From da89b3b1cfb765f159646fc14f8b215c07a85e22 Mon Sep 17 00:00:00 2001 From: Lance Bragstad Date: Thu, 12 Nov 2015 21:12:50 +0000 Subject: [PATCH] Add documentation for keystone tokens This serves as a very general introduction for keystone's token providers. We can use this to link to other, more specific token documents. Change-Id: I51a39c1830b9d9db5e4a7012a79fcc482537ebde --- .../source/identity_management.rst | 1 + .../source/keystone_tokens.rst | 40 +++++++++++++++++++ 2 files changed, 41 insertions(+) create mode 100644 doc/admin-guide-cloud/source/keystone_tokens.rst diff --git a/doc/admin-guide-cloud/source/identity_management.rst b/doc/admin-guide-cloud/source/identity_management.rst index 378535f1ba..0e21f754dd 100644 --- a/doc/admin-guide-cloud/source/identity_management.rst +++ b/doc/admin-guide-cloud/source/identity_management.rst @@ -19,6 +19,7 @@ command-line client. keystone_configure_with_SSL.rst keystone_external_authentication.rst keystone_integrate_with_ldap.rst + keystone_tokens.rst keystone_token-binding.rst keystone_use_trusts.rst keystone_caching_layer.rst diff --git a/doc/admin-guide-cloud/source/keystone_tokens.rst b/doc/admin-guide-cloud/source/keystone_tokens.rst new file mode 100644 index 0000000000..801db7ce6f --- /dev/null +++ b/doc/admin-guide-cloud/source/keystone_tokens.rst 
@@ -0,0 +1,40 @@ +======================== +Keystone token providers +======================== + +Tokens are used to interact with the various OpenStack APIs. The token type +issued by keystone is configurable through the :file:`etc/keystone.conf` file. +Currently, there are four supported token types and they include UUID, Fernet, +PKI, and PKIZ. + +UUID tokens +~~~~~~~~~~~ + +UUID was the first token type supported and is currently the default token +provider. UUID tokens are 32 bytes in length and must be persisted in a back +end. Clients must pass their UUID token to the Identity service in order to +validate it. + +Fernet tokens +~~~~~~~~~~~~~ + +Fernet tokens were introduced in the OpenStack Kilo release. Unlike the other +token types mentioned in this document, Fernet tokens do not need to be +persisted in a back end. ``AES256`` encryption is used to protect the +information stored in the token and integrity is verified with a ``SHA256 +HMAC`` signature. Only the Identity service should have access to the keys used +to encrypt and decrypt Fernet tokens. Like UUID tokens, Fernet tokens must be +passed back to the Identity service in order to validate them. + +PKI and PKIZ tokens +~~~~~~~~~~~~~~~~~~~ + +PKI tokens are signed documents that contain the authentication context, as +well as the service catalog. Depending on the size of the OpenStack deployment, +these tokens can be very long. The Identity service uses public/private key +pairs and certificates in order to create and validate PKI tokens. + +The same concepts from PKI tokens apply to PKIZ tokens. The only difference +between the two is PKIZ tokens are compressed to help mitigate the size issues +of PKI. For more information on the certificate setup for PKI and PKIZ tokens, +see the :ref:`keystone_certificates_for_pki`.
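Review bot: the Fernet paragraph in the new keystone_tokens.rst hunk names the wrong cipher; ``AES256`` should be AES-128 in CBC mode. The Fernet format keystone relies on (the cryptography library's) splits each 32-byte key into a 16-byte HMAC-SHA256 signing key and a 16-byte AES-128 encryption key, so the ``SHA256 HMAC`` half of the sentence is right but the encryption half is not. Suggested wording:

+persisted in a back end. ``AES128`` encryption in ``CBC`` mode is used to
+protect the information stored in the token and integrity is verified with a
+``SHA256 HMAC`` signature.

Smaller points in the same hunk: "UUID tokens are 32 bytes in length" describes the 32-character hexadecimal string produced by ``uuid.uuid4().hex``, which encodes 16 random bytes, so "32 characters" is the accurate figure; in both the UUID and Fernet sections it is the service that receives the token (through the ``auth_token`` middleware), not the client, that passes it back to the Identity service for validation, so "Clients must pass" and "must be passed back" are misleading as written; the opening paragraph says the provider is configurable in ``etc/keystone.conf`` without naming the option, and stating ``provider`` in the ``[token]`` section would spare readers a trip to the configuration reference; and the closing ``:ref:`keystone_certificates_for_pki``` requires that label to be defined in the PKI certificates document or Sphinx will warn about an undefined label (also drop "the" before the ref, since it renders as the target section's title).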