized portion of the deployment.

    • Installation occurs with Contrail OpenStack.

    • You specify the IP address and access details for the Contrail OpenStack Keystone when you install CSO.

An external Keystone that is specific to your network

You specify the IP address and access details for your Keystone when you install CSO.