[openstack-dev] [keystone][horizon] new service for user management and admin tasks with keystone

Adrian Turjak adriant at catalyst.net.nz
Mon Apr 18 05:39:20 UTC 2016

Hello OpenStack-dev,

We have been developing a new service for our cloud called StackTask and
last week it went live. It is presently used to allow users to self
manage additional users and roles on their projects without being admin,
but in future will grow to handle other normally admin restricted tasks.

It is open source, built using Django and Django Rest Framework, well
tested, and now running in our production environment. It is currently
up on our github and we are likely to move it to the openstack/* repos
with future development done there rather than our own gerrit to allow
external contributions.

At its core it is more than just a user management system and is a basic
workflow framework that can act as a proxy to allow users to request
certain allowed admin functions via the OpenStack APIs. Rather than
build anything too drastic or attempt to rewrite Keystone to be
something it wasn't meant to be, this leverages the existing features of
Keystone and builds on them instead while allowing required business logic.

Not only that but it is built to allow pluggable actions that the
maintainers can config/develop which can do nearly anything as part of
the workflow, including talk to non-OpenStack services.

Our first deployment is focused on user self management through
Keystone. We needed users to be able to invite new people to their
projects, manage their roles, and also be able to reset their own
passwords. StackTask is capable of more, but that was the first stage we
wanted working and served as a good vertical slice to help us focus on
ensuring the framework functioned as intended. Now that we have the core
functionality of the framework tested, stable, and in place, adding
additional actions will not require as much work.

What it does now:
- project_admin and project_mod can invite a new user to their project
with chosen roles.
    - If the user exists in openstack they must confirm their invite via
an emailed token, and roles will be added.
    - If the user is new, they will be emailed a token to set up their
password, and then the user is created and given roles.
- project_admin can manage roles for users in their project, including
entirely revoking all roles on their project from a given user.
- users can ask for a password reset
    - email token for inputting a new password.
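As an added illustration that is not StackTask's own code: a minimal model of the invite flow described above (emailed token, confirmation, then role assignment), with a token lifetime and single-use check. The in-memory stand-ins for Keystone and the mail queue, and the function names, are constructed assumptions for the example.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass, field

# Constructed stand-ins for Keystone's user/role store and the outgoing mail queue.
KEYSTONE_USERS = {"alice@example.com": {"roles": {"project-1": {"member"}}}}
OUTBOX = []
TOKEN_TTL = 24 * 3600  # an invite token is valid for one day
TASKS = {}             # pending invite tasks, keyed by token hash


@dataclass
class InviteTask:
    project_id: str
    email: str
    roles: set
    created: float = field(default_factory=time.time)
    token_hash: str = ""
    completed: bool = False


def _hash(token: str) -> str:
    # Only the hash is stored server-side; a leaked task table cannot be replayed.
    return hashlib.sha256(token.encode()).hexdigest()


def invite_user(project_id: str, email: str, roles) -> str:
    """project_admin/project_mod step: record the task and email the raw token."""
    token = secrets.token_urlsafe(32)
    task = InviteTask(project_id, email, set(roles), token_hash=_hash(token))
    TASKS[task.token_hash] = task
    OUTBOX.append((email, token))  # the emailed link carries the raw token
    return token


def confirm_invite(token: str, now=None, password=None) -> bool:
    """Invitee step: roles are granted only after a fresh, unused token is presented."""
    now = time.time() if now is None else now
    task = TASKS.get(_hash(token))
    if task is None or task.completed or now - task.created > TOKEN_TTL:
        return False  # unknown, already used, or expired token
    user = KEYSTONE_USERS.get(task.email)
    if user is None:
        if not password:
            return False  # a new user must set a password before creation
        user = KEYSTONE_USERS[task.email] = {"roles": {}}
    user["roles"].setdefault(task.project_id, set()).update(task.roles)
    task.completed = True  # single use
    return True
```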

Near future:
- user sign up
    - user submits details
        - project name
    - admin has to approve
    - project created, and then email with token sent to user to set up
- quota update
    - users can ask for a larger quota on their project
    - system will auto approve if within safe threshold of increase or
time since last quota change, or admin will need to approve.
- Pluggable user backends
    - LDAP

Problems we tried to solve:
- Keystone is not a good user management solution, but even with an LDAP
backend Keystone is still needed for a lot of features.
- You need admin to do anything truly useful when it comes to Keystone.
- A project_admin-like role and functions are coming in future Keystone,
but not here yet.

We are happy with how this service is going right now, and we have every
intention to expand and maintain it for ourselves, but this might be
something others can find useful for their own or future OpenStack
deployments, or even just a quick and easy way to get user self
management working with raw Keystone.

For any interested parties:

StackTask git repo: https://github.com/catalyst/stacktask
Python client repo: https://github.com/catalyst/python-stacktaskclient

The client is now also on pypi as python-stacktaskclient

Ported Horizon changes:
Horizon screenshots:

Devstack deployment guide:

Until we switch to openstack gerrit our github will likely be only
updated for releases from our internal gerrit, but should never lag
behind long, and we should be shifting soon anyway.

If you have any questions, criticisms, or want to join us on this
project, feel free to email me back.

- Adrian Turjak
