On 14 November 2014 10:29, Adam Young <ayo...@redhat.com> wrote:
> On 11/14/2014 09:32 AM, Don Waterloo wrote:
>> I have a system (juno/ubuntu 14.10) which currently has keystone as the master of the universe for identity and authentication.
>> By convention, each user of my system is also a tenant, which is my intent to continue.
>> My system is used by a combination of our team members, but also by 3rd parties (e.g. we use it for training on our products).
>
> So the intent is to split things up by domain. I would say that your existing users should be in one domain (or multiple if they are already) and Federated/SAML users would go into... limbo today, as federated users are kind of domainless. I'd like to fix that (each IdP has a minimum of one domain).
>
> The term "tenant" is kind of confusing here. I think what you are saying is that each user of your system gets a default project autoprovisioned for them. With Federation, you have to make sure you don't provision for users with Valid Federated Identities but no real relationship to your Cloud deployment.
>
So what I do today is manual: I run this script below for each new person. [Side note: I really don't want the 'admin' role, but without it they cannot create a port on my external network.] So yes, 1 user <-> 1 project/tenant, created together.

What I'm hoping to achieve is to have 0 maintenance for my own team (so that on first login, it creates a tenant/project, creates them, and away they go). As a side project, I'll need to figure out some 'idle-out' for resources etc. (anyone done this already, something that cleans up users who have been idle for some # of days?)

You mention 'auto-provision' above. With SAML, I can't really query the universe of 'who might login someday'; only as each user comes do I find out about them. I'm assuming there is some way to map this.

So today I have a single default domain. I guess I should look at keeping this domain as-is and adding a new company domain for the SAML users.

#!/bin/bash
# Usage: <script> username email
[ $# != 2 ] && echo "Usage: $0 username email" && exit 1
user="$1"
email="$2"
# Random initial password: 10 hex characters of the SHA-1 of 64 bytes from /dev/urandom
pass=$(dd if=/dev/urandom bs=1 count=64 2>/dev/null | sha1sum | cut -c1-10)
# One private tenant per user, and the user is created inside it
keystone tenant-create --name "$user" --description "Private space of $user"
keystone user-create --email "$email" --name "$user" --tenant "$user" --pass "$pass"
# 'admin' only because the user otherwise cannot create a port on the external network
keystone user-role-add --user "$user" --role "admin" --tenant "$user"
keystone user-role-add --user "$user" --role "heat_stack_owner" --tenant "$user"
echo "Created user '$user' with initial password '$pass'"

Thanks for the input and advice, I appreciate it.

--don
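An added example, not from the thread or from Keystone itself, of what the first-login "0 maintenance" flow above looks like once it also honours Adam's caveat: a SAML assertion only gets a private project when its email belongs to a team domain, and a second login for the same user is a no-op. The Keystone client is a constructed in-memory stand-in so the code runs offline; the domain name, the allowed email domains and the method names on it are assumptions.

```python
import re
import secrets

# Assumptions (constructed, not from the thread): team SAML identities carry
# an email under one of these domains; anyone else gets no auto-provisioning.
TEAM_EMAIL_DOMAINS = {"example.com"}
PRIVATE_PROJECT_ROLES = ("admin", "heat_stack_owner")  # as in the script above


def should_autoprovision(email, allowed=TEAM_EMAIL_DOMAINS):
    """A valid federated identity is not a relationship to this cloud;
    only assertions from a known team email domain get a project."""
    m = re.fullmatch(r"[^@\s]+@([^@\s]+)", email or "")
    return bool(m) and m.group(1).lower() in allowed


class FakeKeystone:
    """Minimal in-memory stand-in for a Keystone v3 client (constructed here
    so the example runs offline); a real deployment would call keystoneclient."""
    def __init__(self):
        self.projects, self.users, self.grants = {}, {}, set()

    def find_project(self, domain, name):
        return self.projects.get((domain, name))

    def create_project(self, domain, name, description):
        self.projects[(domain, name)] = {"name": name, "description": description}
        return self.projects[(domain, name)]

    def create_user(self, domain, name, email, password, project):
        self.users[(domain, name)] = {"email": email, "project": project["name"]}

    def grant(self, domain, user, role, project):
        self.grants.add((domain, user, role, project["name"]))


def ensure_private_project(ks, domain, username, email):
    """Idempotent 1 user <-> 1 project provisioning inside one domain.
    Returns the project, or None when the identity does not qualify."""
    if not should_autoprovision(email):
        return None
    project = ks.find_project(domain, username)
    if project is not None:  # second login: nothing to do
        return project
    project = ks.create_project(domain, username, f"Private space of {username}")
    ks.create_user(domain, username, email, secrets.token_urlsafe(16), project)
    for role in PRIVATE_PROJECT_ROLES:
        ks.grant(domain, username, role, project)
    return project
```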
_______________________________________________
Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
Post to     : openstack@lists.openstack.org
Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack