[openstack-dev] [Keystone] [Horizon] Federated Login

Adam Young ayoung at redhat.com
Thu Aug 6 13:56:50 UTC 2015


On 08/06/2015 04:56 AM, David Chadwick wrote:
>
> On 05/08/2015 19:28, Thai Q Tran wrote:
>> I agree with Lance. Quite honestly, the list of Idps does not belong
>> in horizon's settings. Just throwing out some ideas, why not white-list
>> the Idps you want public in keystone's settings, and have an API call
>> for that?
> that was the conclusion reached many months ago the last time this was
> discussed.
>
> regards
>
> David

Posted a spec for review here.  It needs a corresponding API change.

https://review.openstack.org/#/c/209941/


>
>>   
>>   
>>
>>      ----- Original message -----
>>      From: Lance Bragstad <lbragstad at gmail.com>
>>      To: "OpenStack Development Mailing List (not for usage questions)"
>>      <openstack-dev at lists.openstack.org>
>>      Cc:
>>      Subject: Re: [openstack-dev] [Keystone] [Horizon] Federated Login
>>      Date: Wed, Aug 5, 2015 11:19 AM
>>       
>>       
>>       
>>      On Wed, Aug 5, 2015 at 1:02 PM, Steve Martinelli
>>      <stevemar at ca.ibm.com> wrote:
>>
>>          Some folks said that they'd prefer not to list all associated
>>          idps, which I can understand.
>>
>>          Actually, I like Jamie's suggestion of just making horizon a bit
>>          smarter, and expecting the values in the horizon settings
>>          (idp+protocol)
>>
>>       
>>      This *might* lead to a more complicated user experience, unless we
>>      deduce the protocol for the IdP selected (but that would defeat the
>>      point?). Also, wouldn't we have to make changes to Horizon every
>>      time we add an IdP? This might be case by case, but if you're
>>      consistently adding Identity Providers, then your ops team might not
>>      be too happy reconfiguring Horizon all the time.
>>       
>>
>>
>>
>>          Thanks,
>>
>>          Steve Martinelli
>>          OpenStack Keystone Core
>>
>>          From: Dolph Mathews <dolph.mathews at gmail.com>
>>          To: "OpenStack Development Mailing List (not for usage
>>          questions)" <openstack-dev at lists.openstack.org>
>>          Date: 2015/08/05 01:38 PM
>>          Subject: Re: [openstack-dev] [Keystone] [Horizon] Federated Login
>>
>>          ------------------------------------------------------------------------
>>
>>
>>
>>
>>          On Wed, Aug 5, 2015 at 5:39 AM, David Chadwick
>>          <d.w.chadwick at kent.ac.uk> wrote:
>>
>>
>>
>>
>>              On 04/08/2015 18:59, Steve Martinelli wrote:
>>              > Right, but that API is/should be protected. If we want to list IdPs
>>              > *before* authenticating a user, we either need: 1) a new API for listing
>>              > public IdPs or 2) a new policy that doesn't protect that API.
>>
>>              Hi Steve
>>
>>              yes this was my understanding of the discussion that took place many
>>              months ago. I had assumed (wrongly) that something had been done about
>>              it, but I guess from your message that we are no further forward on this.
>>              Actually 2) above might be better reworded as - a new policy/engine that
>>              allows public access to be a bona fide policy rule
>>
>>
>>          The existing policy simply seems wrong. Why protect the list of
>>          IdPs?
>>           
>>
>>
>>              regards
>>
>>              David
>>
>>              >
>>              > Thanks,
>>              >
>>              > Steve Martinelli
>>              > OpenStack Keystone Core
>>              >
>>              >
>>              > From: Lance Bragstad <lbragstad at gmail.com>
>>              > To: "OpenStack Development Mailing List (not for usage questions)"
>>              > <openstack-dev at lists.openstack.org>
>>              > Date: 2015/08/04 01:49 PM
>>              > Subject: Re: [openstack-dev] [Keystone] [Horizon] Federated Login
>>              >
>>              >
>>              > ------------------------------------------------------------------------
>>              >
>>              >
>>              >
>>              >
>>              >
>>              > On Tue, Aug 4, 2015 at 10:52 AM, Douglas Fish <drfish at us.ibm.com> wrote:
>>              >
>>              >     Hi David,
>>              >
>>              >     This is a cool looking UI. I've made a minor comment on it in InVision.
>>              >
>>              >     I'm curious if this is an implementable idea - does keystone support
>>              >     large numbers of 3rd party idps? Is there an API to retrieve the list of
>>              >     idps or does this require carefully coordinated configuration between
>>              >     Horizon and Keystone so they both recognize the same list of idps?
>>              >
>>              >
>>              > There is an API call for getting a list of Identity Providers from Keystone
>>              >
>>              > http://specs.openstack.org/openstack/keystone-specs/api/v3/identity-api-v3-os-federation-ext.html#list-identity-providers
>>              >
>>              >
>>              >
>>              >     Doug Fish
>>              >
>>              >
>>              >     David Chadwick <d.w.chadwick at kent.ac.uk> wrote on 08/01/2015 06:01:48 AM:
>>              >
>>              >     > From: David Chadwick <d.w.chadwick at kent.ac.uk>
>>              >     > To: OpenStack Development Mailing List
>>              >     > <openstack-dev at lists.openstack.org>
>>              >     > Date: 08/01/2015 06:05 AM
>>              >     > Subject: [openstack-dev]  [Keystone] [Horizon] Federated Login
>>              >     >
>>              >     > Hi Everyone
>>              >     >
>>              >     > I have a student building a GUI for federated login with Horizon. The
>>              >     > interface supports both a drop down list of configured IDPs, and also
>>              >     > Type Ahead for massive federations with hundreds of IdPs. Screenshots
>>              >     > are visible in InVision here
>>              >     >
>>              >     > https://invis.io/HQ3QN2123
>>              >     >
>>              >     > All comments on the design are appreciated. You can make them directly
>>              >     > to the screens via InVision
>>              >     >
>>              >     > Regards
>>              >     >
>>              >     > David
>>              >     >
>>              >     >
>>              >     >
>>              >     >
>>              >     > __________________________________________________________________________
>>              >     > OpenStack Development Mailing List (not for usage questions)
>>              >     > Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
>>              >     > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev




More information about the OpenStack-dev mailing list
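
The option raised in the thread, an allowlist of public IdPs kept on the Keystone side and served to callers who have not yet authenticated, shown as an added example that is not part of the original messages or of Keystone's code. The names `PUBLIC_IDP_ALLOWLIST` and `public_idp_view` are hypothetical, and the sample records are constructed in the shape of OS-FEDERATION identity provider and protocol resources.

```python
# Added example: names and sample records are constructed, not Keystone code.

# Hypothetical operator-maintained allowlist of IdPs that may be shown pre-login.
PUBLIC_IDP_ALLOWLIST = {"acme-university", "partner-corp"}

# Constructed records, shaped like OS-FEDERATION identity provider and
# protocol resources (id, enabled, description, remote_ids / id, mapping_id).
SAMPLE_IDPS = [
    {"id": "acme-university", "enabled": True,
     "description": "Campus SSO",
     "remote_ids": ["https://idp.acme.example/shibboleth"]},
    {"id": "partner-corp", "enabled": False,
     "description": "Suspended pending contract", "remote_ids": []},
    {"id": "internal-ops", "enabled": True,
     "description": "Operations staff only",
     "remote_ids": ["https://ops.example/idp"]},
]
SAMPLE_PROTOCOLS = {
    "acme-university": [{"id": "saml2", "mapping_id": "acme_mapping"}],
    "partner-corp": [{"id": "saml2", "mapping_id": "partner_mapping"}],
    "internal-ops": [{"id": "oidc", "mapping_id": "ops_mapping"}],
}


def public_idp_view(idps, protocols_by_idp, allowlist):
    """Build the list an unauthenticated login page may see.

    Only enabled, allowlisted IdPs are returned, and only their id and
    protocol ids; descriptions, remote ids and mapping ids stay private.
    """
    view = []
    for idp in idps:
        idp_id = idp.get("id")
        if idp_id not in allowlist or idp.get("enabled") is not True:
            continue
        protocols = sorted(
            p["id"] for p in protocols_by_idp.get(idp_id, []) if p.get("id")
        )
        if protocols:  # an IdP with no protocol cannot be used to log in
            view.append({"id": idp_id, "protocols": protocols})
    return sorted(view, key=lambda entry: entry["id"])


if __name__ == "__main__":
    print(public_idp_view(SAMPLE_IDPS, SAMPLE_PROTOCOLS, PUBLIC_IDP_ALLOWLIST))
```

The output carries the idp+protocol pair the login page needs and nothing else, so the full, protected IdP listing can keep its existing policy.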