[openstack-dev] [Keystone] Access to the cloud for "unconfirmed" users

Roman Bodnarchuk roman.bodnarchuk at indigitus.ch
Thu Apr 17 11:17:11 UTC 2014


Hello,

Right now I am trying to set up self-signup for users of our OpenStack 
cloud.  One of the essential points of this signup is verification of 
the user's email address - until a user proves that this address belongs to 
him/her, he/she should not be able to do anything useful in the cloud.

At the same time, partial access to the cloud is very desirable - at 
minimum, a user should be able to authenticate to Keystone and 
successfully obtain a token, but should not be able to change anything 
in other services or access information of other users.

It is possible to disable a user with the corresponding field in the User 
model, but this will not let us use Keystone as a source of authentication 
data (Keystone returns 401 for a request to /auth/token with the credentials 
of a disabled user).

Another way to do this would be to create a special role like 
`unconfirmed` for a default project/domain, and assign it to users with 
an unconfirmed email (this will be the only role assigned to them).  Thus, 
it will be possible to authenticate them, but they won't be able to use the 
system.

So, the question - does this approach make sense?  Are there any 
dangerous resources in OpenStack which a user with an auth token and some 
"unknown" role can access?

Any comments about other possible solutions are also welcome.

Thanks,
Roman
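The question above is really a question about service policy files, not about Keystone: a role name that no policy rule mentions denies nothing by itself. In oslo.policy-style rule syntax an action whose rule is the empty string is allowed for any authenticated caller, and an action with no rule at all falls through to the "default" rule, so a token carrying only an `unconfirmed` role but scoped to a project can still pass every such rule. The following is an added example, not code from the thread or from any OpenStack project: a toy evaluator for a subset of that rule language (empty rule, `@`/`!`, `role:`, `rule:`, `not`, `and`, `or`, and `key:%(target)s` comparisons; no parentheses) run over two constructed policy dictionaries, one written in the permissive style that makes the `unconfirmed` role ineffective and one that gates every rule on a `confirmed` helper rule. The policy contents, action names, credentials and the `confirmed` rule are all assumptions made up for the illustration.

```python
"""Added example: audit what a token with only an `unconfirmed` role gets through
in oslo.policy-style rules.  Toy evaluator; policies below are constructed."""


def _eval_atom(atom, policy, creds, target):
    """Evaluate one rule atom against the caller's credentials and the target."""
    atom = atom.strip()
    if atom in ("", "@"):          # empty rule / "@": any authenticated caller passes
        return True
    if atom == "!":                # "!": nobody passes
        return False
    if atom.startswith("not "):
        return not _eval_atom(atom[4:], policy, creds, target)
    kind, _, value = atom.partition(":")
    if kind == "rule":             # reference to another named rule; unknown -> deny
        expr = policy.get(value)
        return False if expr is None else _eval_expr(expr, policy, creds, target)
    if kind == "role":
        return value in creds.get("roles", [])
    if value.startswith("%(") and value.endswith(")s"):   # compare to a target field
        value = str(target.get(value[2:-2]))
    return str(creds.get(kind)) == value


def _eval_expr(expr, policy, creds, target):
    """'a or b and c': 'and' binds tighter than 'or'; no parentheses supported."""
    return any(
        all(_eval_atom(a, policy, creds, target) for a in disj.split(" and "))
        for disj in expr.split(" or ")
    )


def enforce(policy, action, creds, target=None):
    """True if `creds` may perform `action`; unknown actions use the 'default' rule."""
    target = target or {}
    expr = policy.get(action, policy.get("default", "!"))
    return _eval_expr(expr, policy, creds, target)


# Constructed policy in the permissive style: "" rules and an owner-based default.
LAX_POLICY = {
    "default": "rule:admin_or_owner",
    "admin_or_owner": "is_admin:True or project_id:%(project_id)s",
    "admin_api": "role:admin",
    "compute:create": "",
    "compute:get": "rule:admin_or_owner",
    "compute:delete": "rule:admin_or_owner",
}

# Constructed hardened variant: every rule additionally requires a confirmed member.
HARDENED_POLICY = dict(LAX_POLICY, **{
    "confirmed": "role:member and not role:unconfirmed",
    "default": "rule:confirmed and rule:admin_or_owner",
    "compute:create": "rule:confirmed",
    "compute:get": "rule:confirmed and rule:admin_or_owner",
    "compute:delete": "rule:confirmed and rule:admin_or_owner",
})

# "volume:create" has no explicit rule, so it exercises the "default" fallthrough.
ACTIONS = ["compute:create", "compute:get", "compute:delete", "admin_api", "volume:create"]

# Constructed tokens: both are project-scoped to proj-1; only the role differs.
UNCONFIRMED = {"roles": ["unconfirmed"], "project_id": "proj-1", "is_admin": False}
MEMBER = {"roles": ["member"], "project_id": "proj-1", "is_admin": False}
OWN_PROJECT = {"project_id": "proj-1"}
OTHER_PROJECT = {"project_id": "proj-2"}


def allowed_actions(policy, creds, target):
    """Sorted list of ACTIONS that `creds` may perform on `target` under `policy`."""
    return sorted(a for a in ACTIONS if enforce(policy, a, creds, target))


if __name__ == "__main__":
    for name, policy in (("lax", LAX_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, "unconfirmed:", allowed_actions(policy, UNCONFIRMED, OWN_PROJECT))
        print(name, "member:     ", allowed_actions(policy, MEMBER, OWN_PROJECT))
```

Under the permissive policy the unconfirmed token creates, reads and deletes within its own project and reaches the unlisted action through the default rule; only `admin_api` is closed, and that is because of what the rule requires, not because of the `unconfirmed` role. The practical check is therefore to grep every service's policy file for empty-string rules and for rules that reduce to project ownership, and to decide for each one whether an email-unverified but project-scoped token should pass it. Keeping the unconfirmed user out of any project (so the token cannot be project-scoped at all) closes the `project_id:%(project_id)s` path without touching any policy file, which is worth comparing against the role-based approach.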


