3 ==========================================
4 RGW Support for Multifactor Authentication
5 ==========================================
7 .. versionadded:: Mimic
The S3 multifactor authentication (MFA) feature allows
users to require the use of a one-time password when removing
objects from certain buckets. The buckets need to be configured
with versioning and MFA enabled, which can be done through
Time-based one-time password (TOTP) tokens can be assigned to a user
through radosgw-admin. Each token has a secret seed and a serial
ID that is assigned to it. Tokens are added to the user, can
be listed and removed, and can also be re-synchronized.
While the MFA token IDs are set in the user's metadata, the
actual TOTP configuration (the seed and its parameters) resides in the local zone's
OSDs, so it is not available to other zones. Therefore, in a multi-site environment it is advisable to use
different tokens for different zones.
- ``TOTP``: Time-based One-Time Password (RFC 6238)

- ``token serial``: a string that represents the ID of a TOTP token

- ``token seed``: the secret seed (the HMAC key) that is used to calculate the TOTP

- ``totp seconds``: the time resolution (step length, in seconds) that is being used for TOTP generation

- ``totp window``: the number of TOTP tokens that are checked before and after the current token when validating a pin

- ``totp pin``: the valid value of a TOTP token at a certain time

A larger ``totp window`` tolerates more clock skew between the token and the gateway,
but it also widens the set of pins that are accepted at any given moment, so keep it small.
Create a new MFA TOTP token
------------------------------------

The seed is the token's secret: generate it randomly and share it only with the
user's authenticator device. ::

  # radosgw-admin mfa create --uid=<user-id> \
                             --totp-serial=<serial> \
                             --totp-seed=<seed> \
                           [ --totp-seed-type=<hex|base32> ] \
                           [ --totp-seconds=<num-seconds> ] \
                           [ --totp-window=<twindow> ]
List MFA TOTP tokens
------------------------------------

::

  # radosgw-admin mfa list --uid=<user-id>
Show MFA TOTP token
------------------------------------

::

  # radosgw-admin mfa get --uid=<user-id> --totp-serial=<serial>
Delete MFA TOTP token
------------------------

::

  # radosgw-admin mfa remove --uid=<user-id> --totp-serial=<serial>
Check MFA TOTP token
--------------------------------

Test a TOTP token pin; this is needed to validate that TOTP functions correctly
for the token (seed, seconds and clock all agree) before relying on it. ::

  # radosgw-admin mfa check --uid=<user-id> --totp-serial=<serial> \
                            --totp-pin=<totp-pin>
Re-sync MFA TOTP token
--------------------------------

To re-sync a TOTP token whose clock has drifted from the gateway's (time skew),
feed it two consecutive pins: the previous pin and the current pin. ::

  # radosgw-admin mfa resync --uid=<user-id> --totp-serial=<serial> \
                             --totp-pin=<prev-pin> --totp-pin=<current-pin>
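The following script is an added illustration, not code from Ceph or RGW, of the
arithmetic behind the terminology above and behind ``mfa check`` and ``mfa resync``:
it decodes a ``--totp-seed`` in either ``--totp-seed-type`` encoding, computes the
pin for a given time step, validates a pin across a ``totp window``, and recovers a
token's clock skew from two consecutive pins. RGW validates pins with its own
implementation (liboath); the 30-second step, 6-digit pin, window of 2 and the
resync search range are assumptions made here for the example, not values stated
on this page. The seed in the test is the RFC 6238 reference seed
(``12345678901234567890``), which is constructed test data, not an operator secret.

```python
"""TOTP arithmetic behind radosgw-admin mfa check / mfa resync (added illustration,
not RGW code). RGW validates pins with liboath; the defaults below are assumptions
for this example, not values taken from the documentation."""
import base64
import hashlib
import hmac
import secrets
import struct
import time

DEFAULT_SECONDS = 30   # assumed --totp-seconds default for this example
DEFAULT_WINDOW = 2     # assumed --totp-window default for this example
DIGITS = 6             # assumed pin length


def decode_seed(seed: str, seed_type: str = "hex") -> bytes:
    """Turn a --totp-seed string into raw HMAC key bytes (--totp-seed-type hex|base32)."""
    if seed_type == "hex":
        return bytes.fromhex(seed)
    if seed_type == "base32":
        # Re-add '=' padding so seeds printed without it (as authenticator apps do) decode.
        padded = seed.upper() + "=" * (-len(seed) % 8)
        return base64.b32decode(padded)
    raise ValueError(f"unsupported seed type: {seed_type}")


def new_seed(seed_type: str = "hex") -> str:
    """Generate a fresh random 160-bit seed in the encoding 'mfa create' expects."""
    raw = secrets.token_bytes(20)
    return raw.hex() if seed_type == "hex" else base64.b32encode(raw).decode().rstrip("=")


def hotp(key: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, at: int, seconds: int = DEFAULT_SECONDS, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: the HOTP counter is the time step floor(unix_time / totp_seconds)."""
    return hotp(key, at // seconds, digits)


def check_pin(key, pin, at, seconds=DEFAULT_SECONDS, window=DEFAULT_WINDOW, skew_steps=0):
    """What 'totp window' means: accept the pin for the current step and for
    `window` steps on either side of it. Returns the matching step offset, or None.
    skew_steps is the correction a previous resync established for this token."""
    step = at // seconds + skew_steps
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(key, step + delta), pin):
            return delta
    return None


def resync(key, prev_pin, cur_pin, at, seconds=DEFAULT_SECONDS, search=100):
    """Recover the token's clock skew (in steps) from two consecutive pins, which is
    what 'mfa resync' asks for: find a step s near now where hotp(s) == prev_pin and
    hotp(s + 1) == cur_pin. Requiring two pins makes an accidental match negligible
    even over a wide search. Returns the skew to pass as skew_steps, or None."""
    now_step = at // seconds
    for delta in range(-search, search + 1):
        s = now_step + delta
        if hmac.compare_digest(hotp(key, s), prev_pin) and \
                hmac.compare_digest(hotp(key, s + 1), cur_pin):
            return delta + 1          # the current pin belongs to step s + 1
    return None


if __name__ == "__main__":
    seed = new_seed("base32")
    key = decode_seed(seed, "base32")
    now = int(time.time())
    print(f"radosgw-admin mfa create --uid=<user-id> --totp-serial=<serial> "
          f"--totp-seed={seed} --totp-seed-type=base32")
    print("pin to feed to 'mfa check' right now:", totp(key, now))
    # Simulate a token running 10 steps fast and recover the skew from two pins.
    fast = now // DEFAULT_SECONDS + 10
    skew = resync(key, hotp(key, fast - 1), hotp(key, fast), now)
    print("skew recovered by resync (steps):", skew,
          "-> check offset after resync:", check_pin(key, hotp(key, fast), now, skew_steps=skew))
```

Run it to print a ready-made ``mfa create`` line with a fresh base32 seed and the pin
that ``mfa check`` should accept at this moment; the same seed entered into an
authenticator app must produce the same pin, which is the quickest way to confirm
that ``--totp-seconds`` and the clocks agree before enabling MFA on a bucket.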