On 11/10/2013 07:26 PM, Paul Belanger wrote:
Greetings,

In a previous thread I talked about building an application atop
horizon and keystone.  So far things are working out pretty well.  One
thing I have been trying to figure out is how to move forward with
user registration for the horizon application.  A few moons ago, IIRC,
horizon actually used django-registration; however, the move to Keystone
removed that functionality.

For me, I'd like to expose some functionality within my web
application to allow users to register vs having an admin provisioning
accounts.

So, I'm curious if there is any interest in having such a module
back in horizon but leveraging keystone this time around. I'm actually
curious to hear how people see this working since this is the next
thing I need to deal with.

So... A couple of things to think about when registering users:

The User entry in Keystone is really thin. Not much more than a string identifier and a password. Passwords are the lowest common denominator of authentication mechanisms. I wouldn't argue if someone said they are insecure by default. Most companies need to keep a slew of User Data beyond that in the user table. Let's split it into two forms: Customers and Employees. You are not really going to add either by hand in Horizon. Customers need billing info, employees need a lot more.

So, that leaves users that are not customers and are not employees. Call these "additional accounts"; they are basically a way a customer can add additional users from their organization to a paying account. For all intents and purposes, they are really additional credentials off a single account. Only these would be managed in Keystone, and even then there is not enough information to track them; there is no way to track them to the billing account unless they are all under a single domain.

I would argue that this form of user management is outside the scope of Horizon and OpenStack. It is really a factor of the implementing organization. For the employee use case, I would recommend using something like FreeIPA (shameless plug for a previous project) and for the external you need a real CRM (sorry, don't have one for you, but there are lots).



_______________________________________________
OpenStack-dev mailing list
OpenStack-dev@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
