yahoo-eng-team team mailing list archive
-
yahoo-eng-team team
-
Mailing list archive
-
Message #76763
[Bug 1805817] Re: provide a 'whoami' service for authenticated users
Linked Horizon to this bug for historical context. The maintainers for
python-openstackclient no longer use launchpad, so we'll have to track
this separately with Storyboard [0].
[0] https://storyboard.openstack.org/#!/project_group/80
** Also affects: horizon
Importance: Undecided
Status: New
** Changed in: keystone
Status: New => Invalid
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1805817
Title:
provide a 'whoami' service for authenticated users
Status in OpenStack Dashboard (Horizon):
New
Status in OpenStack Identity (keystone):
Invalid
Bug description:
It would be very helpful if keystone could provide a 'whoami' service
to users and other projects, for example for building clouds.yaml and
openstackrc files to horizon interface / openstack client and API
users
openstack user show admin
+---------------------+----------------------------------+
| Field | Value |
+---------------------+----------------------------------+
| domain_id | default |
| enabled | True |
| id | 22b8b60e6***************b |
| name | admin |
| options | {} |
| password_expires_at | None |
+---------------------+----------------------------------+
This is not very useful. - and I need a working RC file to get this far!
Federated users have to build their own clouds.yaml and need to find out fairly low level details from multiple systems for example with a SAML user:
-os-auth-type v3samlpassword
--os-identity-provider <name of ido in keystone>
--os-identity-provider-url <ECP endpoint>
--os-protocol saml2
--os-username <federated username>
--os-password
--os-auth-url http://sp.keystone:5000/v3
--os-project-name demo
--os-project-domain-name Default
--os-identity-api-versione 3
I logged this with the horizon team, who suggested I log it here.
Currently Horizon builds environment variables for users in a static way, it's quite messy and will only ever work for manual users
export OS_AUTH_URL=
# With the addition of Keystone we have standardized on the term **project**
# as the entity that owns the resources.
export OS_PROJECT_ID=
export OS_PROJECT_NAME=
export OS_USER_DOMAIN_NAME=
if [ -z "$OS_USER_DOMAIN_NAME" ]; then unset OS_USER_DOMAIN_NAME; fi
export OS_PROJECT_DOMAIN_ID="default"
if [ -z "$OS_PROJECT_DOMAIN_ID" ]; then unset OS_PROJECT_DOMAIN_ID; fi
# unset v2.0 items in case set
unset OS_TENANT_ID
unset OS_TENANT_NAME
# In addition to the owning entity (tenant), OpenStack stores the entity
# performing the action as the **user**.
export OS_USERNAME=
# With Keystone you pass the keystone password.
echo "Please enter your OpenStack Password for project $OS_PROJECT_NAME as user $OS_USERNAME: "
read -sr OS_PASSWORD_INPUT
export OS_PASSWORD=$OS_PASSWORD_INPUT
# If your configuration has multiple regions, we set that information here.
# OS_REGION_NAME is optional and only valid in certain environments.
export OS_REGION_NAME="RegionOne"
# Don't leave a blank variable, unset it if it was empty
if [ -z "$OS_REGION_NAME" ]; then unset OS_REGION_NAME; fi
export OS_INTERFACE=
export OS_IDENTITY_API_VERSION=
It's quite ironic given that keystone is a discovery service too ;-)
here's the original bug on Horizon
https://bugs.launchpad.net/horizon/+bug/1795851
and this is an abomination :-/
https://github.com/openstack/horizon/blob/master/openstack_dashboard/dashboards/project/api_access/templates/api_access/openrc.sh.template
thanks!
.....I love keystone
To manage notifications about this bug go to:
https://bugs.launchpad.net/horizon/+bug/1805817/+subscriptions
References
