<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<div class="moz-cite-prefix">On 08/20/2013 09:49 PM, Adam Young
wrote:<br>
</div>
<blockquote cite="mid:52141CA7.6070007@redhat.com" type="cite">
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
<div class="moz-cite-prefix">On 08/20/2013 12:11 PM, Bryan D.
Payne wrote:<br>
</div>
<blockquote
cite="mid:CAFpPvXB+e8A9NWLDbRp5w0bwgEBiLEdyb8MaTD6mp5dyT4TLEA@mail.gmail.com"
type="cite">
<div dir="ltr">Jeffrey,
<div><br>
</div>
<div>I'm not aware of something like this that is already in
place. However, I am curious about your requirements as
this may be something one could put together with existing
tools. What type of device level authentication did you
have in mind? For example, how would you expect a device to
prove its identity to the cloud? Understanding this will
guide the discussion and make it easier for others to chime
in.</div>
<div><br>
</div>
<div>Cheers,</div>
<div>-bryan</div>
<div><br>
</div>
<div class="gmail_extra"><br>
<br>
<div class="gmail_quote">On Tue, Aug 20, 2013 at 7:55 AM,
Jeffrey Walton <span dir="ltr"><<a
moz-do-not-send="true"
href="mailto:noloader@gmail.com" target="_blank">noloader@gmail.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">Hi
All,<br>
<br>
I've been through the OpenStack APIs, but I don't
believe I've seen a<br>
solution to my problem. I'm looking for a method to
authenticate both<br>
the user and his/her workstation or device.<br>
<br>
In this scenario (or use case), the user would be given
access to<br>
low/medium/high value data if on their workstation; but
only access to<br>
low value data if on a mobile device.<br>
</blockquote>
</div>
</div>
</div>
</blockquote>
<br>
FreeIPA provides something along these lines: Host based access
control. However, it has to be enforced by the device itself, via
SSSD.<br>
<br>
There is some support for Multifactor Auth in Keystone. I would
suggest that the right solution would be to use a combination of
X509 on the device coupled with a device profile to modify the
role assignments that are accessible to the token/auth controller.
We've talked about mechanisms along these lines, but nothing is in
the blueprints.<br>
</blockquote>
<br>
The more I think about it, the more I think this is the right
solution. One thing I was not clear on was whether you were talking
about access to the Cloud Infrastructure or the VMs themselves. If
it is the VMs, then, yes, FreeIPA will serve your needs.<br>
<br>
<blockquote cite="mid:52141CA7.6070007@redhat.com" type="cite"> <br>
<blockquote
cite="mid:CAFpPvXB+e8A9NWLDbRp5w0bwgEBiLEdyb8MaTD6mp5dyT4TLEA@mail.gmail.com"
type="cite">
<div dir="ltr">
<div class="gmail_extra">
<div class="gmail_quote">
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex"> <br>
Does OpenStack provide a solution to workstation/device
provisioning<br>
and authorizations based on the hardware and data
sensitivity levels?<br>
<br>
Thanks in advance,<br>
Jeffrey Walton<br>
<br>
_______________________________________________<br>
Openstack-security mailing list<br>
<a moz-do-not-send="true"
href="mailto:Openstack-security@lists.openstack.org"
target="_blank">Openstack-security@lists.openstack.org</a><br>
<a moz-do-not-send="true"
href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-security"
target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-security</a><br>
</blockquote>
</div>
<br>
</div>
</div>
<br>
</blockquote>
<br>
<br>
</blockquote>
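<br>
A sketch of the device-profile role filtering proposed above (device
X.509 identity plus a device profile that narrows the role assignments
in the issued token: workstation gets low/medium/high data, mobile only
low), added here as an example and not Keystone or FreeIPA code. The
device registry, the role names and the getpeercert()-shaped certificate
dict are constructed assumptions.<br>

```python
from typing import Dict, List, Optional

# Constructed device profiles (assumption, not a Keystone structure): the
# data-sensitivity roles each device class may carry, mirroring the thread's
# use case: workstations get low/medium/high, mobile devices only low.
DEVICE_CLASS_ROLES: Dict[str, frozenset] = {
    "workstation": frozenset({"data_low", "data_medium", "data_high"}),
    "mobile": frozenset({"data_low"}),
}

# Constructed device registry keyed by the client certificate's subject CN.
DEVICE_PROFILES: Dict[str, str] = {
    "ws-0042.corp.example": "workstation",
    "phone-0007.corp.example": "mobile",
}


def device_cn_from_peercert(cert: dict) -> Optional[str]:
    """Pull the subject CN out of the dict shape ssl.SSLSocket.getpeercert()
    returns: 'subject' is a tuple of RDNs, each a tuple of (type, value)."""
    for rdn in cert.get("subject", ()):
        for attr_type, value in rdn:
            if attr_type == "commonName":
                return value
    return None


def roles_for_request(user_roles: List[str], cert: dict) -> List[str]:
    """Role assignments the token may carry for this user on this device.
    A missing or unregistered device certificate yields no roles (fail closed)."""
    cn = device_cn_from_peercert(cert)
    device_class = DEVICE_PROFILES.get(cn) if cn else None
    allowed = DEVICE_CLASS_ROLES.get(device_class, frozenset())
    # Keep the user's own roles minus anything this device class may not hold.
    return sorted(r for r in user_roles if r in allowed)


def issue_token(user: str, user_roles: List[str], cert: dict) -> dict:
    """Minimal token payload; the device class is recorded so downstream
    policy and audit can see which device the roles were scoped to."""
    cn = device_cn_from_peercert(cert)
    return {
        "user": user,
        "device": cn,
        "device_class": DEVICE_PROFILES.get(cn) if cn else None,
        "roles": roles_for_request(user_roles, cert),
    }
```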
<br>
</body>
</html>