Merge "small changes to section_keystone-token-binding file"

doc/admin-guide-cloud/identity/section_keystone-token-binding.xml

@@ -3,54 +3,55 @@
   xmlns:xi="http://www.w3.org/2001/XInclude"
   xmlns:xlink="http://www.w3.org/1999/xlink" version="5.0"
   xml:id="keystone-token-binding">
-    <title>Configure the Identity Service for token binding</title>
+  <title>Configure Identity service for token binding</title>
-    <para>Token binding refers to the practice of embedding
+  <para>Token binding embeds information from an external
-    information from external authentication providers (like a
+    authentication mechanism, such as a Kerberos server, inside a
-    company's Kerberos server) inside the token such that a client may
+    token. By using token binding, a client can enforce the use of a
-    enforce that the token only be used in conjunction with that
+    specified external authentication mechanism with the token. This
-    specified authentication. This is an additional security mechanism
+    additional security mechanism ensures that if a token is stolen,
-    as it means that if a token is stolen it will not be usable
+    for example, it is not usable without external
-    without also providing the external authentication.</para>
+    authentication.</para>
-  <para>To activate token binding you must specify the types of
+  <para>You configure the authentication types for a token binding in
-    authentication that token binding should be used for in
+    the <filename>keystone.conf</filename> file:</para>
-      <filename>keystone.conf</filename>:
   <programlisting language="ini">[token]
-    bind = kerberos</programlisting>
+bind = kerberos</programlisting>
-    Currently only <literal>kerberos</literal> is supported.</para>
+  <para>Currently only <literal>kerberos</literal> is
-   <para>
+    supported.</para>
-     To enforce checking of token binding the <literal>enforce_token_bind</literal>
+  <para>To enforce checking of token binding, set the
-     parameter should be set to one of the following modes:
+      <option>enforce_token_bind</option> option to one of these
+    modes:</para>
   <itemizedlist>
     <listitem>
-         <para><literal>disabled</literal> disable token bind
+      <para><literal>disabled</literal></para>
-         checking</para>
+      <para>Disables token bind checking.</para>
     </listitem>
     <listitem>
-         <para><literal>permissive</literal> enable bind checking, if
+      <para><literal>permissive</literal></para>
-         a token is bound to a mechanism that is unknown to the server
+      <para>Enables bind checking. If a token is bound to an unknown
-         then ignore it. This is the default.</para>
+        authentication mechanism, the server ignores it. The default
+        is this mode.</para>
     </listitem>
     <listitem>
-         <para><literal>strict</literal> enable bind checking, if a
+      <para><literal>strict</literal></para>
-         token is bound to a mechanism that is unknown to the server
+      <para>Enables bind checking. If a token is bound to an unknown
-         then this token should be rejected.</para>
+        authentication mechanism, the server rejects it.</para>
     </listitem>
     <listitem>
-         <para><literal>required</literal> enable bind checking and
+      <para><literal>required</literal></para>
-         require that at least 1 bind mechanism is used for
+      <para>Enables bind checking. Requires use of at least
-         tokens.</para>
+        authentication mechanism for tokens.</para>
     </listitem>
     <listitem>
-         <para><literal>named</literal> enable bind checking and
+      <para><literal>named</literal></para>
-         require that the specified authentication mechanism is used:
+      <para>Enables bind checking. Requires use of the specified
-<programlisting language="ini">[token]
+        authentication mechanism for tokens:</para>
-    enforce_token_bind = kerberos</programlisting>
+      <programlisting language="ini">[token]
-         </para>
+enforce_token_bind = kerberos</programlisting>
     </listitem>
   </itemizedlist>
-     <note><para>Do not set <literal>enforce_token_bind =
+  <note>
-     named</literal> as there is not an authentication mechanism
+    <para>Do not set <literal>enforce_token_bind = named</literal>.
-     called <literal>named</literal>.</para>
+      The <literal>named</literal> authentication mechanism does not
+      exist.</para>
   </note>
-   </para>
 </section>