Refresh the admin_token doc
The AdminTokenAuthMiddleware is removed already. Remove the related doc and config help message to avoid being misleading.
Change-Id: I87f41b26776b351087f0bd89ba8f1a3cb3d4a062
This commit is contained in:
parent
0ff1414609
commit
c22b9e97cc
|
@ -102,7 +102,8 @@ Using a shared secret
|
||||||
``keystone-manage bootstrap`` command and not the ``ADMIN_TOKEN``. The
|
``keystone-manage bootstrap`` command and not the ``ADMIN_TOKEN``. The
|
||||||
``ADMIN_TOKEN`` can leave your deployment vulnerable by exposing
|
``ADMIN_TOKEN`` can leave your deployment vulnerable by exposing
|
||||||
administrator functionality through the API based solely on a single
|
administrator functionality through the API based solely on a single
|
||||||
secret.
|
secret. You shouldn't have to use ``ADMIN_TOKEN`` at all, unless you have
|
||||||
|
some special case bootstrapping requirements.
|
||||||
|
|
||||||
|
|
||||||
Before you can use the identity API, you need to configure keystone with a
|
Before you can use the identity API, you need to configure keystone with a
|
||||||
|
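Review bot: the sentence added after "secret." ("You shouldn't have to use ``ADMIN_TOKEN`` at all, unless you have some special case bootstrapping requirements") is vague about when the exception applies; hyphenate "special-case", drop the contraction ("You should not need to use"), and tie the exception back to the sentence just above so the reader knows that ``keystone-manage bootstrap`` is the supported path and ``ADMIN_TOKEN`` is only for cases that command cannot cover.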
@ -120,7 +121,5 @@ keystone that bootstrap the rest of the deployment. You must create a project,
|
||||||
user, and role in order to use normal user authentication through the API.
|
user, and role in order to use normal user authentication through the API.
|
||||||
|
|
||||||
The ``admin_token`` does not represent a user or explicit authorization of any
|
The ``admin_token`` does not represent a user or explicit authorization of any
|
||||||
kind. It is imperative that you disable the ``AdminTokenAuthMiddleware`` from
|
kind. After bootstrapping, failure to remove this functionality exposes an
|
||||||
your paste application pipelines after bootstrapping, especially in production
|
additional attack vector and security risk.
|
||||||
deployments. Failure to remove this functionality exposes an additional attack
|
|
||||||
vector and security risk.
|
|
||||||
|
|
|
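Review bot: "failure to remove this functionality" in the rewritten last sentence no longer has a referent, because the clause about disabling ``AdminTokenAuthMiddleware`` in the paste pipelines was deleted and nothing replaces it; the operator is told something must be removed but not what. Suggest naming the concrete action that now applies, for example "After bootstrapping, unset ``admin_token`` in ``keystone.conf``; leaving it set exposes an additional attack vector and security risk." (the config help text in this same change documents that a value of `None` disables it).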
@ -41,10 +41,6 @@ that can be used to bootstrap Keystone through the API. This "token" does not
|
||||||
represent a user (it has no identity), and carries no explicit authorization
|
represent a user (it has no identity), and carries no explicit authorization
|
||||||
(it effectively bypasses most authorization checks). If set to `None`, the
|
(it effectively bypasses most authorization checks). If set to `None`, the
|
||||||
value is ignored and the `admin_token` middleware is effectively disabled.
|
value is ignored and the `admin_token` middleware is effectively disabled.
|
||||||
However, to completely disable `admin_token` in production (highly recommended,
|
|
||||||
as it presents a security risk), remove `AdminTokenAuthMiddleware`
|
|
||||||
(the `admin_token_auth` filter) from your paste application pipelines (for
|
|
||||||
example, in `keystone-paste.ini`).
|
|
||||||
"""))
|
"""))
|
||||||
|
|
||||||
public_endpoint = cfg.URIOpt(
|
public_endpoint = cfg.URIOpt(
|
||||||
|
|
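Review bot: the retained help text still says "the `admin_token` middleware is effectively disabled" although this change is motivated by that middleware having been removed; reword it to describe the option's effect without naming the component, for example "admin token authentication is disabled". Also, deleting the "However, to completely disable `admin_token` in production (highly recommended, as it presents a security risk)" sentence removes the only statement of the recommended production setting; keep a short sentence such as "Leaving this set to `None` in production is highly recommended, as a configured admin token presents a security risk." so the help text still tells operators what the safe value is.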