
openstack team mailing list archive

Re: Integrating keystone for a public cloud panel


Adrian,

Rather than managing the user's passwords externally to keystone, you can allow your users to define their own passwords, and instead create your users and/or tenants in a disabled state, by toggling their enabled/disabled state within keystone (an attribute available for both through the API).

-Dolph Mathews

On Apr 26, 2012, at 7:58 PM, Adrian Moya <adrianmoya@xxxxxxxxx> wrote:

> Hi everyone, I'm currently building a customer panel to offer public cloud services based on openstack. I'd like to share my plans to validate my approach is good and hear suggestions/feedback from others working on the same kind of project.
> 
> I'm trying to get the following behaviour:
> 
> Users register and get access to the panel, I'm keeping user/pass and permissions/groups in my own mysql DB.
> I wish that the API is not active by default; the user can go to his/her profile and tick a checkbox to get access to the API.
> 
> For this, I came up with this plan:
> 
> 1. The user registers, I keep his username/pass in my DB, generate a random hashed keystoneuser/keystonepass and call keystone to create the user/tenant (using keystoneuser as tenant-name).
> I store this keystone user/pass/tenant info in my DB (which may be a security hole if someone is able to access this DB as the pass is saved as plain text)
> 
> 2. On user login with his panel credentials, I'll get his keystoneuser/keystonepass to create a token and use this token during his session on the panel.
> 
> 3. If the user wishes to activate access to the API, he'll go to his profile/api page, where he'll see his keystoneuser/tenant name.
> 
> 3.1. If he/she ticks activate, I'll show him his current keystonepass (from my own DB).
> 
> 3.2. If he/she ticks deactivate, I'll generate a new random keystonepass, and call keystone to change the password in Openstack. 
> I don't show this password to the user, so he can't use the API anymore, but the panel can get new tokens to continue working.
> 
> Does this make sense? Do you guys have any recommendation/suggestion for this implementation? Keep in mind I'm not a python guy, I tried to understand how to write a keystone driver for identity and policy but got lost in the docs/code.
> 
> Also, is it currently possible to implement a panel like VPS.net where you buy "nodes" (1 node = 256MB/10GB) and then you launch instances/services based on the number of nodes you have purchased? (And thus get a fixed bill amount each month) Could anybody point me in the right direction to achieve this?
> 
> Thanks for your help!
> 
> Adrian Moya
> _______________________________________________
> Mailing list: https://launchpad.net/~openstack
> Post to     : openstack@xxxxxxxxxxxxxxxxxxx
> Unsubscribe : https://launchpad.net/~openstack
> More help   : https://help.launchpad.net/ListHelp
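Dolph's suggestion, sketched as an added Python example that is not code from either poster and not Keystone's own client: the user picks the Keystone password at registration, the panel passes it through without storing it, creates the user in the disabled state, and later flips only the `enabled` attribute to grant or revoke API access. It assumes the Keystone v2.0 admin calls `POST /v2.0/tenants`, `POST /v2.0/users` and `PUT /v2.0/users/{id}/OS-KSADM/enabled` with an `X-Auth-Token` admin token; the `RecordingTransport`, `KeystoneAdmin` and `Panel` classes are hypothetical helpers, and the transport is a constructed in-memory stand-in for HTTP so the script runs offline.

```python
import json
from dataclasses import dataclass, field


@dataclass
class Request:
    """One admin-API call as the panel would send it over HTTP."""
    method: str
    path: str
    body: dict
    headers: dict = field(default_factory=dict)


class RecordingTransport:
    """Constructed stand-in for an HTTP client: records every request and
    answers with a canned Keystone-style response (no network involved)."""

    def __init__(self):
        self.sent = []

    def send(self, req):
        self.sent.append(req)
        if req.method == "POST" and req.path == "/v2.0/tenants":
            tenant = dict(req.body["tenant"])
            tenant["id"] = "tenant-%d" % len(self.sent)   # constructed id
            return {"tenant": tenant}
        if req.method == "POST" and req.path == "/v2.0/users":
            user = dict(req.body["user"])
            user["id"] = "user-%d" % len(self.sent)       # constructed id
            user.pop("password", None)                    # Keystone never echoes it back
            return {"user": user}
        return {"ok": True}


class KeystoneAdmin:
    """Minimal v2.0 admin client (hypothetical helper; endpoint paths assumed)."""

    def __init__(self, transport, admin_token):
        self.transport = transport
        self.headers = {"X-Auth-Token": admin_token,
                        "Content-Type": "application/json"}

    def _call(self, method, path, body):
        return self.transport.send(Request(method, path, body, dict(self.headers)))

    def create_tenant(self, name, enabled=True):
        return self._call("POST", "/v2.0/tenants",
                          {"tenant": {"name": name, "enabled": enabled}})

    def create_user(self, name, password, tenant_id, enabled=False):
        # The password is forwarded once and never kept by the caller.
        return self._call("POST", "/v2.0/users",
                          {"user": {"name": name, "password": password,
                                    "tenantId": tenant_id, "enabled": enabled}})

    def set_user_enabled(self, user_id, enabled):
        return self._call("PUT", "/v2.0/users/%s/OS-KSADM/enabled" % user_id,
                          {"user": {"enabled": enabled}})


class Panel:
    """Panel-side account store: keeps Keystone identifiers and the API flag,
    never a Keystone password, so a leaked panel DB yields no API credentials."""

    def __init__(self, keystone):
        self.ks = keystone
        self.accounts = {}

    def register(self, username, keystone_password):
        tenant = self.ks.create_tenant(username)["tenant"]
        # Created disabled: the account exists but cannot authenticate yet.
        user = self.ks.create_user(username, keystone_password,
                                   tenant["id"], enabled=False)["user"]
        self.accounts[username] = {"user_id": user["id"],
                                   "tenant_id": tenant["id"],
                                   "api_enabled": False}
        return self.accounts[username]

    def set_api_access(self, username, enabled):
        """The activate/deactivate checkbox: toggle the Keystone user, not its password."""
        acct = self.accounts[username]
        self.ks.set_user_enabled(acct["user_id"], enabled)
        acct["api_enabled"] = enabled
        return acct

    def stores_secrets(self):
        """True if any stored record contains a password field (it should not)."""
        return "password" in json.dumps(self.accounts)


if __name__ == "__main__":
    transport = RecordingTransport()
    panel = Panel(KeystoneAdmin(transport, "ADMIN-TOKEN-PLACEHOLDER"))
    panel.register("alice", "password-chosen-by-alice")
    panel.set_api_access("alice", True)
    for r in transport.sent:
        print(r.method, r.path, json.dumps(r.body))
    print("panel stores secrets:", panel.stores_secrets())
```

Deactivation is `set_api_access(name, False)`, which sends the same `PUT` with `enabled: false`; the user's password is untouched, so re-enabling needs no password rotation and the panel never has to display or reconstruct a credential.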
