openstack/openstack-manuals
Code Issues Proposed changes
Files
d276b64d46c416c5ed1a10e893f68bac0d271805
openstack-manuals/doc/config-reference/source/tables/keystone-tokenless.rst
Gauvain Pocentek 0806ec8ea4 [config-ref] Update keystone tables 
Change-Id: Id5bb093eb05a38aa0bd4cd11f2c08de9a5f64c46
2017-04-29 17:11:46 +02:00

27 lines
2.0 KiB
ReStructuredText
Raw Blame History

..
Warning: Do not edit this file. It is automatically generated from the
software project's code and your changes will be overwritten.
The tool to generate this file lives in openstack-doc-tools repository.
Please make any changes needed in the code, then run the
autogenerate-config-doc tool from the openstack-doc-tools repository, or
ask for help on the documentation mailing list, IRC channel or meeting.
.. _keystone-tokenless:
.. list-table:: Description of Tokenless Authorization configuration options
:header-rows: 1
:class: config-ref-table
* - Configuration option = Default value
- Description
* - **[tokenless_auth]**
-
* - ``trusted_issuer`` = ``[]``
- (Multi-valued) The list of distinguished names which identify trusted issuers of client certificates allowed to use X.509 tokenless authorization. If the option is absent then no certificates will be allowed. The format for the values of a distinguished name (DN) must be separated by a comma and contain no spaces. Furthermore, because an individual DN may contain commas, this configuration option may be repeated multiple times to represent multiple values. For example, keystone.conf would include two consecutive lines in order to trust two different DNs, such as `trusted_issuer = CN=john,OU=keystone,O=openstack` and `trusted_issuer = CN=mary,OU=eng,O=abc`.
* - ``protocol`` = ``x509``
- (String) The federated protocol ID used to represent X.509 tokenless authorization. This is used in combination with the value of `[tokenless_auth] issuer_attribute` to find a corresponding federated mapping. In a typical deployment, there is no reason to change this value.
* - ``issuer_attribute`` = ``SSL_CLIENT_I_DN``
- (String) The name of the WSGI environment variable used to pass the issuer of the client certificate to keystone. This attribute is used as an identity provider ID for the X.509 tokenless authorization along with the protocol to look up its corresponding mapping. In a typical deployment, there is no reason to change this value.
View Git Blame Copy Permalink