Puppet/Foreman credentials passthrough for compute resources

Hi,

I've recently configured foreman-compute to integrate with our Openstack
environment. Unfortunately, when adding a compute resource under
Infrastructure in Foreman, you must select a single account to create this
resource. This limits me to ALL tenants because I'm configuring it using my
admin account. We have dozens of tenants, but I'd only like for users
logged into Foreman (via AD/LDAP) to be able to provision hosts ONLY within
the tenants of which they're a member in Openstack. Both Openstack and
Foreman use the same AD/LDAP credentials, so it would be GREAT if I could
somehow have these credentials passed through and not provide the level of
access with which the compute resource was initially configured.

Is this possible? If not, how would one go about requesting this as a
feature or getting support from devs to begin possibly helping implement
this.

Any feedback would be GREATLY appreciated.

Thanks!
Julian

It's not possible, however you could create multiple compute
resources, one per tenant, and only allow users to use the appropriate
one. I realize that's a far inferior solution, but it might help in
the short term.

Feature requests (and bugs for that matter) can be raised at
http://projects.theforeman.org/projects/foreman/issues/new

Greg

··· On 12 August 2014 00:09, Julian Barnett wrote: (quoted in full above)
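Greg's short-term workaround, scripted against the Foreman v2 REST API, as an added example that is not code from this thread or from the Foreman project. It creates one compute resource per OpenStack tenant, each authenticating with a service account that only holds roles inside that tenant (never the cloud admin), then a Foreman role per tenant whose scoped-search filters confine its members to that one compute resource and to the hosts on it, attached to the tenant's AD/LDAP group. Everything below is my assumption rather than something the thread states: the API paths and field names (compute_resource name/provider/url/user/password/tenant, role name, filter role_id/permission_ids/search, usergroup name/role_ids), basic-auth access as a Foreman admin, per_page=1000 being enough to list all permissions, and every hostname, tenant, account and group name, which are made up. The fake transport is constructed so the script runs offline.

```python
"""Per-tenant Foreman compute resources with tenant-scoped OpenStack accounts.

Added example, not Foreman project code. Assumptions (mine, not from the
thread): Foreman v2 API paths and field names as used below, basic-auth access
as a Foreman admin, per_page=1000 listing every permission. Names are made up.
"""
import base64
import json
import urllib.request

# Foreman permission names used by the two filters; resolved to ids at apply time.
CR_PERMS = ["view_compute_resources", "view_compute_resources_vms",
            "create_compute_resources_vms", "destroy_compute_resources_vms"]
HOST_PERMS = ["view_hosts", "create_hosts", "edit_hosts", "destroy_hosts",
              "build_hosts", "power_hosts"]


def plan(tenants, keystone_url, cloud_admin):
    """Return the ordered (method, path, body) calls for every tenant. No network.

    Each tenant dict carries name, service_user, service_password and ldap_group.
    A tenant whose service account is the cloud admin, or has no password, is
    rejected: that would recreate the single over-privileged shared credential.
    """
    calls = []
    for t in tenants:
        if t["service_user"] == cloud_admin or not t["service_password"]:
            raise ValueError(f"tenant {t['name']}: needs a tenant-scoped service account")
        cr, role = f"cr-{t['name']}", f"tenant-{t['name']}"
        calls += [
            ("POST", "/api/compute_resources", {"compute_resource": {
                "name": cr, "provider": "Openstack", "url": keystone_url,
                "user": t["service_user"], "password": t["service_password"],
                "tenant": t["name"]}}),
            ("POST", "/api/roles", {"role": {"name": role}}),
            # Scoped-search filters: this compute resource only, and only hosts on it.
            ("POST", "/api/filters", {"filter": {"role": role, "permissions": CR_PERMS,
                                                 "search": f'name = "{cr}"'}}),
            ("POST", "/api/filters", {"filter": {"role": role, "permissions": HOST_PERMS,
                                                 "search": f'compute_resource = "{cr}"'}}),
            ("POST", "/api/usergroups", {"usergroup": {"name": t["ldap_group"],
                                                       "roles": [role]}}),
        ]
    return calls


def apply_plan(calls, transport):
    """Execute a plan; transport(method, path, body_or_None) -> parsed JSON dict.

    Role and permission names in the plan are rewritten to the ids Foreman
    hands back, so the plan stays readable and reviewable before anything is sent.
    """
    perms = transport("GET", "/api/permissions?per_page=1000", None)["results"]
    perm_ids = {p["name"]: p["id"] for p in perms}
    role_ids, created = {}, []
    for method, path, body in calls:
        body = json.loads(json.dumps(body))  # deep copy; the plan itself is left untouched
        if "filter" in body:
            f = body["filter"]
            f["role_id"] = role_ids[f.pop("role")]
            f["permission_ids"] = [perm_ids[n] for n in f.pop("permissions")]
        if "usergroup" in body:
            ug = body["usergroup"]
            ug["role_ids"] = [role_ids[r] for r in ug.pop("roles")]
        resp = transport(method, path, body)
        if "role" in body:
            role_ids[body["role"]["name"]] = resp["id"]
        created.append((path, resp["id"]))
    return created


def http_transport(base_url, login, password):
    """Real transport: JSON over HTTPS with basic auth as a Foreman admin."""
    token = base64.b64encode(f"{login}:{password}".encode()).decode()
    headers = {"Authorization": f"Basic {token}", "Accept": "application/json",
               "Content-Type": "application/json"}

    def call(method, path, body):
        data = None if body is None else json.dumps(body).encode()
        req = urllib.request.Request(base_url + path, data=data, method=method, headers=headers)
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)
    return call


def fake_transport():
    """Constructed stand-in for http_transport so this runs offline: records every
    call and hands out sequential ids, the way a fresh Foreman would."""
    seen = []

    def call(method, path, body):
        seen.append((method, path, body))
        if path.startswith("/api/permissions"):
            return {"results": [{"id": i, "name": n}
                                for i, n in enumerate(CR_PERMS + HOST_PERMS, 1)]}
        return {"id": len(seen)}
    call.seen = seen
    return call


# Constructed sample input: two tenants, each with its own tenant-scoped service account.
TENANTS = [
    {"name": "alpha", "service_user": "svc-alpha", "service_password": "s3cret-a", "ldap_group": "cloud-alpha"},
    {"name": "beta", "service_user": "svc-beta", "service_password": "s3cret-b", "ldap_group": "cloud-beta"},
]

if __name__ == "__main__":
    calls = plan(TENANTS, "https://keystone.example.internal:5000/v2.0/tokens", "admin")
    for _, path, body in calls:  # review the plan; never echo the passwords it carries
        print(path, next(iter(body.values()))["name"])
    # Replace fake_transport() with http_transport("https://foreman.example.internal", "admin", "...") to apply.
    print(apply_plan(calls, fake_transport()))
```

Two caveats a practitioner should keep in mind: the service account must be given only a member role inside its own tenant in Keystone, otherwise the per-tenant split buys nothing; and Foreman still stores each service password, so this shrinks the blast radius of the shared credential rather than removing it, which is what the passthrough Julian asks for would do.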

Thanks for the reply Greg... that's kind of what I figured, I'll open a
feature request for this.

Regards,
Julian

··· On Tuesday, August 12, 2014 2:47:10 AM UTC-7, Greg Sutcliffe wrote: (quoted in full above)

Feature #7340 has been created.

··· On Wednesday, September 3, 2014 11:08:21 AM UTC-7, Julian Barnett wrote: (quoted in full above)

Thanks Justin, this feature is actually quite critical, I'm surprised we
didn't have a ticket for this one… I'll generalize your issue as that's a
problem for all compute resources.

Bug #1958 (Keystone Integration for Openstack Compute Resource) would be helpful at some point,
especially if you have Keystone.

I'd actually think it'd be a good idea to quit shared Compute Resources
altogether and bake in Compute Resource credentials in the User profile, so
that access (and operations!) in the Compute Resource is done with the user
credentials and not shared ones. Basically my idea is when you log in, a
set of compute resources is created (if you didn't have them) from your
user credentials. This is especially important for enterprise users who are
auditing access and operations at the Compute Resource level.

Thoughts? I'm surely missing something important here.

··· On Wed, Sep 3, 2014 at 8:16 PM, Julian Barnett wrote:
Daniel Lobato

@elobatoss
blog.daniellobato.me
daniellobato.me

GPG: http://keys.gnupg.net/pks/lookup?op=get&search=0x7A92D6DD38D6DE30

I can't speak to the generalization, as I've only been using Foreman with
Openstack, but I'm guessing the same behavior happens for other compute
resources.

I agree with you, users should log in (via LDAP/AD credentials) and these
credentials should be the only ones necessary to handle all operations in
Foreman, so if there are compute resources defined, the credentials of the
logged-in user should be used to access/display what that user has
permissions to do. This should be some kind of admin feature that can be
enabled globally (for all users) or customized (as I assume in some
enterprise environments there will be non-domain/LDAP users that are
created in Foreman, where credential passthrough would not work).

But the main goal here is for Foreman LDAP credential passthrough to
compute resources.

–Julian

··· On Thu, Sep 4, 2014 at 12:28 AM, Daniel Lobato wrote:
You received this message because you are subscribed to a topic in the
Google Groups “Foreman users” group.
To unsubscribe from this topic, visit
https://groups.google.com/d/topic/foreman-users/arOGS87MqqA/unsubscribe.
To unsubscribe from this group and all its topics, send an email to
foreman-users+unsubscribe@googlegroups.com.
To post to this group, send email to foreman-users@googlegroups.com.
Visit this group at http://groups.google.com/group/foreman-users.
For more options, visit https://groups.google.com/d/optout.