Comment 3 for bug 1805817

Robert Duncan (rduncan-t) wrote :

Thanks Colleen, so the example would be an authenticated user in Horizon.
This is where users go to get their API credentials and there is no reliable resource either in Horizon or Keystone to get them.

Insofar as Horizon is concerned, the admin user can configure web SSO, a trusted dashboard and a mapping from
federated protocol to federated identity provider. This all works well for Horizon users; however, when a user selects 'API Access' from within Horizon (so, an authenticated user), the clouds.yaml and openstackrc.sh file provided by Horizon will be wrong. Users then have to ask an admin, or dive pretty deep into Keystone documentation, to find out how they would build an openrc file.

I think Keystone has all of the required information in its database with the exception of

--os-identity-provider-url <ECP endpoint>

so, perhaps this could be a flag when registering an IDP with Keystone,

openstack identity provider create --
--column --domain --format --noindent --remote-id
--description --enable --help --prefix --remote-id-file
--disable --fit-width --max-width --print-empty --variable

the whoami service would populate the values of these variables for an authenticated user:

--os-auth-type v3samlpassword
--os-identity-provider <name of idp in keystone>
--os-identity-provider-url <ECP endpoint>
--os-protocol <federated protocol>
--os-username <federated username>
--os-password
--os-auth-url <keystone endpoint>
--os-project-name <federated project id>
--os-project-domain-name <federated domain id>
--os-identity-api-version 3

I realize this would be different for other federation protocols/identity providers; at the moment neither user nor administrator can glean this information from Keystone.

So, users don't know how to configure the OpenStack client or get the information they need to use the API,
and administrators can't

Would be nice:
openstack user show <user-id>

domain_id xxx
enabled True/False
id xxx
name xxx
email
federated True/False
identity_provider idp-remote-id
protocol federation protocol
authentication keystone authentication method
mapping federated projects
roles roles mapped to user
groups groups mapped to user
inherited_roles roles assigned to users groups
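To make the gap described in this comment concrete, here is an added example (my own code, not part of Horizon, Keystone or this bug report) that assembles the v3samlpassword client configuration a "API Access" page would have to hand out. It assumes the option names of keystoneauth1's v3samlpassword plugin as they appear in clouds.yaml, and all hostnames and user values are constructed placeholders. The point it demonstrates is the one the comment makes: everything except the ECP endpoint (identity_provider_url) can be filled from what Keystone knows, so the build fails until an admin supplies that one value.

```python
"""Assemble v3samlpassword client config for a federated user (added example)."""
import json
import shlex

# Fields the keystoneauth1 v3samlpassword plugin needs under clouds.yaml "auth:".
# Assumption: these key names match the plugin's options with dashes replaced
# by underscores (identity-provider-url -> identity_provider_url).
REQUIRED_AUTH_FIELDS = (
    "auth_url",               # keystone endpoint
    "identity_provider",      # name of the IdP registered in keystone
    "identity_provider_url",  # ECP endpoint: the value keystone does not store
    "protocol",               # federated protocol, e.g. saml2
    "username",               # federated username
    "project_name",           # federated project
    "project_domain_name",    # federated domain
)

# Constructed sample: what keystone could report for an authenticated
# federated user. Note the deliberate absence of identity_provider_url.
FROM_KEYSTONE = {
    "auth_url": "https://keystone.example.test:5000/v3",
    "identity_provider": "corp-idp",
    "protocol": "saml2",
    "username": "jdoe@example.test",
    "project_name": "demo",
    "project_domain_name": "federated",
}


def missing_fields(values):
    """List the required auth fields that are absent or empty."""
    return [f for f in REQUIRED_AUTH_FIELDS if not values.get(f)]


def build_cloud_entry(values):
    """Return a clouds.yaml-shaped dict; refuse to emit a half-complete config."""
    missing = missing_fields(values)
    if missing:
        raise ValueError("cannot build v3samlpassword config, missing: "
                         + ", ".join(missing))
    return {
        "auth_type": "v3samlpassword",
        "identity_api_version": "3",
        "auth": {f: values[f] for f in REQUIRED_AUTH_FIELDS},
    }


def render_clouds_yaml(cloud_name, entry):
    """Render the entry as clouds.yaml text.

    json.dumps() is used for scalar quoting because every JSON string is a
    valid YAML double-quoted scalar, so no PyYAML dependency is needed.
    """
    lines = [
        "clouds:",
        f"  {cloud_name}:",
        f"    auth_type: {json.dumps(entry['auth_type'])}",
        f"    identity_api_version: {json.dumps(entry['identity_api_version'])}",
        "    auth:",
    ]
    for key, value in entry["auth"].items():
        lines.append(f"      {key}: {json.dumps(value)}")
    return "\n".join(lines) + "\n"


def render_openrc(entry):
    """Render the same values as OS_* exports for an openrc.sh.

    shlex.quote() protects against shell metacharacters in values; the
    password is never written to the file, the shell prompts for it.
    """
    exports = {
        "OS_AUTH_TYPE": entry["auth_type"],
        "OS_IDENTITY_API_VERSION": entry["identity_api_version"],
    }
    for key, value in entry["auth"].items():
        exports["OS_" + key.upper()] = value
    lines = ["#!/usr/bin/env bash"]
    lines += [f"export {k}={shlex.quote(v)}" for k, v in exports.items()]
    lines.append('read -rs -p "Federated password: " OS_PASSWORD; echo')
    lines.append("export OS_PASSWORD")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    try:
        build_cloud_entry(FROM_KEYSTONE)
    except ValueError as exc:
        print("keystone alone is not enough:", exc)
    # The admin-supplied ECP endpoint (constructed value) completes the config.
    complete = dict(FROM_KEYSTONE, identity_provider_url="https://idp.example.test/ecp")
    entry = build_cloud_entry(complete)
    print(render_clouds_yaml("corp", entry))
    print(render_openrc(entry))
```

Running it prints the "missing: identity_provider_url" failure first, then a clouds.yaml entry and an openrc.sh built from the completed values; the --os-* flags listed in the comment map one-to-one onto the OS_* exports.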