yahoo-eng-team team mailing list archive

[Lance Bragstad <lbragstad@xxxxxxxxx>]

Public bug reported:

Keystone supports the ability to trust a certificate authority, meaning
it also has the ability to trust certificates issued to users by that
authority. The work originally landed in Liberty [0], but some of the
examples in the documentation could be more concise [1].

Some things we could do to improve this documentation would be to:

- Explain situations where trusting a CA would be beneficial to a deployment
- Explain how operators should know what to configure for the trusted_issuer (e.g., this should ideally be an openssl command they can use to pull the value out of their certificate - the current documentation doesn't really tell you how to get this, leaving you guessing)
- Put the configuration steps into the configuration guide, which is written for operators setting up and configuring their deployment
- Put the user information in the user guide, so it's easier for users to know how they can use a certificate given to them from an operator

[0] https://specs.openstack.org/openstack/keystone-specs/specs/liberty/keystone-tokenless-authz-with-x509-ssl-client-cert.html
[1] https://docs.openstack.org/keystone/latest/admin/configure_tokenless_x509.html#create-an-identity-provider-idp

** Affects: keystone
     Importance: Medium
         Status: Triaged


** Tags: documentation

** Changed in: keystone
       Status: New => Triaged

** Changed in: keystone
   Importance: Undecided => Medium

** Tags added: documentation

** Description changed:

  Keystone supports the ability to trust a certificate authority, meaning
  it also has the ability to trust certificates issued to users by that
  authority. The work originally landed in Liberty [0], but some of the
  examples in the documentation could be more concise [1].
  
  Some things we could do to improve this documentation would be to:
  
  - Explain situations where trusting a CA would be beneficial to a deployment
- - Explain how operators should know what to configure for the trusted_issuer (e.g., this should ideally be an openssl command they can you to pull the value out of their certificate)
+ - Explain how operators should know what to configure for the trusted_issuer (e.g., this should ideally be an openssl command they can use to pull the value out of their certificate - the current documentation doesn't really tell you how to get this, leaving you guessing)
  - Put the configuration steps into the configuration guide, which is written for operators setting up and configuring their deployment
  - Put the user information in the user guide, so it's easier for users to know how they can use a certificate given to them from an operator
  
  [0] https://specs.openstack.org/openstack/keystone-specs/specs/liberty/keystone-tokenless-authz-with-x509-ssl-client-cert.html
  [1] https://docs.openstack.org/keystone/latest/admin/configure_tokenless_x509.html#create-an-identity-provider-idp

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1813057

Title:
  The tokenless authentication documentation is opaque

Status in OpenStack Identity (keystone):
  Triaged

Bug description:
  Keystone supports the ability to trust a certificate authority,
  meaning it also has the ability to trust certificates issued to users
  by that authority. The work originally landed in Liberty [0], but some
  of the examples in the documentation could be more concise [1].

  Some things we could do to improve this documentation would be to:

  - Explain situations where trusting a CA would be beneficial to a deployment
  - Explain how operators should know what to configure for the trusted_issuer (e.g., this should ideally be an openssl command they can use to pull the value out of their certificate - the current documentation doesn't really tell you how to get this, leaving you guessing)
  - Put the configuration steps into the configuration guide, which is written for operators setting up and configuring their deployment
  - Put the user information in the user guide, so it's easier for users to know how they can use a certificate given to them from an operator

  [0] https://specs.openstack.org/openstack/keystone-specs/specs/liberty/keystone-tokenless-authz-with-x509-ssl-client-cert.html
  [1] https://docs.openstack.org/keystone/latest/admin/configure_tokenless_x509.html#create-an-identity-provider-idp

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1813057/+subscriptions