Remove or modify the keystone 'safelist' password extension?
Closed, Declined · Public

Description

Right now we limit password auth to a limited set of account:IP pairs. That allows us to set up certain service users that can bypass the second OTP auth factor.

We can leave this in place, in which case the workflow would always involve getting an app token using 2FA and only using that token for actual direct API access.

Or we could just remove the safelist extension and allow normal password auth from wherever.

OR we could do some to-be-determined in-between thing.

Event Timeline

Change 841581 had a related patch set uploaded (by Andrew Bogott; author: Andrew Bogott):

[operations/puppet@production] keystone: remove password safelist check from wmtotp auth module

https://gerrit.wikimedia.org/r/841581

Change 841581 abandoned by Andrew Bogott:

[operations/puppet@production] keystone: remove password safelist check from wmtotp auth module

Reason:

I've thought about this more and don't think it's worth the change.

https://gerrit.wikimedia.org/r/841581