<html>
  <head>
    <meta content="text/html; charset=ISO-8859-1"
      http-equiv="Content-Type">
  </head>
  <body text="#000000" bgcolor="#FFFFFF">
    <div class="moz-cite-prefix">On 08/20/2013 12:11 PM, Bryan D. Payne
      wrote:<br>
    </div>
    <blockquote
cite="mid:CAFpPvXB+e8A9NWLDbRp5w0bwgEBiLEdyb8MaTD6mp5dyT4TLEA@mail.gmail.com"
      type="cite">
      <div dir="ltr">Jeffrey,
        <div><br>
        </div>
        <div>I'm not aware of something like this that is already in
          place.  However, I am curious about your requirements as this
          may be something one could put together with existing tools.
           What type of device level authentication did you have in
          mind?  For example, how would you expect a device to prove
          its identity to the cloud?  Understanding this will guide the
          discussion and make it easier for others to chime in.</div>
        <div><br>
        </div>
        <div>Cheers,</div>
        <div>-bryan</div>
        <div><br>
        </div>
        <div class="gmail_extra"><br>
          <br>
          <div class="gmail_quote">On Tue, Aug 20, 2013 at 7:55 AM,
            Jeffrey Walton <span dir="ltr">&lt;<a
                moz-do-not-send="true" href="mailto:noloader@gmail.com"
                target="_blank">noloader@gmail.com</a>&gt;</span> wrote:<br>
            <blockquote class="gmail_quote" style="margin:0 0 0
              .8ex;border-left:1px #ccc solid;padding-left:1ex">Hi All,<br>
              <br>
              I've been through the OpenStack APIs, but I don't believe
              I've seen a<br>
              solution to my problem. I'm looking for a method to
              authenticate both<br>
              the user and his/her workstation or device.<br>
              <br>
              In this scenario (or use case), the user would be given
              access to<br>
              low/medium/high value data if on their workstation; but
              only access to<br>
              low value data if on a mobile device.<br>
            </blockquote>
          </div>
        </div>
      </div>
    </blockquote>
    <br>
    FreeIPA provides something along these lines:  Host based access
    control. However, it has to be enforced by the device itself, via
    SSSD.<br>
    <br>
    There is some support for Multifactor Auth in Keystone.   I would
    suggest that the right solution would be to use a combination of
    X509 on the device coupled with a device profile to modify the role
    assignments that are accessible to the token/auth controller.  We've
    talked about mechanisms along these lines, but nothing is in the
    blueprints.<br>
    <br>
    <blockquote
cite="mid:CAFpPvXB+e8A9NWLDbRp5w0bwgEBiLEdyb8MaTD6mp5dyT4TLEA@mail.gmail.com"
      type="cite">
      <div dir="ltr">
        <div class="gmail_extra">
          <div class="gmail_quote">
            <blockquote class="gmail_quote" style="margin:0 0 0
              .8ex;border-left:1px #ccc solid;padding-left:1ex">
              <br>
              Does OpenStack provide a solution to workstation/device
              provisioning<br>
              and authorizations based on the hardware and data
              sensitivity levels?<br>
              <br>
              Thanks in advance,<br>
              Jeffrey Walton<br>
              <br>
              _______________________________________________<br>
              Openstack-security mailing list<br>
              <a moz-do-not-send="true"
                href="mailto:Openstack-security@lists.openstack.org"
                target="_blank">Openstack-security@lists.openstack.org</a><br>
              <a moz-do-not-send="true"
href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-security"
                target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-security</a><br>
            </blockquote>
          </div>
          <br>
        </div>
      </div>
      <br>
    </blockquote>
    <br>
  </body>
</html>