This talk is about authentication and authorization in Apache CloudStack – Two-Factor Authentication (2FA) and OAuth2 – and the roles they play in improving both security and the user experience.
With Two-Factor Authentication (2FA), we strengthen the authentication process, mitigate password-related login vulnerabilities, and help meet security standards. On the other side of the authentication spectrum, OAuth2, the industry-standard authorization framework, simplifies the process of granting access to resources. Andrija discusses how this can be used and how it fits into CloudStack.
-----------------------------------------
The CloudStack Collaboration Conference 2023 took place on 23-24th November. The conference, arranged by a group of volunteers from the Apache CloudStack Community, took place in the voco hotel, in Porte de Clichy, Paris. It hosted over 350 attendees, with 47 speakers holding technical talks, user stories, new features and integrations presentations and more.
2. About me, myself and I
• Cloud Architect @ ShapeBlue
• With “my teeth into” IT, Cloud and virtualization for the last 15+ years
• Involved with CloudStack since version 4.0.0-incubating
• Apache CloudStack project committer and PMC member
• Petrol head (dislike Tesla)
• Wannabe drummer
5. Local Authentication
User’s password stored in DB
Encrypted
Can be hack-replaced with another user’s password (reset to a known value)
Comes as default
CloudStack Collaboration Conference 2023 / #CSCollab2023 / 23-24 Nov 2023 / Paris, France
6. LDAP Authentication
Global LDAP config, or
Per-domain LDAP config
3 different ways of configuration
Manual import
Auto import
Auto sync
Takes some effort to configure
7. SAML/SSO Authentication
Requires enabling the SAML 2.0 service provider plugin in CloudStack
Requires that the admin enables each user for SAML SSO login
SAML authentication plugin finds user accounts whose username matches the username attribute value returned by the SAML authentication response
Tested with Shibboleth 2.4, SSOCircle, Microsoft ADFS, OneLogin, Feide OpenIDP, PingIdentity
Takes some effort to configure
8. OAuth2 Authentication
Requires enabling the OAuth2 plugin in CloudStack
Currently supports Google and GitHub
OAuth2 plugin finds user accounts whose email matches the email attribute value returned by the OAuth2 service provider
Pretty easy to configure
11. Why 2FA?
Make end-user’s life more miserable!
12. Why 2FA?
Additional layer of security:
Prevents man-in-the-middle attack
Prevents attacker access if they have your password
Prevents hijacking an account
13. 2FA configuration
Introduced in ACS 4.18.0.0
Disabled by default, needs to be enabled
Optional (i.e. not mandatory) by default
Can be set to mandatory, optionally
14. 2FA configuration
TOTP or static PIN
TOTP: Google/other Authenticator
Static PIN – not a real 2FA? (stored in ACS database)
Can be disabled/enabled per domain
“Issuer” (visible inside the TOTP app) can be configured per domain
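As an added illustration of what the TOTP option on this slide rests on (example code written for this page, not CloudStack's own 2FA provider code): RFC 6238 TOTP generation and verification with a small clock-skew window, the otpauth key URI that carries the per-domain issuer a TOTP app displays, and the static PIN check, which is nothing more than a constant-time string comparison against a value stored in the database. Function names are assumptions; the sample secret is the RFC 4226/6238 reference key, base32-encoded.

```python
import base64
import hmac
import struct
import time
from hashlib import sha1
from typing import Optional
from urllib.parse import quote, urlencode

# Constructed sample: the RFC 4226/6238 reference key "12345678901234567890",
# base32-encoded the way authenticator apps expect it.
SAMPLE_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
TIME_STEP = 30  # seconds per TOTP window
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, timestamp: int, step: int = TIME_STEP, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, timestamp // step, digits)


def decode_b32(secret_b32: str) -> bytes:
    """Authenticator apps often omit base32 padding; restore it before decoding."""
    s = secret_b32.strip().replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def verify_totp(secret_b32: str, submitted: str,
                timestamp: Optional[int] = None, window: int = 1) -> bool:
    """Accept the code for the current step and +/- `window` steps of clock skew.

    compare_digest keeps the comparison constant-time; the window is kept small
    on purpose, since every extra step widens the set of acceptable codes.
    """
    secret = decode_b32(secret_b32)
    now = int(time.time()) if timestamp is None else timestamp
    for skew in range(-window, window + 1):
        if hmac.compare_digest(totp(secret, now + skew * TIME_STEP), submitted):
            return True
    return False


def verify_static_pin(stored_pin: str, submitted: str) -> bool:
    """The static-PIN provider reduces to comparing a stored string: a second
    password rather than a second factor, which is the slide's caveat."""
    return hmac.compare_digest(stored_pin, submitted)


def provisioning_uri(issuer: str, account: str, secret_b32: str) -> str:
    """Key URI that TOTP apps scan; the issuer is what the app shows per domain."""
    label = quote(f"{issuer}:{account}")
    query = urlencode({"secret": secret_b32, "issuer": issuer,
                       "digits": DIGITS, "period": TIME_STEP})
    return f"otpauth://totp/{label}?{query}"


if __name__ == "__main__":
    # "MyCloud-ROOT" and "alice" are hypothetical issuer and account names.
    print(provisioning_uri("MyCloud-ROOT", "alice", SAMPLE_SECRET_B32))
    print("current code:", totp(decode_b32(SAMPLE_SECRET_B32), int(time.time())))
```

Enrolment hands the secret to the app through the provisioning URI; every later login recomputes the code from the stored secret and the clock, so the secret in the database is the thing to protect, and a generous skew window or an unlimited retry count is what turns a six-digit code into a guessable one.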
15. 2FA DB-hacks
Disable 2FA for a user:
UPDATE cloud.user SET
is_user_2fa_enabled=0,
key_for_2fa=NULL,
user_2fa_provider=NULL
WHERE id=xxxxx;
Set static PIN for a user:
UPDATE cloud.user SET
is_user_2fa_enabled=1,
key_for_2fa='123456',
user_2fa_provider='staticpin'
WHERE id=xxxxx;
Disabling 2FA globally does not remove 2FA that is already set for a user
16. 2FA demo
Let’s do it later together with the OAuth2 demo!
18. Why OAuth2?
Available from CloudStack 4.19.0.0
Enables users to authenticate against their own organizations
GitHub and Google currently supported
Others can be added easily
Modern, widely used, secure
19. OAuth2 configuration
Disabled by default
Once enabled, a new "OAuth configuration" entry is available under the "Configuration" menu
Google and GitHub currently supported
Needs configuration on the provider's side (Google or GitHub) – usually only “Name” and "Authorised redirect URIs" (redirect URL of ACS) need to be specified.
Provider generates ID, secret – and this is added to CloudStack, under the “Oauth configuration” menu
20. OAuth2 configuration
Needs a user with matching email created previously inside ACS
User can still use local authentication (with their password)
Redirect URL in the form of “http://mycloud.com:8080/?verifyOauth”
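The round trip that slides 19 and 20 describe, as an added example with both sides of the exchange in one file (example code written for this page, not the CloudStack OAuth2 plugin or any provider's SDK): a mock provider that plays the Google/GitHub role, a relying-party side that starts the login, checks the returned state, redeems the one-time code and then matches the email claim against a local user table, so a login for an email that was never created in ACS is rejected. The client ID and secret, the host name in the redirect URL and the user table are constructed sample values; the redirect URL keeps the `?verifyOauth` form shown on the slide.

```python
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Hypothetical client credentials, as a provider (Google/GitHub) would issue them.
CLIENT_ID = "acs-client-id"
CLIENT_SECRET = "acs-client-secret"
# The ACS redirect URL registered at the provider, in the form the slide shows.
REDIRECT_URI = "http://mycloud.com:8080/?verifyOauth"

# Constructed sample of the local user table; the plugin only matches on email,
# so a user has to exist here before an OAuth2 login can succeed.
LOCAL_USERS = {
    "alice@example.com": {"username": "alice", "domain": "ROOT"},
}


class MockProvider:
    """Stand-in for the identity provider: authorize, token and userinfo endpoints."""

    def __init__(self, client_id, client_secret, redirect_uri):
        self.client_id, self.client_secret, self.redirect_uri = client_id, client_secret, redirect_uri
        self._codes = {}   # authorization code -> email, single use
        self._tokens = {}  # access token -> email

    def authorize(self, client_id, redirect_uri, state, logged_in_email):
        # Providers only redirect to an exactly matching registered URI.
        if client_id != self.client_id or redirect_uri != self.redirect_uri:
            raise ValueError("unknown client_id or redirect_uri mismatch")
        code = secrets.token_urlsafe(16)
        self._codes[code] = logged_in_email
        # REDIRECT_URI already carries "?verifyOauth", so the parameters are appended with "&".
        return redirect_uri + "&" + urlencode({"code": code, "state": state})

    def token(self, client_id, client_secret, code, redirect_uri):
        if (client_id, client_secret, redirect_uri) != (self.client_id, self.client_secret, self.redirect_uri):
            raise ValueError("client authentication failed")
        email = self._codes.pop(code, None)  # pop: a code can be redeemed only once
        if email is None:
            raise ValueError("invalid or already used authorization code")
        token = secrets.token_urlsafe(24)
        self._tokens[token] = email
        return {"access_token": token, "token_type": "bearer"}

    def userinfo(self, access_token):
        return {"email": self._tokens[access_token]}


class OAuthLoginClient:
    """The relying-party side, i.e. what happens around /?verifyOauth in ACS."""

    def __init__(self, provider, users):
        self.provider = provider
        self.users = users
        self._pending_states = set()  # states we issued and have not yet consumed

    def start_login(self):
        state = secrets.token_urlsafe(16)
        self._pending_states.add(state)
        params = {"client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
                  "response_type": "code", "scope": "email", "state": state}
        return "https://provider.example/authorize?" + urlencode(params)

    def handle_callback(self, callback_url):
        q = parse_qs(urlparse(callback_url).query)
        state, code = q.get("state", [None])[0], q.get("code", [None])[0]
        # The state binds the callback to a login this side actually started.
        if state not in self._pending_states:
            raise PermissionError("state mismatch: callback was not started by this session")
        self._pending_states.discard(state)
        tok = self.provider.token(CLIENT_ID, CLIENT_SECRET, code, REDIRECT_URI)
        email = self.provider.userinfo(tok["access_token"])["email"]
        user = self.users.get(email)
        if user is None:
            raise PermissionError(f"no ACS user with email {email}: create the user first")
        return user


def simulate_login(logged_in_email, tamper_state=False):
    """One full round trip; returns the matched local user or the rejection reason."""
    provider = MockProvider(CLIENT_ID, CLIENT_SECRET, REDIRECT_URI)
    client = OAuthLoginClient(provider, LOCAL_USERS)
    auth_url = client.start_login()
    state = parse_qs(urlparse(auth_url).query)["state"][0]
    if tamper_state:
        state = "forged-" + state  # a callback nobody in this session requested
    callback = provider.authorize(CLIENT_ID, REDIRECT_URI, state, logged_in_email)
    try:
        return client.handle_callback(callback)
    except (PermissionError, ValueError) as exc:
        return str(exc)


def code_is_single_use():
    """Redeeming the same authorization code twice must fail at the provider."""
    provider = MockProvider(CLIENT_ID, CLIENT_SECRET, REDIRECT_URI)
    cb = provider.authorize(CLIENT_ID, REDIRECT_URI, "s", "alice@example.com")
    code = parse_qs(urlparse(cb).query)["code"][0]
    provider.token(CLIENT_ID, CLIENT_SECRET, code, REDIRECT_URI)
    try:
        provider.token(CLIENT_ID, CLIENT_SECRET, code, REDIRECT_URI)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(simulate_login("alice@example.com"))
    print(simulate_login("mallory@example.com"))
    print(simulate_login("alice@example.com", tamper_state=True))
```

The two rejections are the ones worth watching in logs: a state mismatch means a callback arrived that this session never initiated, and an unknown-email rejection is the normal outcome for anyone who authenticates at Google or GitHub but has not been created in ACS first, which is exactly why the slide says the user must exist beforehand.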
21. DEMO
Let’s configure GitHub-based OAuth2 and enable 2FA for that user!