121 lines
4.1 KiB
INI
121 lines
4.1 KiB
INI
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
|
# not use this file except in compliance with the License. You may obtain
|
|
# a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
|
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
|
# License for the specific language governing permissions and limitations
|
|
# under the License.
|
|
|
|
# For information about the format of this file, refer to the documentation
|
|
# for sphinx-feature-classification:
|
|
#
|
|
# https://docs.openstack.org/sphinx-feature-classification/latest/
|
|
|
|
[driver.fernet]
|
|
title=Fernet tokens
|
|
|
|
[driver.jws]
|
|
title=JWS tokens
|
|
|
|
[operation.create_unscoped_token]
|
|
title=Create unscoped token
|
|
status=mandatory
|
|
notes=All token providers must be capable of issuing tokens without an explicit
|
|
scope of authorization.
|
|
cli=openstack --os-username=<username> --os-user-domain-name=<domain>
|
|
--os-password=<password> token issue
|
|
driver.fernet=complete
|
|
driver.jws=complete
|
|
|
|
[operation.create_system_token]
|
|
title=Create system-scoped token
|
|
status=mandatory
|
|
notes=All token providers must be capable of issuing system-scoped tokens.
|
|
cli=openstack --os-username=<username> --os-user-domain-name=<domain>
|
|
--os-system-scope all token issue
|
|
driver.fernet=complete
|
|
driver.jws=complete
|
|
|
|
[operation.create_project_scoped_token]
|
|
title=Create project-scoped token
|
|
status=mandatory
|
|
notes=All token providers must be capable of issuing project-scoped tokens.
|
|
cli=openstack --os-username=<username> --os-user-domain-name=<domain>
|
|
--os-password=<password> --os-project-name=<project>
|
|
--os-project-domain-name=<domain> token issue
|
|
driver.fernet=complete
|
|
driver.jws=complete
|
|
|
|
[operation.create_domain_scoped_token]
|
|
title=Create domain-scoped token
|
|
status=optional
|
|
notes=Domain-scoped tokens are not required for all use cases, and for some use
|
|
cases, projects can be used instead.
|
|
cli=openstack --os-username=<username> --os-user-domain-name=<domain>
|
|
--os-password=<password> --os-domain-name=<domain> token issue
|
|
driver.fernet=complete
|
|
driver.jws=complete
|
|
|
|
[operation.create_trust_scoped_token]
|
|
title=Create trust-scoped token
|
|
status=optional
|
|
notes=Tokens scoped to a trust convey only the user impersonation and
|
|
project-based authorization attributes included in the delegation.
|
|
cli=openstack --os-username=<username> --os-user-domain-name=<domain>
|
|
--os-password=<password> --os-trust-id=<trust> token issue
|
|
driver.fernet=complete
|
|
driver.jws=complete
|
|
|
|
[operation.create_token_using_oauth]
|
|
title=Create a token given an OAuth access token
|
|
status=optional
|
|
notes=OAuth access tokens can be exchanged for keystone tokens.
|
|
cli=
|
|
driver.fernet=complete
|
|
driver.jws=complete
|
|
|
|
[operation.revoke_token]
|
|
title=Revoke a token
|
|
status=optional
|
|
notes=Tokens may be individually revoked, such as when a user logs out of
|
|
Horizon. Under certain circumstances, it's acceptable for more than just a
|
|
single token may be revoked as a result of this operation (such as when the
|
|
revoked token was previously used to create additional tokens).
|
|
cli=openstack token revoke
|
|
driver.fernet=complete
|
|
driver.jws=complete
|
|
|
|
[feature.online_validation]
|
|
title=Online validation
|
|
status=mandatory
|
|
notes=Keystone must be able to validate the tokens that it issues when
|
|
presented with a token that it previously issued.
|
|
cli=
|
|
driver.fernet=complete
|
|
driver.jws=complete
|
|
|
|
[feature.offline_validation]
|
|
title=Offline validation
|
|
status=optional
|
|
notes=Services using Keystone for authentication may want to validate tokens
|
|
themselves, rather than calling back to keystone, in order to improve
|
|
performance and scalability.
|
|
cli=
|
|
driver.fernet=missing
|
|
driver.jws=missing
|
|
|
|
[feature.non_persistent]
|
|
title=Non-persistent
|
|
status=optional
|
|
notes=If a token format does not require persistence (such as to a SQL
|
|
backend), then there is no scalability limit to the number of tokens that
|
|
keystone can issue at once, and there is no need to perform clean up
|
|
operations such as `keystone-manage token_flush`.
|
|
cli=
|
|
driver.fernet=complete
|
|
driver.jws=complete
|