Difference between revisions of "OpenStack:Horizon User Registration Blueprint"
| (4 intermediate revisions by the same user not shown) | |||
| Line 1: | Line 1: | ||
| + | Allow users to register. Right now only admin can create a new user. | ||
| + | '''Option1''' | ||
| + | 1) | ||
| + | First create a role (Eg:security_role) in keystone. | ||
| + | 2) | ||
| + | Then add 'security_role' to following actions (we need to edit | ||
| + | /etc/keystone/policy.json) | ||
| + | create_user | ||
| + | list_projects | ||
| + | list_roles | ||
| + | create_grant | ||
| + | |||
| + | * This way we can limit the user privileges | ||
| + | |||
| + | 3) | ||
| + | Create a user (Eg:security_user) with role 'security_role'. | ||
| + | |||
| + | 4) | ||
| + | Use the credentials of "security_user" to create new user. | ||
| + | When the user submit sign-up form: | ||
| + | a)First, get the token for "security_user" (Separate keystone API call, | ||
| + | don't use openstack_auth directly) | ||
| + | b)Then, get the id of project and domain, and submit the "create_user" | ||
| + | action. | ||
| + | c)Then, find the id of 'member' role and submit the "create_grant" action. | ||
| + | |||
| + | 5) | ||
| + | We can add a user table in horizon to store extra user details ?. | ||
| + | Or | ||
| + | We can save it in keystone in json format | ||
| + | |||
| + | |||
| + | '''Option2''' | ||
| + | |||
| + | * Add a new signup form in horizon | ||
| + | * Onsubmit event of signup form, send user details to an external service (called it "security service") | ||
| + | * "security service" is nothing it is a webservice (We can use paste.httpserver or flask) | ||
| + | * Why we need an additional service? | ||
| + | * We need admin access to keystone to create a new user. | ||
| + | * We can't login to keystone as admin from horizon, that is a security risk, right ?. | ||
| + | * So I am planning to login to keystone as admin from "security service" | ||
| + | * "security service" will makes an API call to keystone to create a new user | ||
| + | * We can also save additional user details in the field 'text' of keystaon's 'user' table as json object. Or use our on Local DB. | ||
| + | * Security service creates user in disable mode and return the response back to horizon | ||
| + | * horizon will send account activation url to user's email id. | ||
| + | * Once the user clicks on activation link, flow is again same. First comes to horizon, then to 'security service' and makes keystone api call for user activation. | ||
| + | |||
| + | '''Workflow Diagram''' | ||
[[File:Diagram_user_registartion.pdf]] | [[File:Diagram_user_registartion.pdf]] | ||
| + | |||
| + | '''Mailing List''' | ||
| + | |||
| + | [http://lists.openstack.org/pipermail/openstack-dev/2013-November/018523.html Mailig List Discussion] | ||
Latest revision as of 09:07, 6 January 2014
Allow users to register. Right now only admin can create a new user. Option1 1) First create a role (Eg:security_role) in keystone.
2) Then add 'security_role' to following actions (we need to edit /etc/keystone/policy.json) create_user list_projects list_roles create_grant
- This way we can limit the user privileges
3) Create a user (Eg:security_user) with role 'security_role'.
4) Use the credentials of "security_user" to create new user. When the user submit sign-up form:
a)First, get the token for "security_user" (Separate keystone API call,
don't use openstack_auth directly)
b)Then, get the id of project and domain, and submit the "create_user"
action.
c)Then, find the id of 'member' role and submit the "create_grant" action.
5) We can add a user table in horizon to store extra user details ?. Or We can save it in keystone in json format
Option2
- Add a new signup form in horizon
- Onsubmit event of signup form, send user details to an external service (called it "security service")
- "security service" is nothing it is a webservice (We can use paste.httpserver or flask)
- Why we need an additional service?
* We need admin access to keystone to create a new user. * We can't login to keystone as admin from horizon, that is a security risk, right ?. * So I am planning to login to keystone as admin from "security service" * "security service" will makes an API call to keystone to create a new user * We can also save additional user details in the field 'text' of keystaon's 'user' table as json object. Or use our on Local DB.
- Security service creates user in disable mode and return the response back to horizon
- horizon will send account activation url to user's email id.
- Once the user clicks on activation link, flow is again same. First comes to horizon, then to 'security service' and makes keystone api call for user activation.
Workflow Diagram
File:Diagram user registartion.pdf
Mailing List
