Add documentation for keystone tokens

This serves as a very general introduction for keystone's token providers. We can use this to link to other, more specific token documents. Change-Id: I51a39c1830b9d9db5e4a7012a79fcc482537ebde
2015-11-12 21:12:50 +00:00 · 2015-11-12 21:12:50 +00:00 · da89b3b1cf
commit da89b3b1cf
parent 6e5f56471f
2 changed files with 41 additions and 0 deletions
--- a/doc/admin-guide-cloud/source/identity_management.rst
+++ b/doc/admin-guide-cloud/source/identity_management.rst
@ -19,6 +19,7 @@ command-line client.
   keystone_configure_with_SSL.rst
   keystone_external_authentication.rst
   keystone_integrate_with_ldap.rst
+   keystone_tokens.rst
   keystone_token-binding.rst
   keystone_use_trusts.rst
   keystone_caching_layer.rst
--- a/doc/admin-guide-cloud/source/keystone_tokens.rst
+++ b/doc/admin-guide-cloud/source/keystone_tokens.rst
@ -0,0 +1,40 @@
+========================
+Keystone token providers
+========================
+
+Tokens are used to interact with the various OpenStack APIs. The token type
+issued by keystone is configurable through the :file:`etc/keystone.conf` file.
+Currently, there are four supported token types and they include UUID, Fernet,
+PKI, and PKIZ.
+
+UUID tokens
+~~~~~~~~~~~
+
+UUID was the first token type supported and is currently the default token
+provider. UUID tokens are 32 bytes in length and must be persisted in a back
+end. Clients must pass their UUID token to the Identity service in order to
+validate it.
+
+Fernet tokens
+~~~~~~~~~~~~~
+
+Fernet tokens were introduced in the OpenStack Kilo release. Unlike the other
+token types mentioned in this document, Fernet tokens do not need to be
+persisted in a back end. ``AES256`` encryption is used to protect the
+information stored in the token and integrity is verified with a ``SHA256
+HMAC`` signature. Only the Identity service should have access to the keys used
+to encrypt and decrypt Fernet tokens. Like UUID tokens, Fernet tokens must be
+passed back to the Identity service in order to validate them.
+
+PKI and PKIZ tokens
+~~~~~~~~~~~~~~~~~~~
+
+PKI tokens are signed documents that contain the authentication context, as
+well as the service catalog. Depending on the size of the OpenStack deployment,
+these tokens can be very long. The Identity service uses public/private key
+pairs and certificates in order to create and validate PKI tokens.
+
+The same concepts from PKI tokens apply to PKIZ tokens. The only difference
+between the two is PKIZ tokens are compressed to help mitigate the size issues
+of PKI. For more information on the certificate setup for PKI and PKIZ tokens,
+see the :ref:`keystone_certificates_for_pki`.