doc/radosgw/mfa.rst
.. _rgw_mfa:
.. versionadded:: Mimic
The S3 multifactor authentication (MFA) feature allows users to require the use of one-time password when removing objects on certain buckets. The buckets need to be configured with versioning and MFA enabled which can be done through the S3 API.
Time-based one time password tokens can be assigned to a user through radosgw-admin. Each token has a secret seed, and a serial id that is assigned to it. Tokens are added to the user, can be listed, removed, and can also be re-synchronized.
While the MFA IDs are set on the user's metadata, the actual MFA one time password configuration resides in the local zone's OSDs. Therefore, in a multi-site environment it is advisable to use different tokens for different zones.
-TOTP: Time-based One Time Password
-token serial: a string that represents the ID of a TOTP token
-token seed: the secret seed that is used to calculate the TOTP
-totp seconds: the time resolution that is being used for TOTP generation
-totp window: the number of TOTP tokens that are checked before and after the current token when validating token
-totp pin: the valid value of a TOTP token at a certain time
::
--totp-serial=<serial> \
--totp-seed=<seed> \
[ --totp-seed-type=<hex|base32> ] \
[ --totp-seconds=<num-seconds> ] \
[ --totp-window=<twindow> ]
::
::
::
Test a TOTP token pin, needed for validating that TOTP functions correctly. ::
--totp-pin=<pin>
In order to re-sync the TOTP token (in case of time skew). This requires feeding two consecutive pins: the previous pin, and the current pin. ::
--totp-pin=<prev-pin> --totp-pin=<current-pin>