sws team mailing list archive

[Blueprint federated-horizon] Modifying horizon with federated access

 

Blueprint changed by Lin Hua Cheng:

Whiteboard changed:
  And yes we will be using the federated keystone, to which Horizon will
  be communicating through the api in openstack-auth.
  
  No, we are not using swift client; instead there is a federation API used by swift client in the demo
  (http://sec.cs.kent.ac.uk/demos/keystone.html), same as (https://github.com/kwss/python-swiftclient/tree/master/swiftclient/contrib/federated), which can be abstracted and modified in a way that it can be used in the Horizon client. Is there any better way to achieve this?
  
  [e0ne 12.02.2013] It's a bad idea to use swiftclient in django_openstack_auth. We need to implement it in django_openstack_auth or create a separate [federated_]openstack_auth package.
  I think we can use the following module: https://github.com/kwss/python-swiftclient/tree/master/swiftclient/contrib/federated. Import this module in django_openstack_auth and modify the method authentication.
  
  Currently, the dashboard has a dependency on django_openstack_auth. You
  might want to fix that, too. Authentication plugins are meant to be
  pluggable/replaceable.
  
  [david-lyle 11.28.2013] keystone will still be the identity endpoint.
  So using openstack_auth will still be useful.  There will need to be
  changes in both horizon and openstack_auth, but they will likely not be
  extensive.  Replacing openstack_auth should not be necessary.
  Theoretically, the backends are swappable in openstack_auth anyway.  We
  just don't have support for a different identity provider at this point.
  
  [david-lyle Dec 2 2013] I misunderstood the original intent.  Why
  aren't you planning to use keystone for this?  Keystone is working on
  supporting federated IDPs in Icehouse.
+ 
+ [lin-hua-cheng Dec 3 2013]  In the workflow, before the token from IDP
+ is submitted to Keystone should there be a step to push the SAML
+ assertions into keystone first. So that the federated user is created
+ and mapping is performed?
+ 
+ Another thing to consider is we need to turn off the update of
+ user/role/group for a federated user - should go on a separate
+ blueprint.

-- 
Modifying horizon with federated access
https://blueprints.launchpad.net/horizon/+spec/federated-horizon