From f006188e706228f9f865e7ad8d2347436f49c16b Mon Sep 17 00:00:00 2001 From: Shilla Saebi Date: Wed, 12 Mar 2014 14:56:14 -0400 Subject: [PATCH] small changes to section_keystone-token-binding file changed such to so changed some wording around sentence added , removed the added mode Change-Id: I175ee91bcb67f03e6068d0df7f0924134b1b2816 --- .../section_keystone-token-binding.xml | 107 +++++++++--------- 1 file changed, 54 insertions(+), 53 deletions(-) diff --git a/doc/admin-guide-cloud/identity/section_keystone-token-binding.xml b/doc/admin-guide-cloud/identity/section_keystone-token-binding.xml index 5681c40935..9b121614ab 100644 --- a/doc/admin-guide-cloud/identity/section_keystone-token-binding.xml +++ b/doc/admin-guide-cloud/identity/section_keystone-token-binding.xml @@ -1,56 +1,57 @@
- Configure the Identity Service for token binding - Token binding refers to the practice of embedding - information from external authentication providers (like a - company's Kerberos server) inside the token such that a client may - enforce that the token only be used in conjunction with that - specified authentication. This is an additional security mechanism - as it means that if a token is stolen it will not be usable - without also providing the external authentication. - To activate token binding you must specify the types of - authentication that token binding should be used for in - keystone.conf: - [token] - bind = kerberos - Currently only kerberos is supported. - - To enforce checking of token binding the enforce_token_bind - parameter should be set to one of the following modes: - - - disabled disable token bind - checking - - - permissive enable bind checking, if - a token is bound to a mechanism that is unknown to the server - then ignore it. This is the default. - - - strict enable bind checking, if a - token is bound to a mechanism that is unknown to the server - then this token should be rejected. - - - required enable bind checking and - require that at least 1 bind mechanism is used for - tokens. - - - named enable bind checking and - require that the specified authentication mechanism is used: -[token] - enforce_token_bind = kerberos - - - - Do not set enforce_token_bind = - named as there is not an authentication mechanism - called named. - - + xmlns:xi="http://www.w3.org/2001/XInclude" + xmlns:xlink="http://www.w3.org/1999/xlink" version="5.0" + xml:id="keystone-token-binding"> + Configure Identity service for token binding + Token binding embeds information from an external + authentication mechanism, such as a Kerberos server, inside a + token. By using token binding, a client can enforce the use of a + specified external authentication mechanism with the token. 
This + additional security mechanism ensures that if a token is stolen, + for example, it is not usable without external + authentication. + You configure the authentication types for a token binding in + the keystone.conf file: + [token] +bind = kerberos + Currently only kerberos is + supported. + To enforce checking of token binding, set the + option to one of these + modes: + + + disabled + Disables token bind checking. + + + permissive + Enables bind checking. If a token is bound to an unknown + authentication mechanism, the server ignores it. The default + is this mode. + + + strict + Enables bind checking. If a token is bound to an unknown + authentication mechanism, the server rejects it. + + + required + Enables bind checking. Requires use of at least + authentication mechanism for tokens. + + + named + Enables bind checking. Requires use of the specified + authentication mechanism for tokens: + [token] +enforce_token_bind = kerberos + + + + Do not set enforce_token_bind = named. + The named authentication mechanism does not + exist. +
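Review bot: the rewritten description of the `required` mode drops the count: "Requires use of at least authentication mechanism for tokens" lost the "1" that the old text had ("require that at least 1 bind mechanism is used for tokens"), so the sentence no longer states what the mode enforces. Suggest "Enables bind checking. Requires that at least one authentication mechanism is used for tokens." In the same hunk, the sentence introducing the mode list now reads "set the option to one of these modes" without naming the option, whereas the old text said "the enforce_token_bind parameter should be set to"; if the option name is not carried by markup that the diff does not show, put `enforce_token_bind` back into that sentence so the reader knows which setting the five modes belong to. Minor: in "if a token is stolen, for example, it is not usable without external authentication", the "for example" reads as qualifying the theft rather than introducing it; "if, for example, a token is stolen, it is not usable without the external authentication" keeps the original meaning.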