I think the user resource should not have "roles" in it. There should be a "Role Assignment" resource that grants roles to users on either tenants (projects) or domains. On the other hand, the user resource should have a domain association. Also, consider adding support for groups and in the future maybe also federation. As for trusts, I don't think it should be Heat's responsibility to set them up, because it's up to the users themselves to create and grant trusts to their trustees.
----- Original Message -----
From: "Zane Bitter" <[email protected]>
To: [email protected]
Sent: Tuesday, 3 February, 2015 12:26:41 AM
Subject: Re: [openstack-dev] [Heat][Keystone] Native keystone resources in Heat

On 30/01/15 02:19, Thomas Spatzier wrote:
>> From: Zane Bitter <[email protected]>
>> To: openstack Development Mailing List <[email protected]>
>> Date: 29/01/2015 17:47
>> Subject: [openstack-dev] [Heat][Keystone] Native keystone resources in Heat
>>
>> I got a question today about creating keystone users/roles/tenants in
>> Heat templates. We currently support creating users via the
>> AWS::IAM::User resource, but we don't have a native equivalent.
>>
>> IIUC keystone now allows you to add users to a domain that is otherwise
>> backed by a read-only backend (i.e. LDAP). If this means that it's now
>> possible to configure a cloud so that one need not be an admin to create
>> users then I think it would be a really useful thing to expose in Heat.
>> Does anyone know if that's the case?
>>
>> I think roles and tenants are likely to remain admin-only, but we have
>> precedent for including resources like that in /contrib... this seems
>> like it would be comparably useful.
>>
>> Thoughts?
>
> I am really not a keystone expert, so don't know what the security
> implications would be, but I have heard the requirement or wish to be able
> to create users, roles etc. from a template many times. I've talked to
> people who want to explore this for onboarding use cases, e.g. for
> onboarding of lines of business in a company, or for onboarding customers
> in a public cloud case. They would like to be able to have templates that
> lay out the overall structure for authentication stuff, and then
> parameterize it for each onboarding process.
> If this is something to be enabled, that would be interesting to explore.

Thanks for the input everyone.

I raised a spec + blueprint here: https://review.openstack.org/152309

I don't have any immediate plans to work on this, so if anybody wants to
grab it they'd be more than welcome :)

cheers,
Zane.

__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: [email protected]?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
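As an added illustration of the resource split proposed in the reply at the top of this thread (a user resource that carries only its domain association, with each role grant expressed as a separate role-assignment resource scoped to a project or a domain), here is a HOT template sketch. It is not a template from the thread or from the Heat project: the resource type names OS::Keystone::User and OS::Keystone::RoleAssignment, their property names, and the parameter values are all assumed for illustration.

```yaml
heat_template_version: 2013-05-23

description: >
  Sketch of the proposed resource layout: the user belongs to a domain
  but lists no roles; every grant is its own role-assignment resource,
  scoped either to a project (tenant) or to a domain. All resource type
  and property names below are hypothetical.

parameters:
  domain_id:
    type: string
    description: Existing Keystone domain that will own the new user
  project_id:
    type: string
    description: Existing project on which the user receives a project-scoped role
  project_role_id:
    type: string
    description: ID of the role to grant on the project
  domain_role_id:
    type: string
    description: ID of the role to grant on the domain

resources:
  # The user resource carries its domain association and nothing about roles.
  onboarding_user:
    type: OS::Keystone::User          # hypothetical resource type
    properties:
      name: lob-finance-service        # constructed sample name
      domain: { get_param: domain_id }
      enabled: true

  # Project-scoped grant: one assignment resource per (user, role, target).
  project_grant:
    type: OS::Keystone::RoleAssignment   # hypothetical resource type
    properties:
      user: { get_resource: onboarding_user }
      role: { get_param: project_role_id }
      project: { get_param: project_id }

  # Domain-scoped grant on the same user, kept separate from the project grant.
  domain_grant:
    type: OS::Keystone::RoleAssignment   # hypothetical resource type
    properties:
      user: { get_resource: onboarding_user }
      role: { get_param: domain_role_id }
      domain: { get_param: domain_id }

outputs:
  user_id:
    description: ID of the created user, for use by other stacks
    value: { get_resource: onboarding_user }
```

Keeping each grant as its own resource means a stack update that drops `domain_grant` from the template revokes only that one assignment while the user and the project grant survive, and a reviewer can read the scope (project versus domain) of every grant directly from the template rather than from a role list buried inside the user. Trust setup is deliberately absent, matching the reply's position that trusts are created and granted by the users themselves rather than by Heat.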
