We are trying to integrate OpenStack (Horizon or Keystone) with GuardianKey. However, we have doubts related to the best way to do this and the best point in the code for this integration.
GuardianKey is a solution to protect systems against authentication attacks. It uses Machine Learning and analyses the user's behavior, threat intelligence and psychometrics (or behavioral biometrics). The protected system (in the concrete case, OpenStack admin interface) must send an event via REST to GuardianKey on each login attempt. More info at https://guardiankey.io.
The best way to integrate would be to have a hook in the procedure that processes the user credentials submission in OpenStack (the script that receives the POST), something such as:
    if (<POST IN AUTH FORM>) {
        boolean loginFailed = checkLogin();
        GuardianKeyEvent event = createEventForGuardianKey(username, loginFailed);
        boolean GuardianKeyValidation = checkGuardianKeyViaREST(event);
        if (GuardianKeyValidation) {
            // Allow access
        } else {
            // Deny access
        }
    }
Where is the best place to create this integration? Horizon or Keystone?
Is there a way to create a hook for this purpose? Should we create an extension?
Keystone would be the best place for this. Horizon is only one way a user can log in to OpenStack, so hooking into Horizon would not cover your attack vector. Keystone has a built-in auditing system specifically for this, using CADF notifications to emit events when a user logs in:
https://docs.openstack.org/keystone/latest/admin/event_notifications.html
All you need to do is create a consumer for those notifications.
Colleen
Thank you, Colleen, for your message.
These days, I spent some time on it to better understand the OpenStack events. As far as I could see, the authentication event does not have the user login name and other useful user information, such as e-mail. Is there a way to retrieve this information using the OpenStack resources? Or is the best way to access the database directly?
Another question: We will need to deny access if GuardianKey identifies a high attack risk. In this case, is there an easy way to drop a user session using the Keystone API or resources (and the information in the event)?
Finally, you mentioned the consumer. Is this a consumer for a RabbitMQ queue or an OpenStack API consumer? In the latter case, is there example code for this?
Thank you in advance.
Regards,
Paulo Angelo
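
An added example, not part of the thread and not Keystone or GuardianKey code: a handler for the CADF `identity.authenticate` notification discussed above, written with the method signature that oslo.messaging notification endpoints use. The output field names and the `send` and `resolve_user` callables are hypothetical, and the sample payload is constructed in the shape shown in the Keystone notifications documentation.

```python
AUTH_EVENT = "identity.authenticate"


def to_login_event(payload, resolve_user=None):
    """Flatten a CADF auth payload into a login event (hypothetical field names)."""
    initiator = payload.get("initiator", {})
    host = initiator.get("host", {})
    user_id = initiator.get("id")
    event = {
        "user_id": user_id,
        "login_failed": payload.get("outcome") != "success",
        "client_ip": host.get("address"),
        "user_agent": host.get("agent"),
        "event_time": payload.get("eventTime"),
    }
    # The notification identifies the user by ID only, so a login name or
    # e-mail has to come from a separate lookup (hypothetical callable).
    if resolve_user and user_id:
        event.update(resolve_user(user_id))
    return event


class AuthNotificationEndpoint:
    """Register an instance as an endpoint of an oslo.messaging listener."""

    def __init__(self, send, resolve_user=None):
        self.send = send                  # hypothetical: forwards the event
        self.resolve_user = resolve_user

    def info(self, ctxt, publisher_id, event_type, payload, metadata):
        if event_type != AUTH_EVENT or payload.get("action") != "authenticate":
            return                        # not a login attempt, ignore
        self.send(to_login_event(payload, self.resolve_user))


# Constructed sample payload; every ID and address below is made up.
SAMPLE_PAYLOAD = {
    "typeURI": "http://schemas.dmtf.org/cloud/audit/1.0/event",
    "initiator": {
        "typeURI": "service/security/account/user",
        "host": {"agent": "curl/7.22.0", "address": "203.0.113.7"},
        "id": "example-user-id",
    },
    "eventType": "activity",
    "eventTime": "2024-01-01T12:00:00.000000+0000",
    "action": "authenticate",
    "outcome": "failure",
}

if __name__ == "__main__":
    AuthNotificationEndpoint(print).info(
        {}, "identity.example", AUTH_EVENT, SAMPLE_PAYLOAD, {})
```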