[openstack-dev] [keystone] Autoprovisioning, per-user projects, and Federation

Adam Young ayoung at redhat.com
Thu Nov 5 17:34:12 UTC 2015

Can people help me work through the right set of tools for this use case 
(has come up from several Operators) and map out a plan to implement it:

Large cloud with many users coming from multiple Federation sources has 
a policy of providing a minimal setup for each user upon first visit to 
the cloud:  Create a project for the user with a minimal quota, and 
provide them a role assignment.

Here are the gaps, as I see it:

1.  Keystone provides a notification that a user has logged in, but 
there is nothing capable of executing on this notification at the 
moment.  Only Ceilometer listens to Keystone notifications.

2.  Keystone does not have a workflow engine, and should not be 
auto-creating projects.  This is something that should be performed via 
a Heat template, and Keystone does not know about Heat, nor should it.

3.  The Mapping code is pretty static; it assumes a user entry or a 
group entry in identity when creating a role assignment, and neither 
will exist.

We can assume a special domain for Federated users to have per-user 

So, let's assume a Heat template that does the following:

1. Creates a user in the per-user-projects domain
2. Assigns a role to the Federated user in that project
3. Sets the minimal quota for the user
4. Somehow notifies the user that the project has been set up.

This last probably assumes an email address from the Federated 
assertion.  Otherwise, the user hits Horizon, gets a "not authenticated 
for any projects" error, and is stumped.

How is quota assignment done in the other projects now?  What happens 
when a project is created in Keystone?  Does that information get 
transferred to the other services, and, if so, how?  Do most people use 
a custom provisioning tool for this workflow?

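The four-step setup sketched in the post, as an added example that is not part of the original message and is not Keystone or Heat code. It models the workflow (project in a dedicated domain, role assignment, minimal quota, notification) against an in-memory stand-in for the identity service so it runs offline, and makes it idempotent so a repeated login notification is a no-op. The domain name FEDERATED_DOMAIN, the role name, the quota values and the assertion fields (idp, user_id, email) are assumptions; the assertion below is constructed sample input. It also covers a point the post's step 1 leaves open: the project name is namespaced by identity provider and the attributes are validated, so "alice" from two IdPs never lands in the same project and an assertion cannot smuggle a crafted name.

```python
"""Idempotent per-user project provisioning for federated users.

Added example, not from the original post or from Keystone/Heat.
An in-memory IdentityStore stands in for the identity service so the
example runs offline; FEDERATED_DOMAIN, DEFAULT_ROLE and MINIMAL_QUOTA
are assumed values.
"""
import hashlib
import re
from dataclasses import dataclass, field

FEDERATED_DOMAIN = "federated_users"   # assumed: the "special domain" in the post
DEFAULT_ROLE = "member"                # assumed role granted on first visit
MINIMAL_QUOTA = {"instances": 2, "cores": 2, "ram_mb": 2048, "volumes": 1}

# Assertion attributes are untrusted IdP input. Only this alphabet is
# accepted; it excludes "-" so that joining idp and user id with "-" is
# unambiguous (idp "a-b"/user "c" cannot collide with idp "a"/user "b-c").
_SAFE = re.compile(r"^[A-Za-z0-9._@]{1,64}$")
_MAX_NAME = 64   # Keystone limits project names to 64 characters


@dataclass
class IdentityStore:
    """In-memory stand-in for Keystone; every call is an 'ensure' so a
    second run for the same user changes nothing."""
    projects: dict = field(default_factory=dict)    # (domain, name) -> project id
    assignments: set = field(default_factory=set)   # (user, project, role)
    quotas: dict = field(default_factory=dict)      # project id -> quota dict
    log: list = field(default_factory=list)         # mutating operations performed

    def ensure_project(self, domain, name):
        key = (domain, name)
        if key not in self.projects:
            digest = hashlib.sha256(f"{domain}/{name}".encode()).hexdigest()
            self.projects[key] = digest[:32]
            self.log.append(("create_project", domain, name))
        return self.projects[key]

    def ensure_assignment(self, user, project, role):
        key = (user, project, role)
        if key not in self.assignments:
            self.assignments.add(key)
            self.log.append(("grant_role", user, project, role))

    def ensure_quota(self, project, quota):
        if self.quotas.get(project) != quota:
            self.quotas[project] = dict(quota)
            self.log.append(("set_quota", project))


def project_name_for(assertion):
    """Stable project name namespaced by identity provider.

    Rejects attributes outside the safe alphabet and keeps the result
    within Keystone's 64-character limit by hashing the tail if needed."""
    idp = assertion["idp"]
    uid = assertion["user_id"]
    if not (_SAFE.match(idp) and _SAFE.match(uid)):
        raise ValueError("assertion attributes contain disallowed characters")
    name = f"{idp}-{uid}"
    if len(name) > _MAX_NAME:
        tail = hashlib.sha256(name.encode()).hexdigest()[:16]
        name = name[: _MAX_NAME - 17] + "-" + tail   # readable prefix + unique tail
    return name


def provision_first_visit(store, assertion):
    """Run the post's steps 1-4. Returns (project_id, created, notice).

    'created' is False when everything already existed, and 'notice' is
    the message to send the user (None if nothing was created or the
    assertion carries no email, which is the gap the post points out)."""
    name = project_name_for(assertion)
    user_key = f"{assertion['idp']}:{assertion['user_id']}"  # federated identity key
    before = len(store.log)

    project = store.ensure_project(FEDERATED_DOMAIN, name)          # step 1
    store.ensure_assignment(user_key, project, DEFAULT_ROLE)        # step 2
    store.ensure_quota(project, MINIMAL_QUOTA)                      # step 3

    created = len(store.log) > before
    notice = None                                                   # step 4
    if created and assertion.get("email"):
        notice = {"to": assertion["email"],
                  "text": f"Project {name} in domain {FEDERATED_DOMAIN} is ready."}
    return project, created, notice


if __name__ == "__main__":
    # Constructed sample assertion, not a real Keystone notification payload.
    sample = {"idp": "idp.example.org", "user_id": "alice",
              "email": "alice@example.org"}
    s = IdentityStore()
    print(provision_first_visit(s, sample))
    print(provision_first_visit(s, sample))   # second visit: created is False
```

The "ensure" shape matters more than the store: whatever executes the login notification will see the same event more than once (retries, a user logging in from two sessions), so every step must be safe to replay rather than guarded only by a "first visit" flag.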