author | Jamie Lennox <jlennox@redhat.com> | 2013-06-17 04:22:06 +0000 |
---|---|---|
committer | Jamie Lennox <jamielennox@gmail.com> | 2013-07-17 15:37:14 +1000 |
commit | 2667c772a30c16ca147f8e38143b59ac53ec5b0c (patch) | |
tree | a0765296b56be440847fa856382f79eed216714f /doc | |
parent | 53a03b53e7541367c07df6d4f6739173330f5353 (diff) | |
Implement Token Binding.
Brings token binding to keystone server. There are a number of places
where the location or hardcoding of binding checks is not optimal;
however, fixing them will require having a proper authentication plugin
scheme, so just assume that they will be moved when that happens.
DocImpact
Implements: blueprint authentication-tied-to-token
Change-Id: Ib34e5e0b6bd83837f6addbd45d4c5b828ce2f3bd
Diffstat (limited to 'doc')
-rw-r--r-- | doc/source/configuration.rst | 38 |
1 files changed, 38 insertions, 0 deletions
diff --git a/doc/source/configuration.rst b/doc/source/configuration.rst index c4db1be2..c13da952 100644 --- a/doc/source/configuration.rst +++ b/doc/source/configuration.rst @@ -506,6 +506,44 @@ default, but can be enabled by including the following in ``keystone.conf``. enabled = True +Token Binding +------------- + +Token binding refers to the practice of embedding information from external +authentication providers (like a company's Kerberos server) inside the token +such that a client may enforce that the token only be used in conjunction with +that specified authentication. This is an additional security mechanism as it +means that if a token is stolen it will not be usable without also providing the +external authentication. + +To activate token binding you must specify the types of authentication that +token binding should be used for in ``keystone.conf`` e.g.:: + + [token] + bind = kerberos + +Currently only ``kerberos`` is supported. + +To enforce checking of token binding the ``enforce_token_bind`` parameter +should be set to one of the following modes: + +* ``disabled`` disable token bind checking +* ``permissive`` enable bind checking, if a token is bound to a mechanism that + is unknown to the server then ignore it. This is the default. +* ``strict`` enable bind checking, if a token is bound to a mechanism that is + unknown to the server then this token should be rejected. +* ``required`` enable bind checking and require that at least 1 bind mechanism + is used for tokens. +* named enable bind checking and require that the specified authentication + mechanism is used. e.g.:: + + [token] + enforce_token_bind = kerberos + + *Do not* set ``enforce_token_bind = named`` as there is not an authentication + mechanism called ``named``. + + Sample Configuration Files -------------------------- |
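Review bot: In the list of ``enforce_token_bind`` modes, ``named`` is the only entry not set in double backticks, yet the note two lines later has to explain that there is no mechanism literally called ``named``; rendering it as a placeholder such as ``<mechanism name>`` (or "the name of a bind mechanism") instead of a fifth literal value would remove the need for that caveat and keep the bullet style consistent with ``disabled``/``permissive``/``strict``/``required``. Two smaller points in the same hunk: "at least 1 bind mechanism" should read "at least one bind mechanism", and because ``permissive`` is documented as the default and ignores tokens bound to an unknown mechanism, the section would be clearer if it stated outright that a deployment wanting binding to actually be enforced must set ``strict``, ``required`` or a specific mechanism name such as ``kerberos``.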