Himlar onboarding page for Dataporten users.
When a user logs in to this page using Dataporten, a personal group and project are created and the user is granted access.
From then on, the user can log in directly to the OpenStack dashboard.
The page is a tiny Pyramid web application using Authomatic for OpenID Connect logon. It has been tested with Python 2.7.10 and 3.5.1.
The application must be registered as a client in Dataporten. See the Dataporten documentation. The redirect URL should be the application's /login, and the scopes profile, userid, email and openid should be accepted.
For testing and development, a client has already been registered with the following parameters:
- Client ID: 1375546d-7476-4ed7-a61a-92fd841f36a2
- Client Secret: a244b4c8-8e9a-40e6-858d-c4b66cd9454c
- Redirect URI: http://localhost:6543/login
The OpenStack dashboard also has to be registered in Dataporten. See the himlar-connect documentation.
All parameters are entered in the app:main section of the configuration file (development.ini or production.ini). Copy development.ini.example to development.ini and add the parameters.
The following are OpenStack parameters. Values for the Vagrant based himlar-connect development environment are shown.
- horizon_url: URL for the OpenStack dashboard. E.g. http://10.0.3.11
- keystone_url: URL for the OpenStack Keystone Identity Service, v3. E.g. http://10.0.3.11:5000/v3
- admin_pw: Administrator password for OpenStack. E.g. himlardev
- project_name: Name of project which creates resources. E.g. admin
- dp_domain_name: Name of domain resources will belong to. E.g. connect
- default_domain_name: Name of default domain. E.g. default
- member_role_name: Name of member role. E.g. _member_
- with_local_user: If 'true', a local user will be created in the same group, with the Dataporten email as username.
- keystone_cachain: Certificate chain for keystone. Optional.
The following are parameters from the client's page on the Dataporten dashboard, OAuth Details / OAuth Client credentials section:
- oauth_client_id: E.g. the client ID above
- oauth_client_secret: E.g. the client secret above
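A pre-deployment check for the parameters above, as an added example that is not part of the project's code: it flags app:main settings that still carry the development values published in this README or that point at plain-http endpoints. The function name `audit_settings`, the sample file contents and the list of required keys are assumptions; it needs Python 3 for `read_string`.

```python
import configparser

# Values the README publishes for testing and development only.
DEV_ONLY = {
    "oauth_client_id": "1375546d-7476-4ed7-a61a-92fd841f36a2",
    "oauth_client_secret": "a244b4c8-8e9a-40e6-858d-c4b66cd9454c",
    "admin_pw": "himlardev",
}
# Assumption: every parameter the README does not mark optional must be set.
REQUIRED = ("horizon_url", "keystone_url", "admin_pw", "project_name",
            "dp_domain_name", "default_domain_name", "member_role_name",
            "oauth_client_id", "oauth_client_secret")
# Constructed sample: a production.ini filled in with the development values.
SAMPLE_INI = """\
[app:main]
horizon_url = http://10.0.3.11
keystone_url = http://10.0.3.11:5000/v3
admin_pw = himlardev
project_name = admin
dp_domain_name = connect
default_domain_name = default
member_role_name = _member_
oauth_client_id = 1375546d-7476-4ed7-a61a-92fd841f36a2
oauth_client_secret = a244b4c8-8e9a-40e6-858d-c4b66cd9454c
"""


def audit_settings(ini_text):
    """Return a list of findings for the [app:main] section of ini_text."""
    parser = configparser.RawConfigParser()  # raw: Pyramid's %(here)s is left alone
    parser.read_string(ini_text)
    if not parser.has_section("app:main"):
        return ["missing [app:main] section"]
    settings = dict(parser.items("app:main"))
    findings = []
    for key in REQUIRED:
        if not settings.get(key, "").strip():
            findings.append(key + " is not set")
    for key, dev_value in DEV_ONLY.items():
        if settings.get(key) == dev_value:
            findings.append(key + " still has the published development value")
    for key in ("horizon_url", "keystone_url"):
        if settings.get(key, "").lower().startswith("http://"):
            findings.append(key + " uses plain http, so traffic to it is unencrypted")
    return findings


if __name__ == "__main__":
    print("\n".join("WARN: " + f for f in audit_settings(SAMPLE_INI)))
```

Run it against the text of production.ini before starting the server; an empty list means none of these checks fired.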
If the project was checked out from git, first make sure that the submodule with the theme is fetched:
git submodule init
git submodule update
The app will typically be installed inside a virtualenv:
python setup.py develop
or
python setup.py install
To run it as a standalone web server:
pserve --reload development.ini
or
pserve production.ini
You can also access the functionality as a script. You can delete resources, provision resources, or both. Here is how to delete resources for a user:
python himlar_dp_prep/dp_provisioner.py --pw=topsecret \
--dp-domain-name=connect --id=donald@duck.com \
--url=http://10.0.3.11:5000/v3 \
--delete=1 --provision=0
Arguments:
- --id: Identity to provision for. Typically email
- --pw: Admin password
- --url: Keystone URL
- --project-name: Admin project name
- --dp-domain-name: Dataporten domain name
- --delete: Set to 1 to delete resources
- --provision: Set to 1 to provision resources
- --with-local-user: Set to 1 to provision a local user for local access