horizon/openstack_auth/defaults.py
Benjamin Lasseye cb74c8c08f Add TOTP support
This patch adds support for MFA TOTP on openstack dashboard.
A new configuration variable OPENSTACK_KEYSTONE_MFA_TOTP_ENABLED
was added false by default.
If enabled, users needing TOTP are prompted with a new form.
keystone doc: https://docs.openstack.org/keystone/latest/admin/auth-totp.html
Demonstration video : https://youtu.be/prDJJdFoMpM

Change-Id: I1047102a379c8a900a5e6840096bb671da4fd2ff
Blueprint: #totp-support
Closes-Bug: #2030477
2023-08-18 12:02:25 +00:00

183 lines
7.4 KiB
Python

# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
# NOTE: The following are from Django settings.
# LOGIN_URL
# LOGIN_REDIRECT_URL
# SESSION_ENGINE
# USE_TZ
# WEBROOT is the location relative to Webserver root
# should end with a slash in openstack_dashboard.settings..
WEBROOT = '/'
# TODO(amotoki): What is the right default value in openstack_auth?
LOGIN_ERROR = 'error/'
OPENSTACK_KEYSTONE_URL = "http://localhost/identity/v3"
# TODO(amotoki): The default value in openstack_dashboard is different:
# publicURL. It should be consistent.
OPENSTACK_ENDPOINT_TYPE = 'public'
OPENSTACK_KEYSTONE_ENDPOINT_TYPE = None
OPENSTACK_SSL_NO_VERIFY = False
# TODO(amotoki): Is it correct?
OPENSTACK_SSL_CACERT = True
OPENSTACK_API_VERSIONS = {
'identity': 3,
}
AUTHENTICATION_PLUGINS = ['openstack_auth.plugin.password.PasswordPlugin',
'openstack_auth.plugin.token.TokenPlugin']
# This SESSION_TIMEOUT is a method to supercede the token timeout with a
# shorter horizon session timeout (in seconds). If SESSION_REFRESH is True (the
# default) SESSION_TIMEOUT acts like an idle timeout rather than being a hard
# limit, but will never exceed the token expiry. If your token expires in 60
# minutes, a value of 1800 will log users out after 30 minutes of inactivity,
# or 60 minutes with activity. Setting SESSION_REFRESH to False will make
# SESSION_TIMEOUT act like a hard limit on session times.
SESSION_TIMEOUT = 3600
TOKEN_TIMEOUT_MARGIN = 0
AVAILABLE_REGIONS = []
# For setting the default service region on a per-endpoint basis. Note that the
# default value for this setting is {}, and below is just an example of how it
# should be specified.
# A key of '*' is an optional global default if no other key matches.
# Example:
# DEFAULT_SERVICE_REGIONS = {
# '*': 'RegionOne'
# OPENSTACK_KEYSTONE_URL: 'RegionTwo'
# }
DEFAULT_SERVICE_REGIONS = {}
SECURE_PROXY_ADDR_HEADER = False
# Password will have an expiration date when using keystone v3 and enabling
# the feature.
# This setting allows you to set the number of days that the user will be
# alerted prior to the password expiration.
# Once the password expires keystone will deny the access and users must
# contact an admin to change their password.
PASSWORD_EXPIRES_WARNING_THRESHOLD_DAYS = -1
# Horizon can prompt the user to change their password when it is expired
# or required to be changed on first use. This is enabled by default, but
# can be disabled if not desired.
ALLOW_USERS_CHANGE_EXPIRED_PASSWORD = True
OPENSTACK_KEYSTONE_ADMIN_ROLES = ['admin']
OPENSTACK_KEYSTONE_MULTIDOMAIN_SUPPORT = False
# Set this to True if you want available domains displayed as a dropdown menu
# on the login screen. It is strongly advised NOT to enable this for public
# clouds, as advertising enabled domains to unauthenticated customers
# irresponsibly exposes private information. This should only be used for
# private clouds where the dashboard sits behind a corporate firewall.
OPENSTACK_KEYSTONE_DOMAIN_DROPDOWN = False
# If OPENSTACK_KEYSTONE_DOMAIN_DROPDOWN is enabled, this option can be used to
# set the available domains to choose from. This is a list of pairs whose first
# value is the domain name and the second is the display name.
# Example:
# OPENSTACK_KEYSTONE_DOMAIN_CHOICES = (
# ('Default', 'Default'),
# )
OPENSTACK_KEYSTONE_DOMAIN_CHOICES = ()
OPENSTACK_KEYSTONE_DEFAULT_DOMAIN = 'Default'
# Enables keystone web single-sign-on if set to True.
WEBSSO_ENABLED = False
# Authentication mechanism to be selected as default.
# The value must be a key from WEBSSO_CHOICES.
WEBSSO_INITIAL_CHOICE = 'credentials'
# The list of authentication mechanisms which include keystone
# federation protocols and identity provider/federation protocol
# mapping keys (WEBSSO_IDP_MAPPING). Current supported protocol
# IDs are 'saml2' and 'oidc' which represent SAML 2.0, OpenID
# Connect respectively.
# Do not remove the mandatory credentials mechanism.
# Note: The last two tuples are sample mapping keys to a identity provider
# and federation protocol combination (WEBSSO_IDP_MAPPING).
# Example:
# WEBSSO_CHOICES = (
# ("credentials", _("Keystone Credentials")),
# ("oidc", _("OpenID Connect")),
# ("saml2", _("Security Assertion Markup Language")),
# ("acme_oidc", "ACME - OpenID Connect"),
# ("acme_saml2", "ACME - SAML2"),
# )
WEBSSO_CHOICES = ()
# A dictionary of specific identity provider and federation protocol
# combinations. From the selected authentication mechanism, the value
# will be looked up as keys in the dictionary. If a match is found,
# it will redirect the user to a identity provider and federation protocol
# specific WebSSO endpoint in keystone, otherwise it will use the value
# as the protocol_id when redirecting to the WebSSO by protocol endpoint.
# NOTE: The value is expected to be a tuple formatted as:
# (<idp_id>, <protocol_id>).
# Example:
# WEBSSO_IDP_MAPPING = {
# "acme_oidc": ("acme", "oidc"),
# "acme_saml2": ("acme", "saml2"),
# }
WEBSSO_IDP_MAPPING = {}
# Enables redirection on login to the identity provider defined on
# WEBSSO_DEFAULT_REDIRECT_PROTOCOL and WEBSSO_DEFAULT_REDIRECT_REGION
WEBSSO_DEFAULT_REDIRECT = False
# Specifies the protocol to use for default redirection on login
WEBSSO_DEFAULT_REDIRECT_PROTOCOL = None
# Specifies the region to which the connection will be established on login
WEBSSO_DEFAULT_REDIRECT_REGION = OPENSTACK_KEYSTONE_URL
# Enables redirection on logout to the method specified on the identity
# provider. Once logout the client will be redirected to the address specified
# in this variable.
WEBSSO_DEFAULT_REDIRECT_LOGOUT = None
# If set this URL will be used for web single-sign-on authentication
# instead of OPENSTACK_KEYSTONE_URL. This is needed in the deployment
# scenarios where network segmentation is used per security requirement.
# In this case, the controllers are not reachable from public network.
# Therefore, user's browser will not be able to access OPENSTACK_KEYSTONE_URL
# if it is set to the internal endpoint.
# Example: WEBSSO_KEYSTONE_URL = "http://keystone-public.example.com/v3"
WEBSSO_KEYSTONE_URL = None
# In the case of web single-sign-on authentication when the control plane
# has no outbound connectivity to the external service endpoints set this
# to False. Otherwise the Keystone external endpoint will be used to make
# a token authentication request from Horizon to Keystone which will timeout.
WEBSSO_USE_HTTP_REFERER = True
# The Keystone Provider drop down uses Keystone to Keystone federation
# to switch between Keystone service providers.
# Set display name for Identity Provider (dropdown display name)
KEYSTONE_PROVIDER_IDP_NAME = 'Local Keystone'
# This id is used for only for comparison with the service provider IDs.
# This ID should not match any service provider IDs.
KEYSTONE_PROVIDER_IDP_ID = 'localkeystone'
POLICY_FILES_PATH = ''
POLICY_FILES = {}
POLICY_DIRS = {}
DEFAULT_POLICY_FILES = {}
OPENSTACK_KEYSTONE_MFA_TOTP_ENABLED = False