Introduction

The purpose of the demonstrator is to show with a practical implementation how group membership attributes or other attributes from multiple sources can be used in a federated environment to regulate access to services.

Using COmanage as an attribute source to manage the users' attributes makes it possible to regulate authorization on services based on externally provided attributes. Such a service can be entirely managed by the research community, independently from service providers or identity providers. It simplifies the configuration at both the service provider and attribute authority level.

Detailed description

A detailed description can be found on this wiki page.

...

There was no need to create local accounts on the cloud framework; ephemeral users are used instead. A set of mapping rules was created that, depending on the entitlements provided by COmanage (ownership of the COs with a precise role), associates the external users with the right group defined in OpenStack, and each of them can access a particular OpenStack project with different rights (either admin or simple user).
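The entitlement-to-group mapping described above can be sketched as follows. This is an added example, not the demonstrator's own rules or Keystone's code: it builds rules in the Keystone federation mapping layout and checks them with a simplified evaluator. The entitlement URN format, the `entitlement` attribute name and the group names are assumptions.

```python
# Added example: a simplified evaluator for Keystone-style mapping rules.
# The entitlement URN format, the "entitlement" attribute name and the group
# names are constructed for illustration; only the CO names come from the page.

COS = ["aarc-white.pilots.aarc-project.eu",
       "aarc-yellow.pilots.aarc-project.eu",
       "aarc-blue.pilots.aarc-project.eu"]
ROLES = ("admin", "user")


def entitlement(co, role):
    """Constructed entitlement value standing in for what COmanage releases."""
    return f"urn:example:{co}:{role}"


def build_mapping(cos=COS):
    """One rule per (CO, role): an exact entitlement selects one group."""
    return {"rules": [{
        "local": [{"user": {"name": "{0}", "type": "ephemeral"}},
                  {"group": {"name": f"{co.split('.')[0]}-{role}",
                             "domain": {"name": "Default"}}}],
        "remote": [{"type": "REMOTE_USER"},
                   {"type": "entitlement",
                    "any_one_of": [entitlement(co, role)]}],
    } for co in cos for role in ROLES]}


def evaluate(mapping, assertion):
    """Return (user_name, groups), or None when no rule matches (deny)."""
    user, groups = None, set()
    for rule in mapping["rules"]:
        direct, matched = [], True
        for req in rule["remote"]:
            # Multi-valued attributes arrive as one ';'-separated string.
            values = [v for v in assertion.get(req["type"], "").split(";") if v]
            if "any_one_of" in req:
                matched = matched and any(v in req["any_one_of"] for v in values)
            else:
                matched = matched and bool(values)
                direct.append(values[0] if values else "")
        if not matched:
            continue
        for local in rule["local"]:
            if "user" in local:
                user = local["user"]["name"].format(*direct)
            if "group" in local:
                groups.add(local["group"]["name"])
    return (user, sorted(groups)) if groups else None
```

A user holding no matching entitlement gets `None`, so the ephemeral user is never placed in a group by default, and the exact-match comparison keeps a value that merely starts with a valid entitlement from being accepted.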

Demonstration workflow

The research collaborations on COmanage
a) Some research collaborations that want to access OpenStack services were created on a COmanage instance. In our case:
aarc-white.pilots.aarc-project.eu
aarc-yellow.pilots.aarc-project.eu
aarc-blue.pilots.aarc-project.eu

b) Each CO has an admin, who approves the membership requests, and several registered users.

c) Each CO has a corresponding project in OpenStack, reserved to its members.

...