[Kimchi-devel] [RFC] LDAP integration in kimchi
Royce Lv
lvroyce at linux.vnet.ibm.com
Wed Oct 22 08:52:31 UTC 2014
On 2014年10月22日 01:34, Aline Manera wrote:
>
>>>
>> Since we are going to introduce roles/groups, as you suggested, the
>> roles are going to store in objstore,
>> Still LDAP server holds a large number of people while our kimchi is
>> target to small provisioning for small group of people:
>>
>> Init status:
>> 1. Admin in config file is in admin group with all admin role.
>> 2. Alll users without tag are in the group user with all role of users.
>>
>> Assign vm to a group or user:
>>
>> 1. Create a group in objstore
>>
>> Here reason I tend to avoid using filter string is:
>> (1) Query string will be inconstant for different LDAP setup, and
>> may require knowledge of tree structure of LDAP,
>> also filter string can be varied which needs many input from
>> user.
>>
>> (2) We may just want to add small group of people in the LDAP
>> server from same group,e.g.:
>> we would like to add Zhengsheng and I in a group accessing a
>> kimchi testing machine, and exclude all other Chinese members in the
>> same orgnization,
>> this condition cannot be fulfiled by any filter in the LDAP,
>> because LDAP setup is for enterprise information collection,but not
>> dedicate for virtualization use.
>> While group needs to be the resource collection.
>>
>
> While using PAM authentication and assigning groups to VM, I don't
> want to create those groups and only use them.
> I know it is hard to do on LDAP, so I suggest only support user
> assignment when using LDAP authentication. For that we will need a
> different UI when LDAP is being used.
>
>> 2. Add user to this group
>> Aline gave suggestion to query a user's username and add it to
>> the group, I think this is a good idea.
>>
>
> I think we can query the user's username when assigning an user to a
> VM but it is not related to any group.
>
>> Assign role to user
>>
>> 1. Roles:
>> Currently we have user/admin roles for each tab(we can understand
>> it as an array of APIs in controller)
>> These roles will go to objstore as default roles.
>>
>
> By now, we don't need to store user/roles on objectstore as we just
> need to know what are the admin IDs
>
>> 2. We can assign user a role in the Authentication tab to determine
>> if it has access of a group of APIs.
>> View of user and following operation result will up to his role.
>
> Not sure I understood that point.
I mean permissions whether you can delete or create vm/storage/network
More information about the Kimchi-devel
mailing list