Reviewed:  https://review.opendev.org/669790
Committed: 
https://git.openstack.org/cgit/openstack/keystone/commit/?id=4fb4d8b8a4055dfacf13a409e590485461d766b2
Submitter: Zuul
Branch:    master

commit 4fb4d8b8a4055dfacf13a409e590485461d766b2
Author: Guang Yee <[email protected]>
Date:   Mon Jul 8 21:55:47 2019 -0700

    update documentation for X.509 tokenless auth
    
    Explain what this feature is intended for and how to properly
    use it.
    
    Change-Id: I5ef67d9beaa0fc9505270408db4dec5dd9d97ebf
    Closes-Bug: 1813057


** Changed in: keystone
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1813057

Title:
  The tokenless/x509 authentication documentation is opaque

Status in OpenStack Identity (keystone):
  Fix Released

Bug description:
  Keystone supports the ability to trust a certificate authority,
  meaning it also has the ability to trust certificates issued to users
  by that authority. The work originally landed in Liberty [0], but some
  of the examples in the documentation could be more concise [1].

  Some things we could do to improve this documentation would be to:

  - Explain situations where trusting a CA would be beneficial to a deployment
  - Explain how operators should know what to configure for the trusted_issuer 
(e.g., this should ideally be an openssl command they can use to pull the value 
out of their certificate - the current documentation doesn't really tell you 
how to get this, leaving you guessing)
  - Put the configuration steps into the configuration guide, which is written 
for operators setting up and configuring their deployment
  - Put the user information in the user guide, so it's easier for users to 
know how they can use a certificate given to them from an operator

  [0] 
https://specs.openstack.org/openstack/keystone-specs/specs/liberty/keystone-tokenless-authz-with-x509-ssl-client-cert.html
  [1] 
https://docs.openstack.org/keystone/latest/admin/configure_tokenless_x509.html#create-an-identity-provider-idp

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1813057/+subscriptions

-- 
Mailing list: https://launchpad.net/~yahoo-eng-team
Post to     : [email protected]
Unsubscribe : https://launchpad.net/~yahoo-eng-team
More help   : https://help.launchpad.net/ListHelp

Reply via email to