<div dir="ltr"><br><div class="gmail_extra"><br><div class="gmail_quote">On 14 November 2014 10:29, Adam Young <span dir="ltr"><<a href="mailto:ayoung@redhat.com" target="_blank">ayoung@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000"><div><div class="h5">
<div>On 11/14/2014 09:32 AM, Don Waterloo
wrote:<br>
</div>
</div></div><blockquote type="cite"><div><div class="h5">
<div dir="ltr">I have a system (juno/ubuntu 14.10) which currently
has keystone as the master of the
<div>universe for identity and authentication.
<div>By convention, each user of my system is also a tenant,
which is my intent to continue.</div>
<div>My system is used by a combination of our team members,
but also by 3rd parties</div>
<div>(e.g. we use it for training on our products).</div>
<div><br></div></div></div></div></div></blockquote>
So the intent is to split things up by domain. I would say that
your existing users should be in one domain (or multiple if they are
already) and Federated/SAML users would go into....limbo today, as
federated users are kind of domainless. I'd like to fix that (each
IdP has a minimum of one domain).<br>
<br>
The term "tenant" is kind of confusing here. I think what you are
saying is that each user of your system gets a default project
autoprovisioned for them. With Federation, you have to make sure
you don't provision for users with Valid Federated Identities but no
real relationship to your Cloud deployment.<br>
</div>
</blockquote></div><br></div><div class="gmail_extra">So what I do today is manual: I run this script below for each new person. [Side note: I really don't want the 'admin', but then they cannot create a port on my external network.] So yes, 1 user <-> 1 project/tenant, created together.</div><div class="gmail_extra"><br></div><div class="gmail_extra">What I'm hoping to achieve is to have 0 maintenance for my own team (so that on first login, it creates a tenant/project, creates them, and away they go). As a side project, I'll need to figure out some 'idle-out' for resources etc. (anyone done this already, something that cleans up users who have been idle for some # of days?)</div><div class="gmail_extra"><br></div><div class="gmail_extra">You mention 'auto-provision' above. With SAML, I can't really query the universe of 'who might log in someday'; only as each user comes do I find out about them. I'm assuming there is some way to map this.</div><div class="gmail_extra"><br></div><div class="gmail_extra">So today I have a single default domain. I guess I should look at whether this domain remains as-is and I add a new company domain for the SAML.</div><div class="gmail_extra"><br></div><div class="gmail_extra"><div class="gmail_extra"><font face="monospace">#!/bin/bash</font></div><div class="gmail_extra"><font face="monospace"># Manual per-person provisioning: one tenant plus one user of the same name.</font></div><div class="gmail_extra"><font face="monospace">set -e   # abort at the first failing keystone call instead of leaving a half-created account</font></div><div class="gmail_extra"><font face="monospace">[ $# != 2 ] && echo "Usage: $0 username email" && exit 1</font></div><div class="gmail_extra"><font face="monospace">user="$1"</font></div><div class="gmail_extra"><font face="monospace">email="$2"</font></div><div class="gmail_extra"><font face="monospace"># Initial password: 10 hex chars (40 bits) derived from /dev/urandom; widen the cut for more entropy.</font></div><div class="gmail_extra"><font face="monospace">pass=$(dd if=/dev/urandom bs=1 count=64 2>/dev/null | sha1sum | cut -c1-10)</font></div><div class="gmail_extra"><font face="monospace">keystone tenant-create --name "$user" --description "Private space of $user"</font></div><div class="gmail_extra"><font face="monospace">keystone user-create --email "$email" --name "$user" --tenant "$user" --pass "$pass"</font></div><div class="gmail_extra"><font face="monospace"># 'admin' on the tenant is kept only because without it the user cannot create a port on the external network.</font></div><div class="gmail_extra"><font face="monospace">keystone user-role-add --user "$user" --role "admin" --tenant "$user"</font></div><div class="gmail_extra"><font face="monospace"># heat_stack_owner lets the user manage Heat stacks in the tenant.</font></div><div class="gmail_extra"><font face="monospace">keystone user-role-add --user "$user" --role "heat_stack_owner" --tenant "$user"</font></div><div class="gmail_extra"><font face="monospace"><br></font></div><div class="gmail_extra"><font face="monospace">echo "Created user '$user' with initial password '$pass'"</font></div><div><br></div></div><div class="gmail_extra"><br></div><div class="gmail_extra"><div class="gmail_extra">Thanks for the input and advice, I appreciate it.</div><div class="gmail_extra"><br></div><div class="gmail_extra">--don</div><div><br></div></div></div>
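Added example, not from this thread and not Keystone's own code: a simplified evaluator for the Keystone federation mapping-rule format, showing how the remote part of a rule decides whether a SAML assertion maps to a local user and group at all, which is the gate Adam describes for not provisioning users who have a valid federated identity but no relationship to the cloud. The mapping, the group id and the assertion attributes are constructed placeholders; returning the first matching rule is a simplification of Keystone's processing.

```python
import re

# Constructed mapping in the Keystone federation mapping-rule format (placeholder group id).
# Only assertions whose "groups" attribute includes "cloud-team" get a local identity;
# a valid SAML login with no relationship to the cloud matches no rule and is not mapped.
MAPPING = {"rules": [{
    "local": [{"user": {"name": "{0}", "email": "{1}"}},
              {"group": {"id": "GROUP_ID_PLACEHOLDER"}}],
    "remote": [{"type": "uid"},
               {"type": "mail"},
               {"type": "groups", "any_one_of": ["cloud-team"]}],
}]}

def _attr_values(assertion, name):
    """Assertion attributes arrive from the SAML module as one ';'-joined string per type."""
    raw = assertion.get(name)
    return [] if raw is None else raw.split(";")

def _match_remote(assertion, entry):
    """Return (matched, direct_value). Only entries without any_one_of/not_any_of
    contribute a value for the {n} placeholders in the local part (direct mapping)."""
    values = _attr_values(assertion, entry["type"])
    if "any_one_of" in entry:
        if entry.get("regex"):
            return any(re.search(p, v) for p in entry["any_one_of"] for v in values), None
        return any(v in entry["any_one_of"] for v in values), None
    if "not_any_of" in entry:
        return not any(v in entry["not_any_of"] for v in values), None
    return bool(values), (values[0] if values else None)

def map_assertion(mapping, assertion):
    """Return the local user/group dict from the first rule whose remote part fully
    matches, with {n} filled from direct-mapped values; None if no rule matches."""
    for rule in mapping["rules"]:
        direct = []
        for entry in rule["remote"]:
            ok, value = _match_remote(assertion, entry)
            if not ok:
                break  # one failed matcher disqualifies the whole rule
            if value is not None:
                direct.append(value)
        else:
            result = {}
            for local in rule["local"]:
                for kind, spec in local.items():
                    result[kind] = {k: v.format(*direct) for k, v in spec.items()}
            return result
    return None  # no rule matched: the federated login gets no local identity
```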