[Kimchi-devel] [RFC] LDAP integration in kimchi

Aline Manera alinefm at linux.vnet.ibm.com
Wed Oct 22 12:18:33 UTC 2014


On 10/22/2014 06:52 AM, Royce Lv wrote:
> On 10/22/2014 01:34, Aline Manera wrote:
>>
>>>>
>>> Since we are going to introduce roles/groups, as you suggested, the 
>>> roles are going to be stored in objstore.
>>> Still, an LDAP server holds a large number of people, while our kimchi 
>>> targets small-scale provisioning for a small group of people:
>>>
>>> Init status:
>>> 1. The admin in the config file is in the admin group with all admin roles.
>>> 2. All users without a tag are in the group "user" with all user roles.
>>>
>>> Assign vm to a group or user:
>>>
>>> 1. Create a group in objstore
>>>
>>>    Here the reason I tend to avoid using filter strings is:
>>>    (1) The query string will be inconsistent across different LDAP 
>>> setups and may require knowledge of the tree structure of the LDAP;
>>>         also, the filter string can vary a lot, which needs much input 
>>> from the user.
>>>
>>>    (2) We may just want to add a small group of people from the same 
>>> group in the LDAP server, e.g.:
>>>         we would like to add Zhengsheng and me to a group accessing a 
>>> kimchi testing machine, and exclude all other Chinese members in the 
>>> same organization.
>>>        This condition cannot be fulfilled by any filter in the LDAP, 
>>> because the LDAP setup is for enterprise information collection, not 
>>> dedicated to virtualization use,
>>>        while the group needs to be the resource collection.
>>>
>>
>> While using PAM authentication and assigning groups to a VM, I don't 
>> want to create those groups, only use them.
>> I know it is hard to do on LDAP, so I suggest only support user 
>> assignment when using LDAP authentication. For that we will need a 
>> different UI when LDAP is being used.
>>
>>> 2. Add user to this group
>>>     Aline gave the suggestion to query a user's username and add it to 
>>> the group; I think this is a good idea.
>>>
>>
>> I think we can query the user's username when assigning a user to a 
>> VM, but it is not related to any group.
>>
>>> Assign role to user
>>>
>>> 1. Roles:
>>>     Currently we have user/admin roles for each tab (we can 
>>> understand it as an array of APIs in the controller).
>>>     These roles will go to objstore as default roles.
>>>
>>
>> By now, we don't need to store users/roles in the objectstore, as we just 
>> need to know what the admin IDs are.
>>
>>> 2. We can assign a user a role in the Authentication tab to determine 
>>> whether it has access to a group of APIs.
>>>     The user's view and the result of the following operations will be up to his role.
>>
>> Not sure I understood that point.
> I mean permissions, i.e. whether you can delete or create a vm/storage/network.

Alright.
But we will not do it for 1.4.
I mean, when we add it we will add it for PAM and LDAP authentication as 
both will act the same for authorization.
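The model the thread converges on for 1.4 (LDAP used for authentication only, admin IDs taken from the config file, and individual users, not LDAP groups or filter strings, assigned to a VM in objstore), sketched as an added example. This is not Kimchi code or anything posted in this thread; the class name ObjStoreAccess, the attribute name "uid" and the sample users are assumptions. The one detail worth keeping in mind when "querying a user's username" is that the name typed into the UI ends up inside an LDAP search filter, so it has to be escaped per RFC 4515 before the lookup is sent.

```python
# Added example (not Kimchi code): LDAP authenticates, but admin IDs come
# from the config file and per-VM user assignments live in an objstore-like
# table. ObjStoreAccess, the "uid" attribute and the sample names below
# are assumptions made for this example.

# RFC 4515 escaping for a value placed inside an LDAP search filter.
# A username must never be concatenated raw into "(uid=%s)":
# the input "*)(uid=*" would otherwise turn an exact lookup into a wildcard.
_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape a single attribute value for use inside an LDAP filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def username_filter(username: str, attr: str = "uid") -> str:
    """Exact-match filter used to look a user up by name (assumed attribute: uid)."""
    return "(%s=%s)" % (attr, escape_filter_value(username))


class ObjStoreAccess:
    """Hypothetical stand-in for Kimchi's objstore: VM name -> set of assigned users."""

    def __init__(self, admin_ids):
        self.admin_ids = set(admin_ids)   # admins are listed in the config file
        self.vm_users = {}                # per-VM user assignment, no LDAP groups

    def assign(self, vm: str, username: str) -> None:
        """Assign one (already authenticated) LDAP user to a VM."""
        self.vm_users.setdefault(vm, set()).add(username)

    def can_access(self, username: str, vm: str) -> bool:
        """Admins see every VM; any other user only the VMs assigned to them."""
        if username in self.admin_ids:
            return True
        return username in self.vm_users.get(vm, set())

    def visible_vms(self, username: str):
        """VMs a user is allowed to see, in stable order."""
        if username in self.admin_ids:
            return sorted(self.vm_users)
        return sorted(vm for vm, users in self.vm_users.items() if username in users)


if __name__ == "__main__":
    # Constructed sample data, not taken from any real deployment.
    store = ObjStoreAccess(admin_ids=["admin"])
    store.assign("kimchi-test", "royce")
    store.assign("kimchi-test", "zhengsheng")
    store.assign("prod-db", "alice")
    print(username_filter("royce"))        # exact lookup for a normal name
    print(username_filter("*)(uid=*"))     # hostile input stays a literal value
    print(store.visible_vms("royce"), store.visible_vms("admin"))
```

The authorization decision never consults the directory: authentication succeeds or fails against LDAP, and what the user may then see is decided entirely from the config file and the objstore assignments, which is what lets the same code path serve PAM later.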



