Bug 1397212 - RFE: Add support for MFA-Delete [NEEDINFO]
Summary: RFE: Add support for MFA-Delete
Alias: None
Product: Red Hat Ceph Storage
Classification: Red Hat
Component: RGW
Version: 2.0
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
: 4.0
Assignee: Matt Benjamin (redhat)
QA Contact: Tejas
Aron Gunn
Depends On:
Blocks: 1730176
Reported: 2016-11-21 23:05 UTC by Kyle Bader
Modified: 2020-01-31 12:45 UTC

Fixed In Version: ceph-14.2.0
Doc Type: Enhancement
Doc Text:
.Support for S3 MFA-Delete
With this release, the Ceph Object Gateway supports S3 MFA-Delete using Time-Based One-Time Passwords (TOTP) as an authentication factor. This feature adds security against inappropriate data removal. You can configure buckets to require a TOTP token in addition to standard S3 authentication to delete data.
Clone Of:
Last Closed: 2020-01-31 12:44:52 UTC
Target Upstream Version:
tserlin: needinfo? (mbenjamin)
bancinco: needinfo? (mbenjamin)

System | ID | Private | Priority | Status | Summary | Last Updated
Red Hat Product Errata | RHBA-2020:0312 | 0 | None | None | None | 2020-01-31 12:45:25 UTC

Description Kyle Bader 2016-11-21 23:05:15 UTC
When a bucket is configured for object versioning, a developer should be able to optionally configure the bucket to require a multi-factor authentication token for delete requests. The token is passed as a key to the x-amz-mfa header. The tokens are generated with virtual MFA devices like Google Authenticator (TOTP), or a hardware MFA device like those provided by Gemalto.


This feature is used by companies like Netflix to prevent accidental, or malicious, removal of data. 

http://www.slideshare.net/jason_chan/aws-security-a-p (slide 129)
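
As an added illustration (not part of the original report and not Ceph's implementation), the sketch below shows how a gateway could verify a TOTP code carried in the x-amz-mfa header before allowing a delete. It assumes the AWS S3 header format of device serial, a space, then the code; the bucket dict, device table and function names are hypothetical, and the secret is the RFC 6238 test key.

```python
import base64, hashlib, hmac, struct

# Constructed sample data: the RFC 6238 test key and a made-up device serial.
SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
DEVICES = {"SN-0001": SECRET_B32}   # hypothetical serial -> shared secret

def totp(secret_b32, at, step=30, digits=6):
    """RFC 6238 TOTP (HMAC-SHA1) for Unix time `at`."""
    key = base64.b32decode(secret_b32)
    counter = struct.pack(">Q", int(at) // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    off = mac[-1] & 0x0F                       # RFC 4226 dynamic truncation
    code = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def check_mfa_header(value, devices, now, window=1, step=30):
    """Validate an x-amz-mfa value of the form '<serial> <code>'."""
    parts = (value or "").split()
    if len(parts) != 2 or parts[0] not in devices:
        return False
    serial, code = parts
    ok = False
    for drift in range(-window, window + 1):   # tolerate small clock skew
        at = max(0, now + drift * step)
        expected = totp(devices[serial], at, step)
        # Constant-time compare; no early exit on a match.
        ok |= hmac.compare_digest(expected.encode(), code.encode())
    return ok

def authorize_delete(bucket, headers, devices, now):
    """Deny a delete on an MFA-Delete bucket unless the token verifies."""
    if not bucket.get("mfa_delete"):
        return True                            # MFA-Delete not enabled
    return check_mfa_header(headers.get("x-amz-mfa"), devices, now)

if __name__ == "__main__":
    bucket = {"versioning": True, "mfa_delete": True}   # hypothetical state
    good = {"x-amz-mfa": "SN-0001 " + totp(SECRET_B32, 59)}
    print(authorize_delete(bucket, good, DEVICES, now=59))
    print(authorize_delete(bucket, {}, DEVICES, now=59))
```

A production verifier would also record the last accepted time step per device, so that a captured code cannot be replayed inside the skew window.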

Comment 6 Giridhar Ramaraju 2019-08-05 13:06:15 UTC
Updating the QA Contact to Hemant. Hemant will be rerouting them to the appropriate QE Associate.


Comment 7 Giridhar Ramaraju 2019-08-05 13:08:56 UTC
Updating the QA Contact to Hemant. Hemant will be rerouting them to the appropriate QE Associate.


Comment 12 errata-xmlrpc 2020-01-31 12:44:52 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

