Horizon added time-based one-time password (TOTP) authentication support, leveraging the already existing two factor authentication from Keystone. Now, if a user activates TOTP on Keystone, it gets activated on Horizon too.
This specific feature request was a demand from Infomaniak’s public cloud customers. They wanted the feature to have TOTP in Horizon, as they were feeling rightly that this would improve security. If a user on an OpenStack cloud gets their password compromised (stolen, laptop hacked, etc), then the TOTP still requires a second device. The TOTP authentication token is usually stored on a phone running Android or IOS (but there is also “numberstation” for example, that can run on any Debian-based OS, including the Mobian platform, so it really runs on any phone).
As an OpenStack operator, it is Infomaniak’s policy to always send patches upstream, and never put in production patches that haven’t been merged. Once a patch is merged, it can usually be backported in the unofficial Debian package backports is maintained on http://osbpo.debian.net. This way, there is always a working upgrade path, which is super important.
This feature is a significant contribution to OpenStack Horizon, because if there were a problem on OpenStack, and TOTP was enabled only in Keystone, the user would not be able to connect to Horizon. This would have removed an operator’s access to the web interface to manage the rest of its OpenStack services.
Benjamin Lasseye, site reliability engineer at Infomaniak, started by trying out different mock-ups on April 24, 2023. Once he was happy with the user experience, he went ahead with the feature.The first patchset was sent June 6, and the patch was merged on August 29. It took a surprising long time, because from early June to end of July, the Horizon CI was broken, so there was no way to check if our patch was breaking anything. Thomas wrote to the mailing list to ask what was going on, and the Horizon team was able to reply nicely with a coherent explanation: there was a mixture of JQuery related dependency hell that they had to tackle. In this type of case, one just need to be patient.
Then it took up to 29 patch iterations to get things right. Benjamin was very patient and addressed all the suggestions from the Horizon core team to get to this result.
All this was only possible because there is a proven way to get patches merged in upstream OpenStack that was carefully followed. One must make sure to include in the patch:
- a correct documentation
- a release notes
- some meaningful unit or functional tests
In terms of feature completion, Benjamin has made it easy to activate the OTP feature, which is OFF by default to allow smoother upgrades. After more feedback, it could be implemented in Horizon’s default configuration. There is also still room for more contribution. There could be a feature in Horizon so an admin could activate TOTP for a user using Horizon. Even though anyone could contribute the feature, Infomaniak is not planning to do it, as the automated task is done in their own web interface, using the Keystone API (via the openstacksdk).
To be enable TOTP, here is some guidance and documentation:
- First, OPENSTACK_KEYSTONE_MFA_TOTP_ENABLED=True should be set in the Horizon local_settings.py, and ‘openstack_auth.plugin.totp.TotpPlugin’ should be added to the AUTHENTICATION_PLUGINS in local_settings.py as well. See https://docs.openstack.org/horizon/latest/configuration/settings.html
- Then follow the documentation for the TOTP part in Keystone: https://docs.openstack.org/keystone/latest/admin/auth-totp.html
We welcome the OpenStack operator and developer community to continue the work we have started here to continue to prioritize security for all OpenStack Horizon users!
Thank you to the OpenStack contributors who helped build, review, and merge this feature for OpenStack 2023.2, Bobcat:
- Vishal Manchanda, technical lead from NEC Corporation, India, was very helpful, and wrote many comments in the patch review.
- Radomir Dopieralskim, software engineer from Red Hat in Poland, also helped with reviewing the patch.
- Benjamin Lasseye, SRE at Infomaniak, is the main author of the patch.
- Thomas Goirand, senior OpenStack administrator at Infomaniak and Debian package maintainer of OpenStack since 2011, advised and helped Bejamin getting the patch in a good enough shape so it could be merged.
About Infomaniak:
Infomaniak has been using OpenStack in production since 2014, first providing a VM service, which they still do. Infomaniak operates now a moderately large public cloud cluster (10k physical core, with more than 1PB NVMe Ceph storage, powering about 4k VMs). Infomaniak also offers the best pricing available on the market, running on recent hardware (AMD Epyc and Gen 4 NVMe). Everything is setup and maintained using free software, including a cluster management tool, a billing add-on to Ceilometer, or some Designate tools. All of this, is uploaded to Debian (as Thomas Goirand has been maintaining OpenStack in Debian since 2011). This public cloud service has been running for two years already, and Infomaniak is currently working toward setting-up a 2nd region in their new data center that is about to open for production (hopefully, that done for early 2024), using even more up-to-date hardware (AMD EPYC Genoa, PCI 5, DDR5, etc.).
Learn more about OpenStack Bobcat, the 28th release of OpenStack, that was released on October 4, 2023.
Leave a Reply