Adrian,

Rather than managing the user's passwords externally to keystone, you can allow your users to define their own passwords, and instead create your users and/or tenants in a disabled state, by toggling their enabled/disabled state within keystone (an attribute available for both through the API).

-Dolph Mathews

On Apr 26, 2012, at 7:58 PM, Adrian Moya <[email protected]> wrote:

> Hi everyone, I'm currently building a customer panel to offer public cloud
> services based on openstack. I'd like to share my plans to validate my
> approach is good and hear suggestions/feedback from others working on the
> same kind of project.
>
> I'm trying to get the following behaviour:
>
> Users register and get access to the panel, I'm keeping user/pass and
> permissions/groups in my own mysql DB.
> I wish that the API is not active by default, the user can go to his/her
> profile and tick a checkbox to get access to the API.
>
> For this, I came up with this plan:
>
> 1. The user registers, I keep his username/pass in my DB, generate a random
> hashed keystoneuser/keystonepass and call keystone to create the user/tenant
> (using keystoneuser as tenant-name).
> I store this keystone user/pass/tenant info in my DB (which may be a security
> hole if someone is able to access this DB as the pass is saved as plain text)
>
> 2. On user login with his panel credentials, I'll get his
> keystoneuser/keystonepass to create a token and use this token during his
> session on the panel.
>
> 3. If the user wishes to activate access to the API, he'll go to his
> profile/api page, where he'll see his keystoneuser/tenant name.
>
> 3.1. If he/she ticks activate, I'll show him his current keystonepass (from
> my own DB).
>
> 3.2. If he/she ticks deactivate, I'll generate a new random keystonepass, and
> call keystone to change the password in Openstack.
> I don't show this password to the user, so he can't use the API anymore, but
> the panel can get new tokens to continue working.
>
> Does this make sense? Do you guys have any recommendation/suggestion to this
> implementation? Keep in mind I'm not a python guy, I tried to
> understand how to write a keystone driver for identity and policy but got
> lost in the docs/code.
>
> Also, is it currently possible to implement a panel like VPS.net where you
> buy "nodes" (1 node = 256MB/10GB) and then you launch
> instances/services based on the number of nodes you have purchased? (And thus
> get a fixed bill amount each month) Could anybody point me in the right
> direction to achieve this?
>
> Thanks for your help!
>
> Adrian Moya
> _______________________________________________
> Mailing list: https://launchpad.net/~openstack
> Post to     : [email protected]
> Unsubscribe : https://launchpad.net/~openstack
> More help   : https://help.launchpad.net/ListHelp
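
The enabled/disabled toggle suggested in the reply above, as an added example that is not part of the thread and not Keystone's own code. It assumes the current Identity v3 `PATCH /v3/users/{user_id}` call (which postdates this 2012 thread) and an admin token; `build_toggle_request`, `set_api_access`, `send` and the endpoint are hypothetical names.

```python
import json
import urllib.parse
import urllib.request


def build_toggle_request(identity_url, admin_token, user_id, enabled):
    """Build the Identity v3 "update user" request that sets the enabled flag.

    Assumption: the v3 API (PATCH /v3/users/{user_id}); names are hypothetical.
    """
    # Quote the id so a value taken from the panel DB cannot alter the path.
    path = "/v3/users/" + urllib.parse.quote(user_id, safe="")
    body = json.dumps({"user": {"enabled": bool(enabled)}}).encode("utf-8")
    return urllib.request.Request(
        identity_url.rstrip("/") + path,
        data=body,
        method="PATCH",
        headers={"X-Auth-Token": admin_token,
                 "Content-Type": "application/json"},
    )


def set_api_access(identity_url, admin_token, user_id, enabled,
                   send=urllib.request.urlopen):
    """Flip the user's enabled state and confirm Keystone applied it.

    `send` is injectable so the function can be exercised offline.
    """
    req = build_toggle_request(identity_url, admin_token, user_id, enabled)
    with send(req) as resp:
        user = json.load(resp)["user"]
    # Fail closed: never report access as revoked unless Keystone says so.
    if user.get("enabled") is not bool(enabled):
        raise RuntimeError("keystone did not apply enabled=%r" % bool(enabled))
    return user["enabled"]


if __name__ == "__main__":
    import io
    # Constructed response standing in for a real Keystone reply.
    fake = lambda req: io.BytesIO(b'{"user": {"id": "u1", "enabled": false}}')
    print(set_api_access("https://keystone.example:5000", "ADMIN_TOKEN",
                         "u1", False, send=fake))
```

Keystone refuses to issue tokens for a disabled user, so while the flag is off the panel has to act on the user's behalf with its own service credentials.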

