Add section on Keystone Token Binding

Havana added this feature, here are the docs. Change-Id: I9c8c785f3eed91cc688f49e7dda7228cc1ff5216 Closes-Bug: 1196775
2013-12-20 11:32:45 +08:00 · 2013-12-20 11:32:45 +08:00 · 9d93c4f71f
commit 9d93c4f71f
parent b339aac910
2 changed files with 45 additions and 0 deletions
--- a/doc/config-reference/ch_identityconfigure.xml
+++ b/doc/config-reference/ch_identityconfigure.xml
@ -15,5 +15,6 @@
    <xi:include href="../common/section_keystone-ssl-config.xml"/>
    <xi:include href="../common/section_keystone-external-auth.xml"/>
    <xi:include href="../common/section_config_keystone_ldap.xml"/>
+    <xi:include href="identity/section_keystone-token-binding.xml"/>
    <xi:include href="../common/section_keystone-sample-conf-files.xml"/>
 </chapter>
--- a/doc/config-reference/identity/section_keystone-token-binding.xml
+++ b/doc/config-reference/identity/section_keystone-token-binding.xml
@ -0,0 +1,44 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<section xmlns="http://docbook.org/ns/docbook"
+    xmlns:xi="http://www.w3.org/2001/XInclude"
+    xmlns:xlink="http://www.w3.org/1999/xlink" version="5.0"
+    xml:id="keystone-token-binding">
+    <title>Configure the Identity Service for token binding</title>
+    <para>Token binding refers to the practice of embedding
+    information from external authentication providers (like a
+    company's Kerberos server) inside the token such that a client may
+    enforce that the token only be used in conjunction with that
+    specified authentication. This is an additional security mechanism
+    as it means that if a token is stolen it will not be usable
+    without also providing the external authentication. </para>
+  <para> To activate token binding you must specify the types of
+    authentication that token binding should be used for in
+      <filename>keystone.conf</filename>:
+    <programlisting language="ini">[token]
+    bind = kerberos</programlisting>
+    Currently only <literal>kerberos</literal> is supported.</para>
+   <para>
+To enforce checking of token binding the <literal>enforce_token_bind</literal> parameter
+should be set to one of the following modes:
+<itemizedlist>
+<listitem><para><literal>disabled</literal> disable token bind checking</para>
+</listitem>
+<listitem><para><literal>permissive</literal> enable bind checking, if a token is bound to a mechanism that
+  is unknown to the server then ignore it. This is the default.</para>
+</listitem>
+<listitem><para><literal>strict</literal> enable bind checking, if a token is bound to a mechanism that is
+  unknown to the server then this token should be rejected.</para>
+</listitem>
+<listitem><para><literal>required</literal> enable bind checking and require that at least 1 bind mechanism
+  is used for tokens.</para>
+</listitem>
+<listitem><para><literal>named</literal> enable bind checking and require that the specified authentication
+  mechanism is used:
+<programlisting language="ini">[token]
+    enforce_token_bind = kerberos</programlisting></para>
+</listitem>
+</itemizedlist>
+  <note><para>Do not set <literal>enforce_token_bind = named</literal> as there is not an authentication
+  mechanism called <literal>named</literal>.</para></note>
+</para>
+</section>