[openstack-dev] [Keystone][Horizon] Additional MFA option: per user ip address rules
adriant at catalyst.net.nz
Mon Nov 14 06:34:26 UTC 2016
Hello Keystone Devs,
I've been playing with an interesting idea in regards to the
authentications plugins in Keystone as I was curious if I could achieve
per user IP rules for authentication with the existing setup we have.
In short, yes, and here is an example plugin that seems to work:
The idea: allow a user to set a bunch of IP addresses (as CIDR) from
which they can authenticate. These are user-controlled and added as a
'credential' with type 'CIDR'. The Keystone plugin will then simply
compare the source IP against the CIDR credentials set up for that user. It
does this before actually checking the password. It is simple, and it works.
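As an added illustration (not the plugin linked in the post and not Keystone's own code), here is a Python sketch of the check described above. It assumes the CIDR string is kept in the credential blob (a constructed convention) and a hypothetical check_password callback for the rest of the flow; it also handles two cases the post does not discuss, an unparseable rule and IPv4-mapped IPv6 source addresses.

```python
import ipaddress

# Constructed sample credentials in the shape of Keystone credential records
# ('type' and 'blob' are real Keystone fields; keeping the CIDR string in the
# blob is this example's assumption, not a documented convention).
SAMPLE_CREDENTIALS = [
    {"user_id": "svc-backup", "type": "CIDR", "blob": "10.20.30.0/24"},
    {"user_id": "svc-backup", "type": "CIDR", "blob": "2001:db8:1::/48"},
    {"user_id": "svc-backup", "type": "ec2", "blob": "{}"},       # ignored
    {"user_id": "alice", "type": "CIDR", "blob": "10.0.0.0/8x"},  # typo
]


def source_ip_permitted(credentials, user_id, remote_addr):
    """Decide whether user_id may even attempt to log in from remote_addr.

    Users with no CIDR credentials are unrestricted (the rules are opt-in).
    Users with CIDR credentials must match at least one; a rule that does
    not parse matches nothing, so a typo narrows access rather than
    silently lifting the restriction.
    """
    rules = [c["blob"] for c in credentials
             if c["user_id"] == user_id and c["type"] == "CIDR"]
    if not rules:
        return True
    try:
        addr = ipaddress.ip_address(remote_addr)
    except ValueError:
        return False  # unparseable REMOTE_ADDR: fail closed
    # Some servers report IPv4 clients as IPv4-mapped IPv6 (::ffff:a.b.c.d);
    # unmap so an IPv4 rule still matches them.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    for rule in rules:
        try:
            net = ipaddress.ip_network(rule, strict=False)
        except ValueError:
            continue
        if addr in net:  # False across address families, by design
            return True
    return False


def authenticate(credentials, user_id, remote_addr, check_password):
    """Ordering from the post: the CIDR check runs before the password check,
    so check_password is never invoked for a request from a disallowed IP."""
    if not source_ip_permitted(credentials, user_id, remote_addr):
        return False
    return bool(check_password())
```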
Once you have a token the CIDR rules don't matter as otherwise APIs
checking for valid tokens might be affected, but I don't think that's an
One problem is that it will not work for Horizon, as Horizon pollutes
the source IP with its own, but for service accounts this is fantastic
as they never need to access Horizon. It would be nice to fix this, but
I'm not sure if there is a good way to do so, other than updating
which would be a huge effort.
An additional problem is that with the current way keystone auth plugins
work, there is no way to nicely layer and enforce the plugins together.
So if we wanted to have password + TOTP + CIDR, it would need to be a
single plugin that combined all three. This is doable, but messy because
rather than simply defining a combined layering of plugins, you need to
write new ones all the time. I think we need to better address combining
auth plugins, but that is a different topic, although one which may need
to precede any additional auth plugins. I do have some vague ideas
around this problem, but I'll flesh those out as a spec at some stage I
The above problem aside, is there any interest in Keystone for a plugin
such as this?
Provided I find nothing hugely wrong in testing, we will likely use
something like this in our deployment, although contrary to the plugin
layering problem, I will probably write a combined custom plugin for
password+TOTP+CIDR rather than wait for a longer term solution.
I think user authentication limited by per user IP rules is hugely
powerful, and very useful. Although it does limit Horizon access, it is
still useful for service accounts which cannot use TOTP, thus allowing a
MFA-lite option which can be limited to specific IP address ranges. Or
if you are really paranoid and don't use Horizon, you can do CIDR and
TOTP for admin accounts (or even run your own local Horizon so it uses