[openstack-dev] [Heat][Keystone] Native keystone resources in Heat

Udi Kalifon ukalifon at redhat.com
Tue Feb 3 08:31:45 UTC 2015


I think the user resource should not have "roles" in it. There should be a "Role Assignment" resource that grants roles to users on either tenants (projects) or domains. On the other hand, the user resource should have a domain association. Also, consider adding support for groups and in the future maybe also federation. As for trusts, I don't think it should be Heat's responsibility to set them up, because it's up to the users themselves to create and grant trusts to their trustees.

----- Original Message -----
From: "Zane Bitter" <zbitter at redhat.com>
To: openstack-dev at lists.openstack.org
Sent: Tuesday, 3 February, 2015 12:26:41 AM
Subject: Re: [openstack-dev] [Heat][Keystone] Native keystone resources in Heat

On 30/01/15 02:19, Thomas Spatzier wrote:
>> From: Zane Bitter <zbitter at redhat.com>
>> To: openstack Development Mailing List <openstack-dev at lists.openstack.org>
>> Date: 29/01/2015 17:47
>> Subject: [openstack-dev] [Heat][Keystone] Native keystone resources in Heat
>>
>> I got a question today about creating keystone users/roles/tenants in
>> Heat templates. We currently support creating users via the
>> AWS::IAM::User resource, but we don't have a native equivalent.
>>
>> IIUC keystone now allows you to add users to a domain that is otherwise
>> backed by a read-only backend (i.e. LDAP). If this means that it's now
>> possible to configure a cloud so that one need not be an admin to create
>> users then I think it would be a really useful thing to expose in Heat.
>> Does anyone know if that's the case?
>>
>> I think roles and tenants are likely to remain admin-only, but we have
>> precedent for including resources like that in /contrib... this seems
>> like it would be comparably useful.
>>
>> Thoughts?
>
> I am really not a keystone expert, so don't know what the security
> implications would be, but I have heard the requirement or wish to be able
> to create users, roles etc. from a template many times. I've talked to
> people who want to explore this for onboarding use cases, e.g. for
> onboarding of lines of business in a company, or for onboarding customers
> in a public cloud case. They would like to be able to have templates that
> lay out the overall structure for authentication stuff, and then
> parameterize it for each onboarding process.
> If this is something to be enabled, that would be interesting to explore.

Thanks for the input everyone. I raised a spec + blueprint here:

https://review.openstack.org/152309

I don't have any immediate plans to work on this, so if anybody wants to 
grab it they'd be more than welcome :)

cheers,
Zane.

__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
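A Heat template sketching the resource model Udi describes at the top of this message: the user resource carries only its domain association, and roles are granted by a separate role-assignment resource scoped to either a project or a domain. This is an added illustration, not a template from the thread or from the linked spec. The OS::Keystone::* resource types and their property names are assumptions (Heat did not have them when this was written), and the role names "member" and "admin" are deployment-specific examples.

```yaml
heat_template_version: 2013-05-23

description: >
  Onboarding a line of business. Identity structure is laid out once and
  parameterized per onboarding, as suggested in the quoted reply.

parameters:
  onboarding_domain:
    type: string
    description: Existing Keystone domain that will own the new identities
  business_unit:
    type: string
    description: Name used for the new project
  bu_admin_name:
    type: string
    description: Name of the user who administers the new project

resources:
  bu_project:
    type: OS::Keystone::Project        # assumed resource type
    properties:
      name: { get_param: business_unit }
      domain: { get_param: onboarding_domain }

  bu_admin:
    type: OS::Keystone::User           # assumed resource type
    properties:
      name: { get_param: bu_admin_name }
      domain: { get_param: onboarding_domain }
      # Deliberately no "roles" property here: the user resource only
      # states where the user lives, not what it may do.

  bu_admin_roles:
    # Granting is a separate resource, so a grant can be added or
    # revoked on stack update without replacing the user itself.
    type: OS::Keystone::UserRoleAssignment   # assumed resource type
    properties:
      user: { get_resource: bu_admin }
      roles:
        - role: member                         # project-scoped grant
          project: { get_resource: bu_project }
        - role: admin                          # domain-scoped grant
          domain: { get_param: onboarding_domain }

outputs:
  project_id:
    description: ID of the project created for the business unit
    value: { get_resource: bu_project }
```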


