openstack/horizon
Code Issues Proposed changes
73a0bbd43e
horizon/releasenotes/notes/add-domain-dropdown-65006187e5605735.yaml
Colleen Murphy f5924e6785 Add config settings for login domain dropdown 
On clouds that use domain-specific Identity configuration[1], a user
must provide both their username and domain in order to log into
horizon. Without this patch, users must be aware of their domain's name
and enter it into a text box at login. This is sensible on public
clouds, because supplying potential domains to an unauthenticated user
exposes too much information about other customers and makes potential
attacks easier. On private clouds, however, it is a hinderance to
usability. For example, when migrating from a single-domain
configuration to a multi-domain configuration, users must now guess or
be informed of their domain in order to enter it in the text box. As
another example, when keystone domains are mapped to Active Directory
domains, the user may not be used to having to know their AD domains and
would prefer to select a likely one based on their geographical location
or department from a dropdown menu.

This patch adds the config file examples and documentation for new
config options, "OPENSTACK_KEYSTONE_DOMAIN_DROPDOWN" for enabling a
dropdown menu instead of a textbox when MULTIDOMAIN_SUPPORT is enabled,
and "OPENSTACK_KEYSTONE_DOMAIN_CHOICES" for providing domains to choose
from. The behavior changes corresponding to these new options are
implemented in django_openstack_auth in a corresponding patch.

[1] https://docs.openstack.org/developer/keystone/configuration.html#domain-specific-drivers

Change-Id: I71d64182524d1f54745d9e42347b3a605fa2a920
Depends-On: Ie0a7e36b9975342fab81ddebb87880608d3ef187
2017-07-04 13:50:25 +00:00

12 lines
627 B
YAML
Raw Blame History

---
features:
- |
Added settings OPENSTACK_KEYSTONE_DOMAIN_DROPDOWN (boolean) and
OPENSTACK_KEYSTONE_DOMAIN_CHOICES (tuple of tuples) to support a dropdown
list of keystone domains to choose from at login. This should NOT be enabled
for public clouds, as advertising enabled domains to unauthenticated users
irresponsibly exposes private information. This is useful for private clouds
that sit behind a corprate firewall and that have a small number of domains
mapped to known corporate structures, such as an LDAP directory, Active
Directory domains, geopgraphical regions or business units.
View Git Blame Copy Permalink