[Openstack-operators] OpenStack Security and Administrative Users
mgagne at iweb.com
Thu May 22 19:27:55 UTC 2014
On 2014-05-22, 12:07 AM, Adam Young wrote:
> On 05/21/2014 01:49 PM, Mathieu Gagné wrote:
>> - Force ALL users to provide a client certificate if this config is in
> No. I think that there is no way to say "user cannot authenticate with
> Password" but you could do X509 Client cert authentication via mod_nss
> or mod_ssl, and map that users ID to REMOTE_USER, and use the external
> login. They would have a separate Auth URL,
I'm not looking for a password-less authentication using X.509 client
certificate. I more looking for a way to enforce the use of 2-factor
authentication for specific users. (especially administrative users)
On a side note, I already disabled the AdminTokenAuthMiddleware
middleware. Although mentioned in the keystone.conf.sample, it is
curiously not mentioned in the OpenStack Security Guide:
# To disable in production (highly
# recommended), remove AdminTokenAuthMiddleware from your
# paste application pipelines
Maybe we should mention it somewhere.
> Note that this kindof implies HTTPD. It might be possible to do this in
> Eventlet, but Python is really poor at doing cryptography, and adding a
> single threaded web server to the mix is probably going to perform poorly.
I'm open to all suggestions to make it work.
> I'd love it if Admin users could use X509 and/orKerberos across the
> board, but there is not yet support for Kerberos in the clients. That is
> changing soon, though.
2-factor authentication is therefore no possible with the current state
of the keystoneclient. Am I understanding it right?
How can someone apply the OpenStack Security guideline previously
mentioned as of today? Is it even possible? Any alternative?
More information about the OpenStack-operators