author | Jamie Lennox <jlennox@redhat.com> | 2013-06-17 04:22:06 +0000 |
---|---|---|
committer | Jamie Lennox <jamielennox@gmail.com> | 2013-07-17 15:37:14 +1000 |
commit | 2667c772a30c16ca147f8e38143b59ac53ec5b0c (patch) | |
tree | a0765296b56be440847fa856382f79eed216714f /etc | |
parent | 53a03b53e7541367c07df6d4f6739173330f5353 (diff) | |
Implement Token Binding.
Brings token binding to keystone server. There are a number of places
where the location or hardcoding of binding checks are not optimal
however fixing them will require having a proper authentication plugin
scheme so just assume that they will be moved when that happens.
DocImpact
Implements: blueprint authentication-tied-to-token
Change-Id: Ib34e5e0b6bd83837f6addbd45d4c5b828ce2f3bd
Diffstat (limited to 'etc')
-rw-r--r-- | etc/keystone.conf.sample | 9 |
1 files changed, 9 insertions, 0 deletions
diff --git a/etc/keystone.conf.sample b/etc/keystone.conf.sample index 7fa232f0..43884951 100644 --- a/etc/keystone.conf.sample +++ b/etc/keystone.conf.sample @@ -133,6 +133,15 @@ # Amount of time a token should remain valid (in seconds) # expiration = 86400 +# External auth mechanisms that should add bind information to token. +# eg kerberos, x509 +# bind = + +# Enforcement policy on tokens presented to keystone with bind information. +# One of disabled, permissive, strict, required or a specifically required bind +# mode e.g. kerberos or x509 to require binding to that authentication. +# enforce_token_bind = permissive + [policy] # driver = keystone.policy.backends.sql.Policy |
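Review bot: The `enforce_token_bind` comment lists `disabled, permissive, strict, required` without saying what each mode does, so an operator reading the sample cannot tell how the commented default `permissive` differs from `strict` or `required`; a one-line description per mode in this comment would make the choice reviewable. The `bind` comment should also state the value format (the example `kerberos, x509` suggests a comma-separated list, but does not say so) and what leaving it empty means for issued tokens. Minor style point: "eg" in the `bind` comment should match the "e.g." used in the `enforce_token_bind` comment.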