| Field | Value | Date |
|---|---|---|
| author | Jenkins <jenkins@review.openstack.org> | 2013-07-15 17:03:50 +0000 |
| committer | Gerrit Code Review <review@openstack.org> | 2013-07-15 17:03:50 +0000 |
| commit | dec66cd5a716653d25ea8a79827695424d15862d | |
| tree | 7a872919f5076ece1472b18982e4f17f28545c32 /doc | |
| parent | df63b9c71f2aa5ba727d10f00d4a4b3538d6fcff | |
| parent | c238ace30981877e5991874c5b193ea7d5107419 | |
Merge "Implements Pluggable V3 Token Provider"
Diffstat (limited to 'doc')

| Mode | File | Lines |
|---|---|---|
| -rw-r--r-- | doc/source/configuration.rst | 26 |

1 file changed, 24 insertions, 2 deletions
diff --git a/doc/source/configuration.rst b/doc/source/configuration.rst index 03fa1d63..daa0896f 100644 --- a/doc/source/configuration.rst +++ b/doc/source/configuration.rst @@ -74,7 +74,7 @@ following sections: * ``[s3]`` - Amazon S3 authentication driver configuration. * ``[identity]`` - identity system driver configuration * ``[catalog]`` - service catalog driver configuration -* ``[token]`` - token driver configuration +* ``[token]`` - token driver & token provider configuration * ``[policy]`` - policy system driver configuration for RBAC * ``[signing]`` - cryptographic signatures for PKI based tokens * ``[ssl]`` - SSL configuration @@ -148,6 +148,26 @@ invoked, all plugins must succeed in order to for the entire authentication to be successful. Furthermore, all the plugins invoked must agree on the ``user_id`` in the ``auth_context``. +Token Provider +-------------- + +Keystone supports customizable token provider and it is specified in the +``[token]`` section of the configuration file. Keystone provides both UUID and +PKI token providers, with PKI token provider enabled as default. However, users +may register their own token provider by configuring the following property. + +* ``provider`` - token provider driver. Defaults to + ``keystone.token.providers.pki.Provider`` + +Note that ``token_format`` in the ``[signing]`` section is deprecated but still +being supported for backward compatibility. Therefore, if ``provider`` is set +to ``keystone.token.providers.pki.Provider``, ``token_format`` must be ``PKI``. +Conversely, if ``provider`` is ``keystone.token.providers.uuid.Provider``, +``token_format`` must be ``UUID``. + +For a customized provider, ``token_format`` must not set to ``PKI`` or +``UUID``. + Certificates for PKI -------------------- 
@@ -163,7 +183,9 @@ private key should only be readable by the system user that will run Keystone. The values that specify where to read the certificates are under the ``[signing]`` section of the configuration file. The configuration values are: -* ``token_format`` - Determines the algorithm used to generate tokens. Can be either ``UUID`` or ``PKI``. Defaults to ``PKI`` +* ``token_format`` - Determines the algorithm used to generate tokens. Can be + either ``UUID`` or ``PKI``. Defaults to ``PKI``. This option must be used in + conjunction with ``provider`` configuration in the ``[token]`` section. * ``certfile`` - Location of certificate used to verify tokens. Default is ``/etc/keystone/ssl/certs/signing_cert.pem`` * ``keyfile`` - Location of private key used to sign tokens. Default is ``/etc/keystone/ssl/private/signing_key.pem`` * ``ca_certs`` - Location of certificate for the authority that issued the above certificate. Default is ``/etc/keystone/ssl/certs/ca.pem`` |
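Review bot: in the `@@ -74,7 +74,7 @@` hunk the new bullet `* ``[token]`` - token driver & token provider configuration` is the only item in this list that uses an ampersand; the neighbouring bullets spell the conjunction out, so write `token driver and token provider configuration` to keep the list consistent.

Review bot: in the `@@ -148,6 +148,26 @@` hunk the new Token Provider section says `token_format` in `[signing]` must match `provider` in `[token]` but never states what Keystone does when they disagree (refuse to start, log a warning, or silently prefer one of them), which is exactly what an operator migrating from `token_format` to `provider` needs to know; please document the mismatch behaviour. The last sentence, `For a customized provider, ``token_format`` must not set to ``PKI`` or ``UUID``.`, also leaves open whether `token_format` must be left unset for a custom provider or may hold some other value; say which, and fix the grammar to `must not be set to`. Smaller wording points: `Keystone supports customizable token provider and it is specified in the ``[token]`` section` reads better as `Keystone supports a customizable token provider, which is specified in the ``[token]`` section`, and `configuring the following property` describes a single config option, so `option` fits the rest of the file better than `property`.

Review bot: in the `@@ -163,7 +183,9 @@` hunk the added sentence `This option must be used in conjunction with ``provider`` configuration in the ``[token]`` section.` contradicts the new Token Provider section above it, which calls `token_format` deprecated and kept only for backward compatibility; a deprecated option should not be described as something that "must be used". Suggest rewording the bullet to say that `token_format` is deprecated in favour of `provider` in the `[token]` section and that, if it is still set, it must agree with `provider`. Minor: this bullet is now wrapped at 80 columns while the `certfile`, `keyfile` and `ca_certs` bullets in the same list remain on single long lines; either wrap them all or leave this one unwrapped.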
