[openstack-dev] [Keystone] [Horizon] Federated Login
Adam Young
ayoung at redhat.com
Thu Aug 6 13:56:50 UTC 2015
On 08/06/2015 04:56 AM, David Chadwick wrote:
>
> On 05/08/2015 19:28, Thai Q Tran wrote:
>> I agree with Lance. Quite honestly, the list of IdPs does not belong
>> in horizon's settings. Just throwing out some ideas, why not white-list
>> the IdPs you want public in keystone's settings, and have an API call
>> for that?
> that was the conclusion reached many months ago the last time this was
> discussed.
>
> regards
>
> David
Posted a spec for review here. It needs a corresponding API change.
https://review.openstack.org/#/c/209941/
>>
>> ----- Original message -----
>> From: Lance Bragstad <lbragstad at gmail.com>
>> To: "OpenStack Development Mailing List (not for usage questions)"
>> <openstack-dev at lists.openstack.org>
>> Cc:
>> Subject: Re: [openstack-dev] [Keystone] [Horizon] Federated Login
>> Date: Wed, Aug 5, 2015 11:19 AM
>>
>> On Wed, Aug 5, 2015 at 1:02 PM, Steve Martinelli
>> <stevemar at ca.ibm.com> wrote:
>>
>> Some folks said that they'd prefer not to list all associated
>> idps, which I can understand.
>>
>> Actually, I like Jamie's suggestion of just making horizon a bit
>> smarter, and expecting the values in the horizon settings
>> (idp+protocol)
>>
>> This *might* lead to a more complicated user experience, unless we
>> deduce the protocol for the IdP selected (but that would defeat the
>> point?). Also, wouldn't we have to make changes to Horizon every
>> time we add an IdP? This might be case by case, but if you're
>> consistently adding Identity Providers, then your ops team might not
>> be too happy reconfiguring Horizon all the time.
>>
>> Thanks,
>>
>> Steve Martinelli
>> OpenStack Keystone Core
>>
>> From: Dolph Mathews <dolph.mathews at gmail.com>
>> To: "OpenStack Development Mailing List (not for usage questions)"
>> <openstack-dev at lists.openstack.org>
>> Date: 2015/08/05 01:38 PM
>> Subject: Re: [openstack-dev] [Keystone] [Horizon] Federated Login
>>
>> ------------------------------------------------------------------------
>>
>> On Wed, Aug 5, 2015 at 5:39 AM, David Chadwick
>> <d.w.chadwick at kent.ac.uk> wrote:
>>
>> On 04/08/2015 18:59, Steve Martinelli wrote:
>> > Right, but that API is/should be protected. If we want to list IdPs
>> > *before* authenticating a user, we either need: 1) a new API for listing
>> > public IdPs or 2) a new policy that doesn't protect that API.
>>
>> Hi Steve
>>
>> yes this was my understanding of the discussion that took place many
>> months ago. I had assumed (wrongly) that something had been done about
>> it, but I guess from your message that we are no further forward on this
>> Actually 2) above might be better reworded as - a new policy/engine that
>> allows public access to be a bona fide policy rule
>>
>>
>> The existing policy simply seems wrong. Why protect the list of
>> IdPs?
>>
>> regards
>>
>> David
>>
>> >
>> > Thanks,
>> >
>> > Steve Martinelli
>> > OpenStack Keystone Core
>> >
>> > From: Lance Bragstad <lbragstad at gmail.com>
>> > To: "OpenStack Development Mailing List (not for usage questions)"
>> > <openstack-dev at lists.openstack.org>
>> > Date: 2015/08/04 01:49 PM
>> > Subject: Re: [openstack-dev] [Keystone] [Horizon] Federated Login
>> >
>> > ------------------------------------------------------------------------
>> >
>> > On Tue, Aug 4, 2015 at 10:52 AM, Douglas Fish <drfish at us.ibm.com> wrote:
>> >
>> > Hi David,
>> >
>> > This is a cool looking UI. I've made a minor comment on it in InVision.
>> >
>> > I'm curious if this is an implementable idea - does keystone support large
>> > numbers of 3rd party idps? Is there an API to retrieve the list of idps or
>> > does this require carefully coordinated configuration between Horizon and
>> > Keystone so they both recognize the same list of idps?
>> >
>> >
>> > There is an API call for getting a list of Identity Providers from Keystone
>> >
>> > http://specs.openstack.org/openstack/keystone-specs/api/v3/identity-api-v3-os-federation-ext.html#list-identity-providers
>> >
>> > Doug Fish
>> >
>> > David Chadwick <d.w.chadwick at kent.ac.uk> wrote on 08/01/2015 06:01:48 AM:
>> >
>> > > From: David Chadwick <d.w.chadwick at kent.ac.uk>
>> > > To: OpenStack Development Mailing List
>> > > <openstack-dev at lists.openstack.org>
>> > > Date: 08/01/2015 06:05 AM
>> > > Subject: [openstack-dev] [Keystone] [Horizon] Federated Login
>> > >
>> > > Hi Everyone
>> > >
>> > > I have a student building a GUI for federated login with Horizon. The
>> > > interface supports both a drop down list of configured IDPs, and also
>> > > Type Ahead for massive federations with hundreds of IdPs. Screenshots
>> > > are visible in InVision here
>> > >
>> > > https://invis.io/HQ3QN2123
>> > >
>> > > All comments on the design are appreciated. You can make them directly
>> > > to the screens via InVision
>> > >
>> > > Regards
>> > >
>> > > David
>> > >
>> > > __________________________________________________________________________
>> > > OpenStack Development Mailing List (not for usage questions)
>> > > Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
>> > > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev