ovh / public-cloud-roadmap

Agile roadmap for OVHcloud Public Cloud services. Discover the features our product teams are working on, comment and influence our backlog.
https://www.ovhcloud.com/en/public-cloud/

2FA With LemonLDAP-NG or Keycloak #63

Open Francewhoa opened 3 years ago

Francewhoa commented 3 years ago

English

English version below. French version below.

Hello all OVH enthusiasts :)

This is a suggestion for the OVH team. About adding Two-Factor Authentication (2FA) on this log-in page at https://horizon.cloud.ovh.net so that both OVH and its clients benefit from stronger security, increased OVH income, and reduced OVH operating cost.

To resolve this challenge, for OVH review for interest and decision, I suggest considering either https://lemonldap-ng.org or https://www.keycloak.org

Both products above have strong security and strong privacy. Because they are open source :) My favorite is LemonLDAP-NG. Because, legally speaking, LemonLDAP-NG is owned and controlled by both you and a not-for-profit community. In comparison, Keycloak is, legally speaking, indirectly owned and controlled by the for-profit IBM.


Below is the same suggestion as above. But with details if you're interested in those.

User Story

As an OVH Public Cloud user, I need Two-Factor Authentication (TFA) on this OVH Public Cloud (OpenStack Horizon) log-in page at https://horizon.cloud.ovh.net so that I benefit from:

Below is the same suggestion as above. But with Details if you're interested in those. Including suggested resolutions.

Assumptions:

Suggested Resolution

Feel really free to choose any TFA option to your liking. The Ubertus team suggests considering the following options. Which are all secure & safe. For OpenStack Horizon Keystone version 3+.

Option 1 : LemonLDAP-NG

Option 2 : Keycloak

Option 3: TOTP

Option 4: MFA

Contribution

If needed, both I and the Ubertus team would be happy to contribute testing & documentation

French

French version below. English version above.

Hello to all OVH enthusiasts :)

This is a suggestion for the OVH team. About adding Two-Factor Authentication (2FA) on this page at https://horizon.cloud.ovh.net so that both OVH and its clients benefit from stronger security, increased OVH revenue, and reduced OVH operating costs.

To resolve this challenge, for the OVH team's consideration and decision, I suggest either https://lemonldap-ng.org or https://www.keycloak.org

Both of these products have strong privacy and strong security. Because they are Free software. My favourite is LemonLDAP-NG. Because, legally speaking, LemonLDAP-NG is owned and controlled by both YOU and a friendly not-for-profit community. In comparison, Keycloak is, legally speaking, indirectly owned and controlled by the for-profit IBM.


Below is the same message as above. But with details. If you are interested in those.

User Story

As an OVH Public Cloud user, I need Two-Factor Authentication (2FA) on this OVH Public Cloud (OpenStack Horizon) log-in page at https://horizon.cloud.ovh.net so that I benefit from:

Below is the same suggestion as above. But with details if this is of interest. Including suggested resolutions.

Assumptions:

Suggested Resolution

Feel free to choose any 2FA of your choice. The Ubertus team suggests considering the following options. Which are free and secure. For OpenStack Horizon Keystone version 3+

Option 1 : LemonLDAP-NG

Benefits with LemonLDAP-NG:

Option 2 : Keycloak

Option 3 : TOTP

Option 4 : MFA

Contribution

If needed, both I and the Ubertus team are interested in contributing tests and documentation
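Option 3 (TOTP) maps onto Keystone v3's own `totp` auth method and its per-user `multi_factor_auth_rules` option. As an added example (not code from this issue, from Ubertus or from OVH), the Python below generates an RFC 6238 code, builds the combined `password` + `totp` token request that Keystone's multi-factor auth expects, and contrasts a rule that accepts a bare password with one that requires both factors; the secret, user name and password are constructed demo values, and the rule check mirrors Keystone's documented "all methods of at least one rule" semantics.

```python
import base64
import hashlib
import hmac
import struct


def totp(secret_b32: str, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1: the six-digit code a Keystone 'totp'
    credential is checked against (Keystone's defaults: 30 s step, 6 digits)."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def keystone_v3_auth_body(user: str, domain_id: str, password: str, passcode: str) -> dict:
    """Body for POST /v3/auth/tokens that presents both the 'password' and the
    'totp' methods in one request, as Keystone's multi-factor auth expects."""
    who = {"name": user, "domain": {"id": domain_id}}
    return {
        "auth": {
            "identity": {
                "methods": ["password", "totp"],
                "password": {"user": {**who, "password": password}},
                "totp": {"user": {**who, "passcode": passcode}},
            }
        }
    }


def mfa_rule_satisfied(rules: list[list[str]], presented: list[str]) -> bool:
    """Mirror of how a Keystone multi_factor_auth_rules user option is read:
    the request passes if every method of at least one rule is present."""
    presented_set = set(presented)
    return any(set(rule) <= presented_set for rule in rules)


# Constructed demo values: the RFC 6238 reference secret (base32 of
# "12345678901234567890") and a fictitious user; nothing here comes from OVH.
DEMO_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
WEAK_RULES = [["password"]]            # password alone is enough: no 2FA
STRONG_RULES = [["password", "totp"]]  # password AND a valid TOTP code required

if __name__ == "__main__":
    code = totp(DEMO_SECRET_B32, 59)   # RFC 6238 vector: "287082"
    print(keystone_v3_auth_body("demo-user", "default", "demo-password", code))
    print(mfa_rule_satisfied(WEAK_RULES, ["password"]), mfa_rule_satisfied(STRONG_RULES, ["password"]))
```

The weak rule is what a password-only Keystone login amounts to; only the strong rule makes a leaked password insufficient on its own.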

mhurtrel commented 3 years ago

Thanks for the very detailed feature request! We need some time to review it and share our position, but for sure we can share that most of this aligns with current midterm projects. My colleagues will complete this answer in the upcoming weeks.

MarcSN311 commented 3 years ago

Are there any updates on this? We are planning to move our entire infrastructure to the cloud, but not having 2FA on OpenStack will rule out OVH.

Brut4lity commented 3 years ago

Answering to this issue for visibility.

Our companies are also waiting for this feature. Critical accounts should always have MFA options.

Francewhoa commented 2 years ago

Hello @mhurtrel & all OVH enthusiasts :)

This is a suggested resolution for the Two-Factor Authentication. For OVH review for interest & decision. I suggest using the free & open source LemonLDAP-NG.

Benefits with LemonLDAP-NG:


English version above. French version below.

Benefits with LemonLDAP-NG:

Francewhoa commented 2 years ago

Good morning @Brut4lity and all :) For those interested in adding Two-Factor Authentication to OVH Public Cloud, I suggest checking your inbox for an email message about this survey at https://survey.ovh.com/index.php/594726 which was sent today by OVH.

This email message is roughly titled:

Now is your opportunity to reply to this email and suggest adding Two-Factor Authentication to OVH Public Cloud, or suggest anything else that meets your present needs.

Francewhoa commented 2 years ago

Hello @Brut4lity, @MarcSN311, @mhurtrel, and all interested in adding 2FA for OVH :)

Today I updated my original post by adding a new option. About Keycloak. Which is for OVH review for interest and decision.

Benefits with Keycloak:

• Free & open source software. This means stronger security & stronger privacy. Because the software code is fully available for all to review and/or contribute to at https://github.com/keycloak/keycloak

• Cost reduction for OVH. Because no license fees to pay to Keycloak.

• The main challenge with Keycloak is that it is owned by RedHat. In turn, RedHat is owned by IBM. And IBM is a for-profit corporation. Legally speaking, this means that Keycloak is indirectly (proxy) CONTROLLED by IBM.

Both products LemonLDAP-NG & Keycloak have strong security and strong privacy. Because they are open source :) My favorite is LemonLDAP-NG. Because, legally speaking, LemonLDAP-NG is owned and controlled by both you and a not-for-profit community. In comparison, Keycloak is, legally speaking, indirectly owned and controlled by the for-profit IBM.

Francewhoa commented 1 year ago

We received this message from OVH. About their Public Cloud services. They may be in the process of implementing the ingredients they need to add Two-Factor Authentication (TFA).


Message

Upgrade of public cloud authentication

Dear public cloud customer,

We'll upgrade public cloud authentication (Openstack Keystone) on the 28th of February between 6 am and 10 am UTC, no data will be altered, but it will be put in read-only for around four hours. Token creation will still work but beware of following the DNS entry auth.cloud.ovh.net without cache to ensure 0 downtimes during the migration.

The following endpoint will be impacted: auth.cloud.ovh.net

Status page of the planned maintenance

No major feature to expect for now except an upgrade to the last stable version of Keystone. It is the biggest requirement to enable identity federation for public cloud in the future.


What is Federated Keystone?

Our understanding and speculation is that this last stable version of Keystone is one of the required ingredients to add Two-Factor Authentication (2FA) to OVH Public Cloud services. In other words, OVH would have one of the essential ingredients to implement 2FA.

This OVH message above does not mean that OVH will add 2FA. It just means that they are maybe in the process of putting together the ingredients to cook 2FA for their Public Cloud services. Does anyone from OVH have more information about this? Status on OVH's progress?

For those not familiar with Keystone, it is a component of OpenStack. Within Keystone is Federated Keystone. Which includes various services for 2FA. OpenStack is what powers OVH Public Cloud. OpenStack is a fully Libre Source (Open Source) software.


Contribute

For those interested to contribute to Federated Keystone, its documentation:

Francewhoa commented 1 year ago

Hello @Brut4lity, @MarcSN311, @mhurtrel, and all interested in adding 2FA for OVH :)

It seems that OVH updated their OpenStack Keystone and connected it with OVH's single sign on. As the OVH Horizon log-in page now has three options to choose from:

  1. OpenStack Keystone
  2. OVHcloud EMEA
  3. OVHcloud World

This screenshot shows those three options

[screenshot of the Horizon log-in page with the three options, 2023-07-17]

Both OVHcloud EMEA and OVHcloud World options include this free and optional TFA.

For those not familiar with OpenStack Keystone, it is a component of OpenStack. Keystone handles the permissions to access all OpenStack components. OpenStack powers OVH's Public Cloud.

Thanks to the OVH team for updating their Keystone :)

The remaining challenge is that, it seems, the OpenStack Keystone option does not have TFA activated by default by OVH. Does anyone know how to activate it, or how to remove it from the options to choose from? I tried the help link. But it presently does not include any information about TFA for the OpenStack Keystone option.