[openstack-dev] [Heat][Keystone] Native keystone resources in Heat
Zane Bitter
zbitter at redhat.com
Mon Feb 2 22:26:41 UTC 2015
On 30/01/15 02:19, Thomas Spatzier wrote:
>> From: Zane Bitter <zbitter at redhat.com>
>> To: openstack Development Mailing List <openstack-dev at lists.openstack.org>
>> Date: 29/01/2015 17:47
>> Subject: [openstack-dev] [Heat][Keystone] Native keystone resources in Heat
>>
>> I got a question today about creating keystone users/roles/tenants in
>> Heat templates. We currently support creating users via the
>> AWS::IAM::User resource, but we don't have a native equivalent.
>>
>> IIUC keystone now allows you to add users to a domain that is otherwise
>> backed by a read-only backend (i.e. LDAP). If this means that it's now
>> possible to configure a cloud so that one need not be an admin to create
>> users then I think it would be a really useful thing to expose in Heat.
>> Does anyone know if that's the case?
>>
>> I think roles and tenants are likely to remain admin-only, but we have
>> precedent for including resources like that in /contrib... this seems
>> like it would be comparably useful.
>>
>> Thoughts?
>
> I am really not a keystone expert, so don't know what the security
> implications would be, but I have heard the requirement or wish to be able
> to create users, roles etc. from a template many times. I've talked to
> people who want to explore this for onboarding use cases, e.g. for
> onboarding of lines of business in a company, or for onboarding customers
> in a public cloud case. They would like to be able to have templates that
> lay out the overall structure for authentication stuff, and then
> parameterize it for each onboarding process.
> If this is something to be enabled, that would be interesting to explore.
Thanks for the input everyone. I raised a spec + blueprint here:
https://review.openstack.org/152309
I don't have any immediate plans to work on this, so if anybody wants to
grab it they'd be more than welcome :)
cheers,
Zane.
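For readers who have not used the AWS-compatible resource the thread refers to, the following HOT template is an added illustration (it is not part of the thread and not code from the Heat project) of creating a user and an access key with `AWS::IAM::User` and `AWS::IAM::AccessKey`. The parameter name `user_password`, the resource names and the output names are my own choices; the property and attribute names are the ones those two resource types expose.

```yaml
heat_template_version: 2013-05-23

description: >
  Added example: one stack-scoped user plus an EC2-style access key,
  using the AWS-compatible IAM resources Heat already ships.

parameters:
  user_password:
    type: string
    # hidden keeps the value out of "heat stack-show" and the event log
    hidden: true
    description: Password for the login profile of the created user (constructed example)

resources:
  app_user:
    type: AWS::IAM::User
    properties:
      Path: "/"
      LoginProfile:
        Password: { get_param: user_password }

  app_key:
    type: AWS::IAM::AccessKey
    properties:
      # the user resource name resolves to the created user's name
      UserName: { get_resource: app_user }

outputs:
  access_key_id:
    description: Access key for the new user
    value: { get_resource: app_key }
  secret_access_key:
    description: Secret key for the new user (treat the stack outputs as sensitive)
    value: { get_attr: [app_key, SecretAccessKey] }
```

Two caveats worth keeping in mind when reading the proposal above. First, Heat creates these AWS-style users in its own stack-user domain rather than in the domain the template author logs into, which is why a non-admin can use the resource at all and also why it is not a substitute for a native keystone user resource. Second, the secret key lands in the stack outputs, so whoever can read the stack can read the credential; scope access to the stack accordingly.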