[Openstack-security] Authenticating User and Workstation/Device

Adam Young ayoung at redhat.com
Wed Aug 21 01:49:27 UTC 2013


On 08/20/2013 12:11 PM, Bryan D. Payne wrote:
> Jeffrey,
>
> I'm not aware of something like this that is already in place.
> However, I am curious about your requirements as this may be
> something one could put together with existing tools. What type of
> device level authentication did you have in mind? For example, how
> would you expect a device to prove its identity to the cloud?
> Understanding this will guide the discussion and make it easier for
> others to chime in.
>
> Cheers,
> -bryan
>
>
>
> On Tue, Aug 20, 2013 at 7:55 AM, Jeffrey Walton <noloader at gmail.com> wrote:
>
>     Hi All,
>
>     I've been through the OpenStack APIs, but I don't believe I've seen a
>     solution to my problem. I'm looking for a method to authenticate both
>     the user and his/her workstation or device.
>
>     In this scenario (or use case), the user would be given access to
>     low/medium/high value data if on their workstation; but only access to
>     low value data if on a mobile device.
>

FreeIPA provides something along these lines: host-based access
control. However, it has to be enforced by the device itself, via SSSD.

There is some support for Multifactor Auth in Keystone. I would
suggest that the right solution would be to use a combination of X509 on
the device coupled with a device profile to modify the role assignments
that are accessible to the token/auth controller. We've talked about
mechanisms along these lines, but nothing is in the blueprints.

>
>     Does OpenStack provide a solution to workstation/device provisioning
>     and authorizations based on the hardware and data sensitivity levels?
>
>     Thanks in advance,
>     Jeffrey Walton
>
>     _______________________________________________
>     Openstack-security mailing list
>     Openstack-security at lists.openstack.org
>     http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-security
>
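
Added example (not part of the original message, and not Keystone or FreeIPA code): a sketch of the idea in the reply above, where the device's X.509 certificate selects a device profile that caps which of the user's role assignments reach the token. All names, role strings and the registry are hypothetical; certificate chain validation is assumed to be done by the TLS layer, and giving unknown devices the same ceiling as mobile ones is an assumption.

```python
import hashlib

# Sensitivity tiers from the thread, ordered lowest to highest.
TIERS = ("low", "medium", "high")


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 fingerprint of a certificate's DER encoding."""
    return hashlib.sha256(cert_der).hexdigest()


# Constructed stand-ins for the DER bytes of provisioned device certificates.
WORKSTATION_CERT = b"constructed-der-bytes-workstation"
MOBILE_CERT = b"constructed-der-bytes-mobile"

# Hypothetical device registry, filled at provisioning time:
# certificate fingerprint -> device profile with a sensitivity ceiling.
DEVICE_PROFILES = {
    fingerprint(WORKSTATION_CERT): {"class": "workstation", "ceiling": "high"},
    fingerprint(MOBILE_CERT): {"class": "mobile", "ceiling": "low"},
}

# Constructed user role assignments, one hypothetical role per data tier.
USER_ROLES = {
    "alice": {"reader:low", "reader:medium", "reader:high"},
    "bob": {"reader:low", "reader:medium"},
}


def effective_roles(user, cert_der, tls_verified):
    """Return the roles to place in a token: the user's own assignments,
    capped by the ceiling of the device that presented the certificate."""
    assigned = USER_ROLES.get(user, set())
    profile = None
    # Only trust the certificate if the TLS layer validated its chain
    # (assumed to happen upstream; this sketch does no chain validation).
    if tls_verified and cert_der:
        profile = DEVICE_PROFILES.get(fingerprint(cert_der))
    # Assumption: unknown or unverified devices get the lowest tier, like a
    # mobile device. A stricter policy would return an empty set here.
    ceiling = profile["ceiling"] if profile else TIERS[0]
    allowed = set(TIERS[: TIERS.index(ceiling) + 1])
    # The device can only narrow the user's roles, never add to them.
    return {role for role in assigned if role.split(":", 1)[1] in allowed}
```

The device profile only ever narrows what the user was already assigned, so a high-ceiling workstation does not give "bob" access to high value data.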
