add user registration option

Registered by sajuptpm

Allow users to register. Right now only admin can create a new user.
This signup feature is important when building a public cloud like AWS using OpenStack.

Implementation
==========

1) First create a role (e.g. security_role) in keystone.

2) Then add 'security_role' to the following actions (we need to edit /etc/keystone/policy.json):
 * create_user
 * list_projects
 * list_roles
 * create_grant

This way we can limit the user privileges.

3) Create a user (e.g. security_user) with the role 'security_role'.

4) Use the credentials of "security_user" to create the new user. When the user submits the sign-up form:
 * First, get the token for "security_user" (separate keystone API call, don't use openstack_auth directly).
 * Then, get the id of the project and domain and submit the "create_user" action.
 * Then, find the id of the member role and submit the "create_grant" action.

5) We can add a user table in horizon to store extra user details? Or we can save it in keystone in JSON format.

Mailing List
=======
http://lists.openstack.org/pipermail/openstack-dev/2013-November/018523.html

Ref Sites
========
http://adam.younglogic.com/2013/03/trusts-rbac/
http://stackoverflow.com/questions/18972355/openstack-create-a-super-user-like-admin
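
The restriction in step 2 only holds if 'security_role' reaches the four listed actions and nothing else. The check below is an added example, not code from the blueprint or from horizon-auth: the policy fragment is constructed, the "signup" alias is hypothetical, and the "identity:"-prefixed targets assume Keystone's v3 policy file.

```python
import json
import re

# Constructed fragment in the JSON format of /etc/keystone/policy.json.
# The "signup" alias is hypothetical; the role name is the blueprint's example.
SAMPLE_POLICY = json.loads("""
{
  "admin_required": "role:admin or is_admin:1",
  "signup": "role:security_role",
  "identity:create_user": "rule:admin_required or rule:signup",
  "identity:list_projects": "rule:admin_required or role:security_role",
  "identity:list_roles": "rule:admin_required or role:security_role",
  "identity:create_grant": "rule:admin_required or role:security_role",
  "identity:delete_user": "rule:admin_required or rule:signup",
  "identity:list_users": "",
  "identity:update_user": "rule:admin_required"
}
""")

# The four actions listed in step 2 of the blueprint.
ALLOWED = {"identity:create_user", "identity:list_projects",
           "identity:list_roles", "identity:create_grant"}


def mentions_role(policy, rule_text, role, seen=frozenset()):
    """True if rule_text names `role` directly or through a rule: alias.
    An empty rule matches every caller, so it counts as reachable too.
    Conservative mention check: and/not semantics are not evaluated."""
    if not rule_text.strip():
        return True
    if re.search(r"\brole:%s\b" % re.escape(role), rule_text):
        return True
    for alias in re.findall(r"\brule:([\w.:-]+)", rule_text):
        if alias in seen or alias not in policy:
            continue  # skip alias cycles and undefined aliases
        if mentions_role(policy, policy[alias], role, seen | {alias}):
            return True
    return False


def audit(policy, role, allowed):
    """Return (excess, missing): actions the role reaches beyond `allowed`,
    and allowed actions the role has not been granted."""
    reachable = {name for name, text in policy.items()
                 if name.startswith("identity:")
                 and mentions_role(policy, text, role)}
    return sorted(reachable - allowed), sorted(allowed - reachable)
```

Running `audit(SAMPLE_POLICY, "security_role", ALLOWED)` on the constructed fragment reports `identity:delete_user` (granted through the shared alias) and `identity:list_users` (empty rule) as excess.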

Blueprint information

Status: Complete
Approver: None
Priority: High
Drafter: None
Direction: Needs approval
Assignee: None
Definition: Obsolete
Series goal: None
Implementation: Blocked
Milestone target: None
Started by: David Lyle
Completed by: David Lyle

Whiteboard

[2014-03-06 lblanchard]
Hi All,
I put together a few very basic wireframes to cover this feature. I would be happy to make any additions or updates that you all see fit. Let me know!
http://people.redhat.com/~lsurette/OpenStack/Horizon%20-%20Self%20Register
Thanks,
Liz

[2014-02-01 amotoki]
<amotoki> I am not familiar with this area (identity management), but what i can say is all services should work without openstack dashboard.
<amotoki> from this point of view, "separate service" sounds reasonable to me too.

[2014-01-31 kspear]
<kspear> basically what i would suggest is to create an external service that will receive new user registration requests from horizon via rpc
<kspear> you don't want to store any keystone admin credentials on the dashboard host
<kspear> because a public-facing web server is a security risk
<kspear> a separate server that has admin credentials that can receive messages over rpc
<kspear> it would basically listen on a message queue and call keystone user-create when necessary
<kspear> alternatively you could use the ldap backend for keystone, and use some other ldap-compatible software to manage user account creation
<kspear> the idea of a restricted user/role is good, but i don't think the service belongs inside horizon itself
<saju_m> https://github.com/sajuptpm/horizon-auth
<kspear> what you have done there seems fine
<kspear> well there are ways to scale out http too
<kspear> you can just put a load balancer in front of multiple web servers
<kspear> the hard part is the database
<saju_m> I would like to get it reviewed https://github.com/sajuptpm/horizon-auth
<kspear> you can try to put it on stackforge
<kspear> http://ci.openstack.org/stackforge.html

[2014-01-30 mrunge]
Thank you for your suggestion!
This looks to me like giving anonymous users access to your cloud resources, and I'm not sure if that's acceptable. You could register users from outside of horizon, there is no need to do that.

A weak point is: list roles/projects: that would make them effectively public.
You may need to store arbitrary data, such as credit card numbers, etc. And probably you need to implement a GUI for those arbitrary data fields. Horizon does not store any data to a database.

[2014-02-05 lblanchard]
Would the goal be to add a "Register" or "Create New Account" link on the login page? Then the user would be able to fill out a form of some sort to give the necessary account information? I'm happy to help with what this might look like in Horizon and put some wireframes together if needed, let me know.

[2014-02-05 sajuptpm, reply to lblanchard]
Would the goal be to add a "Register" or "Create New Account" link on the login page?
* I am planning to add both
Then the user would be able to fill out a form of some sort to give the necessary account information?
* Yes
I'm happy to help with what this might look like in Horizon and put some wireframes together if needed, let me know.
* Yes, I need

[2014-12-26 LIU Yulong]
The third TODO in the 'Work Items' below needs keystone API V3 support. V2 cannot do that. The V2 API only checks whether the requesting user has the admin role or not. Definitions like 'identity:xxxxxx': "rule:xxxxxxx" are only used for v3.

[2015-06-26 LIU Zabolzadeh]
I think having a registration capability in the OpenStack dashboard is not what an enterprise is looking for. Creating a new user is the role of an external service and does not fit into the OpenStack dashboard realm.
The OpenStack dashboard is not a public-facing page for free users, and it's not reasonable to give free access to non-premium users to create a new account.

[2015-07-10 LIU Yulong]
It's better to add some AuthMiddleware and API to keystone that only allows create_user, create_project, list/get role and grant permission.

[david-lyle | 2015-08-12] This is something keystone does not support. If someone gets this ability into keystone, we can discuss further, for now this is permanently blocked and not needed to track.

Work Items

Work items:
[sajuptpm] Create a special role (new_role1) with permission to do actions (restricted) like create_user, create_project, list/get role and grant permission : TODO
[sajuptpm] Create a user with special role new_role1 and use that user to create new user during signup : TODO
[sajuptpm] Modify /etc/keystone/policy.json : TODO
[sajuptpm] Make separate API call to Keystone to create new user : TODO
[sajuptpm] Create a new project while creating new user and grant permission : TODO
[sajuptpm] Configure Quotas (nova, cinder and nw) on project level : TODO