Domain support for login

Registered by Gabriel Hurley

To support domains in the Keystone v3 API we need to alter the login process slightly. Within that, we should have three configurable cases. The requirements are as follows:

Login changes: requires domain name in addition to user name

Three cases:
 * domains are "public", may want to simply select domain from a list (Implement similarly to region list, or can we query?)
 * domains are "secret", user must type in domain name (simple text box)
 * only default domain, hide domain input field

Blueprint information

Status: Complete
Approver: Gabriel Hurley
Priority: High
Drafter: None
Direction: Approved
Assignee: Lin Hua Cheng
Definition: Approved
Series goal: Accepted for havana
Implementation: Implemented
Milestone target: 2013.2
Started by: Lin Hua Cheng
Completed by: Lin Hua Cheng

Whiteboard

Username is now only unique in the scope of the domain. To perform authentication in Keystone V3, the user_domain_id or user_domain_name must also be specified by the user on login.

Task breakdown:
1. Update openstack_auth to support Keystone V3 authentication. Store the domain_id in the user model.
2. Enhance the login page to support three modes:
- Display the list of domains in a dropdown (configurable in settings.py). This is for supporting private clouds.
- Display the domain as a text field. This is for supporting public clouds, where users should not see what other domains are available.
- Don't display the domain field. In some cases the cloud operator doesn't want to support multiple domains; all projects and users will be created in the default domain.
3. Enhance the authentication and api.keystone facade to support both versions of Keystone. The application could automatically discover the Keystone version based simply on the value of OPENSTACK_KEYSTONE_URL (example: http://localhost:5000/v2.0).

Keystone-client Auth V3 almost ready: https://review.openstack.org/#/c/21942/

[lin] Before starting on this work, we need to figure out the strategy for dynamically determining the client version to use based on capability. Addressed by: https://blueprints.launchpad.net/horizon/+spec/api-capability-detection

In Keystone V3, the format of the service catalog in the token response has changed. Based on the Keystone version, the code should use a different parsing strategy for the catalog.

Gerrit topic: https://review.openstack.org/#q,topic:bp/login-domain-support,n,z

Addressed by: https://review.openstack.org/28579
    Enable parsing of Identity Service V3 catalog.

Openstack_auth code ready for review: https://github.com/gabrielhurley/django_openstack_auth/pull/41

[gabrielhurley 2012-05-27] Bumping to H2 due to delays in keystoneclient, etc. Should be easy to wrap it up in H2.

Addressed by: https://review.openstack.org/37335
    Sync requirements for Keystone V3 Auth support.

[2013-07-16 | Gabriel] Unfortunately this is still blocked by requirements problems in Keystone, so the review cannot be merged in time for the H2 cut. If by some miracle it gets merged in the next few hours I'll put the blueprint back but I expect it will land too late.

[2013-08-12 | Lin] Code has been merged

To support the three modes:
1. Running in Keystone V3 with multi-domain - Display the domain as a text field. This is for supporting public clouds, where users should not see what other domains are available.

The setting should look like:
    OPENSTACK_API_VERSIONS = {
        "identity": 3
    }
    OPENSTACK_KEYSTONE_MULTIDOMAIN_SUPPORT = True
    OPENSTACK_KEYSTONE_DEFAULT_DOMAIN = 'Default'
    OPENSTACK_KEYSTONE_URL = "http://%s:5000/v3" % OPENSTACK_HOST

2. Running in Keystone V3 with a single domain - Don't display the domain field. In some cases the cloud operator doesn't want to support multiple domains; all projects and users will be created in the default domain.

The setting should look like:
    OPENSTACK_API_VERSIONS = {
        "identity": 3
    }
    OPENSTACK_KEYSTONE_MULTIDOMAIN_SUPPORT = False
    OPENSTACK_KEYSTONE_DEFAULT_DOMAIN = 'Default'
    OPENSTACK_KEYSTONE_URL = "http://%s:5000/v3" % OPENSTACK_HOST

3. Running only in Keystone V2.

The setting should look like:
    OPENSTACK_API_VERSIONS = {
        "identity": 2.0
    }
    OPENSTACK_KEYSTONE_MULTIDOMAIN_SUPPORT = False
    OPENSTACK_KEYSTONE_DEFAULT_DOMAIN = 'Default'
    OPENSTACK_KEYSTONE_URL = "http://%s:5000/v2.0" % OPENSTACK_HOST
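How the three configurations above could translate into the credentials sent to Keystone, as an added example that is not code from Horizon or django_openstack_auth. The helper names are hypothetical, and two behaviours are assumptions: a domain posted while the field is hidden is ignored, and an empty domain in multi-domain mode is rejected rather than defaulted.

```python
# Added example: hypothetical helpers, not Horizon or django_openstack_auth code.

class DomainRequired(ValueError):
    """Multi-domain mode is on and the login form carried no domain name."""


def resolve_user_domain(settings, submitted_domain):
    """Pick the user's domain name according to the configured login mode."""
    if settings["OPENSTACK_API_VERSIONS"]["identity"] < 3:
        return None  # Keystone V2 has no domains
    if not settings.get("OPENSTACK_KEYSTONE_MULTIDOMAIN_SUPPORT", False):
        # Single-domain mode: the field is hidden, so whatever a client
        # posts in it is ignored in favour of the configured default
        # (assumed behaviour).
        return settings["OPENSTACK_KEYSTONE_DEFAULT_DOMAIN"]
    domain = (submitted_domain or "").strip()
    if not domain:
        # Assumed behaviour: never fall back silently to the default domain.
        raise DomainRequired("domain name is required in multi-domain mode")
    return domain


def build_auth_body(settings, username, password, submitted_domain=None):
    """Return the JSON body for POST /v3/auth/tokens or POST /v2.0/tokens."""
    domain = resolve_user_domain(settings, submitted_domain)
    if domain is None:
        return {"auth": {"passwordCredentials": {
            "username": username, "password": password}}}
    return {"auth": {"identity": {
        "methods": ["password"],
        "password": {"user": {
            "name": username,
            "domain": {"name": domain},  # the user_domain_name from the whiteboard
            "password": password,
        }},
    }}}


# Constructed settings mirroring the three configurations above.
MULTI = {"OPENSTACK_API_VERSIONS": {"identity": 3},
         "OPENSTACK_KEYSTONE_MULTIDOMAIN_SUPPORT": True,
         "OPENSTACK_KEYSTONE_DEFAULT_DOMAIN": "Default"}
SINGLE = dict(MULTI, OPENSTACK_KEYSTONE_MULTIDOMAIN_SUPPORT=False)
V2 = dict(SINGLE, OPENSTACK_API_VERSIONS={"identity": 2.0})
```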
