Skip to content
/ cloudusers Public
forked from larsks/cloudusers

A web application for self-service account provisioning in OpenStack.

0 stars 2 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

huit/cloudusers

BranchesTags
 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

58 Commits

cloudusers

cloudusers

 
 

static

static

 
 

utils

utils

 
 

views

views

 
 

.gitignore

.gitignore

 
 

README.md

README.md

 
 

adapter.wsgi

adapter.wsgi

 
 

cloudusers-sample.yaml

cloudusers-sample.yaml

 
 

Repository files navigation

cloudusers

A web interface for automatically provisioning user accounts in OpenStack.

The general idea

  • You set up cloudusers to authenticate against some external source (local LDAP or AD, or really anything else supported by your web server of choice).
  • cloudusers receives the authenticated username from your webserver.
  • cloudusers creates a matching account in OpenStack with a randomly generated password.
  • Users can use the cloudusers interface to re-generate their OpenStack password at any time.

Requirements

  • python-novaclient
  • python-keystoneclient
  • Bottle >= 0.11.0

Cloudusers has explicit support for running using a Python virtual environment. If you create a virtual environment called env inside the application folder, cloudusers will add the appropriate site-packages directory to sys.path. You can set it up like this:

# cd cloudusers
# virtualenv --system-site-packages env
# ./env/bin/easy_install -U bottle

This will create a virtual environment that knows about third-party modules installed in your system Python library but that has the most recent version of Bottle, regardless of what is installed on your system.

Configuration

Configuring Apache

Cloudusers is designed to be run via mod_wsgi. You will need to add something similar to the following to your Apache configuration:

WSGIDaemonProcess cloudusers
WSGIProcessGroup cloudusers
WSGIScriptAlias /request /var/www/cloudusers/adapter.wsgi

## If you're just testing things out this may make your life
## easier: it prevents mod_ldap from verifying the certificate
## presented by your LDAP server.  In a production deployment
## you really want to get your certificate authorities configured
## correctly.
# LDAPVerifyServerCert off

<Location /request>
  Order allow,deny
  Allow from all
</Location>

## Everything under /request/auth needs to be password
## protected.  This example is using LDAP, but of course you 
## could use anything supported by Apache.
<Location /request/auth/>
  AuthName "Cloud"
  AuthType Basic
  AuthBasicProvider ldap

  AuthLDAPURL ldaps://ldap.example.com/ou=people,dc=example,dc=com

  Require valid-user
</Location>

Configuring cloudusers

Cloudusers reads configuration from the file cloudusers.yaml in the application directory. The repository includes a sample file named cloudusers-sample.yaml as an example:

---
# This defines the security rules created for the "default" security
# group when creating a new "user/<username>" tenant.
security rules:
  # all icmp traffic
  - protocol: icmp
    from port: -1
    to port: -1
  # ssh
  - protocol: tcp
    from port: 22
    to port: 22
  # http and https
  - protocol: tcp
    from port: 80
    to port: 80
  - protocol: tcp
    from port: 443
    to port: 443

# Set this to False to disable the /auth/debug screen.
debug: True

# Keystone endpoint and admin token.
service_endpoint: http://127.0.0.1:35357/v2.0/
service_token: SECRET

You will need to make sure that service_endpoint is pointing to your local Keystone instance and that service_token is your admin token. This example includes security rules that enable icmp, ssh, and http/https traffic.

About

A web application for self-service account provisioning in OpenStack.

Resources

Readme
Activity
Custom properties

Stars

0 stars

Watchers

24 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published