[Openstack] best practise to add SAML into keystone deployment and keep local auth?

Don Waterloo don.waterloo at gmail.com
Fri Nov 14 15:50:16 UTC 2014


On 14 November 2014 10:29, Adam Young <ayoung at redhat.com> wrote:

>  On 11/14/2014 09:32 AM, Don Waterloo wrote:
>
> I have a system (juno/ubuntu 14.10) which currently has keystone as the
> master of the universe for identity and authentication.
> By convention, each user of my system is also a tenant, which is my intent
> to continue.
> My system is used by a combination of our team members, but also by 3rd
> parties (e.g. we use it for training on our products).
>
> So the intent is to split things up by domain.  I would say that your
> existing users should be in one domain (or multiple if they are already)
> and Federated/SAML users would go into....limbo today, as federated users
> are kind of domainless.  I'd like to fix that (each IdP has a minimum of one
> domain).
>
> The term "tenant" is kind of confusing here.  I think what you are saying
> is that each user of your system gets a default project autoprovisioned for
> them.  With Federation, you have to make sure you don't provision for users
> with Valid Federated Identities but no real relationship to your Cloud
> deployment.
>

So what I do today is manual; I run the script below for each new person.
[Side note: I really don't want the 'admin' role, but without it they cannot
create a port on my external network.] So yes, 1 user <-> 1 project/tenant,
created together.

What I'm hoping to achieve is to have 0 maintenance for my own team (so
that on first login, it creates a tenant/project, creates them, and away
they go). As a side project, I'll need to figure out some 'idle-out' for
resources etc. (has anyone done this already, something that cleans up users
who have been idle for some # of days?)

You mention 'auto-provision' above. With SAML, I can't really query the
universe of 'who might log in someday'; only as each user comes do I find
out about them. I'm assuming there is some way to map this.

So today I have a single default domain. I guess I should look at keeping
this domain as-is and adding a new company domain for the SAML users.

#!/bin/bash
# Create one tenant/project per user, the user itself, and its roles.
# Stop at the first failing keystone call so a half-created account is
# noticed instead of silently getting roles on a missing tenant.
set -e
[ $# -ne 2 ] && echo "Usage: $0 username email" && exit 1
user="$1"
email="$2"
# Random initial password: 10 hex chars derived from 64 bytes of urandom.
pass=$(dd if=/dev/urandom bs=1 count=64 2>/dev/null | sha1sum | cut -c1-10)
keystone tenant-create --name "$user" --description "Private space of $user"
keystone user-create --email "$email" --name "$user" --tenant "$user" --pass "$pass"
keystone user-role-add --user "$user" --role "admin" --tenant "$user"
keystone user-role-add --user "$user" --role "heat_stack_owner" --tenant "$user"

echo "Created user '$user' with initial password '$pass'"


Thanks for the input and advice, I appreciate it.

--don
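The attribute-to-local-identity mapping Don asks about, as an added illustration that is not part of the original thread: a small Python evaluator for rules shaped like Keystone's federation mapping rules. The rule JSON, attribute names and group id are constructed placeholders, and the engine is a simplified model (only plain and any_one_of conditions), not Keystone's own code. It shows how a rule refuses to map, and so does not provision, a user whose SAML assertion carries no attribute tying them to the deployment.

```python
import json

# Constructed example rules shaped like Keystone federation mapping rules:
# "remote" conditions on SAML assertion attributes, and the "local" identity
# to produce. Attribute names and the group id are placeholders.
MAPPING_RULES = json.loads("""
{"rules": [{
  "local": [{"user": {"name": "{0}"}},
            {"group": {"id": "GROUP_ID_PLACEHOLDER"}}],
  "remote": [{"type": "eduPersonPrincipalName"},
             {"type": "memberOf", "any_one_of": ["cn=cloud-team,ou=groups"]}]
}]}
""")


def _match(remote_rule, assertion):
    """Evaluate one 'remote' entry; return (matched, captured_value).

    An unconditioned entry only needs the attribute present and feeds its
    first value into the {N} placeholders; 'any_one_of' is a pure condition.
    """
    values = assertion.get(remote_rule["type"], [])
    if "any_one_of" in remote_rule:
        return any(v in remote_rule["any_one_of"] for v in values), None
    return bool(values), (values[0] if values else None)


def map_assertion(rules, assertion):
    """Apply the first rule whose 'remote' entries all match.

    Returns the local user/group dict, or None when no rule matches. None is
    the case that matters here: the IdP vouched for the user, but nothing in
    the assertion ties them to this cloud, so no user or project should be
    auto-provisioned for them.
    """
    for rule in rules["rules"]:
        captured = []
        for remote in rule["remote"]:
            matched, value = _match(remote, assertion)
            if not matched:
                break
            if value is not None:
                captured.append(value)
        else:  # every remote entry matched: render the local identity
            return {key: {k: v.format(*captured) for k, v in spec.items()}
                    for item in rule["local"] for key, spec in item.items()}
    return None
```

A first-login hook would call map_assertion before creating the tenant and user, and do nothing when it returns None.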