Ask Your Question
1

Implement OTP in Keystone -- How-To

asked 2014-12-06 06:25:03 -0600

New-stack gravatar image

updated 2014-12-06 07:34:30 -0600

hi people, i want implement in my test environment (juno) the 2FA with OTP

How to i add a plugin for keystone to do this?

Can i find a working plugin somewhere?

Thank's all

edit retag flag offensive close merge delete
add a comment

2 answers

Sort by ยป oldest newest most voted
0

answered 2018-04-30 14:08:47 -0600

ouss gravatar image

but how can i INTEGRATE 2 authentication factors, in openstack using RCDevs Security Solutions?

edit flag offensive delete link more

Comments

not by digging up a 4 year old question anyway

rduncan-t gravatar imagerduncan-t ( 2018-05-02 06:33:05 -0600 )edit
add a comment
0

answered 2014-12-07 18:45:49 -0600

Haneef Ali gravatar image

updated 2014-12-10 14:55:19 -0600

You can refer to https://ask.openstack.org/en/question...

Keystone is in the process of finalizing OTP. Most probably it will be available in kilo release ( next release)

https://review.openstack.org/#/c/130376/

Update 1:

None of the services require any change. All the services operate on token and the roles assoicated with token. As long as you pass a valid token to the service, it will work. It doesn't matter how you got the token.

Pluggin is just an implementation of a interface. Look at Pasword auth at https://github.com/openstack/keystone... . Similarly you need to add one more class say OTPAuth and override the authenticate method to validate the OTP.

Next step is to register your class in the configuration file. Check the following line: https://github.com/openstack/keystone...

Similarly you need to register your OTP class there

edit flag offensive delete link more

Comments

Can you tell me more about the implementation process please? I need to verify that the endpoint are v3 and not v2, after i should add a plugin...but this plugin, how can i add in my environment and what it should do? and...

New-stack gravatar imageNew-stack ( 2014-12-08 05:57:34 -0600 )edit

... The request in Horizon to authenticate with name/password and otp value, is it implemented in this plugin?

thanks

New-stack gravatar imageNew-stack ( 2014-12-08 05:58:05 -0600 )edit

The pluggin should be in keystone. We currently have pluggins for password, saml, oath authentication. Similarly you need to add one for OTP. Check this out https://github.com/openstack/keystone...

Haneef Ali gravatar imageHaneef Ali ( 2014-12-08 10:41:52 -0600 )edit

Thanks Haneef Ali,

i not have experience about the plugin writing but this isn't a problem: for me this is a new challenge.

Please,and i underline please: Can you illustrate me how to implement a plugin? Which are knowledge required (except python) to do a simple (t)otp plugin?

New-stack gravatar imageNew-stack ( 2014-12-10 05:09:14 -0600 )edit

I suppose that this implementation is needed to public endpoint but for the other? I think that also all service like glance, neutron need of a otp...but this may be a complication (i want to do this, to my thesis and my knowledge)

What's you think about?

Thanks for your support

New-stack gravatar imageNew-stack ( 2014-12-10 05:09:47 -0600 )edit
see more comments

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Get to know Ask OpenStack

Resources for moderators

Question Tools

1 follower

subscribe to rss feed

Stats

Asked: 2014-12-06 06:25:03 -0600

Seen: 1,194 times

Last updated: Apr 30 '18

Related questions

How do I send api requests to my guest os from my host?

Keystone: As the demo user, request an authentication token error

Why does keystone not authenticate my neutron server? [closed]

DomainNotFound: Could not find domain: default

keystone problems : An unexpected error prevented the server from fulfilling your request. (HTTP 500)

Ceilometer central agent failing

The request you have made requires authentication. (HTTP 401) [closed]

How to use multiple ldap url in keystone.conf for HA

keystone HTTP 500 error

How to change default database in keystone?