[keystone][horizon] Integration with GuardianKey
Paulo Angelo
pa at pauloangelo.com
Mon Aug 19 21:25:30 UTC 2019
>
> > > We are trying to integrate OpenStack (Horizon or Keystone) with
> > > GuardianKey. However, we have doubts related to the best way to do this
> > > and the best point in the code for this integration.
> > >
> > >
> > > GuardianKey is a solution to protect systems against authentication
> > > attacks. It uses Machine Learning and analyses the user's behavior,
> > > threat intelligence and psychometrics (or behavioral biometrics). The
> > > protected system (in the concrete case, the OpenStack admin interface) must
> > > send an event via REST to GuardianKey on each login attempt. More
> > > info at https://guardiankey.io.
> > >
> > > The best way to integrate would be to have a hook in the procedure
> > > that processes the user credentials submission in OpenStack (the script
> > > that receives the POST), something such as:
> > >
> > >
> > > if (<POST IN AUTH FORM>) {
> > >     boolean loginFailed = checkLogin();
> > >     GuardianKeyEvent event = createEventForGuardianKey(username, loginFailed);
> > >     boolean GuardianKeyValidation = checkGuardianKeyViaREST(event);
> > >     if (GuardianKeyValidation) {
> > >         // Allow access
> > >     } else {
> > >         // Deny access
> > >     }
> > > }
> > >
> > > Where is the best place to create this integration? Horizon or Keystone?
> > > Is there a way to create a hook for this purpose? Should we create an
> > > extension?
>
> Keystone would be the best place for this. Horizon is only one way a user
> can log in to OpenStack, so hooking into Horizon would not cover your
> attack vector. Keystone has a built-in auditing system specifically for
> this, using CADF notifications to emit events when a user logs in:
>
> https://docs.openstack.org/keystone/latest/admin/event_notifications.html
>
> All you need to do is create a consumer for those notifications.
>
> Colleen
>
Thank you, Colleen, for your message.
These days I spent some time on it to understand the OpenStack events better.
As far as I could see, the authentication event does not have the user login
name or other useful user information, such as e-mail. Is there a way to
retrieve this information using OpenStack resources? Or is the best way to
access the database directly?
Another question: we will need to deny access if GuardianKey identifies a
high attack risk. In this case, is there an easy way to drop a user session
using the Keystone API or resources (and the information in the event)?
Finally, you mentioned a consumer. Is this a consumer for a RabbitMQ queue
or an OpenStack API consumer? In the latter case, is there example code for
this?
Thank you in advance.
Regards,
Paulo Angelo
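The notification consumer Colleen describes, as an added example that is not part of this thread and is not GuardianKey's or Keystone's code. It parses Keystone's CADF `identity.authenticate` notification (the shape shown in the linked event_notifications documentation), resolves the user name through a caller-supplied lookup because, as observed above, the payload carries only the user ID, and asks a risk engine whether to allow the attempt. The risk engine here is a constructed stand-in (failed logins per source address in a sliding window) for the GuardianKey REST call; the sample notifications and the user-ID-to-name table are constructed; `run_listener` shows the oslo.messaging wiring to the RabbitMQ notifications queue and is the only part that needs OpenStack libraries.

```python
"""Keystone CADF ``identity.authenticate`` consumer.  Added example for this
thread, not GuardianKey's or Keystone's code; the risk engine is a constructed
stand-in (failed logins per source address) for the GuardianKey REST check."""

import datetime as dt
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

AUTH_EVENT = "identity.authenticate"


@dataclass
class LoginAttempt:
    user_id: Optional[str]    # CADF initiator.id: the Keystone user ID, not the name
    username: Optional[str]   # absent from the payload; resolved by the caller
    source_ip: Optional[str]  # initiator.host.address
    failed: bool              # payload.outcome != "success"
    event_time: dt.datetime   # payload.eventTime, e.g. 2014-02-14T01:20:47.932842+0000


def parse_auth_notification(notification: dict,
                            resolve_username: Optional[Callable] = None) -> Optional[LoginAttempt]:
    """One oslo.messaging notification -> LoginAttempt, or None if it is not a
    login.  Only the user ID is in the payload, so a resolver (in production a
    GET /v3/users/{id} against Keystone) supplies the login name."""
    if notification.get("event_type") != AUTH_EVENT:
        return None
    payload = notification.get("payload") or {}
    initiator = payload.get("initiator") or {}
    user_id = initiator.get("id")
    username = resolve_username(user_id) if resolve_username and user_id else None
    return LoginAttempt(user_id, username, (initiator.get("host") or {}).get("address"),
                        payload.get("outcome") != "success",
                        dt.datetime.strptime(payload["eventTime"], "%Y-%m-%dT%H:%M:%S.%f%z"))


class FailureWindowRiskEngine:
    """Stand-in for GuardianKey: deny while an address has >= threshold failures in window."""

    def __init__(self, threshold=3, window=dt.timedelta(minutes=10)):
        self.threshold, self.window = threshold, window
        self._failures: Dict[str, deque] = defaultdict(deque)

    def assess(self, attempt: LoginAttempt) -> bool:
        q = self._failures[attempt.source_ip or "unknown"]
        while q and q[0] < attempt.event_time - self.window:  # expire old failures
            q.popleft()
        if attempt.failed:
            q.append(attempt.event_time)
        return len(q) < self.threshold  # True = allow, False = deny


class AuthNotificationEndpoint:
    """oslo.messaging endpoint (one method per priority); Keystone publishes at INFO."""

    def __init__(self, engine: FailureWindowRiskEngine, resolve_username=None):
        self.engine, self.resolve_username = engine, resolve_username
        self.decisions: List[Tuple[LoginAttempt, bool]] = []

    def info(self, ctxt, publisher_id, event_type, payload, metadata):
        self.handle({"event_type": event_type, "payload": payload})  # None acks the message

    def handle(self, notification: dict) -> Optional[bool]:
        attempt = parse_auth_notification(notification, self.resolve_username)
        if attempt is None:
            return None
        allowed = self.engine.assess(attempt)
        self.decisions.append((attempt, allowed))
        return allowed


def run_listener(endpoint: AuthNotificationEndpoint, transport_url: str) -> None:
    """Attach the endpoint to the queue Keystone publishes on (Keystone side: notification_format
    = cadf plus a messaging driver).  Imported lazily so the code above runs without oslo."""
    import oslo_messaging
    from oslo_config import cfg
    transport = oslo_messaging.get_notification_transport(cfg.CONF, url=transport_url)
    listener = oslo_messaging.get_notification_listener(
        transport, [oslo_messaging.Target(topic="notifications")], [endpoint],
        executor="threading")
    listener.start()
    listener.wait()


def _event(user_id: str, address: str, outcome: str, when: str) -> dict:
    """Constructed notification in the shape of the documented CADF example."""
    return {"event_type": AUTH_EVENT, "priority": "INFO", "publisher_id": "identity.host1234",
            "payload": {"action": "authenticate", "outcome": outcome, "eventTime": when,
                        "initiator": {"typeURI": "service/security/account/user", "id": user_id,
                                      "host": {"address": address, "agent": "curl/7.22.0"}}}}


def replay_demo() -> List[Tuple[Optional[str], Optional[str], bool, bool]]:
    """Three failures from one address, a success from it (denied), a success elsewhere (allowed)."""
    uid = "c9f76d3c31e142af9291de2935bde98a"
    endpoint = AuthNotificationEndpoint(FailureWindowRiskEngine(threshold=3), {uid: "alice"}.get)
    for ev in [_event(uid, "198.51.100.7", "failure", "2019-08-19T21:00:01.000000+0000"),
               _event(uid, "198.51.100.7", "failure", "2019-08-19T21:00:09.000000+0000"),
               _event(uid, "198.51.100.7", "failure", "2019-08-19T21:00:20.000000+0000"),
               _event(uid, "198.51.100.7", "success", "2019-08-19T21:01:02.000000+0000"),
               _event(uid, "203.0.113.5", "success", "2019-08-19T21:01:30.000000+0000"),
               {"event_type": "identity.user.created", "payload": {}}]:  # ignored: not a login
        endpoint.handle(ev)
    return [(a.username, a.source_ip, a.failed, ok) for a, ok in endpoint.decisions]
```

One caveat worth keeping in mind with this design: the notification is emitted after Keystone has already answered the authentication request, so a "deny" from the consumer can only be a follow-up action taken through the Keystone API (for example revoking the user's tokens or disabling the user), not an in-line block of the login itself as in the hook sketched at the top of the thread.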