{"id":20572158,"url":"https://github.com/mcaimi/openstack-horizon-2factor-auth","last_synced_at":"2025-04-14T17:10:21.510Z","repository":{"id":69446940,"uuid":"134572328","full_name":"mcaimi/openstack-horizon-2factor-auth","owner":"mcaimi","description":"Two Factor Authentication Plugin for Openstack Horizon","archived":false,"fork":false,"pushed_at":"2020-10-16T13:52:29.000Z","size":46,"stargazers_count":7,"open_issues_count":0,"forks_count":10,"subscribers_count":1,"default_branch":"master","last_synced_at":"2025-03-28T05:41:29.007Z","etag":null,"topics":["authentication","openstack-horizon","totp"],"latest_commit_sha":null,"homepage":null,"language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/mcaimi.png","metadata":{"files":{"readme":"README.rst","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2018-05-23T13:17:26.000Z","updated_at":"2024-12-04T02:49:52.000Z","dependencies_parsed_at":null,"dependency_job_id":"67741176-b86f-4c27-8c84-ff87f4061b25","html_url":"https://github.com/mcaimi/openstack-horizon-2factor-auth","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mcaimi%2Fopenstack-horizon-2factor-auth","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mcaimi%2Fopenstack-horizon-2factor-auth/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mcaimi%2Fopenstack-horizon-2factor-auth/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mcaimi%2Fopenstack-horizon-2fa
ctor-auth/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/mcaimi","download_url":"https://codeload.github.com/mcaimi/openstack-horizon-2factor-auth/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248923764,"owners_count":21183954,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["authentication","openstack-horizon","totp"],"created_at":"2024-11-16T05:18:37.051Z","updated_at":"2025-04-14T17:10:21.504Z","avatar_url":"https://github.com/mcaimi.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"===========================================\nOpenstack Horizon Two Factor Authentication\n===========================================\n\nThis plugin adds a second factor to the Horizon Authentication facility using the \nTOTP protocol.\n\nThis plugin was written for our Openstack Cloud back in 2015 (on Openstack Juno) and then \nmore or less abandoned.\n\nThe codebase was cleaned up and reworked in 2017 as we updated our Openstack installation \nto the Mitaka Release and Newton afterwards.\n\nThe master branch is developed on top of the latest RDO release (currently this is \"Ussuri\").\nThe latest environment makes use of:\n\n- RHEL/CentOS 8.x Branch\n- Python 3.6+\n\nThis version does not depend on external TOTP libraries and is implemented in pure Python: \nit was developed on RedHat's own Openstack distribution but it should work on any Openstack\nHorizon dashboard flavor.\n\nThe plugin is composed of these modules:\n\n- The Authentication Backend 
(2fa_auth_plugin folder)\n- The Horizon Dashboard (2fa_dashboard_plugin folder)\n\nA management script and a library RPM spec are also provided.\n\nHow to install and configure\n============================\n\nThese are the basic installation steps for Openstack Horizon:\n\nFirst you have to build an RPM package from the totp-lib submodule in the git project.\n\nOn CentOS 8, set the default interpreter to the local python3 version:\n\n.. code:: bash\n\n  # alternatives --set python /usr/bin/python3\n\nAnd then build the otp-lib package:\n\n.. code:: bash\n\n  # dnf install -y rpm-build git python-setuptools-wheel python3-setuptools-wheel\n  # mkdir -p ~/rpmbuild/{SRPMS,RPMS,SOURCES,SPECS} \u0026\u0026 cd ~/rpmbuild\n  # git clone https://github.com/mcaimi/python-otp-lib.git python-otp-lib-ussuri\n  # tar cjvf SOURCES/python-otp-lib-ussuri-1.tar.gz python-otp-lib-ussuri\n\nNow, copy the SPEC file from this repo into `~/rpmbuild/SPECS` and build the RPM package:\n\n.. code:: bash\n\n  # rpmbuild -bb SPECS/python-otp-lib-ussuri.spec\n\nInstall prerequisites (totp-lib, python-qrcode)\n-----------------------------------------------\n\nIf you are on a RedHat/CentOS distro, first install the python-qrcode RPM package, then \ninstall the RPM package built in the previous step:\n\n.. code:: bash\n\n  # dnf install -y python3-qrcode python3-qrcode-core\n  # rpm -ivh python-otp-lib-ussuri-1.x86_64.rpm \n\nInstall the TOTP Authentication Backend and Dashboard\n-----------------------------------------------------\n\nOn every Horizon node deployed in your environment, install the new Django\ndashboard. It will show up under the 'Identity' tab:\n\n.. code:: bash \n\n  # cp -rv 2fa_dashboard_plugin/totp /usr/share/openstack-dashboard/openstack_dashboard/dashboards/identity/\n\nNext the actual auth backend must be put in place:\n\n.. 
code:: bash \n  \n  # mkdir -p /usr/share/openstack-dashboard/openstack_dashboard/auth\n  # cp -v 2fa_auth_plugin/* /usr/share/openstack-dashboard/openstack_dashboard/auth/\n\nConfigure Django Settings\n-------------------------\n\nOn all Horizon nodes, edit `/usr/share/openstack-dashboard/openstack_dashboard/settings.py` and\nchange the authentication backend class used by Django by replacing:\n\n.. code:: python\n\n  AUTHENTICATION_BACKENDS = ('openstack_auth.backend.KeystoneBackend',)\n\n\nwith\n\n.. code:: python\n\n  AUTHENTICATION_BACKENDS = ('openstack_dashboard.auth.backend.TwoFactorAuthBackend',)\n\nAlso, make sure that these parameters are set:\n\n.. code:: python\n\n  TOTP_DEBUG = False\n  TOTP_VALIDITY_PERIOD = 30\n\nLastly, set up these parameters in /etc/openstack-dashboard/local_settings:\n\n.. code:: python\n\n  # Send email through an SMTP server\n  EMAIL_BACKEND = 'django.core.mail.backends.smtp.EmailBackend'\n  # Configure these for your outgoing email host\n  EMAIL_HOST = '\u003cyour mail server\u003e'\n  EMAIL_PORT = \u003cyour mail server port\u003e\n  # Activation email\n  ACTIVATION_EMAIL_ADDRESS = \"noreply@cloud-provider.tld\"\n  ACTIVATION_EMAIL_SUBJECT = \"TOTP Activation Message\"\n\nOpenstack Queens and Later:\n---------------------------\n\nSet up the Keystone policies directory if not already done:\n\n.. code:: bash\n\n  # under /etc/keystone/keystone.conf\n  policy_dirs = /etc/keystone/policy.d\n\n  # create directory\n  $ mkdir -p /etc/keystone/policy.d\n\nFix Keystone policies to allow the token owner to update the user on Keystone:\n\n.. 
code:: bash\n\n  # in /etc/openstack-dashboard/keystone_policy.json update the 'identity:update_user' policy to match this:\n\n  \"identity:update_user\": \"rule:admin_required or rule:admin_and_matching_target_user_domain_id or rule:owner\",\n\n  # create a file under /etc/keystone/policy.d called update_user.json and insert these lines inside:\n\n  {\n    \"identity:update_user\": \"rule:admin_required or rule:admin_and_matching_target_user_domain_id or rule:owner\"\n  }\n\nThe policy rule above uses policy.v3cloudsample.json as a base template (see the official Keystone GitHub repo for that).\n\nEnable the newly installed dashboard\n------------------------------------\n\nLastly, enable the dashboard:\n\n.. code:: bash\n\n  # cp -v 2fa_dashboard_plugin/enabled/_3032_identity_totp_panel.py /usr/share/openstack-dashboard/openstack_dashboard/dashboards/enabled/\n  # restorecon -Rv /usr/share/openstack-dashboard\n  # systemctl restart httpd\n\nDisabling a TOTP key for a single user\n--------------------------------------\n\nAs of now there is no easy way for a user to recover a lost token. Admins can, as a workaround, disable a provisioned token on demand.\nThe totp_disable command is provided for the Django management shell:\n\n.. code:: bash\n\n  $ cp totp_disable.py /usr/share/openstack-dashboard/openstack_dashboard/management/commands/\n  $ restorecon -Rv /usr/share/openstack-dashboard\n\nThis allows an admin to disable provisioned TOTP tokens for individual users:\n\n.. 
code:: bash\n\n  $ cd /usr/share/openstack-dashboard\n  \n  # source the keystonerc file for the Openstack Admin user\n  $ source ~/keystonerc-admin\n\n  # get the user ID for a particular user\n  $ openstack user list\n  +----------------------------------+------------+\n  | ID                               | Name       |\n  +----------------------------------+------------+\n  | d0bd9f7c1f104ed3924b283d63d734d7 | admin      |\n  | 21b26a2d0daa49609510d032e22a5202 | glance     |\n  | a38cbd05a4a04a908b62158c6bb0dc1c | cinder     |\n  | 19e1cfbdf4674a7e9f5796a8135f4da4 | nova       |\n  | 3537c768427d46279c265b87bf1c0413 | placement  |\n  | 77c7fd3cef744d719812d285673c26cd | neutron    |\n  | 6b44bed7a49f40adb10e369f75244f5a | swift      |\n  | 03a010c254e54b43b370c7a200d517df | gnocchi    |\n  | 73d010772e694b159d00935255205f25 | ceilometer |\n  | 5e576ec671e541939e8b211f4269fb9c | aodh       |\n  | 96e0e23ca7b7499e982f1773ff0330e1 | demouser   |\n  +----------------------------------+------------+\n\n  # disable the totp feature for user demouser\n  $ ./manage.py totp_disable --user-id 96e0e23ca7b7499e982f1773ff0330e1\n\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmcaimi%2Fopenstack-horizon-2factor-auth","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fmcaimi%2Fopenstack-horizon-2factor-auth","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmcaimi%2Fopenstack-horizon-2factor-auth/lists"}