[openstack-dev] [horizon] User registrations

Adam Young ayoung at redhat.com
Fri Nov 15 20:13:26 UTC 2013


On 11/10/2013 07:26 PM, Paul Belanger wrote:
> Greetings,
>
> In a previous thread I talked about building an application atop of
> horizon and keystone.  So far things are working out pretty well.  One
> thing I have been trying to figure out is how to move forward with
> user registration for the horizon application.  A few moons ago, IIRC,
> horizon actually used django-registration however the move to Keystone
> removed that functionality.
>
> For me, I'd like to expose some functionality within my web
> application to allow users to register vs having an admin provisioning
> accounts.
>
> So, I'm curious if there is any interest in having such a module
> back in horizon but leveraging keystone this time around. I'm actually
> curious to hear how people see this working since this is the next
> thing I need to deal with.
>
So...A couple things to think about when registering users:

The User entry in Keystone is really thin.  Not much more than a string 
identifier and a password.
Passwords are the lowest common denominator of authentication 
mechanisms.  I wouldn't argue if someone said they are insecure by default.
Most companies need to keep a slew of User Data beyond that in the user 
table.  Let's split it into two forms:  Customers and Employees. You are 
not really going to add either by hand in Horizon. Customers need 
billing info, employees need a lot more.

So, that leaves users that are not customers and are not employees. Call 
these "additional accounts"; they are basically a way a customer can add 
additional users from their organization to a paying account.  For all 
intents and purposes, they are really additional credentials off a 
single account.  Only these would be managed in Keystone, and even then 
there is not enough information to track them;  there is no way to track 
them to the billing account unless they are all under a single domain.

I would argue that this form of user management is outside the scope of 
Horizon and OpenStack.  It is really a factor of the implementing 
organization.  For the employee use case, I would recommend using 
something like FreeIPA (shameless plug for a previous project) and for 
the external you need a real CRM (sorry, don't have one for you, but 
there are lots).
