> > We are trying to integrate OpenStack (Horizon or Keystone) with
> > GuardianKey. However, we have doubts related to the best way to do this
> > and the best point in the code for this integration.
> >
> >
> > GuardianKey is a solution to protect systems against authentication
> > attacks. It uses Machine Learning and analyses the user's behavior,
> > threat intelligence and psychometrics (or behavioral biometrics). The
> > protected system (in the concrete case, OpenStack admin interface) must
> > send an event via REST to GuardianKey on each login attempt. More
> > info at https://guardiankey.io.
> >
> > The best way to integrate would be to have a hook in the procedure
> > that processes the user credentials submission in OpenStack (the script
> > that receives the POST), something such as:
> >
> >
> > if(<POST IN AUTH FORM>) {
> >   boolean loginFailed =  checkLogin();
> >   GuardianKeyEvent event = createEventForGuardianKey(username,loginFailed);
> >   boolean GuardianKeyValidation = checkGuardianKeyViaREST(event);
> >   if(GuardianKeyValidation){
> >      // Allow access
> >   } else {
> >      // Deny access
> >   }
> > }
> >
> > Where is the best place to create this integration? Horizon or Keystone?
> > Is there a way to create a hook for this purpose? Should we create an
> > extension?

Keystone would be the best place for this. Horizon is only one way a user can log in to OpenStack, so hooking into Horizon would not cover your attack vector. Keystone has a built-in auditing system specifically for this, using CADF notifications to emit events when a user logs in:

https://docs.openstack.org/keystone/latest/admin/event_notifications.html

All you need to do is create a consumer for those notifications.

Colleen

Thank you, Colleen, for your message.

These days, I spent some time on it to better understand the OpenStack events. As far as I could see, the authentication event does not have the user login name and other useful user information, such as e-mail. Is there a way to retrieve this information using the OpenStack resources? Or is the best way to access the database directly?

Another question: We will need to deny access if GuardianKey identifies a high attack risk. In this case, is there an easy way to drop a user session using the Keystone API or resources (and the information in the event)?

Finally, you mentioned the consumer. Is this a consumer for a RabbitMQ queue or an OpenStack API consumer? In the latter case, is there example code for this?

Thank you in advance.

Regards,

Paulo Angelo
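
As an added example (not code from this thread or from either project), here is a sketch of the consumer side for the CADF `identity.authenticate` notification that Keystone emits. The endpoint uses the `info(ctxt, publisher_id, event_type, payload, metadata)` method shape that oslo.messaging notification listeners call. The names `to_login_event`, `AuthEndpoint` and `sink` are hypothetical, the sample payload is constructed, and the listener wiring and the call to the risk service are assumed and not shown.

```python
import json

# Constructed sample, shaped like the identity.authenticate CADF notification
# in the Keystone event-notification docs; all ids and addresses are made up.
SAMPLE = json.loads("""
{"event_type": "identity.authenticate",
 "publisher_id": "identity.host1234",
 "payload": {
   "typeURI": "http://schemas.dmtf.org/cloud/audit/1.0/event",
   "eventType": "activity", "action": "authenticate", "outcome": "failure",
   "eventTime": "2014-02-14T01:20:47.932842+00:00",
   "initiator": {"typeURI": "service/security/account/user",
                 "id": "c9f76d3c31e142af9291de2935bde98a",
                 "host": {"agent": "curl/7.22.0", "address": "192.0.2.10"}},
   "target": {"typeURI": "service/security/account/user", "id": "openstack:1c2f"},
   "observer": {"typeURI": "service/security", "id": "openstack:3d4a"}}}
""")


def to_login_event(event_type, payload):
    """Map a CADF authenticate notification to a flat login event, or None."""
    if event_type != "identity.authenticate" or not isinstance(payload, dict):
        return None
    initiator = payload.get("initiator") or {}
    host = initiator.get("host") or {}
    outcome = payload.get("outcome")
    if not initiator.get("id") or outcome not in ("success", "failure"):
        return None  # malformed or unexpected: drop rather than guess
    return {
        "user_id": initiator["id"],          # Keystone user ID, not a login name
        "login_failed": outcome == "failure",
        "client_ip": host.get("address"),
        "user_agent": host.get("agent"),
        "time": payload.get("eventTime"),
    }


class AuthEndpoint:
    """Endpoint in the shape oslo.messaging notification listeners call."""

    def __init__(self, sink):
        self.sink = sink  # hypothetical callable that forwards to the risk service

    def info(self, ctxt, publisher_id, event_type, payload, metadata):
        event = to_login_event(event_type, payload)
        if event is not None:
            self.sink(event)
```
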