Implement Token Binding.
Bug #1196775 reported by
OpenStack Infra
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
openstack-manuals | Fix Released | Medium | Anne Gentle |
Bug Description
https:/
commit 8e90214b294ce34
Author: Jamie Lennox <email address hidden>
Date: Mon Jun 17 04:22:06 2013 +0000
Implement Token Binding.
Brings token binding to keystone server. There are a number of places
where the location or hardcoding of binding checks are not optimal
however fixing them will require having a proper authentication plugin
scheme so just assume that they will be moved when that happens.
DocImpact
Implements: blueprint authentication-
Change-Id: Ib34e5e0b6bd838
Changed in openstack-manuals:
milestone: none → havana
Changed in openstack-manuals:
status: New → Confirmed
importance: Undecided → Medium
Changed in openstack-manuals:
assignee: nobody → Tom Fifield (fifieldt)
Changed in openstack-manuals:
assignee: Tom Fifield (fifieldt) → Anne Gentle (annegentle)
Need to add this text:
Token Binding
-------------
Token binding refers to the practice of embedding information from external
authentication providers (like a company's Kerberos server) inside the token
such that a client may enforce that the token only be used in conjunction with
that specified authentication. This is an additional security mechanism as it
means that if a token is stolen it will not be usable without also providing the
external authentication.
To activate token binding you must specify the types of authentication that
token binding should be used for in ``keystone.conf`` e.g.::

    [token]
    bind = kerberos
Currently only ``kerberos`` is supported.
To enforce checking of token binding the ``enforce_token_bind`` parameter
should be set to one of the following modes:

* ``disabled`` disable token bind checking
* ``permissive`` enable bind checking, if a token is bound to a mechanism that
  is unknown to the server then ignore it. This is the default.
* ``strict`` enable bind checking, if a token is bound to a mechanism that is
  unknown to the server then this token should be rejected.
* ``required`` enable bind checking and require that at least 1 bind mechanism
  is used for tokens.
* named enable bind checking and require that the specified authentication
  mechanism is used. e.g.::

    [token]
    enforce_token_bind = kerberos

*Do not* set ``enforce_token_bind = named`` as there is not an authentication
mechanism called ``named``.
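The following is an added example, not code from Keystone or from this bug's comment, showing how the five ``enforce_token_bind`` modes described above decide whether a bound token may be used on a request. It reads the ``[token]`` section of a ``keystone.conf``-style string, rejects the literal value ``named`` (the mistake the comment warns about), and then applies the mode to a token's bind data. The shape of the bind data (a dict such as ``{"kerberos": "alice@EXAMPLE.COM"}``), the request-side authentication dict of the same shape, the ``TokenBindError`` exception and the function names are assumptions made for this example; the only known mechanism is ``kerberos``, matching the comment's "Currently only ``kerberos`` is supported".

```python
"""Added example (not Keystone's own code): evaluate enforce_token_bind modes.

Constructed assumptions for this example:
- a token's binding is a dict like {"kerberos": "alice@EXAMPLE.COM"}
- the request carries its external authentication as a dict of the same
  shape, built by the web server / auth middleware from e.g. REMOTE_USER
- the server can verify only the ``kerberos`` mechanism
- TokenBindError stands in for whatever the server raises on rejection
"""
import configparser

KNOWN_MECHANISMS = {"kerberos"}
FIXED_MODES = {"disabled", "permissive", "strict", "required"}


class TokenBindError(Exception):
    """Raised when a bound token must not be accepted on this request."""


def parse_enforce_mode(conf_text):
    """Read enforce_token_bind from a keystone.conf-style [token] section.

    Returns (mode, None) for the four fixed modes, or ("named", mechanism)
    when the value names a specific authentication mechanism.  The literal
    value "named" is refused because no such mechanism exists.
    """
    cp = configparser.ConfigParser()
    cp.read_string(conf_text)
    # permissive is the default when the option is absent
    value = cp.get("token", "enforce_token_bind", fallback="permissive").strip()
    if value in FIXED_MODES:
        return value, None
    if value == "named":
        raise ValueError("'named' describes the mode; put the mechanism name here")
    return "named", value


def check_token_bind(mode, named_mechanism, token_bind, request_auth):
    """Return True if the token may be used, otherwise raise TokenBindError."""
    if mode == "disabled":
        return True
    token_bind = token_bind or {}
    if mode == "required" and not token_bind:
        raise TokenBindError("token is not bound to any mechanism")
    if mode == "named" and named_mechanism not in token_bind:
        raise TokenBindError("token is not bound to %s" % named_mechanism)
    for mechanism, identity in token_bind.items():
        if mechanism not in KNOWN_MECHANISMS:
            if mode == "permissive":
                continue  # permissive: silently ignore mechanisms we cannot check
            raise TokenBindError("unknown bind mechanism %s" % mechanism)
        # known mechanism: the request must carry the same external identity
        if request_auth.get(mechanism) != identity:
            raise TokenBindError("%s identity does not match token binding" % mechanism)
    return True


def token_bind_ok(mode, named_mechanism, token_bind, request_auth):
    """Predicate form of check_token_bind for callers that prefer a bool."""
    try:
        return check_token_bind(mode, named_mechanism, token_bind, request_auth)
    except TokenBindError:
        return False


if __name__ == "__main__":
    mode, name = parse_enforce_mode("[token]\nbind = kerberos\nenforce_token_bind = kerberos\n")
    token = {"kerberos": "alice@EXAMPLE.COM"}  # constructed bound token
    print(token_bind_ok(mode, name, token, {"kerberos": "alice@EXAMPLE.COM"}))  # True
    print(token_bind_ok(mode, name, token, {"kerberos": "mallory@EXAMPLE.COM"}))  # False
```

The stolen-token case the comment describes is the last line of the usage: the token is bound to ``alice``, the request is authenticated as someone else, and every mode except ``disabled`` refuses it. The difference between ``permissive`` and ``strict`` only shows up when a token carries a mechanism the server cannot verify.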