Ask Your Question
1

Implement OTP in Keystone -- How-To

asked 2014-12-06 06:25:03 -0500

New-stack gravatar image

updated 2014-12-06 07:34:30 -0500

hi people, i want implement in my test environment (juno) the 2FA with OTP

How to i add a plugin for keystone to do this?

Can i find a working plugin somewhere?

Thank's all

edit retag flag offensive close merge delete
add a comment

2 answers

Sort by ยป oldest newest most voted
0

answered 2018-04-30 14:08:47 -0500

ouss gravatar image

but how can i INTEGRATE 2 authentication factors, in openstack using RCDevs Security Solutions?

edit flag offensive delete link more

Comments

not by digging up a 4 year old question anyway

rduncan-t gravatar imagerduncan-t ( 2018-05-02 06:33:05 -0500 )edit
add a comment
0

answered 2014-12-07 18:45:49 -0500

Haneef Ali gravatar image

updated 2014-12-10 14:55:19 -0500

You can refer to https://ask.openstack.org/en/question...

Keystone is in the process of finalizing OTP. Most probably it will be available in kilo release ( next release)

https://review.openstack.org/#/c/130376/

Update 1:

None of the services require any change. All the services operate on token and the roles assoicated with token. As long as you pass a valid token to the service, it will work. It doesn't matter how you got the token.

Pluggin is just an implementation of a interface. Look at Pasword auth at https://github.com/openstack/keystone... . Similarly you need to add one more class say OTPAuth and override the authenticate method to validate the OTP.

Next step is to register your class in the configuration file. Check the following line: https://github.com/openstack/keystone...

Similarly you need to register your OTP class there

edit flag offensive delete link more

Comments

Can you tell me more about the implementation process please? I need to verify that the endpoint are v3 and not v2, after i should add a plugin...but this plugin, how can i add in my environment and what it should do? and...

New-stack gravatar imageNew-stack ( 2014-12-08 05:57:34 -0500 )edit

... The request in Horizon to authenticate with name/password and otp value, is it implemented in this plugin?

thanks

New-stack gravatar imageNew-stack ( 2014-12-08 05:58:05 -0500 )edit

The pluggin should be in keystone. We currently have pluggins for password, saml, oath authentication. Similarly you need to add one for OTP. Check this out https://github.com/openstack/keystone...

Haneef Ali gravatar imageHaneef Ali ( 2014-12-08 10:41:52 -0500 )edit

Thanks Haneef Ali,

i not have experience about the plugin writing but this isn't a problem: for me this is a new challenge.

Please,and i underline please: Can you illustrate me how to implement a plugin? Which are knowledge required (except python) to do a simple (t)otp plugin?

New-stack gravatar imageNew-stack ( 2014-12-10 05:09:14 -0500 )edit

I suppose that this implementation is needed to public endpoint but for the other? I think that also all service like glance, neutron need of a otp...but this may be a complication (i want to do this, to my thesis and my knowledge)

What's you think about?

Thanks for your support

New-stack gravatar imageNew-stack ( 2014-12-10 05:09:47 -0500 )edit
see more comments

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Get to know Ask OpenStack

Resources for moderators

Question Tools

1 follower

subscribe to rss feed

Stats

Asked: 2014-12-06 06:25:03 -0500

Seen: 1,152 times

Last updated: Apr 30 '18

Related questions

ERROR: openstack Authorization Failed: Cannot authenticate without an auth_url

admin user can't log in keystone

How should I authenticate against keystone?

Credentials for keystone and other openstack services

Expecting an auth URL via either --os-auth-url or env[OS_AUTH_URL]

FIDO support in OpenStack

The request you have made requires authentication. (HTTP 401)

Invalid OpenStack Identity credentials

Use Redis for Keystone token persistence driver

Rocky keystone: admin role on project is too permissive