Re: [openstack-dev] [horizon] User registrations
Hi I've been thinking of ideas on how to fulfill this user self registration requirement for our startup's private beta. So far, i'm of the opinion that storage of customer data (contacts, physical address, billing info, etc) by commercial entities can be handled by Keystone via extension(s), ( http://docs.openstack.org/developer/keystone/EXTENSIONS_HOWTO.html) Such an extension could at least :- -- implement API Extension to facilitate CRUD ops on customer data. -- implement a backend to store customer data, say in an additional cust-info table in keystone's db. -- have a customizable customer model/schema to allow different OpenStack IaaS providers to store whatever info they require on their clients (and employees). -- be capable of being disabled for those who do not need this extended functionality e.g some private clouds. There should be a corresponding client lib for this extended API that can be used by:- -- *a horizon django self-registration app, * -- a billing system -- a CRM system -- (the list goes on on) *I'll avail a proof of concept for the above in a few days. *peer review and scrutiny will be very much appreciated. ___ OpenStack-dev mailing list OpenStack-dev@lists.openstack.org http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
Re: [openstack-dev] [horizon] User registrations
Hi, I added a new blueprint https://blueprints.launchpad.net/horizon/+spec/user-registration. Please check attached file for the plan. That local DB is optional, we can save extra informations in the field 'text' of keystone's 'user' table as json object. Regards Saju Madhavan +91 09535134654 dia_user_signup.pdf Description: Adobe PDF document ___ OpenStack-dev mailing list OpenStack-dev@lists.openstack.org http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
Re: [openstack-dev] [horizon] User registrations
On 11/10/2013 07:26 PM, Paul Belanger wrote: Greeting, In a previous thread I talked about building an application atop of horizon and keystone. So far things are working out pretty well. One thing I have been trying to figure out is how to move forward with user registration for the horizon application. A few moons ago, IIRC, horizon actually use django-registration however the move to Keystone removed that functionality. For me, I'd like to expose some functionality within my web application allow users to register vs having an admin provisioning accounts. So, I'm curious if there is anything interest in having such a module back in horizon but leveraging keystone this time around. I'm actually curious to hear how people see this working since this is the next thing I need to deal with. So...A couple things to think about when registering users: The User entry in Keystone is really thin. Not much more than a string identifier and a password. Passwords are the lowest common denominator of authentication mechanism. I wouldn't argue if someone said they are insecure by default. Most companies need to keep a slew of User Data beyond the that in user table. Lets split it into two forms: Customer and Employees. You are not really going to add either by hand in Horizon. Customers need billing info, employees need alot more. So, that leaves users that are not customers and are not employees. Call these additional accounts and are bascially a way a customer can add additional users from their organization to a paying account. For all intents and purposes, they are really additional credentials off a single account. Only these would be managed in Keystone, and even then there is not enough information to track them; there is no way to track them to the billing account unless they are all under a single domain. I would argue that this form of user management is outside the scope of Horizon and Open Stack. It is really a factor of the implementing organization. For the employee use case, I would recommend using something like FreeIPA (shameless plug for a previous project) and for the external you need a real CRM (sorry, don't have on for you, but there are lots). ___ OpenStack-dev mailing list OpenStack-dev@lists.openstack.org http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
Re: [openstack-dev] [horizon] User registrations
On 13-11-11 01:31 AM, Lyle, David wrote: I think there is certainly interest. I do think it will need to be highly configurable to be useful. The problem, as Dolph points out, is that each deployment has its own workflow. Points of configuration: -Does the local keystone deployment policy support self-registration? The default is no. So, at that point access to self-registration should be hidden. -How many steps are required in the registration process? -Is payment information required? Address? -How is the registration confirmed, email, text, ? -CAPTCHA? I think the two main reasons such a facility is not present in Horizon are: 1. Until recently determining keystone's access policy was not possible. 2. The actual implementation is highly deployment dependent. So, if we are talking features, I think the one I can see being the most useful for me is when an admin is adding user accounts with the dashboard, is the email subsystem notifies the users with onetime login URL, forcing the user to setup a password. This way the admin doesn't have to deal with transmitting passwords to each user. Actually, I guess I am talking about a password reset token. -- Paul Belanger | PolyBeacon, Inc. Jabber: paul.belan...@polybeacon.com | IRC: pabelanger (Freenode) Github: https://github.com/pabelanger | Twitter: https://twitter.com/pabelanger ___ OpenStack-dev mailing list OpenStack-dev@lists.openstack.org http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
Re: [openstack-dev] [horizon] User registrations
Garry Chen - iPhone On 2013年11月13日, at 上午5:44, Paul Belanger paul.belan...@polybeacon.com wrote: On 13-11-11 01:31 AM, Lyle, David wrote: I think there is certainly interest. I do think it will need to be highly configurable to be useful. The problem, as Dolph points out, is that each deployment has its own workflow. Points of configuration: -Does the local keystone deployment policy support self-registration? The default is no. So, at that point access to self-registration should be hidden. -How many steps are required in the registration process? -Is payment information required? Address? -How is the registration confirmed, email, text, ? -CAPTCHA? I think the two main reasons such a facility is not present in Horizon are: 1. Until recently determining keystone's access policy was not possible. 2. The actual implementation is highly deployment dependent. So, if we are talking features, I think the one I can see being the most useful for me is when an admin is adding user accounts with the dashboard, is the email subsystem notifies the users with onetime login URL, forcing the user to setup a password. This way the admin doesn't have to deal with transmitting passwords to each user. Actually, I guess I am talking about a password reset token. -- Paul Belanger | PolyBeacon, Inc. Jabber: paul.belan...@polybeacon.com | IRC: pabelanger (Freenode) Github: https://github.com/pabelanger | Twitter: https://twitter.com/pabelanger ___ OpenStack-dev mailing list OpenStack-dev@lists.openstack.org http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev ___ OpenStack-dev mailing list OpenStack-dev@lists.openstack.org http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
Re: [openstack-dev] [horizon] User registrations
the most important is the user can get back password, modify own email address. On Mon, Nov 11, 2013 at 2:31 PM, Lyle, David david.l...@hp.com wrote: I think there is certainly interest. I do think it will need to be highly configurable to be useful. The problem, as Dolph points out, is that each deployment has its own workflow. Points of configuration: -Does the local keystone deployment policy support self-registration? The default is no. So, at that point access to self-registration should be hidden. -How many steps are required in the registration process? -Is payment information required? Address? -How is the registration confirmed, email, text, ? -CAPTCHA? I think the two main reasons such a facility is not present in Horizon are: 1. Until recently determining keystone's access policy was not possible. 2. The actual implementation is highly deployment dependent. -David From: Dolph Mathews [mailto:dolph.math...@gmail.com] Sent: Monday, November 11, 2013 8:57 AM To: OpenStack Development Mailing List (not for usage questions) Subject: Re: [openstack-dev] [horizon] User registrations So, there's a bunch of use case questions here where I suspect there are no correct answers (so preferences will vary per deployment). The first ones that come to mind- Are the users accessing this web form trusted or untrusted? Do they need to be verified, somehow? Are they going to be billed for their resource consumption? After registration, should they own their own domain in keystone? Or be assigned their own project in an existing domain? Or simply be added to an existing group with limited authorization? On Sun, Nov 10, 2013 at 6:26 PM, Paul Belanger paul.belan...@polybeacon.com wrote: Greeting, In a previous thread I talked about building an application atop of horizon and keystone. So far things are working out pretty well. One thing I have been trying to figure out is how to move forward with user registration for the horizon application. A few moons ago, IIRC, horizon actually use django-registration however the move to Keystone removed that functionality. For me, I'd like to expose some functionality within my web application allow users to register vs having an admin provisioning accounts. So, I'm curious if there is anything interest in having such a module back in horizon but leveraging keystone this time around. I'm actually curious to hear how people see this working since this is the next thing I need to deal with. -- Paul Belanger | PolyBeacon, Inc. Jabber: paul.belan...@polybeacon.com | IRC: pabelanger (Freenode) Github: https://github.com/pabelanger | Twitter: https://twitter.com/pabelanger ___ OpenStack-dev mailing list OpenStack-dev@lists.openstack.org http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev -- -Dolph ___ OpenStack-dev mailing list OpenStack-dev@lists.openstack.org http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev -- Shake Chen ___ OpenStack-dev mailing list OpenStack-dev@lists.openstack.org http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
Re: [openstack-dev] [horizon] User registrations
David's questions are good ones. I do like the idea of self-registration, but the admin will almost certainly want some controls over their initial placement in the system (domain, project, roles, etc). I think part of this blueprint should include the specification / editing of these defaults in a new page on Horizon. Jeff -Original Message- From: Lyle, David Sent: Sunday, November 10, 2013 11:31 PM To: OpenStack Development Mailing List (not for usage questions) Subject: Re: [openstack-dev] [horizon] User registrations I think there is certainly interest. I do think it will need to be highly configurable to be useful. The problem, as Dolph points out, is that each deployment has its own workflow. Points of configuration: -Does the local keystone deployment policy support self-registration? The default is no. So, at that point access to self-registration should be hidden. -How many steps are required in the registration process? -Is payment information required? Address? -How is the registration confirmed, email, text, ? -CAPTCHA? I think the two main reasons such a facility is not present in Horizon are: 1. Until recently determining keystone's access policy was not possible. 2. The actual implementation is highly deployment dependent. -David From: Dolph Mathews [mailto:dolph.math...@gmail.com] Sent: Monday, November 11, 2013 8:57 AM To: OpenStack Development Mailing List (not for usage questions) Subject: Re: [openstack-dev] [horizon] User registrations So, there's a bunch of use case questions here where I suspect there are no correct answers (so preferences will vary per deployment). The first ones that come to mind- Are the users accessing this web form trusted or untrusted? Do they need to be verified, somehow? Are they going to be billed for their resource consumption? After registration, should they own their own domain in keystone? Or be assigned their own project in an existing domain? Or simply be added to an existing group with limited authorization? On Sun, Nov 10, 2013 at 6:26 PM, Paul Belanger paul.belan...@polybeacon.com wrote: Greeting, In a previous thread I talked about building an application atop of horizon and keystone. So far things are working out pretty well. One thing I have been trying to figure out is how to move forward with user registration for the horizon application. A few moons ago, IIRC, horizon actually use django-registration however the move to Keystone removed that functionality. For me, I'd like to expose some functionality within my web application allow users to register vs having an admin provisioning accounts. So, I'm curious if there is anything interest in having such a module back in horizon but leveraging keystone this time around. I'm actually curious to hear how people see this working since this is the next thing I need to deal with. -- Paul Belanger | PolyBeacon, Inc. Jabber: paul.belan...@polybeacon.com | IRC: pabelanger (Freenode) Github: https://github.com/pabelanger | Twitter: https://twitter.com/pabelanger ___ OpenStack-dev mailing list OpenStack-dev@lists.openstack.org http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev -- -Dolph ___ OpenStack-dev mailing list OpenStack-dev@lists.openstack.org http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev ___ OpenStack-dev mailing list OpenStack-dev@lists.openstack.org http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
[openstack-dev] [horizon] User registrations
Greeting, In a previous thread I talked about building an application atop of horizon and keystone. So far things are working out pretty well. One thing I have been trying to figure out is how to move forward with user registration for the horizon application. A few moons ago, IIRC, horizon actually use django-registration however the move to Keystone removed that functionality. For me, I'd like to expose some functionality within my web application allow users to register vs having an admin provisioning accounts. So, I'm curious if there is anything interest in having such a module back in horizon but leveraging keystone this time around. I'm actually curious to hear how people see this working since this is the next thing I need to deal with. -- Paul Belanger | PolyBeacon, Inc. Jabber: paul.belan...@polybeacon.com | IRC: pabelanger (Freenode) Github: https://github.com/pabelanger | Twitter: https://twitter.com/pabelanger ___ OpenStack-dev mailing list OpenStack-dev@lists.openstack.org http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
Re: [openstack-dev] [horizon] User registrations
So, there's a bunch of use case questions here where I suspect there are no correct answers (so preferences will vary per deployment). The first ones that come to mind- Are the users accessing this web form trusted or untrusted? Do they need to be verified, somehow? Are they going to be billed for their resource consumption? After registration, should they own their own domain in keystone? Or be assigned their own project in an existing domain? Or simply be added to an existing group with limited authorization? On Sun, Nov 10, 2013 at 6:26 PM, Paul Belanger paul.belan...@polybeacon.com wrote: Greeting, In a previous thread I talked about building an application atop of horizon and keystone. So far things are working out pretty well. One thing I have been trying to figure out is how to move forward with user registration for the horizon application. A few moons ago, IIRC, horizon actually use django-registration however the move to Keystone removed that functionality. For me, I'd like to expose some functionality within my web application allow users to register vs having an admin provisioning accounts. So, I'm curious if there is anything interest in having such a module back in horizon but leveraging keystone this time around. I'm actually curious to hear how people see this working since this is the next thing I need to deal with. -- Paul Belanger | PolyBeacon, Inc. Jabber: paul.belan...@polybeacon.com | IRC: pabelanger (Freenode) Github: https://github.com/pabelanger | Twitter: https://twitter.com/pabelanger ___ OpenStack-dev mailing list OpenStack-dev@lists.openstack.org http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev -- -Dolph ___ OpenStack-dev mailing list OpenStack-dev@lists.openstack.org http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
Re: [openstack-dev] [horizon] User registrations
I think there is certainly interest. I do think it will need to be highly configurable to be useful. The problem, as Dolph points out, is that each deployment has its own workflow. Points of configuration: -Does the local keystone deployment policy support self-registration? The default is no. So, at that point access to self-registration should be hidden. -How many steps are required in the registration process? -Is payment information required? Address? -How is the registration confirmed, email, text, ? -CAPTCHA? I think the two main reasons such a facility is not present in Horizon are: 1. Until recently determining keystone's access policy was not possible. 2. The actual implementation is highly deployment dependent. -David From: Dolph Mathews [mailto:dolph.math...@gmail.com] Sent: Monday, November 11, 2013 8:57 AM To: OpenStack Development Mailing List (not for usage questions) Subject: Re: [openstack-dev] [horizon] User registrations So, there's a bunch of use case questions here where I suspect there are no correct answers (so preferences will vary per deployment). The first ones that come to mind- Are the users accessing this web form trusted or untrusted? Do they need to be verified, somehow? Are they going to be billed for their resource consumption? After registration, should they own their own domain in keystone? Or be assigned their own project in an existing domain? Or simply be added to an existing group with limited authorization? On Sun, Nov 10, 2013 at 6:26 PM, Paul Belanger paul.belan...@polybeacon.com wrote: Greeting, In a previous thread I talked about building an application atop of horizon and keystone. So far things are working out pretty well. One thing I have been trying to figure out is how to move forward with user registration for the horizon application. A few moons ago, IIRC, horizon actually use django-registration however the move to Keystone removed that functionality. For me, I'd like to expose some functionality within my web application allow users to register vs having an admin provisioning accounts. So, I'm curious if there is anything interest in having such a module back in horizon but leveraging keystone this time around. I'm actually curious to hear how people see this working since this is the next thing I need to deal with. -- Paul Belanger | PolyBeacon, Inc. Jabber: paul.belan...@polybeacon.com | IRC: pabelanger (Freenode) Github: https://github.com/pabelanger | Twitter: https://twitter.com/pabelanger ___ OpenStack-dev mailing list OpenStack-dev@lists.openstack.org http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev -- -Dolph ___ OpenStack-dev mailing list OpenStack-dev@lists.openstack.org http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev