[Ceph] Unable to create RGW MFA token for bucket

Solution Verified - Updated

Environment

  • Red Hat Ceph Storage

Issue

We are attempting to create and list MFA tokens and are unsuccessful:

[root@rgw-2 ~]# radosgw-admin mfa create --uid=o1$o1-user --totp-serial=o1token --totp-seed=12345 --totp-seed-type=base32
MFA creation failed, error: (22) Invalid argument 

Resolution

For a valid token, the seed needs to be generated and the matching secret added to a TOTP client. Note that the seed in the failing command above, 12345, is not a valid base32 string (the base32 alphabet is A-Z and 2-7), so it cannot be decoded with --totp-seed-type=base32.

  • install oathtool and optionally qrencode

  • generate the hexadecimal seed:

# SEED=$(head -10 /dev/urandom | sha512sum | cut -b 1-30)
# echo $SEED
4fe2d015680b1b88f787d83339925c

  • feed this seed into oathtool:

# oathtool -v -d6 $SEED
Hex secret: 4fe2d015680b1b88f787d83339925c
Base32 secret: J7RNAFLIBMNYR54H3AZTTES4
Digits: 6
Window size: 0
Start counter: 0x0 (0)

315849

  • note the base32 secret; it is needed to add the token to a TOTP client such as Google Authenticator (which is used in this example)

  • a QR code makes it easy to import the token into Google Authenticator (the base32 secret could also be entered manually); here the token ID is "MFAtest":

# qrencode -o /tmp/user.png 'otpauth://totp/MFAtest?secret=J7RNAFLIBMNYR54H3AZTTES4'

  • scan the QR code in the generated image file to add the token to Google Authenticator

  • then create the MFA token in RGW for a specific user, with the hex seed generated earlier:

# radosgw-admin mfa create --uid=hari --totp-serial=MFAtest --totp-seed=4fe2d015680b1b88f787d83339925c
# radosgw-admin mfa list --uid=hari
{
    "entries": [
        {
            "type": 2,
            "id": "MFAtest",
            "seed": "4fe2d015680b1b88f787d83339925c",
            "seed_type": "hex",
            "time_ofs": 0,
            "step_size": 30,
            "window": 2
        }
    ]
}

  • resync the token by specifying the previous and the current token values shown by Google Authenticator:

# radosgw-admin mfa resync --uid=hari --totp-serial=MFAtest --debug_ms=0 --totp-pin=440024 --totp-pin=245763

  • verify the current PIN from Google Authenticator:

# radosgw-admin mfa check --uid=hari --totp-serial=MFAtest --debug_ms=0 --totp-pin=937498
ok

  • the check should fail when a random code is used as the PIN:

[root@dell-r330-17 /]# radosgw-admin mfa check --uid=hari --totp-serial=MFAtest --debug_ms=0 --totp-pin=123456
MFA check failed, error: (13) Permission denied
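The TOTP logic behind the RGW entry listed above (hex seed, time_ofs, step_size, window), as an added Python example that is not part of this solution or of Ceph: it reproduces oathtool's hex-to-base32 conversion for the page's seed and models mfa check and mfa resync as a windowed verification and a two-PIN clock-offset search. Assumptions: HMAC-SHA1 with 6 digits (matching oathtool -d6 above); the RFC 4226/6238 test seed is used for the self-test because the page's real PINs are time-dependent.

```python
import base64
import hashlib
import hmac
import struct

# Seed from the page's example (hex, as stored in the RGW mfa entry) and the
# RFC 4226/6238 test seed (ASCII "12345678901234567890"), used for self-tests
PAGE_SEED_HEX = "4fe2d015680b1b88f787d83339925c"
RFC_SEED_HEX = "3132333435363738393031323334353637383930"


def hex_seed_to_base32(seed_hex: str) -> str:
    """The conversion oathtool prints: RGW's hex seed as the base32 secret an
    authenticator app imports (padding stripped, as in the otpauth:// URI)."""
    return base64.b32encode(bytes.fromhex(seed_hex)).decode().rstrip("=")


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP (HMAC-SHA1 + dynamic truncation); TOTP is HOTP over a
    time-step counter, so this is the core of both check and resync."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp_check(entry: dict, pin: str, now: int) -> bool:
    """Model of 'mfa check': accept the PIN if it matches any step within
    +/- entry['window'] of the current step after applying time_ofs."""
    seed = bytes.fromhex(entry["seed"])
    step = (now + entry["time_ofs"]) // entry["step_size"]
    candidates = range(max(step - entry["window"], 0), step + entry["window"] + 1)
    return any(hmac.compare_digest(hotp(seed, c), pin) for c in candidates)


def totp_resync(entry: dict, pin_prev: str, pin_cur: str, now: int,
                max_drift_steps: int = 100) -> bool:
    """Model of 'mfa resync': find the clock offset at which two consecutive
    PINs from the authenticator land on two consecutive steps and store it as
    entry['time_ofs']; False (entry unchanged) if no offset explains them."""
    seed = bytes.fromhex(entry["seed"])
    base = now // entry["step_size"]
    for d in range(-max_drift_steps, max_drift_steps + 1):
        if base + d < 1:   # counters below zero cannot be packed
            continue
        if hotp(seed, base + d - 1) == pin_prev and hotp(seed, base + d) == pin_cur:
            entry["time_ofs"] = d * entry["step_size"]
            return True
    return False
```

Because the stored hex seed is all that is needed to compute valid PINs, the mfa list output above should be treated as a secret, not logged or shared.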

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.