Merge "small changes to section_keystone-token-binding file"

This commit is contained in:
Jenkins 2014-03-18 00:05:05 +00:00 committed by Gerrit Code Review
commit fe369cf02f

View File

@ -3,54 +3,55 @@
xmlns:xi="http://www.w3.org/2001/XInclude"
xmlns:xlink="http://www.w3.org/1999/xlink" version="5.0"
xml:id="keystone-token-binding">
<title>Configure the Identity Service for token binding</title>
<para>Token binding refers to the practice of embedding
information from external authentication providers (like a
company's Kerberos server) inside the token such that a client may
enforce that the token only be used in conjunction with that
specified authentication. This is an additional security mechanism
as it means that if a token is stolen it will not be usable
without also providing the external authentication.</para>
<para>To activate token binding you must specify the types of
authentication that token binding should be used for in
<filename>keystone.conf</filename>:
<title>Configure Identity service for token binding</title>
<para>Token binding embeds information from an external
authentication mechanism, such as a Kerberos server, inside a
token. By using token binding, a client can enforce the use of a
specified external authentication mechanism with the token. This
additional security mechanism ensures that if a token is stolen,
for example, it is not usable without external
authentication.</para>
<para>You configure the authentication types for a token binding in
the <filename>keystone.conf</filename> file:</para>
<programlisting language="ini">[token]
bind = kerberos</programlisting>
Currently only <literal>kerberos</literal> is supported.</para>
<para>
To enforce checking of token binding the <literal>enforce_token_bind</literal>
parameter should be set to one of the following modes:
bind = kerberos</programlisting>
<para>Currently only <literal>kerberos</literal> is
supported.</para>
<para>To enforce checking of token binding, set the
<option>enforce_token_bind</option> option to one of these
modes:</para>
<itemizedlist>
<listitem>
<para><literal>disabled</literal> disable token bind
checking</para>
<para><literal>disabled</literal></para>
<para>Disables token bind checking.</para>
</listitem>
<listitem>
<para><literal>permissive</literal> enable bind checking, if
a token is bound to a mechanism that is unknown to the server
then ignore it. This is the default.</para>
<para><literal>permissive</literal></para>
<para>Enables bind checking. If a token is bound to an unknown
authentication mechanism, the server ignores it. The default
is this mode.</para>
</listitem>
<listitem>
<para><literal>strict</literal> enable bind checking, if a
token is bound to a mechanism that is unknown to the server
then this token should be rejected.</para>
<para><literal>strict</literal></para>
<para>Enables bind checking. If a token is bound to an unknown
authentication mechanism, the server rejects it.</para>
</listitem>
<listitem>
<para><literal>required</literal> enable bind checking and
require that at least 1 bind mechanism is used for
tokens.</para>
<para><literal>required</literal></para>
<para>Enables bind checking. Requires use of at least
authentication mechanism for tokens.</para>
</listitem>
<listitem>
<para><literal>named</literal> enable bind checking and
require that the specified authentication mechanism is used:
<programlisting language="ini">[token]
enforce_token_bind = kerberos</programlisting>
</para>
<para><literal>named</literal></para>
<para>Enables bind checking. Requires use of the specified
authentication mechanism for tokens:</para>
<programlisting language="ini">[token]
enforce_token_bind = kerberos</programlisting>
</listitem>
</itemizedlist>
<note><para>Do not set <literal>enforce_token_bind =
named</literal> as there is not an authentication mechanism
called <literal>named</literal>.</para>
<note>
<para>Do not set <literal>enforce_token_bind = named</literal>.
The <literal>named</literal> authentication mechanism does not
exist.</para>
</note>
</para>
</section>