sws team mailing list archive
Message #00225
[Blueprint federated-horizon] Modifying horizon with federated access
Blueprint changed by Lin Hua Cheng:
Whiteboard changed:
And yes, we will be using the federated keystone, to which Horizon will
be communicating through the API in openstack-auth.
No, we are not using swift client; instead there is a federation API used by swift client in the demo
(http://sec.cs.kent.ac.uk/demos/keystone.html), same as (https://github.com/kwss/python-swiftclient/tree/master/swiftclient/contrib/federated), which can be abstracted and modified in a way that it can be used in Horizon client. Is there any better way to achieve this?
[e0ne 12.02.2013] It's a bad idea to use swiftclient in django_openstack_auth. We need to implement it in django_openstack_auth or create a separate [federated_]openstack_auth package.
I think we can use the following module: https://github.com/kwss/python-swiftclient/tree/master/swiftclient/contrib/federated. Import this module in django_openstack_auth and modify the method authentication.
Currently, the dashboard has a dependency on django_openstack_auth. You
might want to fix that, too. Authentication plugins are meant to be
pluggable/replaceable.
[david-lyle 11.28.2013] keystone will still be the identity endpoint.
So using openstack_auth will still be useful. There will need to be
changes in both horizon and openstack_auth, but they will likely not be
extensive. Replacing openstack_auth should not be necessary.
Theoretically, the backends are swappable in openstack_auth anyway. We
just don't have support for a different identity provider at this point.
[david-lyle Dec 2 2013] I misunderstood the original intent. Why
aren't you planning to use keystone for this? Keystone is working on
supporting federated IDPs in Icehouse.
+
+ [lin-hua-cheng Dec 3 2013] In the workflow, before the token from IDP
+ is submitted to Keystone should there be a step to push the SAML
+ assertions into keystone first. So that the federated user is created
+ and mapping is performed?
+
+ Another thing to consider is we need to turn off the update of
+ user/role/group for a federated user - should go on a separate
+ blueprint.
--
Modifying horizon with federated access
https://blueprints.launchpad.net/horizon/+spec/federated-horizon