Awesome reading Adrian!

This is really important stuff for the public cloud side of things, and much appreciated! Are you planning to come to the PTG in Dublin?


On 2018-02-08 22:36, Adrian Turjak wrote:
Hello fellow Public Cloud operators!

I'm quite sorry I haven't been able to attend the last few public cloud 
meetings, have been deep in various bits of work, and been very asleep when the 
meetings normally were.

That said, I have some interesting things some of you might like to play with:

The above is a collection of plugins for Keystone, Horizon, and Adjutant that 
help facilitate MFA on an OpenStack cloud. Note that while this is a working 
solution, it isn't merged or part of anything official upstream, just using the 
various plugin mechanisms. It uses existing pieces of working logic, and does 
nothing that isn't able to be migrated from.

My plan for the Rocky cycle is to work in Keystone and address the missing 
pieces I need to get MFA working properly throughout OpenStack in an actually 
useful way, and I'll provide updates for that once I have the specs ready to 
submit (am waiting until start of Rocky for that). The good thing is that this 
current solution for MFA works, and it can be migrated from to the methods I 
intend to work on for Rocky. The same credential models will be used in 
Keystone, and I will write tools to take users with TOTP credentials and 
configure auth rules for them for more official MFA support in Keystone once it 
is useful.

We will be deploying the above MFA solution in our cloud in the next month, and 
I'll provide you some updates as to how that goes, but do play with it 
yourselves, and tell me what you think. The solution does require technical 
domain knowledge to set up, but the docs in the above repo should hopefully be 
straightforward; if not, get in touch and I can help.

I hope to have some other useful bits of 'missing public cloud features' 
updates for you soon too.


Adrian Turjak

