openstack team mailing list archive
Message #11791
[keystone] Bug 963098 and related blueprint (meeting continuation)
Hi,
I would like to continue the discussion started at today's Keystone meeting
(http://eavesdrop.openstack.org/meetings/openstack-meeting/2012/openstack-meeting.2012-05-15-18.02.html)
about bug 963098 (Keystone isn't acting on consecutive failed logins)
and the related blueprint (Improve keystone security). At the meeting there
were serious concerns about using a middleware, and about the current approach,
an audit & report mechanism that could be done elsewhere.
So after thinking about this again I've got a new approach: acting on
consecutive failed logins might be managed by the identity backend's
authenticate method. This approach would make all the needed work specific
to the backend, and thus a read/write backend will be able to do some
actions that a read-only one won't, e.g. storing login attempts in the user's
extra data, temporarily disabling the user, ... If we look at the current SQL
identity backend, after an authentication failure Keystone just raises
an exception; this approach would replace/extend that by doing the
consecutive-failed-logins handling there.
I still think adding an optional rate-limiting middleware would help a lot.
https://github.com/openstack/keystone/blob/master/keystone/identity/backends/sql.py#L146
https://bugs.launchpad.net/keystone/+bug/963098
https://blueprints.launchpad.net/keystone/+spec/improve-keystone-security
Thanks,
Rafael
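The approach sketched in the message, as an added example that is not Keystone code and is not from the author: a minimal read/write identity backend whose authenticate method counts consecutive failures per user, temporarily disables the account once a threshold is reached, and resets the counter on a successful login or once the lockout has expired. The table layout, the threshold (3 failures), the lockout length (300 seconds), the class and helper names and the injectable clock are all assumptions for the example; a real backend would read the policy from configuration and keep the state in the user's extra data as the message suggests.

```python
"""Added example (not Keystone code): consecutive-failed-login handling
placed inside an identity backend's authenticate(), as proposed on the list.
Policy values, table layout and names below are assumptions."""
import hashlib
import hmac
import os
import sqlite3
import time

MAX_FAILURES = 3        # assumed policy: disable after 3 consecutive failures
LOCKOUT_SECONDS = 300   # assumed policy: keep the account disabled for 5 minutes


class AuthError(Exception):
    """Bad user name or password."""


class AccountLocked(AuthError):
    """Account is temporarily disabled after too many failures."""


def _hash(password, salt):
    # PBKDF2 so a leaked table does not hand out the plaintext passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class SqlIdentity:
    """Tiny read/write backend keeping the failure state next to the user
    (here: two extra columns in an in-memory sqlite table)."""

    def __init__(self, clock=time.time):
        self.clock = clock          # injectable for deterministic tests
        self.db = sqlite3.connect(":memory:")
        self.db.execute(
            "CREATE TABLE user (name TEXT PRIMARY KEY, salt BLOB, pw BLOB,"
            " failed_attempts INTEGER NOT NULL DEFAULT 0,"
            " locked_until REAL NOT NULL DEFAULT 0)")

    def create_user(self, name, password):
        salt = os.urandom(16)
        self.db.execute("INSERT INTO user (name, salt, pw) VALUES (?, ?, ?)",
                        (name, salt, _hash(password, salt)))

    def authenticate(self, name, password):
        row = self.db.execute(
            "SELECT salt, pw, failed_attempts, locked_until FROM user WHERE name = ?",
            (name,)).fetchone()
        if row is None:
            # Unknown user: same error as a wrong password, so the response
            # does not reveal which user names exist.
            raise AuthError("invalid credentials")
        salt, stored, failed, locked_until = row
        now = self.clock()
        if locked_until:
            if locked_until > now:
                raise AccountLocked("account temporarily disabled")
            failed = 0  # lock has expired: start counting afresh
        if hmac.compare_digest(_hash(password, salt), stored):
            self.db.execute(
                "UPDATE user SET failed_attempts = 0, locked_until = 0 WHERE name = ?",
                (name,))
            return {"name": name}
        failed += 1
        until = now + LOCKOUT_SECONDS if failed >= MAX_FAILURES else 0
        self.db.execute(
            "UPDATE user SET failed_attempts = ?, locked_until = ? WHERE name = ?",
            (failed, until, name))
        raise AuthError("invalid credentials")

    def failure_state(self, name):
        """(failed_attempts, locked_until) for a user; useful for audit reports."""
        return self.db.execute(
            "SELECT failed_attempts, locked_until FROM user WHERE name = ?",
            (name,)).fetchone()


def attempt(backend, name, password):
    """Map an authenticate() call to an outcome string for logging/tests."""
    try:
        backend.authenticate(name, password)
        return "ok"
    except AccountLocked:
        return "locked"
    except AuthError:
        return "denied"


if __name__ == "__main__":
    backend = SqlIdentity()
    backend.create_user("alice", "s3cret")  # constructed sample user
    for pw in ["wrong", "wrong", "wrong", "s3cret"]:
        print(pw, "->", attempt(backend, "alice", pw), backend.failure_state("alice"))
```

Because the counter and lock live with the user record, a read-only backend (LDAP without write access, for instance) simply cannot implement this branch and would keep raising on failure as today, which is the backend-specific behaviour the message describes.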