Implement Token Binding.
Bug #1196775 reported by
OpenStack Infra
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| openstack-manuals |
Fix Released
|
Medium
|
Anne Gentle | ||
Bug Description
https:/
commit 8e90214b294ce34
Author: Jamie Lennox <email address hidden>
Date: Mon Jun 17 04:22:06 2013 +0000
Implement Token Binding.
Brings token binding to keystone server. There are a number of places
where the location or hardcoding of binding checks are not optimal
however fixing them will require having a proper authentication plugin
scheme so just assume that they will be moved when that happens.
DocImpact
Implements: blueprint authentication-
Change-Id: Ib34e5e0b6bd838
| Changed in openstack-manuals: | |
| milestone: | none → havana |
| Changed in openstack-manuals: | |
| status: | New → Confirmed |
| importance: | Undecided → Medium |
Revision history for this message
| Tom Fifield (fifieldt) wrote | #1 |
| Changed in openstack-manuals: | |
| status: | Confirmed → Triaged |
| Changed in openstack-manuals: | |
| assignee: | nobody → Tom Fifield (fifieldt) |
Revision history for this message
| OpenStack Infra (hudson-openstack) wrote Fix proposed to openstack-manuals (master) | #2 |
| Changed in openstack-manuals: | |
| status: | Triaged → In Progress |
| Changed in openstack-manuals: | |
| assignee: | Tom Fifield (fifieldt) → Anne Gentle (annegentle) |
Revision history for this message
| OpenStack Infra (hudson-openstack) wrote Fix merged to openstack-manuals (master) | #3 |
| Changed in openstack-manuals: | |
| status: | In Progress → Fix Released |
Revision history for this message
| OpenStack Infra (hudson-openstack) wrote Fix proposed to openstack-manuals (stable/havana) | #4 |
Revision history for this message
| OpenStack Infra (hudson-openstack) wrote Fix merged to openstack-manuals (stable/havana) | #5 |
| tags: | added: in-stable-havana |
Revision history for this message
| OpenStack Infra (hudson-openstack) wrote Fix included in openstack/openstack-manuals 15.0.0 | #6 |
To post a comment you must log in.
Need to add this text:
Token Binding
-------------
Token binding refers to the practice of embedding information from external
authentication providers (like a company's Kerberos server) inside the token
such that a client may enforce that the token only be used in conjunction with
that specified authentication. This is an additional security mechanism as it
means that if a token is stolen it will not be usable without also providing the
external authentication.
To activate token binding you must specify the types of authentication that
token binding should be used for in ``keystone.conf`` e.g.::
[token]
bind = kerberos
Currently only ``kerberos`` is supported.
To enforce checking of token binding the ``enforce_
should be set to one of the following modes:
* ``disabled`` disable token bind checking
* ``permissive`` enable bind checking, if a token is bound to a mechanism that
is unknown to the server then ignore it. This is the default.
* ``strict`` enable bind checking, if a token is bound to a mechanism that is
unknown to the server then this token should be rejected.
* ``required`` enable bind checking and require that at least 1 bind mechanism
is used for tokens.
* named enable bind checking and require that the specified authentication
mechanism is used. e.g.::
[token]
enforce_
*Do not* set ``enforce_
mechanism called ``named``.