Currently some of the config references docs are a part of general OpenStack-manuals. Migrating those docs to keystone documentation so that they can be reviewed effectively by keystone developers too. Following the specs, the files are added to admin/ and configuration/ directories. The files containing configuration options are added in a subsequent patch using oslo.config plugin. Partial-Bug #1694460 Change-Id: I9a85f610e66a10dac54c50b2a54305e979888ee5
Token provider
OpenStack Identity supports customizable token providers. This is specified in the [token] section of the configuration file.
The token provider controls the token construction, validation, and revocation operations.
You can register your own token provider by configuring the following property:
Note: More commonly, you can use this option to change the token provider to one of the ones built in. Alternatively, you can use it to configure your own token provider.
- provider: token provider driver. Defaults to uuid. Implemented by keystone.token.providers.uuid.Provider. This is the entry point for the token provider in the keystone.token.provider namespace.
Each token format uses different technologies to achieve various performance, scaling, and architectural requirements. The Identity service includes fernet, pkiz, pki, and uuid token providers.
Below is the detailed list of the token formats:
- UUID: uuid tokens must be persisted (using the back end specified in the [token] driver option), but do not require any extra configuration or setup.
- PKI and PKIZ: pki and pkiz tokens can be validated offline, without making HTTP calls to keystone. However, this format requires that certificates be installed and distributed to facilitate signing tokens and later validating those signatures.
- Fernet: fernet tokens do not need to be persisted at all, but require that you run keystone-manage fernet_setup (also see the keystone-manage fernet_rotate command).
Warning: UUID, PKI, PKIZ, and Fernet tokens are all bearer tokens. They must be protected from unnecessary disclosure to prevent unauthorized access.
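As an added example (not part of the keystone documentation or the keystone code base), the following script reads a keystone.conf, resolves the effective [token] provider with the uuid default described above, and reports what that choice implies for persistence, offline validation, and required setup. The sample configuration strings are constructed for the example; the provider name acme_provider is a hypothetical custom entry point.

```python
"""Audit the [token] provider setting in a keystone.conf (added example)."""
import configparser

BUILTIN_PROVIDERS = {"uuid", "pki", "pkiz", "fernet"}
PERSISTED_PROVIDERS = {"uuid", "pki", "pkiz"}   # stored via the [token] driver back end
OFFLINE_VALIDATION = {"pki", "pkiz"}            # validated without HTTP calls to keystone

# Constructed sample configs, not copied from any deployment.
CONF_DEFAULTS = "[DEFAULT]\ndebug = false\n"            # no [token] section: uuid applies
CONF_FERNET = "[DEFAULT]\n[token]\nprovider = fernet\n"
CONF_CUSTOM = "[token]\nprovider = acme_provider\ndriver = sql\n"  # hypothetical entry point


def token_provider(conf_text):
    """Return the effective [token] provider, applying keystone's uuid default."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    # fallback covers both a missing option and a missing [token] section
    return cp.get("token", "provider", fallback="uuid").strip()


def audit(conf_text):
    """Describe what the configured provider implies for operators."""
    provider = token_provider(conf_text)
    builtin = provider in BUILTIN_PROVIDERS
    report = {
        "provider": provider,
        "builtin": builtin,
        "bearer": True,  # every token format listed in the docs is a bearer token
        "persisted": (provider in PERSISTED_PROVIDERS) if builtin else None,
        "offline_validation": (provider in OFFLINE_VALIDATION) if builtin else None,
        "setup": [],
    }
    if provider == "fernet":
        report["setup"].append("run keystone-manage fernet_setup; schedule fernet_rotate")
    elif provider in OFFLINE_VALIDATION:
        report["setup"].append("install and distribute signing certificates")
    elif provider == "uuid":
        report["setup"].append("none beyond the [token] driver back end")
    else:
        report["setup"].append("custom entry point in keystone.token.provider; review it")
    return report


if __name__ == "__main__":
    for name, text in (("defaults", CONF_DEFAULTS), ("fernet", CONF_FERNET),
                       ("custom", CONF_CUSTOM)):
        print(name, audit(text))
```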