OpenStack:Horizon User Registration Blueprint

Allow users to register. Right now only an admin can create a new user.

Option1

1) First create a role (e.g. security_role) in keystone.

2) Then add 'security_role' to the following actions (we need to edit /etc/keystone/policy.json): create_user, list_projects, list_roles, create_grant


 * This way we can limit the user privileges

3) Create a user (e.g. security_user) with role 'security_role'.

4) Use the credentials of "security_user" to create the new user. When the user submits the sign-up form:

 a) First, get the token for "security_user" (separate keystone API call, don't use openstack_auth directly).

 b) Then, get the id of the project and domain, and submit the "create_user" action.

 c) Then, find the id of the 'member' role and submit the "create_grant" action.

5) We can add a user table in horizon to store extra user details? Or we can save them in keystone in JSON format.
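
A least-privilege check for step 2, added here as an example (it is not part of the blueprint or of Keystone): it reads a policy.json and reports where 'security_role' is granted beyond the four listed actions. The `identity:` prefix is Keystone's policy target naming; the `signup_allowed` alias and the sample policy are constructed for illustration, and rules are assumed to use the string syntax.

```python
import json
import re

# The four actions the blueprint grants to the registration role.
ALLOWED = {"identity:create_user", "identity:list_projects",
           "identity:list_roles", "identity:create_grant"}

# Constructed sample policy, not taken from a real deployment.
SAMPLE_POLICY = json.loads("""
{
  "admin_required": "role:admin or is_admin:1",
  "signup_allowed": "rule:admin_required or role:security_role",
  "identity:create_user": "rule:signup_allowed",
  "identity:list_projects": "rule:signup_allowed",
  "identity:list_roles": "rule:signup_allowed",
  "identity:create_grant": "rule:signup_allowed",
  "identity:delete_user": "rule:admin_required",
  "identity:update_user": "rule:admin_required or role:security_role",
  "identity:list_users": ""
}
""")

def grants_role(policy, rule, role, seen=frozenset()):
    """True if rule mentions role:<role>, directly or via a rule:<alias>."""
    if re.search(r"\brole:%s\b" % re.escape(role), rule):
        return True
    for alias in re.findall(r"\brule:([\w:.]+)", rule):
        # 'seen' stops the walk on aliases that refer back to each other.
        if alias in policy and alias not in seen:
            if grants_role(policy, policy[alias], role, seen | {alias}):
                return True
    return False

def audit(policy, role="security_role", allowed=ALLOWED):
    """Return (excess, missing, open_targets) over the identity:* targets."""
    targets = {k: v for k, v in policy.items() if k.startswith("identity:")}
    granted = {k for k, v in targets.items() if grants_role(policy, v, role)}
    # An empty rule always passes, so any token holder may call that action.
    open_targets = {k for k, v in targets.items() if not v.strip()}
    return (sorted(granted - allowed), sorted(allowed - granted),
            sorted(open_targets))

if __name__ == "__main__":
    excess, missing, open_targets = audit(SAMPLE_POLICY)
    print("granted beyond the blueprint:", excess)
    print("blueprint actions not granted:", missing)
    print("open to every authenticated user:", open_targets)
```

The check is textual, so any mention of the role in a rule is reported, including a negated one.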

Option2

 * We need admin access to keystone to create a new user.
 * We can't log in to keystone as admin from horizon; that is a security risk, right?
 * So I am planning to log in to keystone as admin from the "security service".
 * The "security service" will make an API call to keystone to create a new user.
 * We can also save additional user details in the field 'text' of keystone's 'user' table as a JSON object. Or use our own local DB.
 * Add a new signup form in horizon
 * On the submit event of the signup form, send the user details to an external service (call it "security service")
 * The "security service" is nothing but a web service (we can use paste.httpserver or flask)
 * Why do we need an additional service?
 * The security service creates the user in disabled mode and returns the response back to horizon
 * horizon will send the account activation url to the user's email id.
 * Once the user clicks on the activation link, the flow is the same again: first it comes to horizon, then to the 'security service', which makes the keystone api call for user activation.

Workflow Diagram



Mailing List

Mailing List Discussion