From f5924e67859efa92516a5e87efafe91af67c8575 Mon Sep 17 00:00:00 2001 
From: Colleen Murphy
Date: Fri, 23 Jun 2017 15:44:01 +0200
Subject: [PATCH] Add config settings for login domain dropdown

On clouds that use domain-specific Identity configuration[1], a user
must provide both their username and domain in order to log into
horizon. Without this patch, users must be aware of their domain's name
and enter it into a text box at login. This is sensible on public
clouds, because supplying potential domains to an unauthenticated user
exposes too much information about other customers and makes potential
attacks easier.

On private clouds, however, it is a hindrance to usability. For example,
when migrating from a single-domain configuration to a multi-domain
configuration, users must now guess or be informed of their domain in
order to enter it in the text box. As another example, when keystone
domains are mapped to Active Directory domains, the user may not be used
to having to know their AD domains and would prefer to select a likely
one based on their geographical location or department from a dropdown
menu.

This patch adds the config file examples and documentation for new
config options, "OPENSTACK_KEYSTONE_DOMAIN_DROPDOWN" for enabling a
dropdown menu instead of a textbox when MULTIDOMAIN_SUPPORT is enabled,
and "OPENSTACK_KEYSTONE_DOMAIN_CHOICES" for providing domains to choose
from. The behavior changes corresponding to these new options are
implemented in django_openstack_auth in a corresponding patch.

[1] https://docs.openstack.org/developer/keystone/configuration.html#domain-specific-drivers

Change-Id: I71d64182524d1f54745d9e42347b3a605fa2a920
Depends-On: Ie0a7e36b9975342fab81ddebb87880608d3ef187
---
 doc/source/configuration/settings.rst         | 26 +++++++++++++++++++
 .../local/local_settings.py.example           | 14 ++++++++++
 .../add-domain-dropdown-65006187e5605735.yaml | 11 ++++++++
 3 files changed, 51 insertions(+)
 create mode 100644 releasenotes/notes/add-domain-dropdown-65006187e5605735.yaml
diff --git a/doc/source/configuration/settings.rst b/doc/source/configuration/settings.rst index 50e455c6e8..2dd6e7f936 100644 --- a/doc/source/configuration/settings.rst +++ b/doc/source/configuration/settings.rst @@ -1091,6 +1091,32 @@ Default: ``False`` Set this to True if running on multi-domain model. When this is enabled, it will require user to enter the Domain name in addition to username for login. +``OPENSTACK_KEYSTONE_DOMAIN_DROPDOWN`` +-------------------------------------- + +.. versionadded:: 12.0.0(Pike) + +Default: ``False`` +Set this to True if you want available domains displayed as a dropdown menu on +the login screen. It is strongly advised NOT to enable this for public clouds, +as advertising enabled domains to unauthenticated customers irresponsibly +exposes private information. This should only be used for private clouds where +the dashboard sits behind a corporate firewall. + +``OPENSTACK_KEYSTONE_DOMAIN_CHOICES`` +------------------------------------- + +.. versionadded:: 12.0.0(Pike) + +Default:: + + ( + ('Default', 'Default'), + ) + +If OPENSTACK_KEYSTONE_DOMAIN_DROPDOWN is enabled, this option can be used to +set the available domains to choose from. This is a list of pairs whose first +value is the domain name and the second is the display name. ``OPENSTACK_KEYSTONE_URL`` -------------------------- diff --git a/openstack_dashboard/local/local_settings.py.example b/openstack_dashboard/local/local_settings.py.example index ee89d83807..17b2bdd303 100644 --- a/openstack_dashboard/local/local_settings.py.example +++ b/openstack_dashboard/local/local_settings.py.example 
@@ -75,6 +75,20 @@ WEBROOT = '/' # for login. #OPENSTACK_KEYSTONE_MULTIDOMAIN_SUPPORT = False +# Set this to True if you want available domains displayed as a dropdown menu +# on the login screen. It is strongly advised NOT to enable this for public +# clouds, as advertising enabled domains to unauthenticated customers +# irresponsibly exposes private information. This should only be used for +# private clouds where the dashboard sits behind a corporate firewall. +#OPENSTACK_KEYSTONE_DOMAIN_DROPDOWN = False + +# If OPENSTACK_KEYSTONE_DOMAIN_DROPDOWN is enabled, this option can be used to +# set the available domains to choose from. This is a list of pairs whose first +# value is the domain name and the second is the display name. +#OPENSTACK_KEYSTONE_DOMAIN_CHOICES = ( +# ('Default', 'Default'), +#) + # Overrides the default domain used when running on single-domain model # with Keystone V3. All entities will be created in the default domain. # NOTE: This value must be the name of the default domain, NOT the ID. diff --git a/releasenotes/notes/add-domain-dropdown-65006187e5605735.yaml b/releasenotes/notes/add-domain-dropdown-65006187e5605735.yaml new file mode 100644 index 0000000000..2968e3fa74 --- /dev/null +++ b/releasenotes/notes/add-domain-dropdown-65006187e5605735.yaml @@ -0,0 +1,11 @@ +--- +features: + - | + Added settings OPENSTACK_KEYSTONE_DOMAIN_DROPDOWN (boolean) and + OPENSTACK_KEYSTONE_DOMAIN_CHOICES (tuple of tuples) to support a dropdown + list of keystone domains to choose from at login. This should NOT be enabled + for public clouds, as advertising enabled domains to unauthenticated users + irresponsibly exposes private information. This is useful for private clouds + that sit behind a corprate firewall and that have a small number of domains + mapped to known corporate structures, such as an LDAP directory, Active + Directory domains, geopgraphical regions or business units.
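
Review bot: In doc/source/configuration/settings.rst, the new OPENSTACK_KEYSTONE_DOMAIN_DROPDOWN section does not say that the option only has an effect when OPENSTACK_KEYSTONE_MULTIDOMAIN_SUPPORT is True, although the commit message describes it that way. Add a sentence stating the dependency so an operator does not enable the dropdown alone and expect the login form to change. In the same section, "Default: ``False``" runs straight into "Set this to True if you want available domains displayed ..." with no empty line between them, so the two will render as one paragraph; add an empty line after the default.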
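
Review bot: In openstack_dashboard/local/local_settings.py.example, the commented OPENSTACK_KEYSTONE_DOMAIN_CHOICES example uses ('Default', 'Default'), where both values are identical, so it does not show which element is the keystone domain name and which is the label shown to the user. Consider an entry whose display name differs from the domain name. The comment also calls the value "a list of pairs" while the example is a tuple of tuples; pick one wording and use the same one in settings.rst. Since every entry is shown on the login screen to unauthenticated users once the dropdown is enabled, the comment could also say that only domains meant to be advertised belong in this setting.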
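
Review bot: In releasenotes/notes/add-domain-dropdown-65006187e5605735.yaml, the feature text has two typos, "corprate" (corporate) and "geopgraphical" (geographical), which will be published in the release notes as written. The note also does not mention that the login behavior itself comes from the django_openstack_auth change this patch depends on; a sentence saying so would help operators who upgrade horizon on its own and see no dropdown.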