Public bug reported: Keystone supports the ability to trust a certificate authority, meaning it also has the ability to trust certificates issued to users by that authority. The work originally landed in Liberty [0], but some of the examples in the documentation could be more concise [1].
Some things we could do to improve this documentation would be to: - Explain situations where trusting a CA would be beneficial to a deployment - Explain how operators should know what to configure for the trusted_issuer (e.g., this should ideally be an openssl command they can use to pull the value out of their certificate - the current documentation doesn't really tell you how to get this, leaving you guessing) - Put the configuration steps into the configuration guide, which is written for operators setting up and configuring their deployment - Put the user information in the user guide, so it's easier for users to know how they can use a certificate given to them from an operator [0] https://specs.openstack.org/openstack/keystone-specs/specs/liberty/keystone-tokenless-authz-with-x509-ssl-client-cert.html [1] https://docs.openstack.org/keystone/latest/admin/configure_tokenless_x509.html#create-an-identity-provider-idp ** Affects: keystone Importance: Medium Status: Triaged ** Tags: documentation ** Changed in: keystone Status: New => Triaged ** Changed in: keystone Importance: Undecided => Medium ** Tags added: documentation ** Description changed: Keystone supports the ability to trust a certificate authority, meaning it also has the ability to trust certificates issued to users by that authority. The work originally landed in Liberty [0], but some of the examples in the documentation could be more concise [1]. Some things we could do to improve this documentation would be to: - Explain situations where trusting a CA would be beneficial to a deployment - - Explain how operators should know what to configure for the trusted_issuer (e.g., this should ideally be an openssl command they can you to pull the value out of their certificate) + - Explain how operators should know what to configure for the trusted_issuer (e.g., this should ideally be an openssl command they can use to pull the value out of their certificate - the current documentation doesn't really tell you how to get this, leaving you guessing) - Put the configuration steps into the configuration guide, which is written for operators setting up and configuring their deployment - Put the user information in the user guide, so it's easier for users to know how they can use a certificate given to them from an operator [0] https://specs.openstack.org/openstack/keystone-specs/specs/liberty/keystone-tokenless-authz-with-x509-ssl-client-cert.html [1] https://docs.openstack.org/keystone/latest/admin/configure_tokenless_x509.html#create-an-identity-provider-idp -- You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to OpenStack Identity (keystone). https://bugs.launchpad.net/bugs/1813057 Title: The tokenless authentication documentation is opaque Status in OpenStack Identity (keystone): Triaged Bug description: Keystone supports the ability to trust a certificate authority, meaning it also has the ability to trust certificates issued to users by that authority. The work originally landed in Liberty [0], but some of the examples in the documentation could be more concise [1]. Some things we could do to improve this documentation would be to: - Explain situations where trusting a CA would be beneficial to a deployment - Explain how operators should know what to configure for the trusted_issuer (e.g., this should ideally be an openssl command they can use to pull the value out of their certificate - the current documentation doesn't really tell you how to get this, leaving you guessing) - Put the configuration steps into the configuration guide, which is written for operators setting up and configuring their deployment - Put the user information in the user guide, so it's easier for users to know how they can use a certificate given to them from an operator [0] https://specs.openstack.org/openstack/keystone-specs/specs/liberty/keystone-tokenless-authz-with-x509-ssl-client-cert.html [1] https://docs.openstack.org/keystone/latest/admin/configure_tokenless_x509.html#create-an-identity-provider-idp To manage notifications about this bug go to: https://bugs.launchpad.net/keystone/+bug/1813057/+subscriptions -- Mailing list: https://launchpad.net/~yahoo-eng-team Post to : [email protected] Unsubscribe : https://launchpad.net/~yahoo-eng-team More help : https://help.launchpad.net/ListHelp
