From c238ace30981877e5991874c5b193ea7d5107419 Mon Sep 17 00:00:00 2001 From: Guang Yee Date: Thu, 20 Jun 2013 10:06:17 -0700 Subject: Implements Pluggable V3 Token Provider Abstract V3 token provider backend to make token provider pluggable. It enables deployers to customize token management to add their own capabilities. Token provider is responsible for issuing, checking, validating, and revoking tokens. Note the distinction between token 'driver' and 'provider'. Token 'driver' simply provides token persistence. It does not issue or interpret tokens. Token provider is specified by the 'provider' property in the '[token]' section of the Keystone configuration file. Partially implemented blueprint pluggable-token-format. This patch also fixes bug 1186061. Change-Id: I755fb850765ea99e5237626a2e645e6ceb42a9d3 --- doc/source/configuration.rst | 26 ++++++++++++++++++++++++-- 1 file changed, 24 insertions(+), 2 deletions(-) (limited to 'doc') diff --git a/doc/source/configuration.rst b/doc/source/configuration.rst index 03fa1d63..daa0896f 100644 --- a/doc/source/configuration.rst +++ b/doc/source/configuration.rst @@ -74,7 +74,7 @@ following sections: * ``[s3]`` - Amazon S3 authentication driver configuration. * ``[identity]`` - identity system driver configuration * ``[catalog]`` - service catalog driver configuration -* ``[token]`` - token driver configuration +* ``[token]`` - token driver & token provider configuration * ``[policy]`` - policy system driver configuration for RBAC * ``[signing]`` - cryptographic signatures for PKI based tokens * ``[ssl]`` - SSL configuration @@ -148,6 +148,26 @@ invoked, all plugins must succeed in order to for the entire authentication to be successful. Furthermore, all the plugins invoked must agree on the ``user_id`` in the ``auth_context``. +Token Provider +-------------- + +Keystone supports customizable token provider and it is specified in the +``[token]`` section of the configuration file. Keystone provides both UUID and +PKI token providers, with PKI token provider enabled as default. However, users +may register their own token provider by configuring the following property. + +* ``provider`` - token provider driver. Defaults to + ``keystone.token.providers.pki.Provider`` + +Note that ``token_format`` in the ``[signing]`` section is deprecated but still +being supported for backward compatibility. Therefore, if ``provider`` is set +to ``keystone.token.providers.pki.Provider``, ``token_format`` must be ``PKI``. +Conversely, if ``provider`` is ``keystone.token.providers.uuid.Provider``, +``token_format`` must be ``UUID``. + +For a customized provider, ``token_format`` must not set to ``PKI`` or +``UUID``. + Certificates for PKI -------------------- @@ -163,7 +183,9 @@ private key should only be readable by the system user that will run Keystone. The values that specify where to read the certificates are under the ``[signing]`` section of the configuration file. The configuration values are: -* ``token_format`` - Determines the algorithm used to generate tokens. Can be either ``UUID`` or ``PKI``. Defaults to ``PKI`` +* ``token_format`` - Determines the algorithm used to generate tokens. Can be + either ``UUID`` or ``PKI``. Defaults to ``PKI``. This option must be used in + conjunction with ``provider`` configuration in the ``[token]`` section. * ``certfile`` - Location of certificate used to verify tokens. Default is ``/etc/keystone/ssl/certs/signing_cert.pem`` * ``keyfile`` - Location of private key used to sign tokens. Default is ``/etc/keystone/ssl/private/signing_key.pem`` * ``ca_certs`` - Location of certificate for the authority that issued the above certificate. Default is ``/etc/keystone/ssl/certs/ca.pem`` -- cgit