From 0cf3e55c3ce1e85cb2ca094ac5b0f628285d5513 Mon Sep 17 00:00:00 2001 From: Yehuda Sadeh Date: Wed, 4 Apr 2018 14:29:23 -0700 Subject: [PATCH] rgw: mfa documentation Signed-off-by: Yehuda Sadeh --- doc/radosgw/index.rst | 1 + doc/radosgw/mfa.rst | 100 ++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 101 insertions(+) create mode 100644 doc/radosgw/mfa.rst diff --git a/doc/radosgw/index.rst b/doc/radosgw/index.rst index d4d435e5a832b..fa9915c48191b 100644 --- a/doc/radosgw/index.rst +++ b/doc/radosgw/index.rst @@ -55,6 +55,7 @@ you may write data with one API and retrieve it with the other. Server-Side Encryption Bucket Policy Dynamic bucket index resharding + Multi factor authentication Sync Modules Data Layout in RADOS troubleshooting diff --git a/doc/radosgw/mfa.rst b/doc/radosgw/mfa.rst new file mode 100644 index 0000000000000..6636c3ff214fb --- /dev/null +++ b/doc/radosgw/mfa.rst 
@@ -0,0 +1,100 @@ +========================================== +RGW Support for Multifactor Authentication +========================================== + +.. versionadded:: Mimic + +The S3 multifactor authenticatioin (MFA) feature allows +users to require the use of one-time password when removing +objects on certain buckets. The buckets need to be configured +with versioning and MFA enabled which can be done through +the S3 api. + +Time-based one time password tokens can be assigned to a user +through radosgw-admin. Each token has a secret seed, and a serial +id that is assigned to it. Tokens are added to the user, can +be listedm removed, and can also be re-synchronized. + +Multisite +========= + +While the MFA IDs are set on the user's metadata, the +actual MFA one time password configuration resides in the local zone's +osds. Therefore, in a multi-site environment it is adviseable to use +different tokens for different zones. + + +Terminology +============= + +-``TOTP``: Time-based One Time Password + +-``token serial``: a string that represents the ID of a TOTP token + +-``token seed``: the secret seed that is used to calculate the TOTP + +-``totp seconds``: the time resolution that is being used for TOTP generation + +-``totp window``: the number of TOTP tokens that are checked before and after the current token when validating token + +-``totp pin``: the valid value of a TOTP token at a certain time + + +Admin commands +============== + +Create a new MFA TOTP token +------------------------------------ + +:: + + # radosgw-admin mfa create --uid= \ + --totp-serial= \ + --totp-seed= \ + [ --totp-seed-type= ] \ + [ --totp-seconds= ] \ + [ --totp-window= ] + +List MFA TOTP tokens +--------------------- + +:: + + # radosgw-admin mfa list --uid= + + +Show MFA TOTP token +------------------------------------ + +:: + + # radosgw-admin mfa get --uid= --totp-serial= + + +Delete MFA TOTP token +------------------------ + +:: + + # radosgw-admin mfa remove --uid= 
--totp-serial= + + +Check MFA TOTP token +-------------------------------- + +Test a TOTP token pin, needed for validating that TOTP functions correctly. :: + + # radosgw-admin mfa check --uid= --totp-serial= \ + --totp-pin= + + +Re-sync MFA TOTP token +-------------------------------- + +In order to re-sync the TOTP token (in case of time skew). This requires +feeding two consecutive pins: the previous pin, and the current pin. :: + + # radosgw-admin mfa resync --uid= --totp-serial= \ + --totp-pin= --totp=pin= + + -- 2.39.5
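Review bot: the new toctree entry in the doc/radosgw/index.rst hunk is labelled "Multi factor authentication", which does not match the title of the page it points to ("RGW Support for Multifactor Authentication") or the capitalisation of the neighbouring entries ("Server-Side Encryption", "Bucket Policy"); pick one spelling ("Multi-factor authentication" or "Multifactor Authentication") and use it in both places so the sidebar and the page title agree.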
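Review bot: in the doc/radosgw/mfa.rst hunk the resync example is wrong: the second option is written `--totp=pin=` but, per the sentence above it, the command takes two pins and both should be passed as `--totp-pin=` (the command should read `--totp-pin= --totp-pin=`); the terminology bullets are written as `-``TOTP``:` with no space after the hyphen, so reStructuredText will not render them as a list (use `- ``TOTP``: ...`); the option placeholders in every command (`--uid=`, `--totp-serial=`, `--totp-seed=`) are empty as shown, so give each a named placeholder such as `--uid=<user>` so readers know what goes there; and since `mfa create` takes the secret with `--totp-seed=` on the command line, the page should warn that the seed then lands in shell history and is visible to other local users in the process list, so it should be entered on a trusted host and the history entry cleared. Minor wording fixes in the same hunk: "authenticatioin" (authentication), "listedm" (listed,), "adviseable" (advisable), "the use of one-time password" (the use of a one-time password), "S3 api" (S3 API), "osds" (OSDs).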