cloudstack-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Adrian Lewis <adr...@alsiconsulting.co.uk>
Subject RE: [SHOW] Authentication refactoring
Date Tue, 12 Aug 2014 12:12:02 GMT
Hi Rohit,

Not a very constructive email I'm afraid but I too would be very
interested in one-time password authentication for CS. Is anyone that you
know of working on RADIUS auth as this would be a relatively easy way to
integrate a wide number of OTP systems that rely on a secondary auth
challenge for the OTP. This secondary auth mechanism is part of the RADIUS
standard and would cover RSA as well as the system that I'm interested in
implementing (Fortinet's FortiAuthenticator) and many other
enterprise-focussed OTP systems.

Not sure if OTP/2FA would be suitable for API access so a second question
is: Would it be feasible to use different auth backends for the GUI vs the
API? As I understand it, the GUI is simply a 'wrapper' for the API so
perhaps not but I'm sure I'm not alone here in wanting OTP/2FA, perhaps
even at the expense of API access. Contrary to popular belief within the
CS community, not everyone uses the API (shock horror!). Maybe OTP/2FA is
not an issue for API access but I assume it would be a problem for the use
of Puppet/Ansible/Salt etc. Perhaps a source IP ACL so that only specified
IPs can use a standard auth method but all other access mandates OTP/2FA?
Not sure how AWS works with their MFA feature - anyone?

I'm afraid I'm just a (ab)user and couldn't program anything myself - just
curious to see if anyone has any thoughts or existing efforts in this
area?

Cheers,

Adrian

-----Original Message-----
From: Rohit Yadav [mailto:rohit.yadav@shapeblue.com]
Sent: 12 August 2014 11:41
To: dev@cloudstack.apache.org
Subject: Re: [SHOW] Authentication refactoring

>From the user end there is no change, not in UI or any change expected in
clients except one:
Since login and logout are now implemented like your regular api, we don't
allow uses to call login and logout and other such AuthenticatorAPIs
directly like via integration port

Stephen, I'm not sure if we natively support RSA and other things at
present we only have our custom login auth mechanism, signature/key based
auth and a simple SSO (pre-shared key) methods. This refactoring will open
doors for saml, oauth and possibly others.

This is merged on master now, even though I did testing at my end please
let me know if something got broke? From the outside world nothing should
break, i.e. refactoring.

Cheers.

On 12-Aug-2014, at 12:32 pm, Stephen Turner <Stephen.Turner@citrix.com>
wrote:

> Are there any UI changes? Some auth mechanisms might need more than just
username and password (RSA token, for example, or even just "give the 1st,
4th and 5th characters").
>
> --
> Stephen Turner
>
>
> -----Original Message-----
> From: Rohit Yadav [mailto:rohit.yadav@shapeblue.com]
> Sent: 12 August 2014 04:51
> To: dev
> Subject: [SHOW] Authentication refactoring
>
> Hi,
>
> The way we handle login and logout is hardcoded and since there is no
APICommand/BaseCmd implementation the apidoc, apidiscovery and other don't
discover these apis. For supporting SAML as an authentication mechanism,
I've refactored the Auth mechanism as a pluggable service that loads with
api-server artifact and both login and logout are now implemented as a
pseduo BaseCmd classes.
>
> I call them pseudo because their execute() is never called, the
authentication guards in ApiServlet class make sure we call an
authenticate method of such classes. Since, they are tightly coupled with
cloud-server's ApiServlet it only made sense to have the interface
definition and implementation within the same package/artifact as well.
This also solves the apidoc issue for login/logout and saml related auth
apis.
>
> I'll merge them after sometime and continue working on saml stuff. Will
push the code in the branch "auth-refactor" in an hour for review/testing
now. This does not break anything and should not cause any auth related
issues for all existing clients.
>
> Any suggestions, feedback welcome! Refactoring was pretty straight
forward but I'll make sure to write a wiki page on this before merging to
master.
>
> Regards,
> Rohit Yadav
> Software Architect, ShapeBlue
> M. +41 779015219 | rohit.yadav@shapeblue.com
> Blog: bhaisaab.org | Twitter: @_bhaisaab
>
>
>
> Find out more about ShapeBlue and our range of CloudStack related
services
>
> IaaS Cloud Design &
Build<http://shapeblue.com/iaas-cloud-design-and-build//>
> CSForge - rapid IaaS deployment framework<http://shapeblue.com/csforge/>
> CloudStack Consulting<http://shapeblue.com/cloudstack-consultancy/>
> CloudStack Infrastructure
Support<http://shapeblue.com/cloudstack-infrastructure-support/>
> CloudStack Bootcamp Training
Courses<http://shapeblue.com/cloudstack-training/>
>
> This email and any attachments to it may be confidential and are
intended solely for the use of the individual to whom it is addressed. Any
views or opinions expressed are solely those of the author and do not
necessarily represent those of Shape Blue Ltd or related companies. If you
are not the intended recipient of this email, you must neither take any
action based upon its contents, nor copy or show it to anyone. Please
contact the sender if you believe you have received this email in error.
Shape Blue Ltd is a company incorporated in England & Wales. ShapeBlue
Services India LLP is a company incorporated in India and is operated
under license from Shape Blue Ltd. Shape Blue Brasil Consultoria Ltda is a
company incorporated in Brasil and is operated under license from Shape
Blue Ltd. ShapeBlue SA Pty Ltd is a company registered by The Republic of
South Africa and is traded under license from Shape Blue Ltd. ShapeBlue is
a registered trademark.

Regards,
Rohit Yadav
Software Architect, ShapeBlue
M. +41 779015219 | rohit.yadav@shapeblue.com
Blog: bhaisaab.org | Twitter: @_bhaisaab



Find out more about ShapeBlue and our range of CloudStack related services

IaaS Cloud Design &
Build<http://shapeblue.com/iaas-cloud-design-and-build//>
CSForge - rapid IaaS deployment framework<http://shapeblue.com/csforge/>
CloudStack Consulting<http://shapeblue.com/cloudstack-consultancy/>
CloudStack Infrastructure
Support<http://shapeblue.com/cloudstack-infrastructure-support/>
CloudStack Bootcamp Training
Courses<http://shapeblue.com/cloudstack-training/>

This email and any attachments to it may be confidential and are intended
solely for the use of the individual to whom it is addressed. Any views or
opinions expressed are solely those of the author and do not necessarily
represent those of Shape Blue Ltd or related companies. If you are not the
intended recipient of this email, you must neither take any action based
upon its contents, nor copy or show it to anyone. Please contact the
sender if you believe you have received this email in error. Shape Blue
Ltd is a company incorporated in England & Wales. ShapeBlue Services India
LLP is a company incorporated in India and is operated under license from
Shape Blue Ltd. Shape Blue Brasil Consultoria Ltda is a company
incorporated in Brasil and is operated under license from Shape Blue Ltd.
ShapeBlue SA Pty Ltd is a company registered by The Republic of South
Africa and is traded under license from Shape Blue Ltd. ShapeBlue is a
registered trademark.

Mime
View raw message