[Openstack-security] Authenticating User and Workstation/Device
Adam Young
ayoung at redhat.com
Wed Aug 28 19:09:05 UTC 2013
On 08/20/2013 09:49 PM, Adam Young wrote:
> On 08/20/2013 12:11 PM, Bryan D. Payne wrote:
>> Jeffrey,
>>
>> I'm not aware of something like this that is already in place.
>> However, I am curious about your requirements as this may be
>> something one could put together with existing tools. What type of
>> device level authentication did you have in mind? For example, how
>> would you expect a device to prove its identity to the cloud?
>> Understanding this will guide the discussion and make it easier for
>> others to chime in.
>>
>> Cheers,
>> -bryan
>>
>>
>>
>> On Tue, Aug 20, 2013 at 7:55 AM, Jeffrey Walton <noloader at gmail.com
>> <mailto:noloader at gmail.com>> wrote:
>>
>> Hi All,
>>
>> I've been through the OpenStack APIs, but I don't believe I've seen a
>> solution to my problem. I'm looking for a method to authenticate both
>> the user and his/her workstation or device.
>>
>> In this scenario (or use case), the user would be given access to
>> low/medium/high value data if on their workstation; but only
>> access to
>> low value data if on a mobile device.
>>
>
> FreeIPA provides something along these lines: Host based access
> control. However, it has to be enforced by the device itself, via SSSD.
>
> There is some support for Multifactor Auth in Keystone. I would
> suggest that the right solution would be to use a combination of X509
> on the device coupled with a device profile to modify the role
> assignments that are accessible to the token/auth controller. We've
> talked about mechanisms along these lines, but nothing is in the
> blueprints.
The more I think about it, the more I think this is the right solution.
One thing I was not clear on was whether you were talking about access to
the Cloud Infrastructure or the VMs themselves. If it is the VMs, then,
yes, FreeIPA will serve your needs.
>
>>
>> Does OpenStack provide a solution to workstation/device provisioning
>> and authorizations based on the hardware and data sensitivity levels?
>>
>> Thanks in advance,
>> Jeffrey Walton
>>
>> _______________________________________________
>> Openstack-security mailing list
>> Openstack-security at lists.openstack.org
>> <mailto:Openstack-security at lists.openstack.org>
>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-security
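The approach Adam sketches above (device authenticates with an X.509 client certificate; a device profile derived from it narrows the role assignments the token controller will hand out) can be illustrated with a small policy model. This is an added example, not Keystone or FreeIPA code, and nothing in the thread specifies it. It assumes the TLS layer has already validated the certificate chain and passes the subject fields through, that the subject OU names the device class, and that an enrolment registry binds each device's subject CN to the user it was issued to; the role catalogue, device profiles, registry contents and CA name are all constructed values.

```python
from dataclasses import dataclass
from typing import Iterable, Mapping, Tuple

# Data sensitivity levels from the thread, ordered low < medium < high.
SENSITIVITY = {"low": 0, "medium": 1, "high": 2}

# Constructed catalogue: the sensitivity each role unlocks (assumption).
ROLE_SENSITIVITY = {"viewer": "low", "analyst": "medium", "admin": "high"}

# Constructed device profiles: the OU in the client-certificate subject names
# the device class, and the profile caps the sensitivity that class may reach.
DEVICE_PROFILES = {"workstation": "high", "mobile": "low"}

# Constructed enrolment registry: which device certificates (by subject CN)
# belong to which user, so a device cert cannot be reused by another account.
DEVICE_REGISTRY = {"jwalton": {"ws-001", "phone-007"}}

TRUSTED_DEVICE_CA = "CN=Example Device CA"  # placeholder issuer name


@dataclass(frozen=True)
class ClientCert:
    """Subset of an X.509 client certificate as seen after TLS validation."""
    subject: Mapping[str, str]   # e.g. {"CN": "ws-001", "OU": "workstation"}
    issuer: str
    chain_verified: bool         # set by the TLS layer, never by the client


@dataclass(frozen=True)
class Token:
    user: str
    device: str
    roles: Tuple[str, ...]


def device_profile(cert: ClientCert, user: str) -> str:
    """Return the device class for a cert, or raise if it cannot be trusted."""
    if not cert.chain_verified or cert.issuer != TRUSTED_DEVICE_CA:
        raise PermissionError("client certificate not issued by the device CA")
    cn = cert.subject.get("CN")
    if cn not in DEVICE_REGISTRY.get(user, set()):
        raise PermissionError(f"device {cn!r} is not enrolled to user {user!r}")
    ou = cert.subject.get("OU")
    if ou not in DEVICE_PROFILES:
        raise PermissionError(f"unknown device class {ou!r}")
    return ou


def filter_roles(assigned: Iterable[str], ceiling: str) -> Tuple[str, ...]:
    """Keep only the roles whose sensitivity does not exceed the ceiling."""
    limit = SENSITIVITY[ceiling]
    return tuple(sorted(
        r for r in assigned if SENSITIVITY[ROLE_SENSITIVITY[r]] <= limit
    ))


def issue_token(user: str, assigned_roles: Iterable[str], cert: ClientCert) -> Token:
    """Bind user, device and the narrowed role set into one token."""
    profile = device_profile(cert, user)
    roles = filter_roles(assigned_roles, DEVICE_PROFILES[profile])
    return Token(user=user, device=cert.subject["CN"], roles=roles)


if __name__ == "__main__":
    ws = ClientCert({"CN": "ws-001", "OU": "workstation"}, TRUSTED_DEVICE_CA, True)
    phone = ClientCert({"CN": "phone-007", "OU": "mobile"}, TRUSTED_DEVICE_CA, True)
    granted = ["viewer", "analyst", "admin"]
    print(issue_token("jwalton", granted, ws).roles)     # all three roles
    print(issue_token("jwalton", granted, phone).roles)  # ('viewer',)
```

The same user with the same role assignments ends up with a different effective role set depending on which enrolled device presented the certificate, which is the "device profile modifies the role assignments" idea. The registry check is the part that makes this two-factor in substance: the device cert alone proves nothing about the user unless it was enrolled to that user, and the user credential alone never reaches the high-sensitivity roles from a mobile profile.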