[Openstack] Integrating keystone for a public cloud panel

2012-04-26 Thread Adrian Moya
Hi everyone, I'm currently building a customer panel to offer public cloud
services based on openstack. I'd like to share my plans to validate my
approach is good and hear suggestions/feedback from others working on the
same kind of project.

I'm trying to get the following behaviour:

Users register and get access to the panel; I'm keeping user/pass and
permissions/groups in my own mysql DB.
I wish that the API is not active by default; the user can go to his/her
profile and tick a checkbox to get access to the API.

For this, I came up with this plan:

1. The user registers, I keep his username/pass in my DB, generate a random
hashed keystoneuser/keystonepass and call keystone to create the
user/tenant (using keystoneuser as tenant-name).
I store this keystone user/pass/tenant info in my DB (which may be a
security hole if someone is able to access this DB as the pass is saved as
plain text)

2. On user login with his panel credentials, I'll get his
keystoneuser/keystonepass to create a token and use this token during his
session on the panel.

3. If the user wishes to activate access to the API, he'll go to his
profile/api page, where he'll see his keystoneuser/tenant name.

3.1. If he/she ticks activate, I'll show him his current keystonepass (from
my own DB).

3.2. If he/she ticks deactivate, I'll generate a new random keystonepass,
and call keystone to change the password in Openstack.
I don't show this password to the user, so he can't use the API anymore,
but the panel can get new tokens to continue working.

Does this make sense? Do you guys have any recommendation/suggestion for
this implementation? Keep in mind I'm not a python guy, I tried to
understand how to write a keystone driver for identity and policy but got
lost in the docs/code.

Also, is it currently possible to implement a panel like VPS.net where you
buy nodes (1 node = 256MB/10GB) and then you launch
instances/services based on the number of nodes you have purchased? (And
thus get a fixed bill amount each month) Could anybody point me in the
right direction to achieve this?

Thanks for your help!

Adrian Moya
___
Mailing list: https://launchpad.net/~openstack
Post to : openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help   : https://help.launchpad.net/ListHelp


Re: [Openstack] Integrating keystone for a public cloud panel

2012-04-26 Thread Dolph Mathews
Adrian,

Rather than managing the user's passwords externally to keystone, you can allow 
your users to define their own passwords, and instead create your users and/or 
tenants in a disabled state, by toggling their enabled/disabled state within 
keystone (an attribute available for both through the API).

-Dolph Mathews

On Apr 26, 2012, at 7:58 PM, Adrian Moya adrianm...@gmail.com wrote:

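The approach Dolph describes, as an added example that is not part of either message: the panel keeps the user's self-chosen Keystone password out of its own database and drives API access purely through the user's enabled flag. The request builders use the real Keystone v2.0 admin endpoints (user creation and the OS-KSADM enabled toggle); `FakeKeystone` is a constructed stand-in so the flow runs offline, and the usernames, tenant and password are sample values.

```python
import secrets

# Keystone v2.0 admin API requests as (method, path, JSON body). The panel sends
# them with its own admin token, so it never stores the end user's password.
def create_user_request(username, password, tenant_id, enabled=False):
    body = {"user": {"name": username, "password": password,
                     "tenantId": tenant_id, "enabled": enabled}}
    return ("POST", "/v2.0/users", body)

def set_enabled_request(user_id, enabled):
    # OS-KSADM extension: flips the enabled flag without touching the password.
    body = {"user": {"enabled": bool(enabled)}}
    return ("PUT", "/v2.0/users/%s/OS-KSADM/enabled" % user_id, body)

def token_request(username, password, tenant_name):
    body = {"auth": {"passwordCredentials": {"username": username,
                                             "password": password},
                     "tenantName": tenant_name}}
    return ("POST", "/v2.0/tokens", body)

class FakeKeystone:
    """Constructed stand-in for a Keystone v2.0 endpoint (offline only)."""
    def __init__(self):
        self.users = {}  # user_id -> {"name", "password", "tenantId", "enabled"}

    def dispatch(self, method, path, body):
        if (method, path) == ("POST", "/v2.0/users"):
            uid = secrets.token_hex(8)
            self.users[uid] = dict(body["user"])
            return {"user": {"id": uid, "enabled": body["user"]["enabled"]}}
        if method == "PUT" and path.endswith("/OS-KSADM/enabled"):
            uid = path.split("/")[3]
            self.users[uid]["enabled"] = body["user"]["enabled"]
            return {"user": {"id": uid, "enabled": body["user"]["enabled"]}}
        if (method, path) == ("POST", "/v2.0/tokens"):
            creds = body["auth"]["passwordCredentials"]
            for u in self.users.values():
                if (u["name"] == creds["username"]
                        and u["password"] == creds["password"] and u["enabled"]):
                    return {"access": {"token": {"id": secrets.token_hex(16)}}}
            return None  # real Keystone answers 401; a disabled user gets no token
        raise ValueError("unsupported request")

def api_access_flow(ks):
    """Register with a user-chosen password but API disabled, then toggle it."""
    resp = ks.dispatch(*create_user_request("alice", "alice-pw", "tenant-alice"))
    uid = resp["user"]["id"]
    before = ks.dispatch(*token_request("alice", "alice-pw", "tenant-alice"))
    ks.dispatch(*set_enabled_request(uid, True))   # user ticks "activate API"
    during = ks.dispatch(*token_request("alice", "alice-pw", "tenant-alice"))
    ks.dispatch(*set_enabled_request(uid, False))  # user ticks "deactivate"
    after = ks.dispatch(*token_request("alice", "alice-pw", "tenant-alice"))
    return (before is None, during is not None, after is None)
```

Note that while the user is disabled, Keystone will also refuse tokens requested on that user's behalf by the panel, so panel-side actions must run under the panel's own service credentials rather than the user's.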