From: Yehuda Sadeh Date: Wed, 4 Apr 2018 21:29:23 +0000 (-0700) Subject: rgw: mfa documentation X-Git-Tag: v13.1.0~343^2~1 X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=0cf3e55c3ce1e85cb2ca094ac5b0f628285d5513;p=ceph.git rgw: mfa documentation Signed-off-by: Yehuda Sadeh --- diff --git a/doc/radosgw/index.rst b/doc/radosgw/index.rst index d4d435e5a832..fa9915c48191 100644 --- a/doc/radosgw/index.rst +++ b/doc/radosgw/index.rst @@ -55,6 +55,7 @@ you may write data with one API and retrieve it with the other. Server-Side Encryption Bucket Policy Dynamic bucket index resharding + Multi factor authentication Sync Modules Data Layout in RADOS troubleshooting diff --git a/doc/radosgw/mfa.rst b/doc/radosgw/mfa.rst new file mode 100644 index 000000000000..6636c3ff214f --- /dev/null +++ b/doc/radosgw/mfa.rst 
@@ -0,0 +1,100 @@ +========================================== +RGW Support for Multifactor Authentication +========================================== + +.. versionadded:: Mimic + +The S3 multifactor authenticatioin (MFA) feature allows +users to require the use of one-time password when removing +objects on certain buckets. The buckets need to be configured +with versioning and MFA enabled which can be done through +the S3 api. + +Time-based one time password tokens can be assigned to a user +through radosgw-admin. Each token has a secret seed, and a serial +id that is assigned to it. Tokens are added to the user, can +be listedm removed, and can also be re-synchronized. + +Multisite +========= + +While the MFA IDs are set on the user's metadata, the +actual MFA one time password configuration resides in the local zone's +osds. Therefore, in a multi-site environment it is adviseable to use +different tokens for different zones. + + +Terminology +============= + +-``TOTP``: Time-based One Time Password + +-``token serial``: a string that represents the ID of a TOTP token + +-``token seed``: the secret seed that is used to calculate the TOTP + +-``totp seconds``: the time resolution that is being used for TOTP generation + +-``totp window``: the number of TOTP tokens that are checked before and after the current token when validating token + +-``totp pin``: the valid value of a TOTP token at a certain time + + +Admin commands +============== + +Create a new MFA TOTP token +------------------------------------ + +:: + + # radosgw-admin mfa create --uid= \ + --totp-serial= \ + --totp-seed= \ + [ --totp-seed-type= ] \ + [ --totp-seconds= ] \ + [ --totp-window= ] + +List MFA TOTP tokens +--------------------- + +:: + + # radosgw-admin mfa list --uid= + + +Show MFA TOTP token +------------------------------------ + +:: + + # radosgw-admin mfa get --uid= --totp-serial= + + +Delete MFA TOTP token +------------------------ + +:: + + # radosgw-admin mfa remove --uid= 
--totp-serial= + + +Check MFA TOTP token +-------------------------------- + +Test a TOTP token pin, needed for validating that TOTP functions correctly. :: + + # radosgw-admin mfa check --uid= --totp-serial= \ + --totp-pin= + + +Re-sync MFA TOTP token +-------------------------------- + +In order to re-sync the TOTP token (in case of time skew). This requires +feeding two consecutive pins: the previous pin, and the current pin. :: + + # radosgw-admin mfa resync --uid= --totp-serial= \ + --totp-pin= --totp=pin= + +
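Review bot: the toctree entry added in the index.rst hunk, `+ Multi factor authentication`, does not match the title the new page gives itself (`RGW Support for Multifactor Authentication`) or the wording used in its body, so the sidebar and the page heading will disagree; use one spelling in both places (`Multifactor Authentication` matches the new file) so the entry reads as the same feature the page describes.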
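Review bot: the resync example in the mfa.rst hunk is wrong as written: `--totp-pin= --totp=pin=` has `=` in place of `-` in the second option, so a reader who copies it gets an unrecognised argument; the sentence above it says two consecutive pins are fed, so the second option should be a repeated `--totp-pin=`. The Terminology bullets (`-``TOTP``: Time-based One Time Password` and the rest) are missing the space after the leading `-` that reST needs to recognise a bullet list, so the six items will render as one run-on paragraph; write them as `- ``TOTP``: ...`. Typos to fix in the same hunk: "authenticatioin", "listedm", "adviseable", and "the use of one-time password" should read "a one-time password". The Multisite paragraph should say plainly what it implies: the TOTP seeds live in the local zone's RADOS storage ("OSDs", not "osds", or better "pools") and are not replicated by multisite sync, so a token created in one zone cannot validate requests served by another; that is the reason for recommending separate tokens per zone. Two practitioner caveats the page should carry: `mfa create` takes the secret seed via `--totp-seed=` on the command line, where it ends up in shell history and is visible in the process list to other local users while the command runs, so the page should warn operators to treat that invocation like any other secret-handling step; and `totp window` widens the set of pins accepted at any instant, so the page should state the default and advise keeping it small. Finally, the introduction says the bucket side is configured "through the S3 api" but never says how the serial and pin reach RGW; S3 clients pass them in the `x-amz-mfa` header as the serial followed by the current code, and a one-line example would let readers tie the `token serial` they create with radosgw-admin to an actual request.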