<html>
  <head>
    <meta content="text/html; charset=ISO-8859-1"
      http-equiv="Content-Type">
  </head>
  <body text="#000000" bgcolor="#FFFFFF">
    <div class="moz-cite-prefix">On 08/20/2013 09:49 PM, Adam Young
      wrote:<br>
    </div>
    <blockquote cite="mid:52141CA7.6070007@redhat.com" type="cite">
      <div class="moz-cite-prefix">On 08/20/2013 12:11 PM, Bryan D.
        Payne wrote:<br>
      </div>
      <blockquote
cite="mid:CAFpPvXB+e8A9NWLDbRp5w0bwgEBiLEdyb8MaTD6mp5dyT4TLEA@mail.gmail.com"
        type="cite">
        <div dir="ltr">Jeffrey,
          <div><br>
          </div>
          <div>I'm not aware of something like this that is already in
            place.  However, I am curious about your requirements as
            this may be something one could put together with existing
            tools.  What type of device level authentication did you
            have in mind?  For example, how would you expect a device to
            prove its identity to the cloud?  Understanding this will
            guide the discussion and make it easier for others to chime
            in.</div>
          <div><br>
          </div>
          <div>Cheers,</div>
          <div>-bryan</div>
          <div><br>
          </div>
          <div class="gmail_extra"><br>
            <br>
            <div class="gmail_quote">On Tue, Aug 20, 2013 at 7:55 AM,
              Jeffrey Walton <span dir="ltr"><<a
                  moz-do-not-send="true"
                  href="mailto:noloader@gmail.com" target="_blank">noloader@gmail.com</a>></span>
              wrote:<br>
              <blockquote class="gmail_quote" style="margin:0 0 0
                .8ex;border-left:1px #ccc solid;padding-left:1ex">Hi
                All,<br>
                <br>
                I've been through the OpenStack APIs, but I don't
                believe I've seen a<br>
                solution to my problem. I'm looking for a method to
                authenticate both<br>
                the user and his/her workstation or device.<br>
                <br>
                In this scenario (or use case), the user would be given
                access to<br>
                low/medium/high value data if on their workstation; but
                only access to<br>
                low value data if on a mobile device.<br>
              </blockquote>
            </div>
          </div>
        </div>
      </blockquote>
      <br>
      FreeIPA provides something along these lines:  Host based access
      control. However, it has to be enforced by the device itself, via
      SSSD.<br>
      <br>
      There is some support for Multifactor Auth in Keystone.   I would
      suggest that the right solution would be to use a combination of
      X509 on the device coupled with a device profile to modify the
      role assignments that are accessible to the token/auth controller.
      We've talked about mechanisms along these lines, but nothing is in
      the blueprints.<br>
    </blockquote>
    <br>
    The more I think about it, the more I think this is the right
    solution.  One thing I was not clear on was whether you were talking
    about access to the Cloud Infrastructure or the VMs themselves.  If
    it is the VMs, then, yes, FreeIPA will serve your needs.<br>
    <br>
    <blockquote cite="mid:52141CA7.6070007@redhat.com" type="cite"> <br>
      <blockquote
cite="mid:CAFpPvXB+e8A9NWLDbRp5w0bwgEBiLEdyb8MaTD6mp5dyT4TLEA@mail.gmail.com"
        type="cite">
        <div dir="ltr">
          <div class="gmail_extra">
            <div class="gmail_quote">
              <blockquote class="gmail_quote" style="margin:0 0 0
                .8ex;border-left:1px #ccc solid;padding-left:1ex"> <br>
                Does OpenStack provide a solution to workstation/device
                provisioning<br>
                and authorizations based on the hardware and data
                sensitivity levels?<br>
                <br>
                Thanks in advance,<br>
                Jeffrey Walton<br>
                <br>
                _______________________________________________<br>
                Openstack-security mailing list<br>
                <a moz-do-not-send="true"
                  href="mailto:Openstack-security@lists.openstack.org"
                  target="_blank">Openstack-security@lists.openstack.org</a><br>
                <a moz-do-not-send="true"
href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-security"
                  target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-security</a><br>
              </blockquote>
            </div>
            <br>
          </div>
        </div>
      </blockquote>
    </blockquote>
    <br>
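The mechanism sketched in the thread, as an added example that is not part of the original messages and not Keystone or FreeIPA code: a token controller that binds a device certificate to the requesting user and then trims the user's role assignments to the data tier the device profile allows (workstation reaches high, mobile only low). The certificate subject is assumed to have already been validated by a TLS terminator; the tier names, device classes and role-to-tier mapping are constructed for the example.<br>

```python
from dataclasses import dataclass

# Ordered sensitivity tiers from the use case: low < medium < high.
TIERS = ("low", "medium", "high")

# Constructed device profiles, keyed by the OU the device certificate was
# enrolled with. A mobile handset is capped at "low" value data.
DEVICE_PROFILES = {
    "managed-workstation": "high",
    "mobile": "low",
}

# Constructed mapping from role name to the highest data tier it grants.
ROLE_SENSITIVITY = {
    "viewer": "low",
    "analyst": "medium",
    "admin": "high",
}


@dataclass(frozen=True)
class DeviceCert:
    """Subject fields of an already-validated X.509 client certificate."""
    common_name: str   # owner the device was enrolled for
    org_unit: str      # device class assigned at enrolment


def device_tier(cert: DeviceCert, user: str) -> str:
    """Return the highest tier this device may reach for this user.

    A certificate enrolled for a different user, or carrying an unknown
    device class, is rejected outright rather than mapped to a default.
    """
    if cert.common_name != user:
        raise PermissionError("device certificate not bound to %s" % user)
    if cert.org_unit not in DEVICE_PROFILES:
        raise PermissionError("unknown device class %r" % cert.org_unit)
    return DEVICE_PROFILES[cert.org_unit]


def effective_roles(user: str, roles, cert: DeviceCert) -> list:
    """Keep only role assignments whose tier the device is allowed to reach."""
    limit = TIERS.index(device_tier(cert, user))
    kept = []
    for role in roles:
        tier = ROLE_SENSITIVITY.get(role)
        # A role with no declared tier is dropped: fail closed.
        if tier is not None and TIERS.index(tier) <= limit:
            kept.append(role)
    return sorted(kept)
```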
  </body>
</html>