<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<div class="moz-cite-prefix">On 08/20/2013 12:11 PM, Bryan D. Payne
wrote:<br>
</div>
<blockquote
cite="mid:CAFpPvXB+e8A9NWLDbRp5w0bwgEBiLEdyb8MaTD6mp5dyT4TLEA@mail.gmail.com"
type="cite">
<div dir="ltr">Jeffrey,
<div><br>
</div>
<div>I'm not aware of something like this that is already in
place. However, I am curious about your requirements as this
may be something one could put together with existing tools.
What type of device level authentication did you have in
mind? For example, how would you expect a device to prove
its identity to the cloud? Understanding this will guide the
discussion and make it easier for others to chime in.</div>
<div><br>
</div>
<div>Cheers,</div>
<div>-bryan</div>
<div><br>
</div>
<div class="gmail_extra"><br>
<br>
<div class="gmail_quote">On Tue, Aug 20, 2013 at 7:55 AM,
Jeffrey Walton <span dir="ltr"><<a
moz-do-not-send="true" href="mailto:noloader@gmail.com"
target="_blank">noloader@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">Hi All,<br>
<br>
I've been through the OpenStack APIs, but I don't believe
I've seen a<br>
solution to my problem. I'm looking for a method to
authenticate both<br>
the user and his/her workstation or device.<br>
<br>
In this scenario (or use case), the user would be given
access to<br>
low/medium/high value data if on their workstation; but
only access to<br>
low value data if on a mobile device.<br>
</blockquote>
</div>
</div>
</div>
</blockquote>
<br>
FreeIPA provides something along these lines: Host based access
control. However, it has to be enforced by the device itself, via
SSSD.<br>
<br>
There is some support for Multifactor Auth in Keystone. I would
suggest that the right solution would be to use a combination of
X509 on the device coupled with a device profile to modify the role
assignments that are accessible to the token/auth controller. We've
talked about mechanisms along these lines, but nothing is in the
blueprints.<br>
<br>
<blockquote
cite="mid:CAFpPvXB+e8A9NWLDbRp5w0bwgEBiLEdyb8MaTD6mp5dyT4TLEA@mail.gmail.com"
type="cite">
<div dir="ltr">
<div class="gmail_extra">
<div class="gmail_quote">
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<br>
Does OpenStack provide a solution to workstation/device
provisioning<br>
and authorizations based on the hardware and data
sensitivity levels?<br>
<br>
Thanks in advance,<br>
Jeffrey Walton<br>
<br>
_______________________________________________<br>
Openstack-security mailing list<br>
<a moz-do-not-send="true"
href="mailto:Openstack-security@lists.openstack.org"
target="_blank">Openstack-security@lists.openstack.org</a><br>
<a moz-do-not-send="true"
href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-security"
target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-security</a><br>
</blockquote>
</div>
<br>
</div>
</div>
<br>
</blockquote>
<br>
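<p>As an added example (not code from the thread, Keystone, or FreeIPA): the reply above suggests combining an X.509 device certificate with a device profile that narrows the role assignments a token service will hand out. The sketch below assumes the TLS layer has already verified the client certificate against a device CA, that the certificate subject's OU field names the device class (an assumed convention, not an OpenStack one), and that each role name maps to the sensitivity of the data it unlocks. Unknown device classes are rejected and unknown roles are dropped, so the filter fails closed.</p>

```python
"""Derive effective role assignments from a user's roles plus a device profile.

Assumptions (not from the thread or any OpenStack component):
- the X.509 client certificate was already validated by the TLS layer;
- the subject's OU attribute carries the device class;
- ROLE_SENSITIVITY maps each role to the data level it grants.
"""
from dataclasses import dataclass

# Sensitivity levels in increasing order, using the names from the use case.
LEVELS = {"low": 0, "medium": 1, "high": 2}

# Assumed device classes and the highest data level each may reach:
# a workstation gets low/medium/high, a mobile device only low.
DEVICE_CEILING = {"workstation": "high", "mobile": "low"}

# Assumed mapping of role names to the sensitivity of the data they unlock.
ROLE_SENSITIVITY = {"reader": "low", "analyst": "medium", "admin": "high"}


@dataclass(frozen=True)
class DeviceProfile:
    device_id: str
    device_class: str


def parse_dn(dn: str) -> dict:
    """Parse a simple RFC 4514-style DN ('CN=a,OU=b,O=c') into a dict.

    Only the unescaped, comma-separated form is handled; anything else
    is treated as malformed rather than guessed at.
    """
    attrs = {}
    for part in dn.split(","):
        key, sep, value = part.strip().partition("=")
        if not sep or not key or not value:
            raise ValueError(f"malformed DN component: {part!r}")
        attrs[key.upper()] = value
    return attrs


def device_profile_from_subject(subject_dn: str) -> DeviceProfile:
    """Build a device profile from a (pre-validated) certificate subject."""
    attrs = parse_dn(subject_dn)
    if "CN" not in attrs:
        raise ValueError("certificate subject has no CN")
    device_class = attrs.get("OU", "").lower()
    if device_class not in DEVICE_CEILING:
        # Fail closed: an unrecognised device class gets no profile at all.
        raise ValueError(f"unknown device class: {device_class!r}")
    return DeviceProfile(device_id=attrs["CN"], device_class=device_class)


def effective_roles(user_roles, profile: DeviceProfile) -> list:
    """Return the user's roles whose data level fits under the device ceiling.

    Roles not present in ROLE_SENSITIVITY are dropped rather than granted.
    """
    ceiling = LEVELS[DEVICE_CEILING[profile.device_class]]
    allowed = []
    for role in user_roles:
        level = ROLE_SENSITIVITY.get(role)
        if level is not None and LEVELS[level] <= ceiling:
            allowed.append(role)
    return sorted(allowed)


if __name__ == "__main__":
    # Constructed sample input: one user, two devices.
    roles = {"reader", "analyst", "admin"}
    for subject in ("CN=laptop-01,OU=workstation,O=Example",
                    "CN=phone-07,OU=mobile,O=Example"):
        profile = device_profile_from_subject(subject)
        print(profile.device_id, profile.device_class,
              effective_roles(roles, profile))
```

<p>The point of keeping the device ceiling separate from the user's assignments is that neither side alone decides access: the same user on a workstation would receive all three roles, while on a mobile device only the low-sensitivity role survives, and a device whose certificate does not name a known class is refused a profile rather than given the most permissive one.</p>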
</body>
</html>