Bug 1397212

Summary: RFE: Add support for MFA-Delete
Product: [Red Hat Storage] Red Hat Ceph Storage Reporter: Kyle Bader <kbader>
Component: RGW Assignee: Matt Benjamin (redhat) <mbenjamin>
Status: CLOSED ERRATA QA Contact: Tejas <tchandra>
Severity: medium Docs Contact: Aron Gunn <agunn>
Priority: high    
Version: 2.0 CC: agunn, anharris, cbodley, ceph-eng-bugs, kbader, kdreyer, mbenjamin, mwatts, sweil, taco, tserlin, uboppana, vimishra
Target Milestone: rc Keywords: FutureFeature
Target Release: 4.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: ceph-14.2.0 Doc Type: Enhancement
Doc Text:
.Support for S3 MFA-Delete
With this release, the Ceph Object Gateway supports S3 MFA-Delete using Time-Based One-Time Passwords (TOTP) as an authentication factor. This feature adds security against inappropriate data removal. You can configure buckets to require a TOTP one-time token in addition to standard S3 authentication to delete data.
Story Points: ---
Clone Of: Environment:
Last Closed: 2020-01-31 12:44:52 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1730176    

Description Kyle Bader 2016-11-21 23:05:15 UTC
When a bucket is configured for object versioning, a developer should be able to optionally configure the bucket to require a multi-factor authentication token for delete requests. The token is passed as a key to the x-amz-mfa header. The tokens are generated with virtual MFA devices like Google Authenticator (TOTP), or a hardware MFA device like those provided by Gemalto.

https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingMFADelete.html
https://aws.amazon.com/iam/details/mfa/

This feature is used by companies like Netflix to prevent accidental, or malicious, removal of data. 

http://www.slideshare.net/jason_chan/aws-security-a-p (slide 129)
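
The check described in this request, as an added example that is not part of the original report and is not Ceph's code: RFC 6238 TOTP generation, the `x-amz-mfa` value in the `<device serial> <code>` form given in the linked AWS documentation, and a gateway-side validation sketch. The device serial, the shared secret (the RFC 6238 test key) and the one-step drift window are assumptions.

```python
import hashlib
import hmac
import struct

STEP = 30  # seconds per TOTP time step (RFC 6238 default)

def totp(secret: bytes, unix_time: int, step: int = STEP, digits: int = 6) -> str:
    """RFC 6238 TOTP with HMAC-SHA1 and RFC 4226 dynamic truncation."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def mfa_header(serial: str, secret: bytes, unix_time: int) -> str:
    """Client side: the x-amz-mfa value is '<device serial> <current code>'."""
    return f"{serial} {totp(secret, unix_time)}"

def check_mfa_delete(header, devices, unix_time, window=1):
    """Gateway-side sketch: permit a version delete only with a valid token.

    devices maps serial -> shared secret (hypothetical store). window is the
    number of adjacent time steps accepted for clock drift (assumed value).
    """
    if not header:
        return False  # bucket requires MFA-Delete but no token was sent
    parts = header.split(" ")
    if len(parts) != 2 or parts[0] not in devices:
        return False
    serial, token = parts
    for drift in range(-window, window + 1):
        when = max(0, unix_time + drift * STEP)
        expected = totp(devices[serial], when)
        # Constant-time comparison avoids leaking how many digits matched.
        if hmac.compare_digest(expected.encode(), token.encode()):
            return True
    return False

# Constructed sample data: RFC 6238 test secret and a made-up device serial.
SECRET = b"12345678901234567890"
DEVICES = {"example-serial-0001": SECRET}
```

A token is accepted for the step it was issued in and one step either side; a delete request replaying the same header two minutes later is refused.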

Comment 6 Giridhar Ramaraju 2019-08-05 13:06:15 UTC
Updating the QA Contact to Hemant. Hemant will be rerouting them to the appropriate QE Associate.

Regards,
Giri

Comment 7 Giridhar Ramaraju 2019-08-05 13:08:56 UTC
Updating the QA Contact to Hemant. Hemant will be rerouting them to the appropriate QE Associate.

Regards,
Giri

Comment 12 errata-xmlrpc 2020-01-31 12:44:52 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:0312

Comment 13 Red Hat Bugzilla 2023-09-14 03:34:49 UTC
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 1000 days