[keystone][horizon] Integration with GuardianKey
Colleen Murphy
colleen at gazlene.net
Fri Apr 5 17:50:06 UTC 2019
On Fri, Apr 5, 2019, at 06:38, Ben Nemec wrote:
> Tagging with relevant projects for visibility.
>
> On 3/30/19 3:54 PM, Paulo Angelo wrote:
> > Hi all,
> >
> >
> > We are trying to integrate OpenStack (Horizon or Keystone) with
> > GuardianKey. However, we have doubts related to the best way to do this
> > and the best point in the code for this integration.
> >
> >
> > GuardianKey is a solution to protect systems against authentication
> > attacks. It uses Machine Learning and analyses the user's behavior,
> > threat intelligence and psychometrics (or behavioral biometrics). The
> > protected system (in the concrete case, OpenStack admin interface) must
> > send an event via REST for the GuardianKey on each login attempt. More
> > info at https://guardiankey.io.
> >
> > The best way to integrate would be to have a hook in the procedure
> > that processes the user credentials submission in OpenStack (the script
> > that receives the POST), something such as:
> >
> >
> > if(<POST IN AUTH FORM>) {
> >     boolean loginFailed = checkLogin();
> >     GuardianKeyEvent event = createEventForGuardianKey(username,loginFailed);
> >     boolean GuardianKeyValidation = checkGuardianKeyViaREST(event);
> >     if(GuardianKeyValidation){
> >         // Allow access
> >     } else {
> >         // Deny access
> >     }
> > }
> >
> >
> > Where is the best place to create this integration? Horizon or Keystone?
> > Is there a way to create a hook for this purpose? Should we create an
> > extension?

Keystone would be the best place for this. Horizon is only one way a user can log in to OpenStack, so hooking into Horizon would not cover your attack vector. Keystone has a built-in auditing system specifically for this, using CADF notifications to emit events when a user logs in:

https://docs.openstack.org/keystone/latest/admin/event_notifications.html

All you need to do is create a consumer for those notifications.

Colleen

> >
> >
> > Any help is welcome.
> >
> >
> > Thank you in advance.
> >
> >
> > Best regards,
> >
> >
> > Paulo Angelo
>
>
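
One way to write the consumer suggested in the reply above, as an added example that is not code from the thread, Keystone or GuardianKey: it maps a Keystone CADF `identity.authenticate` notification to a login-attempt record and hands it to a forwarder. The record's field names, the `forward` callable and the sample payload are assumptions; wiring the endpoint to an oslo.messaging notification listener is not shown.

```python
# Added example: the record's field names and `forward` are hypothetical.
CADF_EVENT = "http://schemas.dmtf.org/cloud/audit/1.0/event"


def login_attempt_from_cadf(event_type, payload):
    """Flatten a Keystone CADF authenticate event; None for anything else."""
    if event_type != "identity.authenticate":
        return None
    if payload.get("typeURI") != CADF_EVENT or payload.get("action") != "authenticate":
        return None
    outcome = payload.get("outcome")
    if outcome not in ("success", "failure"):
        return None  # ignore incomplete or unknown outcomes
    initiator = payload.get("initiator") or {}
    host = initiator.get("host") or {}
    return {
        "user_id": initiator.get("id"),
        "login_failed": outcome == "failure",
        "client_ip": host.get("address"),
        "user_agent": host.get("agent"),
        "event_time": payload.get("eventTime"),
    }


class AuthNotificationEndpoint:
    """Has the info() signature an oslo.messaging notification listener calls."""

    def __init__(self, forward):
        self.forward = forward  # hypothetical: sends the record to the scoring service

    def info(self, ctxt, publisher_id, event_type, payload, metadata):
        record = login_attempt_from_cadf(event_type, payload)
        if record is not None:
            self.forward(record)


# Constructed sample payload, shaped like Keystone's documented authenticate event.
SAMPLE_FAILED_LOGIN = {
    "typeURI": CADF_EVENT, "eventType": "activity", "action": "authenticate",
    "outcome": "failure", "eventTime": "2019-04-05T17:50:06.000000+00:00",
    "initiator": {"typeURI": "service/security/account/user",
                  "id": "0f1e2d3c4b5a69788796a5b4c3d2e1f0",  # constructed id
                  "host": {"agent": "curl/7.64.0", "address": "203.0.113.7"}},
    "target": {"typeURI": "service/security/account/user", "id": "openstack:target"},
}


def demo():
    seen = []
    endpoint = AuthNotificationEndpoint(seen.append)
    endpoint.info({}, "identity.host1", "identity.authenticate", SAMPLE_FAILED_LOGIN, {})
    endpoint.info({}, "identity.host1", "identity.user.created", {"resource_info": "x"}, {})
    return seen
```

Because these notifications are emitted after Keystone has processed the attempt, a consumer like this can score and alert on logins but cannot itself allow or deny them the way the pseudocode in the question does.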