CloudStack Authentication Methods – Harikrishna Patnala, ShapeBlue
- 2. About me
– Harikrishna Patnala from Hyderabad, India
– Software Development Engineer at ShapeBlue
– Apache CloudStack committer and PMC member
– Born and brought up in CloudStack
– Previously worked at Accelerite and Citrix
#CSIUG2024 / CloudStack India User Group Meetup / Feb 23rd, 2024 / Hyderabad
- 5. LocalAuthentication
– User’s password stored in DB
– Encrypted
– Can be hack-replaced with another user’s password (reset to a known value)
– Comes as default
#CSIUG2024 / CloudStack India User Group Meetup / Feb 23rd, 2024 / Hyderabad
- 7. LDAPAuthentication
– Global LDAP config
– Per-domain LDAP config
– 3 different ways of configuration
– Manual import
– Auto import
– Auto sync
#CSIUG2024 / CloudStack India User Group Meetup / Feb 23rd, 2024 / Hyderabad
- 8. SAML/SSOAuthentication
– Requires enabling of the SAML 2.0 service provider plugin in CloudStack
– Requires that admin enables each user for the SAML SSO login
– SAML authentication plugin finds user accounts whose username match the
username attribute value returned by the SAML authentication response
– Tested with Shibboleth 2.4, SSOCircle, Microsoft ADFS, OneLogin, Feide OpenIDP,
PingIdentity
– Takes some effort to configure
#CSIUG2024 / CloudStack India User Group Meetup / Feb 23rd, 2024 / Hyderabad
- 10. OAuth2Authentication
– Require enabling the OAuth2 plugin in CloudStack
– Currently supports Google and GitHub
– OAuth2 plugin finds user accounts whose email match the email attribute value
returned by the OAuth2 service provider
– Available from CloudStack 4.19.0.0
– Pretty easy to configure
#CSIUG2024 / CloudStack India User Group Meetup / Feb 23rd, 2024 / Hyderabad
- 12. OAuth2 configuration
#CSIUG2024 / CloudStack India User Group Meetup / Feb 23rd, 2024 / Hyderabad
– Disabled by default
– Once enabled, new "OAuth configuration" available under the
"Configuration" menu
– Needs configuration on the provider's side (Google or GitHub)
– Provider generates ID, secret – and this is added to CloudStack, under
“Oauth configuration” menu
- 13. OAuth2 configuration
#CSIUG2024 / CloudStack India User Group Meetup / Feb 23rd, 2024 / Hyderabad
– Needs a user with matching email created previously inside ACS
– User can still use local authentication
(with password)
– Redirect URL in the form of “http://mycloud.com:8080/?verifyOauth”
- 15. Why 2FA ?
#CSIUG2024 / CloudStack India User Group Meetup / Feb 23rd, 2024 / Hyderabad
Ø Additional layer of security
Ø Prevents man-in-the-middle attack
Ø
Ø Prevents attacker access if they have your password
Ø Prevents hijacking an account
- 16. 2FA configuration
– Introduced in ACS 4.18.0.0
– Disabled by default, needs to be enabled
– Optional (i.e. not mandatory), by default
– Can be set to mandatory, optionally
#CSIUG2024 / CloudStack India User Group Meetup / Feb 23rd, 2024 / Hyderabad
- 17. 2FA configuration
#CSIUG2024 / CloudStack India User Group Meetup / Feb 23rd, 2024 / Hyderabad
– TOTP or static pin
– TOTP: Google/other Authenticator
– Static PIN – not a real 2FA !
– (stored in ACS database)
– Can be disabled/enabled per domain
– “Issuer” (visible inside theTOTP app) can
be configured per domain
- 18. Q &A
#CSIUG2024 / CloudStack India User Group Meetup / Feb 23rd, 2024 / Hyderabad