mirror of
https://github.com/ceph/ceph
synced 2025-01-04 02:02:36 +00:00
rgw: mfa documentation
Signed-off-by: Yehuda Sadeh <yehuda@redhat.com>
This commit is contained in:
parent
9569cc8278
commit
0cf3e55c3c
@ -55,6 +55,7 @@ you may write data with one API and retrieve it with the other.
|
||||
Server-Side Encryption <encryption>
|
||||
Bucket Policy <bucketpolicy>
|
||||
Dynamic bucket index resharding <dynamicresharding>
|
||||
Multi factor authentication <mfa>
|
||||
Sync Modules <sync-modules>
|
||||
Data Layout in RADOS <layout>
|
||||
troubleshooting
|
||||
|
100
doc/radosgw/mfa.rst
Normal file
100
doc/radosgw/mfa.rst
Normal file
@ -0,0 +1,100 @@
|
||||
==========================================
|
||||
RGW Support for Multifactor Authentication
|
||||
==========================================
|
||||
|
||||
.. versionadded:: Mimic
|
||||
|
||||
The S3 multifactor authenticatioin (MFA) feature allows
|
||||
users to require the use of one-time password when removing
|
||||
objects on certain buckets. The buckets need to be configured
|
||||
with versioning and MFA enabled which can be done through
|
||||
the S3 api.
|
||||
|
||||
Time-based one time password tokens can be assigned to a user
|
||||
through radosgw-admin. Each token has a secret seed, and a serial
|
||||
id that is assigned to it. Tokens are added to the user, can
|
||||
be listedm removed, and can also be re-synchronized.
|
||||
|
||||
Multisite
|
||||
=========
|
||||
|
||||
While the MFA IDs are set on the user's metadata, the
|
||||
actual MFA one time password configuration resides in the local zone's
|
||||
osds. Therefore, in a multi-site environment it is adviseable to use
|
||||
different tokens for different zones.
|
||||
|
||||
|
||||
Terminology
|
||||
=============
|
||||
|
||||
-``TOTP``: Time-based One Time Password
|
||||
|
||||
-``token serial``: a string that represents the ID of a TOTP token
|
||||
|
||||
-``token seed``: the secret seed that is used to calculate the TOTP
|
||||
|
||||
-``totp seconds``: the time resolution that is being used for TOTP generation
|
||||
|
||||
-``totp window``: the number of TOTP tokens that are checked before and after the current token when validating token
|
||||
|
||||
-``totp pin``: the valid value of a TOTP token at a certain time
|
||||
|
||||
|
||||
Admin commands
|
||||
==============
|
||||
|
||||
Create a new MFA TOTP token
|
||||
------------------------------------
|
||||
|
||||
::
|
||||
|
||||
# radosgw-admin mfa create --uid=<user-id> \
|
||||
--totp-serial=<serial> \
|
||||
--totp-seed=<seed> \
|
||||
[ --totp-seed-type=<hex|base32> ] \
|
||||
[ --totp-seconds=<num-seconds> ] \
|
||||
[ --totp-window=<twindow> ]
|
||||
|
||||
List MFA TOTP tokens
|
||||
---------------------
|
||||
|
||||
::
|
||||
|
||||
# radosgw-admin mfa list --uid=<user-id>
|
||||
|
||||
|
||||
Show MFA TOTP token
|
||||
------------------------------------
|
||||
|
||||
::
|
||||
|
||||
# radosgw-admin mfa get --uid=<user-id> --totp-serial=<serial>
|
||||
|
||||
|
||||
Delete MFA TOTP token
|
||||
------------------------
|
||||
|
||||
::
|
||||
|
||||
# radosgw-admin mfa remove --uid=<user-id> --totp-serial=<serial>
|
||||
|
||||
|
||||
Check MFA TOTP token
|
||||
--------------------------------
|
||||
|
||||
Test a TOTP token pin, needed for validating that TOTP functions correctly. ::
|
||||
|
||||
# radosgw-admin mfa check --uid=<user-id> --totp-serial=<serial> \
|
||||
--totp-pin=<pin>
|
||||
|
||||
|
||||
Re-sync MFA TOTP token
|
||||
--------------------------------
|
||||
|
||||
In order to re-sync the TOTP token (in case of time skew). This requires
|
||||
feeding two consecutive pins: the previous pin, and the current pin. ::
|
||||
|
||||
# radosgw-admin mfa resync --uid=<user-id> --totp-serial=<serial> \
|
||||
--totp-pin=<prev-pin> --totp=pin=<current-pin>
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user