[Openstack-operators] OpenStack Security and Administrative Users
Mathieu Gagné
mgagne at iweb.com
Thu May 22 19:27:55 UTC 2014
Hi Adam,
On 2014-05-22, 12:07 AM, Adam Young wrote:
> On 05/21/2014 01:49 PM, Mathieu Gagné wrote:
>>
>> - Force ALL users to provide a client certificate if this config is in
>> keystone.conf:
> No. I think that there is no way to say "user cannot authenticate with
> Password" but you could do X509 Client cert authentication via mod_nss
> or mod_ssl, and map that users ID to REMOTE_USER, and use the external
> login. They would have a separate Auth URL,
I'm not looking for password-less authentication using an X.509 client
certificate. I'm more looking for a way to enforce the use of 2-factor
authentication for specific users (especially administrative users).
On a side note, I already disabled the AdminTokenAuthMiddleware
middleware. Although mentioned in the keystone.conf.sample, it is
curiously not mentioned in the OpenStack Security Guide:
# To disable in production (highly
# recommended), remove AdminTokenAuthMiddleware from your
# paste application pipelines
Maybe we should mention it somewhere.
> Note that this kindof implies HTTPD. It might be possible to do this in
> Eventlet, but Python is really poor at doing cryptography, and adding a
> single threaded web server to the mix is probably going to perform poorly.
I'm open to all suggestions to make it work.
> I'd love it if Admin users could use X509 and/or Kerberos across the
> board, but there is not yet support for Kerberos in the clients. That is
> changing soon, though.
2-factor authentication is therefore not possible with the current state
of the keystoneclient. Am I understanding it right?
How can someone apply the OpenStack Security guideline previously
mentioned as of today? Is it even possible? Any alternative?
--
Mathieu
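As an added example (not part of the thread), a small audit script for the AdminTokenAuthMiddleware point above: it parses a keystone-paste.ini and reports every pipeline that still wires in a filter whose factory is keystone.middleware:AdminTokenAuthMiddleware. The embedded ini is a constructed sample modelled on the Icehouse-era layout (filter section admin_token_auth, public_api and admin_api pipelines), not a copy of any real deployment.

```python
"""Audit a keystone-paste.ini for the admin-token middleware in any pipeline."""
import configparser

# Constructed sample modelled on an Icehouse-era keystone-paste.ini; only the
# sections relevant to the check are included.
SAMPLE_PASTE_INI = """
[filter:admin_token_auth]
paste.filter_factory = keystone.middleware:AdminTokenAuthMiddleware.factory

[filter:token_auth]
paste.filter_factory = keystone.middleware:TokenAuthMiddleware.factory

[filter:json_body]
paste.filter_factory = keystone.middleware:JsonBodyMiddleware.factory

[app:public_service]
paste.app_factory = keystone.service:public_app_factory

[app:admin_service]
paste.app_factory = keystone.service:admin_app_factory

[pipeline:public_api]
pipeline = token_auth json_body public_service

[pipeline:admin_api]
pipeline = token_auth admin_token_auth json_body admin_service
"""

ADMIN_TOKEN_FACTORY = "AdminTokenAuthMiddleware"


def find_admin_token_pipelines(ini_text):
    """Return the names of pipelines that still include the admin-token filter.

    The filter is matched by its factory class, not by section name, so a
    renamed [filter:...] section pointing at the same middleware is still found.
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(ini_text)
    admin_filters = {
        section[len("filter:"):]
        for section in cp.sections()
        if section.startswith("filter:")
        and ADMIN_TOKEN_FACTORY in cp.get(section, "paste.filter_factory", fallback="")
    }
    offenders = []
    for section in cp.sections():
        if section.startswith("pipeline:"):
            stages = cp.get(section, "pipeline", fallback="").split()
            if admin_filters.intersection(stages):
                offenders.append(section[len("pipeline:"):])
    return sorted(offenders)


if __name__ == "__main__":
    print("pipelines using admin_token_auth:", find_admin_token_pipelines(SAMPLE_PASTE_INI))
```

Point it at the real file with `open("/etc/keystone/keystone-paste.ini").read()` in place of the sample; an empty result means the middleware is out of every pipeline.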