[openstack-dev] [Keystone][Horizon] Additional MFA option: per user ip address rules

Adrian Turjak adriant at catalyst.net.nz
Mon Nov 14 06:34:26 UTC 2016

Hello Keystone Devs,

I've been playing with an interesting idea in regards to the 
authentications plugins in Keystone as I was curious if I could achieve 
per user IP rules for authentication with the existing setup we have.

In short, yes, and here is an example plugin that seems to work:

The idea, allow a user to set a bunch of IP addresses (as CIDR) from 
which they can authenticate. These are user controlled and added as a 
'credential' with type 'CIDR'. The keystone plugin will then simply 
compare the source ip against the credentials setup for that user. It 
does this before actually checking password. It is simple, and it works.

Once you have a token the CIDR rules don't matter as otherwise APIs 
checking for valid tokens might be affected, but I don't think that's an 

One problem is that it will not work for Horizon, as Horizon pollutes 
the source ip with its own, but for service accounts this is fantastic 
as they never need to access horizon. It would be nice to fix this, but 
I'm not sure if there is a good way to do so, other than updating 
Horizon to authenticate entirely in javascript directly to Keystone, 
which would be a huge effort.

An additional problem is that with the current way keystone auth plugins 
work, there is no way to nicely layer and enforce the plugins together. 
So if we wanted to have password + TOTP + CIDR, it would need to be a 
single plugin that combined all three. This is doable, but messy because 
rather than simply defining a combined layering of plugins, you need to 
write new ones all the time. I think we need to better address combining 
auth plugins, but that is a different topic, although one which may need 
to precede any additional auth plugins. I do have some vague ideas 
around this problem, but I'll flesh those out as a spec at some stage I 

The above problem aside, is there any interest in Keystone for a plugin 
such as this?

Provided I find nothing hugely wrong in testing, we will likely use 
something like this in our deployment, although contrary to the plugin 
layering problem, I will probably write a combined custom plugin for 
password+TOTP+CIDR rather than wait for a longer term solution.

I think user authentication limited by per user IP rules is hugely 
powerful, and very useful. Although it does limit Horizon access, it is 
still useful for service accounts which cannot use TOTP, thus allowing a 
MFA-lite option which can be limited to specific ip address ranges. Or 
if you are really paranoid and don't use Horizon, you can do CIDR and 
TOTP for admin accounts (or even run your own local Horizon so it uses 
your ip).

Any thoughts?

Adrian Turjak
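The per-user CIDR check described in the message, as an added example written here rather than the plugin from the post or Keystone's real auth-plugin interface; the credential dict shape, the `authenticate` wrapper and the "no CIDR rules means unrestricted" behaviour are assumptions for this example only.

```python
import ipaddress

# Constructed sample of the user-controlled credentials the post describes:
# entries of type 'CIDR' holding a network in CIDR notation. The dict shape
# is an assumption for this example, not Keystone's credential schema.
SAMPLE_CREDENTIALS = [
    {"type": "CIDR", "blob": "203.0.113.0/24"},
    {"type": "CIDR", "blob": "2001:db8:1::/48"},
    {"type": "CIDR", "blob": "not-a-network"},  # malformed entry: skipped, never a wildcard
    {"type": "ec2", "blob": "unrelated credential type"},
]


def allowed_networks(credentials):
    """Parse every 'CIDR' credential into an ip_network; other types and
    malformed blobs are ignored so a typo cannot widen the allowed range."""
    nets = []
    for cred in credentials:
        if cred.get("type") != "CIDR":
            continue
        try:
            nets.append(ipaddress.ip_network(cred["blob"], strict=False))
        except (KeyError, ValueError):
            continue
    return nets


def source_ip_allowed(credentials, source_ip):
    """True if source_ip lies inside any of the user's CIDR rules.
    Assumption: a user who has set no CIDR rules is unrestricted.
    source_ip must be the address Keystone itself sees on the socket;
    a proxy such as Horizon replaces it with its own (the post's caveat)."""
    nets = allowed_networks(credentials)
    if not nets:
        return True
    try:
        addr = ipaddress.ip_address(source_ip)
    except ValueError:
        return False  # missing or unparseable address fails closed
    # mixed IPv4/IPv6 comparisons are simply False, never an error
    return any(addr in net for net in nets)


def authenticate(credentials, source_ip, password_ok):
    """Ordering from the post: the CIDR rule is evaluated before the
    password is checked at all. password_ok is a callable standing in
    for the real password verification."""
    if not source_ip_allowed(credentials, source_ip):
        return "denied: source address not permitted"
    if not password_ok():
        return "denied: bad password"
    return "ok"
```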
