[keystone][horizon][kolla-ansible] user access specific domain
Hi all,

I am playing around with the domain in the yoga version of OpenStack using kolla-ansible as the deployment tool. I have set up Globus as my authentication tool. However, I am curious if it is possible to log in to an existing OpenStack user account via federated login (based on Gmail).

In my case, first, I created a user named "James" in one of the domains called federated_login. When I attempt to log in, a new user is created in the default domain instead of the federated_login domain. Below is a sample of my globus.json.

    [
      {
        "local": [
          {
            "user": { "name": "{0}", "email": "{2}" },
            "group": { "name": "federated_user", "domain": { "name": "{1}" } }
          }
        ],
        "remote": [
          { "type": "OIDC-name" },
          { "type": "OIDC-organization" },
          { "type": "OIDC-email" }
        ]
      }
    ]

Apart from the above question, is there another easier way of restricting users from logging in via federated login? For example, allow only existing users on OpenStack with a specific email to access the OpenStack dashboard via federated login.

Best Regards,
James

Hello. This is my example.

    {
      "local": [
        {
          "user": { "name": "{0}", "email": "{1}" },
          "group": { "name": "your keystone group", "domain": { "name": "Default" } }
        }
      ],
      "remote": [
        { "type": "OIDC-preferred_username", "any_one_of": [ "xxx@gmail.com", "xxx1@gmail.com" ] },
        { "type": "OIDC-preferred_username" },
        { "type": "OIDC-email" }
      ]
    }

Nguyen Huu Khoi
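
How the allow-list mapping in the reply above is evaluated, as an added example that is not part of the thread and not Keystone's own code: a `remote` entry carrying `any_one_of` acts only as a condition, so `{0}` and `{1}` refer to the two unconditioned entries after it. The function `apply_rule` and the assertion values are assumptions made for illustration, and multi-valued attributes are not modelled.

```python
# Simplified model of how a Keystone mapping rule is evaluated.
# Added example; not Keystone's code. Attribute values are constructed.

def apply_rule(rule, assertion):
    """Return the filled-in "local" part, or None if the rule does not match."""
    direct = []  # values that {0}, {1}, ... refer to, in "remote" order
    for req in rule["remote"]:
        value = assertion.get(req["type"])
        if value is None:
            return None  # attribute missing from the assertion
        if "any_one_of" in req:  # condition only, consumes no {n} index
            if value not in req["any_one_of"]:
                return None
        elif "not_any_of" in req:  # condition only, consumes no {n} index
            if value in req["not_any_of"]:
                return None
        else:
            direct.append(value)

    def fill(node):
        if isinstance(node, dict):
            return {k: fill(v) for k, v in node.items()}
        if isinstance(node, list):
            return [fill(v) for v in node]
        for i, v in enumerate(direct):
            node = node.replace("{%d}" % i, v)
        return node

    return fill(rule["local"])

ALLOW_RULE = {  # the allow-list rule from the reply above
    "local": [{"user": {"name": "{0}", "email": "{1}"},
               "group": {"name": "your keystone group",
                         "domain": {"name": "Default"}}}],
    "remote": [{"type": "OIDC-preferred_username",
                "any_one_of": ["xxx@gmail.com", "xxx1@gmail.com"]},
               {"type": "OIDC-preferred_username"},
               {"type": "OIDC-email"}],
}

# Constructed assertions: one address on the allow-list, one not.
listed = {"OIDC-preferred_username": "xxx@gmail.com", "OIDC-email": "xxx@gmail.com"}
unlisted = {"OIDC-preferred_username": "other@example.org", "OIDC-email": "other@example.org"}

if __name__ == "__main__":
    print(apply_rule(ALLOW_RULE, listed))    # user and group filled in
    print(apply_rule(ALLOW_RULE, unlisted))  # None: the rule did not match
```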

Thanks! I have also tried your example; it works the same as mine, except that it checked the user's email. However, I am curious if it is possible to log in to an existing user on OpenStack via federated login.

Best,
James.

Hello. I didn't try this.

Nguyen Huu Khoi