[Openstack-operators] OpenStack Security and Administrative Users

Mathieu Gagné mgagne at iweb.com
Thu May 22 19:27:55 UTC 2014

Hi Adam,

On 2014-05-22, 12:07 AM, Adam Young wrote:
> On 05/21/2014 01:49 PM, Mathieu Gagné wrote:
>> - Force ALL users to provide a client certificate if this config is in
>> keystone.conf:
> No.  I think that there is no way to say "user cannot authenticate with
> Password"  but you could do  X509 Client cert authentication via mod_nss
> or mod_ssl, and map that users ID to REMOTE_USER, and use the external
> login. They would have a separate Auth URL,

I'm not looking for a password-less authentication using X.509 client 
certificate. I'm more looking for a way to enforce the use of 2-factor 
authentication for specific users (especially administrative users).

On a side note, I already disabled the AdminTokenAuthMiddleware 
middleware. Although mentioned in the keystone.conf.sample, it is 
curiously not mentioned in the OpenStack Security Guide:

# To disable in production (highly
# recommended), remove AdminTokenAuthMiddleware from your
# paste application pipelines

Maybe we should mention it somewhere.

> Note that this kind of implies HTTPD.  It might be possible to do this in
> Eventlet, but Python is really poor at doing cryptography, and adding a
> single threaded web server to the mix is probably going to perform poorly.

I'm open to all suggestions to make it work.

> I'd love it if Admin users could use X509 and/or Kerberos across the
> board, but there is not yet support for Kerberos in the clients. That is
> changing soon, though.

2-factor authentication is therefore not possible with the current state 
of the keystoneclient. Am I understanding it right?

How can someone apply the OpenStack Security guideline previously 
mentioned as of today? Is it even possible? Any alternative?
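The AdminTokenAuthMiddleware point above is easy to check mechanically. The script below is an added example, not code from this thread or from Keystone itself: it parses a keystone-paste.ini, finds every `[filter:*]` section whose factory loads `AdminTokenAuthMiddleware`, reports which pipelines still include that filter, and produces a copy with the filter stripped out. The embedded ini is a constructed sample; the filter name `admin_token_auth` and the pipeline names are assumed to follow the convention of the Icehouse-era keystone-paste.ini, so check them against your own file before relying on the output.

```python
"""Audit a keystone-paste.ini for the admin-token filter (added example, not Keystone code)."""
import configparser

# Constructed sample modelled on an Icehouse-era keystone-paste.ini.
# Filter/pipeline names are assumptions; it is not a copy of any shipped file.
SAMPLE_PASTE_INI = """
[filter:admin_token_auth]
paste.filter_factory = keystone.middleware:AdminTokenAuthMiddleware.factory

[filter:token_auth]
paste.filter_factory = keystone.middleware:TokenAuthMiddleware.factory

[app:public_service]
paste.app_factory = keystone.service:public_app_factory

[app:admin_service]
paste.app_factory = keystone.service:admin_app_factory

[pipeline:public_api]
pipeline = sizelimit url_normalize request_id build_auth_context token_auth admin_token_auth json_body ec2_extension public_service

[pipeline:admin_api]
pipeline = sizelimit url_normalize request_id build_auth_context token_auth admin_token_auth json_body ec2_extension s3_extension crud_extension admin_service

[pipeline:api_v3]
pipeline = sizelimit url_normalize request_id build_auth_context token_auth json_body ec2_extension_v3 s3_extension simple_cert_extension service_v3
"""


def load_paste_ini(text):
    """Parse paste-deploy ini text; interpolation is off because paste uses '%' literally."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    return cfg


def admin_token_filters(cfg):
    """Return the short names of [filter:*] sections that load AdminTokenAuthMiddleware."""
    names = []
    for section in cfg.sections():
        if section.startswith("filter:"):
            factory = cfg.get(section, "paste.filter_factory", fallback="")
            if "AdminTokenAuthMiddleware" in factory:
                names.append(section.split(":", 1)[1])
    return names


def pipelines_using(cfg, filter_names):
    """Map each pipeline name to the admin-token filters still wired into it."""
    found = {}
    for section in cfg.sections():
        if section.startswith("pipeline:"):
            stages = cfg.get(section, "pipeline", fallback="").split()
            hits = [s for s in stages if s in filter_names]
            if hits:
                found[section.split(":", 1)[1]] = hits
    return found


def audit(text):
    """Return {pipeline: [offending filters]}; an empty dict means the middleware is out."""
    cfg = load_paste_ini(text)
    return pipelines_using(cfg, set(admin_token_filters(cfg)))


def strip_admin_token(text):
    """Return a copy of the ini with the admin-token filter removed from every pipeline line."""
    cfg = load_paste_ini(text)
    names = set(admin_token_filters(cfg))
    out = []
    for line in text.splitlines():
        if line.startswith("pipeline ="):
            stages = [s for s in line.split("=", 1)[1].split() if s not in names]
            line = "pipeline = " + " ".join(stages)
        out.append(line)
    return "\n".join(out)


if __name__ == "__main__":
    for name, hits in audit(SAMPLE_PASTE_INI).items():
        print("pipeline %s still loads %s" % (name, ", ".join(hits)))
    print("after hardening:", audit(strip_admin_token(SAMPLE_PASTE_INI)))
```

Run it against your real file by replacing `SAMPLE_PASTE_INI` with the contents of `/etc/keystone/keystone-paste.ini`; the `[filter:admin_token_auth]` section itself can stay defined, since only its presence in a `pipeline =` line exposes the admin token.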