On 05/08/2015 19:28, Thai Q Tran wrote: > I agree with Lance. Quite honestly, the list of Idps does not belong > in horizon's settings. Just throwing out some ideas, why not white-list > the Idps you want public it in keystone's settings, and have an API call > for that?
that was the conclusion reached many months ago the last time this was discussed. regards David > > > > ----- Original message ----- > From: Lance Bragstad <lbrags...@gmail.com> > To: "OpenStack Development Mailing List (not for usage questions)" > <openstack-dev@lists.openstack.org> > Cc: > Subject: Re: [openstack-dev] [Keystone] [Horizon] Federated Login > Date: Wed, Aug 5, 2015 11:19 AM > > > > On Wed, Aug 5, 2015 at 1:02 PM, Steve Martinelli > <steve...@ca.ibm.com <mailto:steve...@ca.ibm.com>> wrote: > > Some folks said that they'd prefer not to list all associated > idps, which i can understand. > > Actually, I like jamie's suggestion of just making horizon a bit > smarter, and expecting the values in the horizon settings > (idp+protocol) > > > This *might* lead to a more complicated user experience, unless we > deduce the protocol for the IdP selected (but that would defeat the > point?). Also, wouldn't we have to make changes to Horizon every > time we add an IdP? This might be case by case, but if you're > consistently adding Identity Providers, then your ops team might not > be too happy reconfiguring Horizon all the time. > > > > > Thanks, > > Steve Martinelli > OpenStack Keystone Core > > Inactive hide details for Dolph Mathews ---2015/08/05 01:38:09 > PM---On Wed, Aug 5, 2015 at 5:39 AM, David Chadwick > <d.w.chadwicDolph Mathews ---2015/08/05 01:38:09 PM---On Wed, > Aug 5, 2015 at 5:39 AM, David Chadwick <d.w.chadw...@kent.ac.uk > <mailto:d.w.chadw...@kent.ac.uk>> wrote: > > From: Dolph Mathews <dolph.math...@gmail.com > <mailto:dolph.math...@gmail.com>> > To: "OpenStack Development Mailing List (not for usage > questions)" <openstack-dev@lists.openstack.org > <mailto:openstack-dev@lists.openstack.org>> > Date: 2015/08/05 01:38 PM > Subject: Re: [openstack-dev] [Keystone] [Horizon] Federated Login > > > ------------------------------------------------------------------------ > > > > > On Wed, Aug 5, 2015 at 5:39 AM, David Chadwick > <_d.w.chadw...@kent.ac.uk_ <mailto:d.w.chadw...@kent.ac.uk>> wrote: > > > > > * On 04/08/2015 18:59, Steve Martinelli wrote: > > Right, but that API is/should be protected. If we want to > list IdPs > > *before* authenticating a user, we either need: 1) a new > API for listing > > public IdPs or 2) a new policy that doesn't protect that API. > > Hi Steve > > yes this was my understanding of the discussion that took > place many > months ago. I had assumed (wrongly) that something had been > done about > it, but I guess from your message that we are no further > forward on this > Actually 2) above might be better reworded as - a new > policy/engine that > allows public access to be a bona fide policy rule > > > The existing policy simply seems wrong. Why protect the list of > IdPs? > > > > * regards > > David > > > > > Thanks, > > > > Steve Martinelli > > OpenStack Keystone Core > > > > Inactive hide details for Lance Bragstad ---2015/08/04 > 01:49:29 PM---On > > Tue, Aug 4, 2015 at 10:52 AM, Douglas Fish > <drfish@us.iLance Bragstad > > ---2015/08/04 01:49:29 PM---On Tue, Aug 4, 2015 at 10:52 > AM, Douglas > > Fish <_drf...@us.ibm.com_ <mailto:drf...@us.ibm.com>> > wrote: > Hi David, > > > > From: Lance Bragstad <_lbragstad@gmail.com_ > <mailto:lbrags...@gmail.com>> > > To: "OpenStack Development Mailing List (not for usage > questions)" > > <_openstack-dev@lists.openstack.org_ > <mailto:openstack-dev@lists.openstack.org>> > > Date: 2015/08/04 01:49 PM > > Subject: Re: [openstack-dev] [Keystone] [Horizon] > Federated Login > > > > > > ------------------------------------------------------------------------ > > > > > > > > > > > > On Tue, Aug 4, 2015 at 10:52 AM, Douglas Fish > <_drf...@us.ibm.com_ > > <mailto:_drf...@us.ibm.com_ <mailto:drf...@us.ibm.com>>> > wrote: > > > > Hi David, > > > > This is a cool looking UI. I've made a minor comment > on it in InVision. > > > > I'm curious if this is an implementable idea - does > keystone support > > large > > numbers of 3rd party idps? is there an API to retreive > the list of > > idps or > > does this require carefully coordinated configuration > between > > Horizon and > > Keystone so they both recognize the same list of idps? > > > > > > There is an API call for getting a list of Identity > Providers from Keystone > > > > > > __http://specs.openstack.org/openstack/keystone-specs/api/v3/identity-api-v3-os-federation-ext.html#list-identity-providers__ > > > > > > > > Doug Fish > > > > > > David Chadwick <_d.w.chadw...@kent.ac.uk_ > > <mailto:_d.w.chadw...@kent.ac.uk_ > <mailto:d.w.chadw...@kent.ac.uk>>> wrote on 08/01/2015 > 06:01:48 AM: > > > > > From: David Chadwick <_d.w.chadw...@kent.ac.uk_ > > <mailto:_d.w.chadw...@kent.ac.uk_ > <mailto:d.w.chadw...@kent.ac.uk>>> > > > To: OpenStack Development Mailing List > > <_openstack-dev@lists.openstack.org_ > > <mailto:_openstack-dev@lists.openstack.org_ > <mailto:openstack-dev@lists.openstack.org>>> > > > Date: 08/01/2015 06:05 AM > > > Subject: [openstack-dev] [Keystone] [Horizon] > Federated Login > > > > > > Hi Everyone > > > > > > I have a student building a GUI for federated login > with Horizon. The > > > interface supports both a drop down list of > configured IDPs, and also > > > Type Ahead for massive federations with hundreds of > IdPs. Screenshots > > > are visible in InVision here > > > > > > __https://invis.io/HQ3QN2123__ > > > > > > All comments on the design are appreciated. You can > make them directly > > > to the screens via InVision > > > > > > Regards > > > > > > David > > > > > > > > > > > > > > > > __________________________________________________________________________ > > > OpenStack Development Mailing List (not for usage > questions) > > > Unsubscribe:_ > > > > ___openstack-dev-requ...@lists.openstack.org?subject:unsubscribe__ > > <http://openstack-dev-requ...@lists.openstack.org?subject:unsubscribe_> > > > > <_http://openstack-dev-requ...@lists.openstack.org?subject:unsubscribe_> > > > > > __http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev__ > > > > > > > > > > > __________________________________________________________________________ > > OpenStack Development Mailing List (not for usage > questions) > > Unsubscribe: > > > __openstack-dev-requ...@lists.openstack.org?subject:unsubscribe__ > > <http://openstack-dev-requ...@lists.openstack.org?subject:unsubscribe_> > > > > <_http://openstack-dev-requ...@lists.openstack.org?subject:unsubscribe_>_ > > > > ___http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev__ > > > > > > __________________________________________________________________________ > > OpenStack Development Mailing List (not for usage questions) > > Unsubscribe: > _openstack-dev-requ...@lists.openstack.org?subject:unsubscribe_ > > <http://openstack-dev-requ...@lists.openstack.org?subject:unsubscribe> > > > > _http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev_ > > > > > > > > > > > > __________________________________________________________________________ > > OpenStack Development Mailing List (not for usage questions) > > Unsubscribe: > _openstack-dev-requ...@lists.openstack.org?subject:unsubscribe_ > > <http://openstack-dev-requ...@lists.openstack.org?subject:unsubscribe> > > > > _http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev_ > > > > > __________________________________________________________________________ > OpenStack Development Mailing List (not for usage questions) > Unsubscribe: > _openstack-dev-requ...@lists.openstack.org?subject:unsubscribe_ > > <http://openstack-dev-requ...@lists.openstack.org?subject:unsubscribe> > > _http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev_ > > > __________________________________________________________________________ > OpenStack Development Mailing List (not for usage questions) > Unsubscribe: > openstack-dev-requ...@lists.openstack.org?subject:unsubscribe > <http://openstack-dev-requ...@lists.openstack.org?subject:unsubscribe> > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev > > > > > > > > __________________________________________________________________________ > OpenStack Development Mailing List (not for usage questions) > Unsubscribe: > openstack-dev-requ...@lists.openstack.org?subject:unsubscribe > <http://openstack-dev-requ...@lists.openstack.org?subject:unsubscribe> > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev > > > __________________________________________________________________________ > OpenStack Development Mailing List (not for usage questions) > Unsubscribe: > openstack-dev-requ...@lists.openstack.org?subject:unsubscribe > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev > > > > > > __________________________________________________________________________ > OpenStack Development Mailing List (not for usage questions) > Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev > __________________________________________________________________________ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev