Ask Your Question
1

Implement OTP in Keystone -- How-To

asked 2014-12-06 06:25:03 -0600

New-stack gravatar image

updated 2014-12-06 07:34:30 -0600

hi people, i want implement in my test environment (juno) the 2FA with OTP

How to i add a plugin for keystone to do this?

Can i find a working plugin somewhere?

Thank's all

edit retag flag offensive close merge delete
add a comment

2 answers

Sort by ยป oldest newest most voted
0

answered 2018-04-30 14:08:47 -0600

ouss gravatar image

but how can i INTEGRATE 2 authentication factors, in openstack using RCDevs Security Solutions?

edit flag offensive delete link more

Comments

not by digging up a 4 year old question anyway

rduncan-t gravatar imagerduncan-t ( 2018-05-02 06:33:05 -0600 )edit
add a comment
0

answered 2014-12-07 18:45:49 -0600

Haneef Ali gravatar image

updated 2014-12-10 14:55:19 -0600

You can refer to https://ask.openstack.org/en/question...

Keystone is in the process of finalizing OTP. Most probably it will be available in kilo release ( next release)

https://review.openstack.org/#/c/130376/

Update 1:

None of the services require any change. All the services operate on token and the roles assoicated with token. As long as you pass a valid token to the service, it will work. It doesn't matter how you got the token.

Pluggin is just an implementation of a interface. Look at Pasword auth at https://github.com/openstack/keystone... . Similarly you need to add one more class say OTPAuth and override the authenticate method to validate the OTP.

Next step is to register your class in the configuration file. Check the following line: https://github.com/openstack/keystone...

Similarly you need to register your OTP class there

edit flag offensive delete link more

Comments

Can you tell me more about the implementation process please? I need to verify that the endpoint are v3 and not v2, after i should add a plugin...but this plugin, how can i add in my environment and what it should do? and...

New-stack gravatar imageNew-stack ( 2014-12-08 05:57:34 -0600 )edit

... The request in Horizon to authenticate with name/password and otp value, is it implemented in this plugin?

thanks

New-stack gravatar imageNew-stack ( 2014-12-08 05:58:05 -0600 )edit

The pluggin should be in keystone. We currently have pluggins for password, saml, oath authentication. Similarly you need to add one for OTP. Check this out https://github.com/openstack/keystone...

Haneef Ali gravatar imageHaneef Ali ( 2014-12-08 10:41:52 -0600 )edit

Thanks Haneef Ali,

i not have experience about the plugin writing but this isn't a problem: for me this is a new challenge.

Please,and i underline please: Can you illustrate me how to implement a plugin? Which are knowledge required (except python) to do a simple (t)otp plugin?

New-stack gravatar imageNew-stack ( 2014-12-10 05:09:14 -0600 )edit

I suppose that this implementation is needed to public endpoint but for the other? I think that also all service like glance, neutron need of a otp...but this may be a complication (i want to do this, to my thesis and my knowledge)

What's you think about?

Thanks for your support

New-stack gravatar imageNew-stack ( 2014-12-10 05:09:47 -0600 )edit
see more comments

Get to know Ask OpenStack

Resources for moderators

Question Tools

1 follower

subscribe to rss feed

Stats

Asked: 2014-12-06 06:25:03 -0600

Seen: 1,301 times

Last updated: Apr 30 '18

Related questions

Authorization Failed: Unable to establish connection to h ttp://controller/v2.0/tokens from other computers

FIDO support in OpenStack

In which module does authentication takes place between Keystone and Horizon ?

Keystone stopped working

How to retrieve a list of tenants/projects for user from keystone API

admin_token not working with Identity API v3

Openstack cli authentication saml

Keystone-manage command not found.

Devstack installation failure

Keystone and Nova Users