Merge "Remove deprecated "bind" in token"
commit
649e058e3c
|
@ -1,67 +0,0 @@
|
|||
============================================
|
||||
Configure Identity service for token binding
|
||||
============================================
|
||||
|
||||
Token binding embeds information from an external authentication
|
||||
mechanism, such as a Kerberos server or X.509 certificate, inside a
|
||||
token. By using token binding, a client can enforce the use of a
|
||||
specified external authentication mechanism with the token. This
|
||||
additional security mechanism ensures that if a token is stolen, for
|
||||
example, it is not usable without external authentication.
|
||||
|
||||
You configure the authentication types for a token binding in the
|
||||
``/etc/keystone/keystone.conf`` file:
|
||||
|
||||
.. code-block:: ini
|
||||
|
||||
[token]
|
||||
bind = kerberos
|
||||
|
||||
or
|
||||
|
||||
.. code-block:: ini
|
||||
|
||||
[token]
|
||||
bind = x509
|
||||
|
||||
Currently ``kerberos`` and ``x509`` are supported.
|
||||
|
||||
To enforce checking of token binding, set the ``enforce_token_bind``
|
||||
option to one of these modes:
|
||||
|
||||
- ``disabled``
|
||||
Disables token bind checking.
|
||||
|
||||
- ``permissive``
|
||||
Enables bind checking. If a token is bound to an unknown
|
||||
authentication mechanism, the server ignores it. The default is this
|
||||
mode.
|
||||
|
||||
- ``strict``
|
||||
Enables bind checking. If a token is bound to an unknown
|
||||
authentication mechanism, the server rejects it.
|
||||
|
||||
- ``required``
|
||||
Enables bind checking. Requires use of at least authentication
|
||||
mechanism for tokens.
|
||||
|
||||
- ``kerberos``
|
||||
Enables bind checking. Requires use of kerberos as the authentication
|
||||
mechanism for tokens:
|
||||
|
||||
.. code-block:: ini
|
||||
|
||||
[token]
|
||||
enforce_token_bind = kerberos
|
||||
|
||||
- ``x509``
|
||||
Enables bind checking. Requires use of X.509 as the authentication
|
||||
mechanism for tokens:
|
||||
|
||||
.. code-block:: ini
|
||||
|
||||
[token]
|
||||
enforce_token_bind = x509
|
||||
|
||||
*Do not* set ``enforce_token_bind = named`` as there is not an authentication
|
||||
mechanism called ``named``.
|
|
@ -25,7 +25,6 @@ command-line client.
|
|||
identity-integrate-with-ldap.rst
|
||||
identity-upgrading.rst
|
||||
identity-tokens.rst
|
||||
identity-token-binding.rst
|
||||
identity-fernet-token-faq.rst
|
||||
identity-use-trusts.rst
|
||||
identity-caching-layer.rst
|
||||
|
|
|
@ -108,14 +108,6 @@ notes=OAuth access tokens can be exchanged for keystone tokens.
|
|||
cli=
|
||||
driver-impl-fernet=complete
|
||||
|
||||
[operation.create_token_with_bind]
|
||||
title=Create a token with a bind attribute
|
||||
status=optional
|
||||
notes=Tokens can express a binding to an additional authentication method, such
|
||||
as kerberos or x509.
|
||||
cli=
|
||||
driver-impl-fernet=missing
|
||||
|
||||
[operation.revoke_token]
|
||||
title=Revoke a token
|
||||
status=optional
|
||||
|
|
|
@ -17,20 +17,6 @@ from oslo_log import versionutils
|
|||
|
||||
from keystone.conf import utils
|
||||
|
||||
bind = cfg.ListOpt(
|
||||
'bind',
|
||||
default=[],
|
||||
deprecated_since=versionutils.deprecated.PIKE,
|
||||
deprecated_for_removal=True,
|
||||
help=utils.fmt("""
|
||||
This is a list of external authentication mechanisms which should add token
|
||||
binding metadata to tokens, such as `kerberos` or `x509`. Note that this option
|
||||
is deprecated as keystone no longer supports binding metadata to tokens
|
||||
directly. This option is silently ignored and will be removed in the future.
|
||||
This option no longer has any impact on the behavior of tokens and can be
|
||||
removed.
|
||||
"""))
|
||||
|
||||
expiration = cfg.IntOpt(
|
||||
'expiration',
|
||||
default=3600,
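Review bot: Deleting the `bind` option may leave the `from oslo_log import versionutils` import shown in the hunk header without a user in this module, since `bind` was the option carrying `deprecated_since=versionutils.deprecated.PIKE`; if no other option in the file references `versionutils`, the import should be dropped in the same change so the linter does not flag it. The hunk also does not show whether this module collects its options into a module-level list for registration, as the surrounding `cfg.*Opt` definitions suggest; if such a list still names `bind`, the module fails at import time, so it is worth confirming that reference was removed too. Both the import block and any such list lie outside this hunk.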
|
||||
|
|
|
@ -69,16 +69,6 @@ class RestfulTestCase(unit.SQLDriverOverrides, rest.RestfulTestCase,
|
|||
'minItems': 1,
|
||||
'maxItems': 2,
|
||||
},
|
||||
'bind': {
|
||||
'type': 'object',
|
||||
'properties': {
|
||||
'kerberos': {
|
||||
'type': 'string',
|
||||
},
|
||||
},
|
||||
'required': ['kerberos'],
|
||||
'additionalProperties': False,
|
||||
},
|
||||
'expires_at': {
|
||||
'type': 'string',
|
||||
'pattern': unit.TIME_FORMAT_REGEX,
|
||||
|
@ -172,7 +162,7 @@ class RestfulTestCase(unit.SQLDriverOverrides, rest.RestfulTestCase,
|
|||
'properties': properties,
|
||||
'required': ['audit_ids', 'expires_at', 'issued_at', 'methods',
|
||||
'user'],
|
||||
'optional': ['bind'],
|
||||
'optional': [],
|
||||
'additionalProperties': False
|
||||
}
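Review bot: The changed line leaves an empty `'optional': []` in the schema once `bind` is gone; as far as I can tell `optional` is not a JSON Schema validation keyword, so the entry only documented intent, and an empty one documents nothing — dropping the key and ending the dict with `'required': [...], 'additionalProperties': False` reads cleaner. With `bind` also removed from `properties` in this file's earlier hunk, `'additionalProperties': False` now makes the test reject any token payload that still carries a `bind` field, which is the right regression guard for this removal and worth a one-line comment near `'additionalProperties': False` so the next maintainer does not reintroduce the key as "optional". The enclosing schema definition and `RestfulTestCase` class start outside the hunk.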
|
||||
|
||||
|
|
|
@ -6,4 +6,7 @@ other:
|
|||
deprecated in Queens and only used for V2 are removed now.
|
||||
- >
|
||||
[`blueprint removed-as-of-stein <https://blueprints.launchpad.net/keystone/+spec/removed-as-of-stein>`_]
|
||||
The deprecated token_flush is removed now.
|
||||
The deprecated token_flush is removed now.
|
||||
- >
|
||||
[`blueprint removed-as-of-stein <https://blueprints.launchpad.net/keystone/+spec/removed-as-of-stein>`_]
|
||||
The deprecated config option `bind` is removed now.
|