[openstack-dev] [Keystone][Horizon] User self registration and management

Morgan Fainberg morgan.fainberg at gmail.com
Thu Jan 15 00:42:35 UTC 2015

> On Jan 13, 2015, at 9:06 PM, Adrian Turjak <adriant at catalyst.net.nz> wrote:
> Hello openstack-dev,
> I'm wondering if there is any interest or need for an open-source user
> registration and management service for people using OpenStack.
> We're currently at a point where we need a way for users to sign up
> themselves, choose their own password, and request new users to be added
> to their project. There doesn't seem to be anything out there, and most
> vendors seem to have built their own systems to handle this or even
> their own dashboard systems that do.
> Horizon is built around the client tools, and your own personal token,
> so it can't handle creating new users. Plus Keystone doesn't really have
> any good way of handling temporary (unapproved) users and projects.
> The suggested approach seems to be to build a service to sit along
> Keystone, have it's own admin creds so it can create new users, and also
> store temp user data locally until the user is approved.
> Unless we can find a suitable solution for us quickly, we're likely to
> be developing such a service. It would ideally have a pluggable approval
> workflow, allowing new user requests, new project requests, creation of
> clients in external client database/ERP systems. Plus it would have a
> password reset-token system for having new users supply their password
> once they are approved, which would also allow existing users to request
> password resets.
> Part of our requirements are easy to integrate into Horizon, fitting
> neatly into the OpenStack ecosystem along other services, and being easy
> to update/alter once we have hierarchical multi-tenancy and if it makes
> some things easier.
> I've written up a proposal to help us define our requirements, and a
> copy of that is attached, and on etherpad:
> https://etherpad.openstack.org/p/User_Management_Service
> Plus I've attached a couple of diagrams, which are sadly not UML, but
> should give you some idea of two of the primary use cases.
> Is this useful to anyone? Is this entirely the wrong approach? If it is
> a useful service is there any interest in collaboration?
> Thanks for any feedback.
> Cheers,
> -Adrian Turjak

I have an alternative recommendation (rather than using Keystone’s API and user-management). Keystone’s user management is lacking a lot of features a full fledged IDP (identity provider) would have. “Password reset”, “password complexity”, “password reuse”, failed login locking, etc. I would recommend that you implement this service to write to a full featured IDP (LDAP, FreeIPA, Active Directory, etc) and have Keystone hook into that more-full featured IDP. You might even find that the IDP selected has a lot of these features built-in (and/or could be fronted in a horizon panel).

This recommendation comes from past experience implementing almost exactly this feature (and having it go through a number of incarnations). The benefits of using a full-fledged IDP outweigh the ease of using the Keystone API to manage users, especially since there is non-trivial engineering that will go into the project.

You could also utilize an IDP that can issue SAML assertions and go with a Federated Identity setup for Keystone. Again your tool could work with an IDP that has a better set of features that Keystone’s current build-in identity (user/group) store does.


More information about the OpenStack-dev mailing list