cb74c8c08f
This patch adds support for MFA TOTP on openstack dashboard. A new configuration variable OPENSTACK_KEYSTONE_MFA_TOTP_ENABLED was added false by default. If enabled, users needing TOTP are prompted with a new form. keystone doc: https://docs.openstack.org/keystone/latest/admin/auth-totp.html Demonstration video : https://youtu.be/prDJJdFoMpM Change-Id: I1047102a379c8a900a5e6840096bb671da4fd2ff Blueprint: #totp-support Closes-Bug: #2030477
183 lines
7.4 KiB
Python
183 lines
7.4 KiB
Python
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
|
# not use this file except in compliance with the License. You may obtain
|
|
# a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
|
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
|
# License for the specific language governing permissions and limitations
|
|
# under the License.
|
|
|
|
# NOTE: The following are from Django settings.
|
|
# LOGIN_URL
|
|
# LOGIN_REDIRECT_URL
|
|
# SESSION_ENGINE
|
|
# USE_TZ
|
|
|
|
# WEBROOT is the location relative to Webserver root
|
|
# should end with a slash in openstack_dashboard.settings..
|
|
WEBROOT = '/'
|
|
|
|
# TODO(amotoki): What is the right default value in openstack_auth?
|
|
LOGIN_ERROR = 'error/'
|
|
|
|
OPENSTACK_KEYSTONE_URL = "http://localhost/identity/v3"
|
|
|
|
# TODO(amotoki): The default value in openstack_dashboard is different:
|
|
# publicURL. It should be consistent.
|
|
OPENSTACK_ENDPOINT_TYPE = 'public'
|
|
OPENSTACK_KEYSTONE_ENDPOINT_TYPE = None
|
|
OPENSTACK_SSL_NO_VERIFY = False
|
|
# TODO(amotoki): Is it correct?
|
|
OPENSTACK_SSL_CACERT = True
|
|
OPENSTACK_API_VERSIONS = {
|
|
'identity': 3,
|
|
}
|
|
|
|
AUTHENTICATION_PLUGINS = ['openstack_auth.plugin.password.PasswordPlugin',
|
|
'openstack_auth.plugin.token.TokenPlugin']
|
|
|
|
# This SESSION_TIMEOUT is a method to supercede the token timeout with a
|
|
# shorter horizon session timeout (in seconds). If SESSION_REFRESH is True (the
|
|
# default) SESSION_TIMEOUT acts like an idle timeout rather than being a hard
|
|
# limit, but will never exceed the token expiry. If your token expires in 60
|
|
# minutes, a value of 1800 will log users out after 30 minutes of inactivity,
|
|
# or 60 minutes with activity. Setting SESSION_REFRESH to False will make
|
|
# SESSION_TIMEOUT act like a hard limit on session times.
|
|
SESSION_TIMEOUT = 3600
|
|
|
|
TOKEN_TIMEOUT_MARGIN = 0
|
|
AVAILABLE_REGIONS = []
|
|
|
|
# For setting the default service region on a per-endpoint basis. Note that the
|
|
# default value for this setting is {}, and below is just an example of how it
|
|
# should be specified.
|
|
# A key of '*' is an optional global default if no other key matches.
|
|
# Example:
|
|
# DEFAULT_SERVICE_REGIONS = {
|
|
# '*': 'RegionOne'
|
|
# OPENSTACK_KEYSTONE_URL: 'RegionTwo'
|
|
# }
|
|
DEFAULT_SERVICE_REGIONS = {}
|
|
|
|
SECURE_PROXY_ADDR_HEADER = False
|
|
|
|
# Password will have an expiration date when using keystone v3 and enabling
|
|
# the feature.
|
|
# This setting allows you to set the number of days that the user will be
|
|
# alerted prior to the password expiration.
|
|
# Once the password expires keystone will deny the access and users must
|
|
# contact an admin to change their password.
|
|
PASSWORD_EXPIRES_WARNING_THRESHOLD_DAYS = -1
|
|
|
|
# Horizon can prompt the user to change their password when it is expired
|
|
# or required to be changed on first use. This is enabled by default, but
|
|
# can be disabled if not desired.
|
|
ALLOW_USERS_CHANGE_EXPIRED_PASSWORD = True
|
|
|
|
OPENSTACK_KEYSTONE_ADMIN_ROLES = ['admin']
|
|
OPENSTACK_KEYSTONE_MULTIDOMAIN_SUPPORT = False
|
|
# Set this to True if you want available domains displayed as a dropdown menu
|
|
# on the login screen. It is strongly advised NOT to enable this for public
|
|
# clouds, as advertising enabled domains to unauthenticated customers
|
|
# irresponsibly exposes private information. This should only be used for
|
|
# private clouds where the dashboard sits behind a corporate firewall.
|
|
OPENSTACK_KEYSTONE_DOMAIN_DROPDOWN = False
|
|
|
|
# If OPENSTACK_KEYSTONE_DOMAIN_DROPDOWN is enabled, this option can be used to
|
|
# set the available domains to choose from. This is a list of pairs whose first
|
|
# value is the domain name and the second is the display name.
|
|
# Example:
|
|
# OPENSTACK_KEYSTONE_DOMAIN_CHOICES = (
|
|
# ('Default', 'Default'),
|
|
# )
|
|
OPENSTACK_KEYSTONE_DOMAIN_CHOICES = ()
|
|
OPENSTACK_KEYSTONE_DEFAULT_DOMAIN = 'Default'
|
|
|
|
# Enables keystone web single-sign-on if set to True.
|
|
WEBSSO_ENABLED = False
|
|
|
|
# Authentication mechanism to be selected as default.
|
|
# The value must be a key from WEBSSO_CHOICES.
|
|
WEBSSO_INITIAL_CHOICE = 'credentials'
|
|
|
|
# The list of authentication mechanisms which include keystone
|
|
# federation protocols and identity provider/federation protocol
|
|
# mapping keys (WEBSSO_IDP_MAPPING). Current supported protocol
|
|
# IDs are 'saml2' and 'oidc' which represent SAML 2.0, OpenID
|
|
# Connect respectively.
|
|
# Do not remove the mandatory credentials mechanism.
|
|
# Note: The last two tuples are sample mapping keys to a identity provider
|
|
# and federation protocol combination (WEBSSO_IDP_MAPPING).
|
|
# Example:
|
|
# WEBSSO_CHOICES = (
|
|
# ("credentials", _("Keystone Credentials")),
|
|
# ("oidc", _("OpenID Connect")),
|
|
# ("saml2", _("Security Assertion Markup Language")),
|
|
# ("acme_oidc", "ACME - OpenID Connect"),
|
|
# ("acme_saml2", "ACME - SAML2"),
|
|
# )
|
|
WEBSSO_CHOICES = ()
|
|
|
|
# A dictionary of specific identity provider and federation protocol
|
|
# combinations. From the selected authentication mechanism, the value
|
|
# will be looked up as keys in the dictionary. If a match is found,
|
|
# it will redirect the user to a identity provider and federation protocol
|
|
# specific WebSSO endpoint in keystone, otherwise it will use the value
|
|
# as the protocol_id when redirecting to the WebSSO by protocol endpoint.
|
|
# NOTE: The value is expected to be a tuple formatted as:
|
|
# (<idp_id>, <protocol_id>).
|
|
# Example:
|
|
# WEBSSO_IDP_MAPPING = {
|
|
# "acme_oidc": ("acme", "oidc"),
|
|
# "acme_saml2": ("acme", "saml2"),
|
|
# }
|
|
WEBSSO_IDP_MAPPING = {}
|
|
|
|
# Enables redirection on login to the identity provider defined on
|
|
# WEBSSO_DEFAULT_REDIRECT_PROTOCOL and WEBSSO_DEFAULT_REDIRECT_REGION
|
|
WEBSSO_DEFAULT_REDIRECT = False
|
|
|
|
# Specifies the protocol to use for default redirection on login
|
|
WEBSSO_DEFAULT_REDIRECT_PROTOCOL = None
|
|
|
|
# Specifies the region to which the connection will be established on login
|
|
WEBSSO_DEFAULT_REDIRECT_REGION = OPENSTACK_KEYSTONE_URL
|
|
|
|
# Enables redirection on logout to the method specified on the identity
|
|
# provider. Once logout the client will be redirected to the address specified
|
|
# in this variable.
|
|
WEBSSO_DEFAULT_REDIRECT_LOGOUT = None
|
|
|
|
# If set this URL will be used for web single-sign-on authentication
|
|
# instead of OPENSTACK_KEYSTONE_URL. This is needed in the deployment
|
|
# scenarios where network segmentation is used per security requirement.
|
|
# In this case, the controllers are not reachable from public network.
|
|
# Therefore, user's browser will not be able to access OPENSTACK_KEYSTONE_URL
|
|
# if it is set to the internal endpoint.
|
|
# Example: WEBSSO_KEYSTONE_URL = "http://keystone-public.example.com/v3"
|
|
WEBSSO_KEYSTONE_URL = None
|
|
|
|
# In the case of web single-sign-on authentication when the control plane
|
|
# has no outbound connectivity to the external service endpoints set this
|
|
# to False. Otherwise the Keystone external endpoint will be used to make
|
|
# a token authentication request from Horizon to Keystone which will timeout.
|
|
WEBSSO_USE_HTTP_REFERER = True
|
|
|
|
# The Keystone Provider drop down uses Keystone to Keystone federation
|
|
# to switch between Keystone service providers.
|
|
# Set display name for Identity Provider (dropdown display name)
|
|
KEYSTONE_PROVIDER_IDP_NAME = 'Local Keystone'
|
|
# This id is used for only for comparison with the service provider IDs.
|
|
# This ID should not match any service provider IDs.
|
|
KEYSTONE_PROVIDER_IDP_ID = 'localkeystone'
|
|
|
|
POLICY_FILES_PATH = ''
|
|
POLICY_FILES = {}
|
|
POLICY_DIRS = {}
|
|
DEFAULT_POLICY_FILES = {}
|
|
|
|
OPENSTACK_KEYSTONE_MFA_TOTP_ENABLED = False
|