openstack-manuals/doc/common/tables/keystone-tokenless.xml

<?xml version='1.0' encoding='UTF-8'?>
<para xmlns="http://docbook.org/ns/docbook" version="5.0">
  <!-- Warning: Do not edit this file. It is automatically
     generated and your changes will be overwritten.
     The tool to do so lives in openstack-doc-tools repository. -->
  <table rules="all" xml:id="config_table_keystone_tokenless">
    <caption>Description of Tokenless Authorization configuration options</caption>
    <col width="50%"/>
    <col width="50%"/>
    <thead>
      <tr>
        <th>Configuration option = Default value</th>
        <th>Description</th>
      </tr>
    </thead>
    <tbody>
      <tr>
        <th colspan="2">[tokenless_auth]</th>
      </tr>
      <tr>
        <td><option>issuer_attribute</option> = <replaceable>SSL_CLIENT_I_DN</replaceable></td>
        <td>(StrOpt) The issuer attribute that is served as an IdP ID for the X.509 tokenless authorization along with the protocol to look up its corresponding mapping. It is the environment variable in the WSGI environment that references to the issuer of the client certificate.</td>
      </tr>
      <tr>
        <td><option>protocol</option> = <replaceable>x509</replaceable></td>
        <td>(StrOpt) The protocol name for the X.509 tokenless authorization along with the option issuer_attribute below can look up its corresponding mapping.</td>
      </tr>
      <tr>
        <td><option>trusted_issuer</option> = <replaceable>[]</replaceable></td>
        <td>(MultiStrOpt) The list of trusted issuers to further filter the certificates that are allowed to participate in the X.509 tokenless authorization. If the option is absent then no certificates will be allowed. The naming format for the attributes of a Distinguished Name(DN) must be separated by a comma and contain no spaces. This configuration option may be repeated for multiple values. For example: trusted_issuer=CN=john,OU=keystone,O=openstack trusted_issuer=CN=mary,OU=eng,O=abc</td>
      </tr>
    </tbody>
  </table>
</para>