Hello OpenStack-dev,

We have been developing a new service for our cloud called StackTask and last week it went live. It is presently used to allow users to self-manage additional users and roles on their projects without being admin, but in future will grow to handle other normally admin-restricted tasks.

It is open source, built using Django and Django Rest Framework, well tested, and now running in our production environment. It is currently up on our GitHub and we are likely to move it to the openstack/* repos with future development done there rather than our own gerrit to allow external contributions.

At its core it is more than just a user management system and is a basic workflow framework that can act as a proxy to allow users to request certain allowed admin functions via the OpenStack APIs. Rather than build anything too drastic or attempt to rewrite Keystone to be something it wasn't meant to be, this leverages the existing features of Keystone and builds on them instead while allowing required business logic. Not only that but it is built to allow pluggable actions that the maintainers can config/develop which can do nearly anything as part of the workflow, including talk to non-OpenStack services.

Our first deployment is focused on user self management through Keystone. We needed users to be able to invite new people to their projects, manage their roles, and also be able to reset their own passwords. StackTask is capable of more, but that was the first stage we wanted working and served as a good vertical slice to help us focus on ensuring the framework functioned as intended. Now that we have the core functionality of the framework tested, stable, and in place, adding additional actions will not require as much work.

What it does now:
- project_admin and project_mod can invite a new user to their project with chosen roles.
  - If user exists in OpenStack they must confirm their invite via emailed token, and roles will be added.
  - If new user, they will be emailed a token to set up their password, and then the user is created and given roles.
- project_admin can manage roles for users in their project, including entirely revoking all roles on their project from a given user.
- users can ask for a password reset
  - email token for inputting a new password.

Near future:
- user sign up
  - user submits details
    - username
    - email
    - project name
  - admin has to approve
  - project created, and then email with token sent to user to set up password.
- quota update
  - users can ask for a larger quota on their project
  - system will auto approve if within safe threshold of increase or time since last quota change, or admin will need to approve.
- Pluggable user backends
  - LDAP

Problems we tried to solve:
- Keystone is not a good user management solution, but even with an LDAP backend Keystone is still needed for a lot of features.
- you need admin to do anything truly useful when it comes to Keystone.
- a project_admin-like role and functions are coming in future Keystone, but not here yet.

We are happy with how this service is going right now, and we have every intention to expand and maintain it for ourselves, but this might be something others can find useful for their own or future OpenStack deployments, or even just a quick and easy way to get user self management working with raw Keystone.

For any interested parties:

StackTask git repo: https://github.com/catalyst/stacktask
Python client repo: https://github.com/catalyst/python-stacktaskclient
The client is now also on PyPI as python-stacktaskclient
Ported Horizon changes: https://github.com/catalyst/horizon/tree/stable/mitaka_stacktask
Horizon screenshots: https://github.com/catalyst/horizon/blob/stable/mitaka_stacktask/README.rst
Devstack deployment guide: https://github.com/catalyst/stacktask/blob/master/DEVSTACK_GUIDE.md

Until we switch to OpenStack gerrit our GitHub will likely be only updated for releases from our internal gerrit, but should never lag behind long, and we should be shifting soon anyway.

If you have any questions, criticisms, or want to join us on this project, feel free to email me back.

Cheers,
- Adrian Turjak

OpenStack Development Mailing List (not for usage questions)