Diffstat (limited to 'keystone-moon/keystone/common/config.py')
-rw-r--r-- | keystone-moon/keystone/common/config.py | 31 |
1 files changed, 29 insertions, 2 deletions
diff --git a/keystone-moon/keystone/common/config.py b/keystone-moon/keystone/common/config.py
index 4966dd9c..fcf05abe 100644
--- a/keystone-moon/keystone/common/config.py
+++ b/keystone-moon/keystone/common/config.py
@@ -529,8 +529,9 @@ FILE_OPTIONS = {
 'token, the origin host must be a member of the '
 'trusted_dashboard list. This configuration '
 'option may be repeated for multiple values. '
- 'For example: trusted_dashboard=http://acme.com '
- 'trusted_dashboard=http://beta.com'),
+ 'For example: '
+ 'trusted_dashboard=http://acme.com/auth/websso '
+ 'trusted_dashboard=http://beta.com/auth/websso'),
 cfg.StrOpt('sso_callback_template', default=_SSO_CALLBACK,
 help='Location of Single Sign-On callback handler, will '
 'return a token to a trusted dashboard host.'),
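Review bot: Both example origins in the new `trusted_dashboard` help text use plain `http://`, while the neighbouring `sso_callback_template` help says the callback returns a token to the trusted dashboard host. Help-text examples tend to be copied into real configuration, so I would write them as `'trusted_dashboard=https://acme.com/auth/websso '` and `'trusted_dashboard=https://beta.com/auth/websso'),`. Whether the origin comparison is scheme-sensitive is not visible in this hunk, so operators should be told in the same text if the scheme has to match exactly. The option definition starts outside the hunk.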
@@ -894,6 +895,32 @@ FILE_OPTIONS = {
 help='Entrypoint for the oAuth1.0 auth plugin module in '
 'the keystone.auth.oauth1 namespace.'),
 ],
+ 'tokenless_auth': [
+ cfg.MultiStrOpt('trusted_issuer', default=[],
+ help='The list of trusted issuers to further filter '
+ 'the certificates that are allowed to '
+ 'participate in the X.509 tokenless '
+ 'authorization. If the option is absent then '
+ 'no certificates will be allowed. '
+ 'The naming format for the attributes of a '
+ 'Distinguished Name(DN) must be separated by a '
+ 'comma and contain no spaces. This configuration '
+ 'option may be repeated for multiple values. '
+ 'For example: '
+ 'trusted_issuer=CN=john,OU=keystone,O=openstack '
+ 'trusted_issuer=CN=mary,OU=eng,O=abc'),
+ cfg.StrOpt('protocol', default='x509',
+ help='The protocol name for the X.509 tokenless '
+ 'authorization along with the option issuer_attribute '
+ 'below can look up its corresponding mapping.'),
+ cfg.StrOpt('issuer_attribute', default='SSL_CLIENT_I_DN',
+ help='The issuer attribute that is served as an IdP ID '
+ 'for the X.509 tokenless authorization along with '
+ 'the protocol to look up its corresponding mapping. '
+ 'It is the environment variable in the WSGI '
+ 'environment that references to the issuer of the '
+ 'client certificate.'),
+ ],
 'paste_deploy': [
 cfg.StrOpt('config_file', default='keystone-paste.ini',
 help='Name of the paste configuration file that defines ' |
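Review bot: The help text for `issuer_attribute` does not say who is expected to populate `SSL_CLIENT_I_DN` in the WSGI environment, and the `trusted_issuer` filter is only as trustworthy as that value. I would add a sentence to the help such as `'The variable must be set by the TLS-terminating web server only after it has verified the client certificate. '`, so that operators do not enable this behind a front end that leaves the variable unset or forwards a client-supplied value. The code that reads these options is not visible in this hunk, so this is a documentation request rather than a claimed defect. The fail-closed `default=[]` on `trusted_issuer` is worth keeping, and since the help requires an exact comma-separated DN with no spaces, it should also say that the comparison is a literal string match, if that is the case. The `FILE_OPTIONS` dict begins and ends outside the hunk.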