[openstack-dev] [keystone] Keystone support of Multi-Factor Authentication ?

Adrian Turjak adriant at catalyst.net.nz
Tue Dec 18 17:36:24 UTC 2018


On 15/12/18 2:41 AM, Colleen Murphy wrote:
> Hi Greg,
>
> On Fri, Dec 14, 2018, at 2:07 PM, Waines, Greg wrote:
>> Keystone guys,
>>
>> What is the current status of Keystone supporting Multi-Factor Authentication?
>>
>> https://specs.openstack.org/openstack/keystone-specs/specs/keystone/rocky/mfa-auth-receipt.html
>>
>>   *   Does this work provide true MFA?
> It's a component of a proper MFA solution. We had already implemented TOTP as a possible auth method as well as the ability to use multiple auth methods. The MFA receipts work is to make it easier for clients to use MFA in a more natural way than what we had before.
>
>>   *   Is this work still active ?
> The API work for the receipts features is more or less completed. We still need proper documentation and an update to the API reference. We also need to work this feature into keystoneauth and horizon. Adrian Turjak has been leading this effort. I think he's still on vacation but I expect he'll pick it up when he's back.

Yes, this work is active, just slowed. My holiday has been more of a
holiday than the working holiday I expected, but the docs work will be
done soon, and hopefully merged soon in the new year.

I can then hopefully start work on Keystoneauth, but I don't know how
long that will take or if we can get it done before the end of Stein (I
hope so).

>
>> Are there other solutions for MFA for OpenStack Keystone ?
> Not in keystone, but keystone supports external authentication so if you have an external identity provider that supports MFA you can lean on that.

For our cloud we did a custom auth plugin for Keystone that solved this
for us, and most importantly, a migration path to the auth rules and
auth receipts method in keystone will be easy:

https://github.com/catalyst-cloud/adjutant-mfa

If running the latest version of Keystone won't be possible, this may be
an alternative and mostly works now, but if you can, and can wait, the
proper auth-receipt based method will be better.


>
>> Greg.
> Colleen
>
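The two request shapes discussed above (a single request carrying both the password and TOTP methods, and the receipt-based two-step where a password-only request under MFA rules gets a 401 with an `Openstack-Auth-Receipt` header that is replayed with the remaining method) as an added example, not code from this thread, from keystone or from adjutant-mfa. It assumes keystone's TOTP defaults (RFC 6238, HMAC-SHA1, 6 digits, 30-second step) and the 401 body layout described in the mfa-auth-receipt spec linked above (`receipt.methods` plus `required_auth_methods`); the user ID, project ID, password, base32 secret and the simulated 401 response are constructed sample values.

```python
"""Keystone v3 password + TOTP auth bodies, with the auth-receipt follow-up.

Added example, not keystone's own code. Assumptions: keystone's TOTP defaults
(RFC 6238, SHA-1, 6 digits, 30 s), and the receipt challenge shape from the
mfa-auth-receipt spec (header Openstack-Auth-Receipt, body with
receipt.methods and required_auth_methods). All IDs/secrets are constructed.
"""
import base64
import hashlib
import hmac
import json
import struct
import time


def totp_code(secret_b32: str, timestamp: int, digits: int = 6, step: int = 30) -> str:
    """RFC 6238 TOTP over HMAC-SHA1, the code keystone's 'totp' method verifies."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    counter = struct.pack(">Q", timestamp // step)          # 8-byte big-endian step count
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                              # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def auth_body(methods, user_id, project_id, password=None, passcode=None):
    """Body for POST /v3/auth/tokens listing one or more auth methods."""
    identity = {"methods": list(methods)}
    if "password" in methods:
        identity["password"] = {"user": {"id": user_id, "password": password}}
    if "totp" in methods:
        identity["totp"] = {"user": {"id": user_id, "passcode": passcode}}
    return {"auth": {"identity": identity,
                     "scope": {"project": {"id": project_id}}}}


def next_request_after_401(status, headers, body, user_id, project_id, passcode):
    """Turn a receipt challenge into the follow-up request.

    Returns (headers, body) for the second request, or None when the response
    is not a receipt challenge (e.g. a 201 token or a plain 401 with no receipt).
    The 401 body layout (receipt.methods, required_auth_methods) is assumed
    from the spec, not verified against a running keystone.
    """
    receipt = headers.get("Openstack-Auth-Receipt")
    if status != 401 or receipt is None:
        return None
    completed = set(body["receipt"]["methods"])
    for rule in body["required_auth_methods"]:            # first rule this receipt can satisfy
        if completed <= set(rule):
            missing = [m for m in rule if m not in completed]
            break
    else:
        return None
    follow_up = auth_body(missing, user_id, project_id, passcode=passcode)
    return {"Openstack-Auth-Receipt": receipt}, follow_up


if __name__ == "__main__":
    # Constructed sample values; the secret is the RFC 6238 test key in base32.
    USER, PROJECT, SECRET = "u-example", "p-example", "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
    code = totp_code(SECRET, int(time.time()))

    # 1) One request with both methods (needs a client that knows about TOTP up front).
    print(json.dumps(auth_body(["password", "totp"], USER, PROJECT, "pw", code), indent=1))

    # 2) Receipt flow: password-only request, simulated 401 challenge (constructed),
    #    then the follow-up carrying only the missing method plus the receipt header.
    challenge_headers = {"Openstack-Auth-Receipt": "constructed-receipt-token"}
    challenge_body = {"receipt": {"methods": ["password"], "expires_at": "..."},
                      "required_auth_methods": [["password", "totp"]]}
    hdrs, follow_up = next_request_after_401(401, challenge_headers, challenge_body,
                                             USER, PROJECT, code)
    print(hdrs)
    print(json.dumps(follow_up, indent=1))
```

The receipt path is what keystoneauth and horizon would need to learn: treat a 401 with an `Openstack-Auth-Receipt` header as "partially authenticated, prompt for the next factor" rather than as a failed login, and send back only the methods not already recorded in the receipt.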