[Openstack-operators] [publiccloud-wg][keystone][Horizon] Multi-Factor Auth in OpenStack

Lance Bragstad lbragstad at gmail.com
Fri Feb 9 02:50:16 UTC 2018



On 02/08/2018 03:36 PM, Adrian Turjak wrote:
> Hello fellow Public Cloud operators!
>
> I'm quite sorry I haven't been able to attend the last few public cloud meetings, have been deep in various bits of work, and been very asleep when the meetings normally were.
>
> That said, I have some interesting things some of you might like to play with:
> https://github.com/catalyst-cloud/adjutant-mfa
>
> The above is a collection of plugins for Keystone, Horizon, and Adjutant that help facilitate MFA on an OpenStack cloud. Note that while this is a working solution, it isn't merged or part of anything official upstream, just using the various plugin mechanisms. It uses existing pieces of working logic, and does nothing that isn't able to be migrated from.

Thanks for sharing!

> My plan for the Rocky cycle is to work in Keystone and address the missing pieces I need to get MFA working properly throughout OpenStack in an actually useful way, and I'll provide updates for that once I have the specs ready to submit (am waiting until start of Rocky for that). The good thing is that this current solution for MFA works, and it can be migrated from to the methods I intend to work on for Rocky. The same credential models will be used in Keystone, and I will write tools to take users with TOTP credentials and configure auth rules for them for more official MFA support in Keystone once it is useful.

Are you planning to revive the previous proposal [0]? We should have a
stable/queens branch by EOW, so Rocky development will be here soon. Are
you planning on attending the PTG? It might be valuable to discuss what
you have and how we can integrate it upstream. I thought I remembered the
issue being policy related (where admins were required to update user
secrets and it wasn't necessarily a self-serving API). Now that we're in
a better place with system-scope, we might be able to move the ball
forward a bit regarding your use case.

[0] https://review.openstack.org/#/c/345705/
>
> We will be deploying the above MFA solution in our cloud in the next month, and I'll provide you some updates as to how that goes, but do play with it yourselves, and tell me what you think. The solution does require technical domain knowledge to set up, but the docs in the above repo should hopefully be straightforward; if not, get in touch and I can help.
>
> I hope to have some other useful bits of 'missing public cloud features' updates for you soon too. 
>
> Cheers,
>
> Adrian Turjak

