yahoo-eng-team team mailing list archive

Thread
Date

[Bug 1813057] Re: The tokenless/x509 authentication documentation is opaque

To: yahoo-eng-team@xxxxxxxxxxxxxxxxxxx
From: OpenStack Infra <1813057@xxxxxxxxxxxxxxxxxx>
Date: Thu, 18 Jul 2019 16:54:11 -0000
Reply-to: Bug 1813057 <1813057@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

Reviewed:  https://review.opendev.org/669790
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=4fb4d8b8a4055dfacf13a409e590485461d766b2
Submitter: Zuul
Branch:    master

commit 4fb4d8b8a4055dfacf13a409e590485461d766b2
Author: Guang Yee <guang.yee@xxxxxxxx>
Date:   Mon Jul 8 21:55:47 2019 -0700

    update documentation for X.509 tokenless auth
    
    Explain what this feature is intended for and how to properly
    use it.
    
    Change-Id: I5ef67d9beaa0fc9505270408db4dec5dd9d97ebf
    Closes-Bug: 1813057


** Changed in: keystone
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1813057

Title:
  The tokenless/x509 authentication documentation is opaque

Status in OpenStack Identity (keystone):
  Fix Released

Bug description:
  Keystone supports the ability to trust a certificate authority,
  meaning it also has the ability to trust certificates issued to users
  by that authority. The work originally landed in Liberty [0], but some
  of the examples in the documentation could be more concise [1].

  Some things we could do to improve this documentation would be to:

  - Explain situations where trusting a CA would be beneficial to a deployment
  - Explain how operators should know what to configure for the trusted_issuer (e.g., this should ideally be an openssl command they can use to pull the value out of their certificate - the current documentation doesn't really tell you how to get this, leaving you guessing)
  - Put the configuration steps into the configuration guide, which is written for operators setting up and configuring their deployment
  - Put the user information in the user guide, so it's easier for users to know how they can use a certificate given to them from an operator

  [0] https://specs.openstack.org/openstack/keystone-specs/specs/liberty/keystone-tokenless-authz-with-x509-ssl-client-cert.html
  [1] https://docs.openstack.org/keystone/latest/admin/configure_tokenless_x509.html#create-an-identity-provider-idp

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1813057/+subscriptions

References

[Bug 1813057] [NEW] The tokenless authentication documentation is opaque
From: Lance Bragstad, 2019-01-23