Merge "small changes to section_keystone-token-binding file"

Jenkins 2014-03-18 00:05:05 +00:00 committed by Gerrit Code Review
commit fe369cf02f


@ -1,56 +1,57 @@
<?xml version="1.0" encoding="UTF-8"?> <?xml version="1.0" encoding="UTF-8"?>
<section xmlns="http://docbook.org/ns/docbook" <section xmlns="http://docbook.org/ns/docbook"
xmlns:xi="http://www.w3.org/2001/XInclude" xmlns:xi="http://www.w3.org/2001/XInclude"
xmlns:xlink="http://www.w3.org/1999/xlink" version="5.0" xmlns:xlink="http://www.w3.org/1999/xlink" version="5.0"
xml:id="keystone-token-binding"> xml:id="keystone-token-binding">
<title>Configure the Identity Service for token binding</title> <title>Configure Identity service for token binding</title>
<para>Token binding refers to the practice of embedding <para>Token binding embeds information from an external
information from external authentication providers (like a authentication mechanism, such as a Kerberos server, inside a
company's Kerberos server) inside the token such that a client may token. By using token binding, a client can enforce the use of a
enforce that the token only be used in conjunction with that specified external authentication mechanism with the token. This
specified authentication. This is an additional security mechanism additional security mechanism ensures that if a token is stolen,
as it means that if a token is stolen it will not be usable for example, it is not usable without external
without also providing the external authentication.</para> authentication.</para>
<para>To activate token binding you must specify the types of <para>You configure the authentication types for a token binding in
authentication that token binding should be used for in the <filename>keystone.conf</filename> file:</para>
<filename>keystone.conf</filename>: <programlisting language="ini">[token]
<programlisting language="ini">[token] bind = kerberos</programlisting>
bind = kerberos</programlisting> <para>Currently only <literal>kerberos</literal> is
Currently only <literal>kerberos</literal> is supported.</para> supported.</para>
<para> <para>To enforce checking of token binding, set the
To enforce checking of token binding the <literal>enforce_token_bind</literal> <option>enforce_token_bind</option> option to one of these
parameter should be set to one of the following modes: modes:</para>
<itemizedlist> <itemizedlist>
<listitem> <listitem>
<para><literal>disabled</literal> disable token bind <para><literal>disabled</literal></para>
checking</para> <para>Disables token bind checking.</para>
</listitem> </listitem>
<listitem> <listitem>
<para><literal>permissive</literal> enable bind checking, if <para><literal>permissive</literal></para>
a token is bound to a mechanism that is unknown to the server <para>Enables bind checking. If a token is bound to an unknown
then ignore it. This is the default.</para> authentication mechanism, the server ignores it. The default
</listitem> is this mode.</para>
<listitem> </listitem>
<para><literal>strict</literal> enable bind checking, if a <listitem>
token is bound to a mechanism that is unknown to the server <para><literal>strict</literal></para>
then this token should be rejected.</para> <para>Enables bind checking. If a token is bound to an unknown
</listitem> authentication mechanism, the server rejects it.</para>
<listitem> </listitem>
<para><literal>required</literal> enable bind checking and <listitem>
require that at least 1 bind mechanism is used for <para><literal>required</literal></para>
tokens.</para> <para>Enables bind checking. Requires use of at least
</listitem> authentication mechanism for tokens.</para>
<listitem> </listitem>
<para><literal>named</literal> enable bind checking and <listitem>
require that the specified authentication mechanism is used: <para><literal>named</literal></para>
<programlisting language="ini">[token] <para>Enables bind checking. Requires use of the specified
enforce_token_bind = kerberos</programlisting> authentication mechanism for tokens:</para>
</para> <programlisting language="ini">[token]
</listitem> enforce_token_bind = kerberos</programlisting>
</itemizedlist> </listitem>
<note><para>Do not set <literal>enforce_token_bind = </itemizedlist>
named</literal> as there is not an authentication mechanism <note>
called <literal>named</literal>.</para> <para>Do not set <literal>enforce_token_bind = named</literal>.
</note> The <literal>named</literal> authentication mechanism does not
</para> exist.</para>
</note>
</section> </section>
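Review bot: the rewritten `required` item on the new side drops a word; "Requires use of at least authentication mechanism for tokens." should read "Requires use of at least one authentication mechanism for tokens." so it matches the old text's "at least 1 bind mechanism". While touching that list, consider making the security consequence of the default explicit in the `permissive` item: since `permissive` is the default and the server ignores a token bound to an authentication mechanism it does not recognize, an operator who wants binding actually enforced has to choose `strict`, `required` or `named`; a sentence saying so, placed right after "The default is this mode.", would prevent readers from assuming the default already enforces binding.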