
Difference between revisions of "OpenStack:Horizon User Registration Blueprint"

 
Line 21: Line 21:
 
Use the credentials of "security_user" to create new user.
 
Use the credentials of "security_user" to create new user.
 
When the user submit sign-up form:
 
When the user submit sign-up form:
  * First, get the token for "security_user" (Separate keystone API call,
+
  a)First, get the token for "security_user" (Separate keystone API call,
 
don't use openstack_auth directly)
 
don't use openstack_auth directly)
  * Then, get the id of project and domain and submit the "create_user"
+
  b)Then, get the id of project and domain, and submit the "create_user"
 
action.
 
action.
  * Then, find the id of member role and submit the "create_grant" action.
+
  c)Then, find the id of 'member' role and submit the "create_grant" action.
  
 
5)
 
5)
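
Review bot: the relettered steps a) to c) fuse the new marker to the text ("a)First", "b)Then", "c)Then"); put a space after each marker. Step c) now quotes 'member' in single quotes while "security_user", "create_user" and "create_grant" use double quotes, so pick one style. Step a) asks for a token for "security_user" through a separate keystone API call but does not say where Horizon keeps that account's credentials; a sentence on that would make the step complete.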

Latest revision as of 09:07, 6 January 2014

Allow users to register themselves. Right now only an admin can create a new user.

Option1

1) First create a role (e.g. security_role) in keystone.

2) Then add 'security_role' to the following actions (we need to edit /etc/keystone/policy.json):

  • create_user
  • list_projects
  • list_roles
  • create_grant

This way we can limit the user's privileges.

3) Create a user (e.g. security_user) with role 'security_role'.

4) Use the credentials of "security_user" to create the new user. When the user submits the sign-up form:

a) First, get the token for "security_user" (separate keystone API call, don't use openstack_auth directly).

b) Then, get the id of the project and domain, and submit the "create_user" action.

c) Then, find the id of the 'member' role and submit the "create_grant" action.

5) We can add a user table in horizon to store extra user details? Or we can save them in keystone in JSON format.
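
Steps 2 and 3 depend on policy.json giving security_role exactly the four listed actions and nothing more. The following audit is an added example, not part of the blueprint or of Keystone: the `identity:` target names follow Keystone's policy file, the `signup_or_admin` alias and the sample policy are constructed, and the rule matching is a conservative approximation that counts any mention of the role.

```python
import json
import re

# Actions the blueprint gives the sign-up role in step 2, written with the
# "identity:" prefix Keystone uses for policy targets.
EXPECTED = {"identity:create_user", "identity:list_projects",
            "identity:list_roles", "identity:create_grant"}

def _flatten(rule):
    """Policy values are strings or (older format) nested lists; reduce to text."""
    if isinstance(rule, str):
        return rule
    return " ".join(_flatten(part) for part in rule)

def mentions_role(name, role, policy, seen=frozenset()):
    """True if entry `name` references role:<role>, directly or via rule:<alias>.
    Conservative: any mention counts, so 'and'/'not' clauses are over-reported."""
    if name in seen or name not in policy:
        return False
    for tok in re.split(r"[\s()]+", _flatten(policy[name])):
        if tok == "role:" + role:
            return True
        if tok.startswith("rule:") and mentions_role(
                tok[5:], role, policy, seen | {name}):
            return True
    return False

def audit(policy, role):
    """Return (missing, excess) identity targets for `role` versus EXPECTED."""
    granted = {t for t in policy
               if t.startswith("identity:") and mentions_role(t, role, policy)}
    return EXPECTED - granted, granted - EXPECTED

# Constructed sample policy; "signup_or_admin" is a hypothetical alias.
SAMPLE = json.loads("""{
  "admin_required": "role:admin or is_admin:1",
  "signup_or_admin": "rule:admin_required or role:security_role",
  "identity:create_user": "rule:signup_or_admin",
  "identity:list_projects": "rule:signup_or_admin",
  "identity:list_roles": "rule:admin_required or role:security_role",
  "identity:create_grant": [["rule:admin_required"]],
  "identity:delete_user": "rule:signup_or_admin",
  "identity:update_user": "rule:admin_required"
}""")

if __name__ == "__main__":
    missing, excess = audit(SAMPLE, "security_role")
    print("missing:", sorted(missing))  # create_grant was never opened up
    print("excess:", sorted(excess))    # delete_user leaked in via the alias
```

A plain role check on create_grant does not limit which role may be granted or on which project, so a clean audit bounds the set of actions security_user can call, not their targets.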


Option2

  • Add a new sign-up form in horizon.
  • On the sign-up form's submit event, send the user details to an external service (call it the "security service").
  • The "security service" is simply a web service (we can use paste.httpserver or flask).
  • Why do we need an additional service?
      * We need admin access to keystone to create a new user.
      * We can't log in to keystone as admin from horizon; that is a security risk, right?
      * So I am planning to log in to keystone as admin from the "security service".
      * The "security service" will make an API call to keystone to create a new user.
      * We can also save additional user details in the 'text' field of keystone's 'user' table as a JSON object, or use our own local DB.
  • The security service creates the user in disabled mode and returns the response to horizon.
  • horizon will send an account activation URL to the user's email id.
  • Once the user clicks the activation link, the flow is the same again: the request first comes to horizon, then goes to the 'security service', which makes the keystone API call for user activation.

Workflow Diagram

File:Diagram user registartion.pdf

Mailing List

Mailing List Discussion