small changes to section_keystone-token-binding file
changed such to so changed some wording around sentence added , removed the added mode Change-Id: I175ee91bcb67f03e6068d0df7f0924134b1b2816
This commit is contained in:
parent
25c95b418b
commit
f006188e70
@ -3,54 +3,55 @@
|
||||
xmlns:xi="http://www.w3.org/2001/XInclude"
|
||||
xmlns:xlink="http://www.w3.org/1999/xlink" version="5.0"
|
||||
xml:id="keystone-token-binding">
|
||||
<title>Configure the Identity Service for token binding</title>
|
||||
<para>Token binding refers to the practice of embedding
|
||||
information from external authentication providers (like a
|
||||
company's Kerberos server) inside the token such that a client may
|
||||
enforce that the token only be used in conjunction with that
|
||||
specified authentication. This is an additional security mechanism
|
||||
as it means that if a token is stolen it will not be usable
|
||||
without also providing the external authentication.</para>
|
||||
<para>To activate token binding you must specify the types of
|
||||
authentication that token binding should be used for in
|
||||
<filename>keystone.conf</filename>:
|
||||
<title>Configure Identity service for token binding</title>
|
||||
<para>Token binding embeds information from an external
|
||||
authentication mechanism, such as a Kerberos server, inside a
|
||||
token. By using token binding, a client can enforce the use of a
|
||||
specified external authentication mechanism with the token. This
|
||||
additional security mechanism ensures that if a token is stolen,
|
||||
for example, it is not usable without external
|
||||
authentication.</para>
|
||||
<para>You configure the authentication types for a token binding in
|
||||
the <filename>keystone.conf</filename> file:</para>
|
||||
<programlisting language="ini">[token]
|
||||
bind = kerberos</programlisting>
|
||||
Currently only <literal>kerberos</literal> is supported.</para>
|
||||
<para>
|
||||
To enforce checking of token binding the <literal>enforce_token_bind</literal>
|
||||
parameter should be set to one of the following modes:
|
||||
bind = kerberos</programlisting>
|
||||
<para>Currently only <literal>kerberos</literal> is
|
||||
supported.</para>
|
||||
<para>To enforce checking of token binding, set the
|
||||
<option>enforce_token_bind</option> option to one of these
|
||||
modes:</para>
|
||||
<itemizedlist>
|
||||
<listitem>
|
||||
<para><literal>disabled</literal> disable token bind
|
||||
checking</para>
|
||||
<para><literal>disabled</literal></para>
|
||||
<para>Disables token bind checking.</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para><literal>permissive</literal> enable bind checking, if
|
||||
a token is bound to a mechanism that is unknown to the server
|
||||
then ignore it. This is the default.</para>
|
||||
<para><literal>permissive</literal></para>
|
||||
<para>Enables bind checking. If a token is bound to an unknown
|
||||
authentication mechanism, the server ignores it. The default
|
||||
is this mode.</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para><literal>strict</literal> enable bind checking, if a
|
||||
token is bound to a mechanism that is unknown to the server
|
||||
then this token should be rejected.</para>
|
||||
<para><literal>strict</literal></para>
|
||||
<para>Enables bind checking. If a token is bound to an unknown
|
||||
authentication mechanism, the server rejects it.</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para><literal>required</literal> enable bind checking and
|
||||
require that at least 1 bind mechanism is used for
|
||||
tokens.</para>
|
||||
<para><literal>required</literal></para>
|
||||
<para>Enables bind checking. Requires use of at least
|
||||
authentication mechanism for tokens.</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para><literal>named</literal> enable bind checking and
|
||||
require that the specified authentication mechanism is used:
|
||||
<programlisting language="ini">[token]
|
||||
enforce_token_bind = kerberos</programlisting>
|
||||
</para>
|
||||
<para><literal>named</literal></para>
|
||||
<para>Enables bind checking. Requires use of the specified
|
||||
authentication mechanism for tokens:</para>
|
||||
<programlisting language="ini">[token]
|
||||
enforce_token_bind = kerberos</programlisting>
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
<note><para>Do not set <literal>enforce_token_bind =
|
||||
named</literal> as there is not an authentication mechanism
|
||||
called <literal>named</literal>.</para>
|
||||
<note>
|
||||
<para>Do not set <literal>enforce_token_bind = named</literal>.
|
||||
The <literal>named</literal> authentication mechanism does not
|
||||
exist.</para>
|
||||
</note>
|
||||
</para>
|
||||
</section>
|
||||
|
Loading…
Reference in New Issue
Block a user