RGW Support for Multifactor Authentication

New in version Mimic.

The S3 multifactor authentication (MFA) feature allowsusers to require the use of one-time password when removingobjects on certain buckets. The buckets need to be configuredwith versioning and MFA enabled which can be done throughthe S3 api.

Time-based one time password tokens can be assigned to a userthrough radosgw-admin. Each token has a secret seed, and a serialid that is assigned to it. Tokens are added to the user, canbe listedm removed, and can also be re-synchronized.

Multisite

While the MFA IDs are set on the user’s metadata, theactual MFA one time password configuration resides in the local zone’sosds. Therefore, in a multi-site environment it is advisable to usedifferent tokens for different zones.

Terminology

-TOTP: Time-based One Time Password

-token serial: a string that represents the ID of a TOTP token

-token seed: the secret seed that is used to calculate the TOTP

-totp seconds: the time resolution that is being used for TOTP generation

-totp window: the number of TOTP tokens that are checked before and after the current token when validating token

-totp pin: the valid value of a TOTP token at a certain time

Admin commands

Create a new MFA TOTP token

  1. # radosgw-admin mfa create --uid=<user-id> \
  2.                            --totp-serial=<serial> \
  3.                            --totp-seed=<seed> \
  4.                            [ --totp-seed-type=<hex|base32> ] \
  5.                            [ --totp-seconds=<num-seconds> ] \
  6.                            [ --totp-window=<twindow> ]

List MFA TOTP tokens

  1. # radosgw-admin mfa list --uid=<user-id>

Show MFA TOTP token

  1. # radosgw-admin mfa get --uid=<user-id> --totp-serial=<serial>

Delete MFA TOTP token

  1. # radosgw-admin mfa remove --uid=<user-id> --totp-serial=<serial>

Check MFA TOTP token

Test a TOTP token pin, needed for validating that TOTP functions correctly.

  1. # radosgw-admin mfa check --uid=<user-id> --totp-serial=<serial> \
  2.                           --totp-pin=<pin>

Re-sync MFA TOTP token

In order to re-sync the TOTP token (in case of time skew). This requiresfeeding two consecutive pins: the previous pin, and the current pin.

  1. # radosgw-admin mfa resync --uid=<user-id> --totp-serial=<serial> \
  2.                            --totp-pin=<prev-pin> --totp=pin=<current-pin>