)]}'
{"doc/source/admin/configure_tokenless_x509.rst":[{"author":{"_account_id":8482,"name":"Colleen Murphy","email":"colleen@gazlene.net","username":"krinkle"},"change_message_id":"c6add701fdf9cb52f6c4d3db7b4f8c7371cb7f05","unresolved":false,"context_lines":[{"line_number":17,"context_line":""},{"line_number":18,"context_line":".. NOTE::"},{"line_number":19,"context_line":""},{"line_number":20,"context_line":"    This feature is experimental and unsupported in Liberty."},{"line_number":21,"context_line":""},{"line_number":22,"context_line":"-----------"},{"line_number":23,"context_line":"Definitions"}],"source_content_type":"text/x-rst","patch_set":1,"id":"7faddb67_36177254","line":20,"range":{"start_line":20,"start_character":4,"end_line":20,"end_character":60},"updated":"2019-07-10 01:56:22.000000000","message":"Can we update this?","commit_id":"9f1abd4364b163471297a23192305ecc7fec7cda"},{"author":{"_account_id":1916,"name":"Guang Yee","email":"gyee@suse.com","username":"guang-yee"},"change_message_id":"1393e0b0f8d89b5b774302f8b63f15a85b55ab44","unresolved":false,"context_lines":[{"line_number":17,"context_line":""},{"line_number":18,"context_line":".. 
NOTE::"},{"line_number":19,"context_line":""},{"line_number":20,"context_line":"    This feature is experimental and unsupported in Liberty."},{"line_number":21,"context_line":""},{"line_number":22,"context_line":"-----------"},{"line_number":23,"context_line":"Definitions"}],"source_content_type":"text/x-rst","patch_set":1,"id":"7faddb67_83c5ad5d","line":20,"range":{"start_line":20,"start_character":4,"end_line":20,"end_character":60},"in_reply_to":"7faddb67_36177254","updated":"2019-07-11 00:37:54.000000000","message":"Yeah, let me remove it as it should no longer be experimental.","commit_id":"9f1abd4364b163471297a23192305ecc7fec7cda"},{"author":{"_account_id":8482,"name":"Colleen Murphy","email":"colleen@gazlene.net","username":"krinkle"},"change_message_id":"c6add701fdf9cb52f6c4d3db7b4f8c7371cb7f05","unresolved":false,"context_lines":[{"line_number":28,"context_line":"  without having to issue a token."},{"line_number":29,"context_line":""},{"line_number":30,"context_line":"  This feature is designed to reduce the complexity of user token validation"},{"line_number":31,"context_line":"  in Keystone auth_token middleware by eliminiating the need for service"},{"line_number":32,"context_line":"  user token for authentication and authorization. Therefore, there\u0027s no need"},{"line_number":33,"context_line":"  to having to create and maintain a service user account for the sole purpose"},{"line_number":34,"context_line":"  of user token validation. 
Furthermore, this feature improves efficiency by"}],"source_content_type":"text/x-rst","patch_set":1,"id":"7faddb67_7150940b","line":31,"range":{"start_line":31,"start_character":39,"end_line":31,"end_character":51},"updated":"2019-07-10 01:56:22.000000000","message":"eliminating","commit_id":"9f1abd4364b163471297a23192305ecc7fec7cda"},{"author":{"_account_id":1916,"name":"Guang Yee","email":"gyee@suse.com","username":"guang-yee"},"change_message_id":"1393e0b0f8d89b5b774302f8b63f15a85b55ab44","unresolved":false,"context_lines":[{"line_number":28,"context_line":"  without having to issue a token."},{"line_number":29,"context_line":""},{"line_number":30,"context_line":"  This feature is designed to reduce the complexity of user token validation"},{"line_number":31,"context_line":"  in Keystone auth_token middleware by eliminiating the need for service"},{"line_number":32,"context_line":"  user token for authentication and authorization. Therefore, there\u0027s no need"},{"line_number":33,"context_line":"  to having to create and maintain a service user account for the sole purpose"},{"line_number":34,"context_line":"  of user token validation. 
Furthermore, this feature improves efficiency by"}],"source_content_type":"text/x-rst","patch_set":1,"id":"7faddb67_03af7d94","line":31,"range":{"start_line":31,"start_character":39,"end_line":31,"end_character":51},"in_reply_to":"7faddb67_7150940b","updated":"2019-07-11 00:37:54.000000000","message":"Done","commit_id":"9f1abd4364b163471297a23192305ecc7fec7cda"},{"author":{"_account_id":8482,"name":"Colleen Murphy","email":"colleen@gazlene.net","username":"krinkle"},"change_message_id":"c6add701fdf9cb52f6c4d3db7b4f8c7371cb7f05","unresolved":false,"context_lines":[{"line_number":58,"context_line":"* two-way SSL"},{"line_number":59,"context_line":"* Public Key Infrastructure (PKI) and certificate management"},{"line_number":60,"context_line":"* Apache configuration"},{"line_number":61,"context_line":"* HAProxy configuration"},{"line_number":62,"context_line":""},{"line_number":63,"context_line":"Configurating this feature requires `OpenSSL Command Line Tool (CLI)`_. Please refer"},{"line_number":64,"context_line":"to the respective OS installation guide on how to install it."}],"source_content_type":"text/x-rst","patch_set":1,"id":"7faddb67_712bb481","line":61,"updated":"2019-07-10 01:56:22.000000000","message":"Links to external resources on these things might be nice","commit_id":"9f1abd4364b163471297a23192305ecc7fec7cda"},{"author":{"_account_id":1916,"name":"Guang Yee","email":"gyee@suse.com","username":"guang-yee"},"change_message_id":"1393e0b0f8d89b5b774302f8b63f15a85b55ab44","unresolved":false,"context_lines":[{"line_number":58,"context_line":"* two-way SSL"},{"line_number":59,"context_line":"* Public Key Infrastructure (PKI) and certificate management"},{"line_number":60,"context_line":"* Apache configuration"},{"line_number":61,"context_line":"* HAProxy configuration"},{"line_number":62,"context_line":""},{"line_number":63,"context_line":"Configurating this feature requires `OpenSSL Command Line Tool (CLI)`_. 
Please refer"},{"line_number":64,"context_line":"to the respective OS installation guide on how to install it."}],"source_content_type":"text/x-rst","patch_set":1,"id":"7faddb67_0388dd1c","line":61,"in_reply_to":"7faddb67_712bb481","updated":"2019-07-11 00:37:54.000000000","message":"Done","commit_id":"9f1abd4364b163471297a23192305ecc7fec7cda"},{"author":{"_account_id":8482,"name":"Colleen Murphy","email":"colleen@gazlene.net","username":"krinkle"},"change_message_id":"c6add701fdf9cb52f6c4d3db7b4f8c7371cb7f05","unresolved":false,"context_lines":[{"line_number":60,"context_line":"* Apache configuration"},{"line_number":61,"context_line":"* HAProxy configuration"},{"line_number":62,"context_line":""},{"line_number":63,"context_line":"Configurating this feature requires `OpenSSL Command Line Tool (CLI)`_. Please refer"},{"line_number":64,"context_line":"to the respective OS installation guide on how to install it."},{"line_number":65,"context_line":""},{"line_number":66,"context_line":".. _`OpenSSL Command Line Tool (CLI)`: https://www.openssl.org/docs/manmaster/man1/openssl.html"}],"source_content_type":"text/x-rst","patch_set":1,"id":"7faddb67_1157e004","line":63,"range":{"start_line":63,"start_character":0,"end_line":63,"end_character":13},"updated":"2019-07-10 01:56:22.000000000","message":"Configuring","commit_id":"9f1abd4364b163471297a23192305ecc7fec7cda"},{"author":{"_account_id":1916,"name":"Guang Yee","email":"gyee@suse.com","username":"guang-yee"},"change_message_id":"1393e0b0f8d89b5b774302f8b63f15a85b55ab44","unresolved":false,"context_lines":[{"line_number":60,"context_line":"* Apache configuration"},{"line_number":61,"context_line":"* HAProxy configuration"},{"line_number":62,"context_line":""},{"line_number":63,"context_line":"Configurating this feature requires `OpenSSL Command Line Tool (CLI)`_. 
Please refer"},{"line_number":64,"context_line":"to the respective OS installation guide on how to install it."},{"line_number":65,"context_line":""},{"line_number":66,"context_line":".. _`OpenSSL Command Line Tool (CLI)`: https://www.openssl.org/docs/manmaster/man1/openssl.html"}],"source_content_type":"text/x-rst","patch_set":1,"id":"7faddb67_6378b129","line":63,"range":{"start_line":63,"start_character":0,"end_line":63,"end_character":13},"in_reply_to":"7faddb67_1157e004","updated":"2019-07-11 00:37:54.000000000","message":"Done","commit_id":"9f1abd4364b163471297a23192305ecc7fec7cda"},{"author":{"_account_id":8482,"name":"Colleen Murphy","email":"colleen@gazlene.net","username":"krinkle"},"change_message_id":"c6add701fdf9cb52f6c4d3db7b4f8c7371cb7f05","unresolved":false,"context_lines":[{"line_number":90,"context_line":"        SSLOptions +StdEnvVars"},{"line_number":91,"context_line":"        SSLVerifyClient optional"},{"line_number":92,"context_line":"    \u003c/VirtualHost\u003e"},{"line_number":93,"context_line":""},{"line_number":94,"context_line":"----------------------"},{"line_number":95,"context_line":"Keystone Configuration"},{"line_number":96,"context_line":"----------------------"}],"source_content_type":"text/x-rst","patch_set":1,"id":"7faddb67_914af052","line":93,"updated":"2019-07-10 01:56:22.000000000","message":"We should have an haproxy example too if you want to claim this works with haproxy as the terminator","commit_id":"9f1abd4364b163471297a23192305ecc7fec7cda"},{"author":{"_account_id":1916,"name":"Guang Yee","email":"gyee@suse.com","username":"guang-yee"},"change_message_id":"1393e0b0f8d89b5b774302f8b63f15a85b55ab44","unresolved":false,"context_lines":[{"line_number":90,"context_line":"        SSLOptions +StdEnvVars"},{"line_number":91,"context_line":"        SSLVerifyClient optional"},{"line_number":92,"context_line":"    
\u003c/VirtualHost\u003e"},{"line_number":93,"context_line":""},{"line_number":94,"context_line":"----------------------"},{"line_number":95,"context_line":"Keystone Configuration"},{"line_number":96,"context_line":"----------------------"}],"source_content_type":"text/x-rst","patch_set":1,"id":"7faddb67_83736d4d","line":93,"in_reply_to":"7faddb67_914af052","updated":"2019-07-11 00:37:54.000000000","message":"This section has moved. I forgot to delete it here.","commit_id":"9f1abd4364b163471297a23192305ecc7fec7cda"},{"author":{"_account_id":8482,"name":"Colleen Murphy","email":"colleen@gazlene.net","username":"krinkle"},"change_message_id":"c6add701fdf9cb52f6c4d3db7b4f8c7371cb7f05","unresolved":false,"context_lines":[{"line_number":102,"context_line":"is the remote Identity Provider (IDP), and the hexadecimal output of the SHA256"},{"line_number":103,"context_line":"hash of the issuer distinguished name (DN) is used as the IDP ID."},{"line_number":104,"context_line":""},{"line_number":105,"context_line":"-- note::"},{"line_number":106,"context_line":"   Client certificate issuer DN may be formatted differently depending on the"},{"line_number":107,"context_line":"   SSL terminator. For example, Apache mod_ssl may use RFC 2253 while HAProxy"},{"line_number":108,"context_line":"   may use the old format. 
Therefore, it is critically important to keep the"}],"source_content_type":"text/x-rst","patch_set":1,"id":"7faddb67_11a5a004","line":105,"range":{"start_line":105,"start_character":0,"end_line":105,"end_character":9},"updated":"2019-07-10 01:56:22.000000000","message":"This should be formatted the same as on line 18 (s/--/../)","commit_id":"9f1abd4364b163471297a23192305ecc7fec7cda"},{"author":{"_account_id":1916,"name":"Guang Yee","email":"gyee@suse.com","username":"guang-yee"},"change_message_id":"1393e0b0f8d89b5b774302f8b63f15a85b55ab44","unresolved":false,"context_lines":[{"line_number":102,"context_line":"is the remote Identity Provider (IDP), and the hexadecimal output of the SHA256"},{"line_number":103,"context_line":"hash of the issuer distinguished name (DN) is used as the IDP ID."},{"line_number":104,"context_line":""},{"line_number":105,"context_line":"-- note::"},{"line_number":106,"context_line":"   Client certificate issuer DN may be formatted differently depending on the"},{"line_number":107,"context_line":"   SSL terminator. For example, Apache mod_ssl may use RFC 2253 while HAProxy"},{"line_number":108,"context_line":"   may use the old format. 
Therefore, it is critically important to keep the"}],"source_content_type":"text/x-rst","patch_set":1,"id":"7faddb67_23907943","line":105,"range":{"start_line":105,"start_character":0,"end_line":105,"end_character":9},"in_reply_to":"7faddb67_11a5a004","updated":"2019-07-11 00:37:54.000000000","message":"Done","commit_id":"9f1abd4364b163471297a23192305ecc7fec7cda"},{"author":{"_account_id":8482,"name":"Colleen Murphy","email":"colleen@gazlene.net","username":"krinkle"},"change_message_id":"c6add701fdf9cb52f6c4d3db7b4f8c7371cb7f05","unresolved":false,"context_lines":[{"line_number":104,"context_line":""},{"line_number":105,"context_line":"-- note::"},{"line_number":106,"context_line":"   Client certificate issuer DN may be formatted differently depending on the"},{"line_number":107,"context_line":"   SSL terminator. For example, Apache mod_ssl may use RFC 2253 while HAProxy"},{"line_number":108,"context_line":"   may use the old format. Therefore, it is critically important to keep the"},{"line_number":109,"context_line":"   format consistent throughout the configuration as Keystone does exact string"},{"line_number":110,"context_line":"   match when comparing Certificate attributes."}],"source_content_type":"text/x-rst","patch_set":1,"id":"7faddb67_b15e0c10","line":107,"range":{"start_line":107,"start_character":55,"end_line":107,"end_character":63},"updated":"2019-07-10 01:56:22.000000000","message":"Add a link to this RFC","commit_id":"9f1abd4364b163471297a23192305ecc7fec7cda"},{"author":{"_account_id":1916,"name":"Guang Yee","email":"gyee@suse.com","username":"guang-yee"},"change_message_id":"1393e0b0f8d89b5b774302f8b63f15a85b55ab44","unresolved":false,"context_lines":[{"line_number":104,"context_line":""},{"line_number":105,"context_line":"-- note::"},{"line_number":106,"context_line":"   Client certificate issuer DN may be formatted differently depending on the"},{"line_number":107,"context_line":"   SSL terminator. 
For example, Apache mod_ssl may use RFC 2253 while HAProxy"},{"line_number":108,"context_line":"   may use the old format. Therefore, it is critically important to keep the"},{"line_number":109,"context_line":"   format consistent throughout the configuration as Keystone does exact string"},{"line_number":110,"context_line":"   match when comparing Certificate attributes."}],"source_content_type":"text/x-rst","patch_set":1,"id":"7faddb67_83a84d77","line":107,"range":{"start_line":107,"start_character":55,"end_line":107,"end_character":63},"in_reply_to":"7faddb67_b15e0c10","updated":"2019-07-11 00:37:54.000000000","message":"Done","commit_id":"9f1abd4364b163471297a23192305ecc7fec7cda"},{"author":{"_account_id":8482,"name":"Colleen Murphy","email":"colleen@gazlene.net","username":"krinkle"},"change_message_id":"c6add701fdf9cb52f6c4d3db7b4f8c7371cb7f05","unresolved":false,"context_lines":[{"line_number":105,"context_line":"-- note::"},{"line_number":106,"context_line":"   Client certificate issuer DN may be formatted differently depending on the"},{"line_number":107,"context_line":"   SSL terminator. For example, Apache mod_ssl may use RFC 2253 while HAProxy"},{"line_number":108,"context_line":"   may use the old format. 
Therefore, it is critically important to keep the"},{"line_number":109,"context_line":"   format consistent throughout the configuration as Keystone does exact string"},{"line_number":110,"context_line":"   match when comparing Certificate attributes."},{"line_number":111,"context_line":""}],"source_content_type":"text/x-rst","patch_set":1,"id":"7faddb67_519b18c8","line":108,"range":{"start_line":108,"start_character":15,"end_line":108,"end_character":25},"updated":"2019-07-10 01:56:22.000000000","message":"Explain what this is or link to an external reference","commit_id":"9f1abd4364b163471297a23192305ecc7fec7cda"},{"author":{"_account_id":1916,"name":"Guang Yee","email":"gyee@suse.com","username":"guang-yee"},"change_message_id":"1393e0b0f8d89b5b774302f8b63f15a85b55ab44","unresolved":false,"context_lines":[{"line_number":105,"context_line":"-- note::"},{"line_number":106,"context_line":"   Client certificate issuer DN may be formatted differently depending on the"},{"line_number":107,"context_line":"   SSL terminator. For example, Apache mod_ssl may use RFC 2253 while HAProxy"},{"line_number":108,"context_line":"   may use the old format. 
Therefore, it is critically important to keep the"},{"line_number":109,"context_line":"   format consistent throughout the configuration as Keystone does exact string"},{"line_number":110,"context_line":"   match when comparing Certificate attributes."},{"line_number":111,"context_line":""}],"source_content_type":"text/x-rst","patch_set":1,"id":"7faddb67_6381918f","line":108,"range":{"start_line":108,"start_character":15,"end_line":108,"end_character":25},"in_reply_to":"7faddb67_519b18c8","updated":"2019-07-11 00:37:54.000000000","message":"Done","commit_id":"9f1abd4364b163471297a23192305ecc7fec7cda"},{"author":{"_account_id":8482,"name":"Colleen Murphy","email":"colleen@gazlene.net","username":"krinkle"},"change_message_id":"c6add701fdf9cb52f6c4d3db7b4f8c7371cb7f05","unresolved":false,"context_lines":[{"line_number":116,"context_line":""},{"line_number":117,"context_line":"Since version 2.3.11, Apache mod_ssl by default uses RFC 2253 when handling"},{"line_number":118,"context_line":"certificate distinguished names. However, deployer have the option to use"},{"line_number":119,"context_line":"the old format by configuring the `LegacyDNStringFormat` option."},{"line_number":120,"context_line":""},{"line_number":121,"context_line":".. 
_`LegacyDNStringFormat`: https://httpd.apache.org/docs/trunk/mod/mod_ssl.html#ssloptions"},{"line_number":122,"context_line":""}],"source_content_type":"text/x-rst","patch_set":1,"id":"7faddb67_d1270812","line":119,"range":{"start_line":119,"start_character":34,"end_line":119,"end_character":56},"updated":"2019-07-10 01:56:22.000000000","message":"I would use double backticks here since it\u0027s a config option","commit_id":"9f1abd4364b163471297a23192305ecc7fec7cda"},{"author":{"_account_id":1916,"name":"Guang Yee","email":"gyee@suse.com","username":"guang-yee"},"change_message_id":"1393e0b0f8d89b5b774302f8b63f15a85b55ab44","unresolved":false,"context_lines":[{"line_number":116,"context_line":""},{"line_number":117,"context_line":"Since version 2.3.11, Apache mod_ssl by default uses RFC 2253 when handling"},{"line_number":118,"context_line":"certificate distinguished names. However, deployer have the option to use"},{"line_number":119,"context_line":"the old format by configuring the `LegacyDNStringFormat` option."},{"line_number":120,"context_line":""},{"line_number":121,"context_line":".. 
_`LegacyDNStringFormat`: https://httpd.apache.org/docs/trunk/mod/mod_ssl.html#ssloptions"},{"line_number":122,"context_line":""}],"source_content_type":"text/x-rst","patch_set":1,"id":"7faddb67_2332b911","line":119,"range":{"start_line":119,"start_character":34,"end_line":119,"end_character":56},"in_reply_to":"7faddb67_d1270812","updated":"2019-07-11 00:37:54.000000000","message":"Done","commit_id":"9f1abd4364b163471297a23192305ecc7fec7cda"},{"author":{"_account_id":8482,"name":"Colleen Murphy","email":"colleen@gazlene.net","username":"krinkle"},"change_message_id":"c6add701fdf9cb52f6c4d3db7b4f8c7371cb7f05","unresolved":false,"context_lines":[{"line_number":122,"context_line":""},{"line_number":123,"context_line":"HAProxy, on the other hand, only supports the old format."},{"line_number":124,"context_line":""},{"line_number":125,"context_line":"To obtain issuer DN in RFC 2253 format:"},{"line_number":126,"context_line":".. code-block:: bash"},{"line_number":127,"context_line":""},{"line_number":128,"context_line":"   $ openssl x509 -issuer -noout -in client_cert.pem -nameopt rfc2253 | sed \u0027s/^\\s*issuer\u003d//\u0027"}],"source_content_type":"text/x-rst","patch_set":1,"id":"7faddb67_31a8dcd9","line":125,"updated":"2019-07-10 01:56:22.000000000","message":"This needs a newline to render properly (see http://logs.openstack.org/90/669790/1/check/openstack-tox-docs/fd6c2d1/html/admin/configure_tokenless_x509.html#how-to-obtain-trusted-issuer-dn )","commit_id":"9f1abd4364b163471297a23192305ecc7fec7cda"},{"author":{"_account_id":1916,"name":"Guang Yee","email":"gyee@suse.com","username":"guang-yee"},"change_message_id":"1393e0b0f8d89b5b774302f8b63f15a85b55ab44","unresolved":false,"context_lines":[{"line_number":122,"context_line":""},{"line_number":123,"context_line":"HAProxy, on the other hand, only supports the old format."},{"line_number":124,"context_line":""},{"line_number":125,"context_line":"To obtain issuer DN in RFC 2253 
format:"},{"line_number":126,"context_line":".. code-block:: bash"},{"line_number":127,"context_line":""},{"line_number":128,"context_line":"   $ openssl x509 -issuer -noout -in client_cert.pem -nameopt rfc2253 | sed \u0027s/^\\s*issuer\u003d//\u0027"}],"source_content_type":"text/x-rst","patch_set":1,"id":"7faddb67_832a8d8d","line":125,"in_reply_to":"7faddb67_31a8dcd9","updated":"2019-07-11 00:37:54.000000000","message":"Done","commit_id":"9f1abd4364b163471297a23192305ecc7fec7cda"},{"author":{"_account_id":8482,"name":"Colleen Murphy","email":"colleen@gazlene.net","username":"krinkle"},"change_message_id":"c6add701fdf9cb52f6c4d3db7b4f8c7371cb7f05","unresolved":false,"context_lines":[{"line_number":125,"context_line":"To obtain issuer DN in RFC 2253 format:"},{"line_number":126,"context_line":".. code-block:: bash"},{"line_number":127,"context_line":""},{"line_number":128,"context_line":"   $ openssl x509 -issuer -noout -in client_cert.pem -nameopt rfc2253 | sed \u0027s/^\\s*issuer\u003d//\u0027"},{"line_number":129,"context_line":""},{"line_number":130,"context_line":"To obtain issuer DN in old format:"},{"line_number":131,"context_line":".. code-block:: bash"}],"source_content_type":"text/x-rst","patch_set":1,"id":"7faddb67_d16ce837","line":128,"range":{"start_line":128,"start_character":37,"end_line":128,"end_character":52},"updated":"2019-07-10 01:56:22.000000000","message":"As an operator, especially one not super familiar with X.509, it\u0027s confusing to see references to the issue intermixed with references to the client cert. 
It would be helpful to be really explicit about which is which, maybe even with a short example of how you might create a client cert given an existing issuer cert.","commit_id":"9f1abd4364b163471297a23192305ecc7fec7cda"},{"author":{"_account_id":1916,"name":"Guang Yee","email":"gyee@suse.com","username":"guang-yee"},"change_message_id":"1393e0b0f8d89b5b774302f8b63f15a85b55ab44","unresolved":false,"context_lines":[{"line_number":125,"context_line":"To obtain issuer DN in RFC 2253 format:"},{"line_number":126,"context_line":".. code-block:: bash"},{"line_number":127,"context_line":""},{"line_number":128,"context_line":"   $ openssl x509 -issuer -noout -in client_cert.pem -nameopt rfc2253 | sed \u0027s/^\\s*issuer\u003d//\u0027"},{"line_number":129,"context_line":""},{"line_number":130,"context_line":"To obtain issuer DN in old format:"},{"line_number":131,"context_line":".. code-block:: bash"}],"source_content_type":"text/x-rst","patch_set":1,"id":"7faddb67_fe251aac","line":128,"range":{"start_line":128,"start_character":37,"end_line":128,"end_character":52},"in_reply_to":"7faddb67_d16ce837","updated":"2019-07-11 00:37:54.000000000","message":"It would be difficult for operators to use this feature if they don\u0027t have a basic understanding of SSL and certificates. There are a lot of examples out there on how to generate a PKI already. I don\u0027t think we should go too deep in to educating people on what PKI and certificates are. 
Perhaps we can suggest them to read the OpenSSL book as a prereq?","commit_id":"9f1abd4364b163471297a23192305ecc7fec7cda"},{"author":{"_account_id":8482,"name":"Colleen Murphy","email":"colleen@gazlene.net","username":"krinkle"},"change_message_id":"c6add701fdf9cb52f6c4d3db7b4f8c7371cb7f05","unresolved":false,"context_lines":[{"line_number":127,"context_line":""},{"line_number":128,"context_line":"   $ openssl x509 -issuer -noout -in client_cert.pem -nameopt rfc2253 | sed \u0027s/^\\s*issuer\u003d//\u0027"},{"line_number":129,"context_line":""},{"line_number":130,"context_line":"To obtain issuer DN in old format:"},{"line_number":131,"context_line":".. code-block:: bash"},{"line_number":132,"context_line":""},{"line_number":133,"context_line":"   $ openssl x509 -issuer -noout -in /etc/keystone/server_ssl_cert.pem -nameopt compat | sed \u0027s/^\\s*issuer\u003d//\u0027"}],"source_content_type":"text/x-rst","patch_set":1,"id":"7faddb67_d1ae28e6","line":130,"updated":"2019-07-10 01:56:22.000000000","message":"newline","commit_id":"9f1abd4364b163471297a23192305ecc7fec7cda"},{"author":{"_account_id":1916,"name":"Guang Yee","email":"gyee@suse.com","username":"guang-yee"},"change_message_id":"1393e0b0f8d89b5b774302f8b63f15a85b55ab44","unresolved":false,"context_lines":[{"line_number":127,"context_line":""},{"line_number":128,"context_line":"   $ openssl x509 -issuer -noout -in client_cert.pem -nameopt rfc2253 | sed \u0027s/^\\s*issuer\u003d//\u0027"},{"line_number":129,"context_line":""},{"line_number":130,"context_line":"To obtain issuer DN in old format:"},{"line_number":131,"context_line":".. 
code-block:: bash"},{"line_number":132,"context_line":""},{"line_number":133,"context_line":"   $ openssl x509 -issuer -noout -in /etc/keystone/server_ssl_cert.pem -nameopt compat | sed \u0027s/^\\s*issuer\u003d//\u0027"}],"source_content_type":"text/x-rst","patch_set":1,"id":"7faddb67_be37a2e3","line":130,"in_reply_to":"7faddb67_d1ae28e6","updated":"2019-07-11 00:37:54.000000000","message":"Done","commit_id":"9f1abd4364b163471297a23192305ecc7fec7cda"},{"author":{"_account_id":8482,"name":"Colleen Murphy","email":"colleen@gazlene.net","username":"krinkle"},"change_message_id":"c6add701fdf9cb52f6c4d3db7b4f8c7371cb7f05","unresolved":false,"context_lines":[{"line_number":130,"context_line":"To obtain issuer DN in old format:"},{"line_number":131,"context_line":".. code-block:: bash"},{"line_number":132,"context_line":""},{"line_number":133,"context_line":"   $ openssl x509 -issuer -noout -in /etc/keystone/server_ssl_cert.pem -nameopt compat | sed \u0027s/^\\s*issuer\u003d//\u0027"},{"line_number":134,"context_line":""},{"line_number":135,"context_line":"How to calculate the IDP ID from trusted issuer DN"},{"line_number":136,"context_line":"--------------------------------------------------"}],"source_content_type":"text/x-rst","patch_set":1,"id":"7faddb67_c3917b9b","line":133,"range":{"start_line":133,"start_character":37,"end_line":133,"end_character":70},"updated":"2019-07-10 01:56:22.000000000","message":"Again using the keystone cert instead of the client cert here is confusing","commit_id":"9f1abd4364b163471297a23192305ecc7fec7cda"},{"author":{"_account_id":1916,"name":"Guang Yee","email":"gyee@suse.com","username":"guang-yee"},"change_message_id":"1393e0b0f8d89b5b774302f8b63f15a85b55ab44","unresolved":false,"context_lines":[{"line_number":130,"context_line":"To obtain issuer DN in old format:"},{"line_number":131,"context_line":".. 
code-block:: bash"},{"line_number":132,"context_line":""},{"line_number":133,"context_line":"   $ openssl x509 -issuer -noout -in /etc/keystone/server_ssl_cert.pem -nameopt compat | sed \u0027s/^\\s*issuer\u003d//\u0027"},{"line_number":134,"context_line":""},{"line_number":135,"context_line":"How to calculate the IDP ID from trusted issuer DN"},{"line_number":136,"context_line":"--------------------------------------------------"}],"source_content_type":"text/x-rst","patch_set":1,"id":"7faddb67_1e4ef66e","line":133,"range":{"start_line":133,"start_character":37,"end_line":133,"end_character":70},"in_reply_to":"7faddb67_c3917b9b","updated":"2019-07-11 00:37:54.000000000","message":"Yes, we should use client_cert.pem in this example.","commit_id":"9f1abd4364b163471297a23192305ecc7fec7cda"},{"author":{"_account_id":8482,"name":"Colleen Murphy","email":"colleen@gazlene.net","username":"krinkle"},"change_message_id":"c6add701fdf9cb52f6c4d3db7b4f8c7371cb7f05","unresolved":false,"context_lines":[{"line_number":138,"context_line":"used as the Identity Provider ID in Keystone. It can be obtained using"},{"line_number":139,"context_line":"OpenSSL CLI."},{"line_number":140,"context_line":""},{"line_number":141,"context_line":"To calculate the IDP ID for issuer DN in RFC 2253 format:"},{"line_number":142,"context_line":".. 
code-block:: bash"},{"line_number":143,"context_line":""},{"line_number":144,"context_line":"   $ openssl x509 -issuer -noout -in client_cert.pem -nameopt rfc2253 | tr -d \u0027\\n\u0027 | sed \u0027s/^\\s*issuer\u003d//\u0027 | openssl dgst -sha256 -hex | awk \u0027{print $2}\u0027"}],"source_content_type":"text/x-rst","patch_set":1,"id":"7faddb67_5184785e","line":141,"updated":"2019-07-10 01:56:22.000000000","message":"newline","commit_id":"9f1abd4364b163471297a23192305ecc7fec7cda"},{"author":{"_account_id":1916,"name":"Guang Yee","email":"gyee@suse.com","username":"guang-yee"},"change_message_id":"1393e0b0f8d89b5b774302f8b63f15a85b55ab44","unresolved":false,"context_lines":[{"line_number":138,"context_line":"used as the Identity Provider ID in Keystone. It can be obtained using"},{"line_number":139,"context_line":"OpenSSL CLI."},{"line_number":140,"context_line":""},{"line_number":141,"context_line":"To calculate the IDP ID for issuer DN in RFC 2253 format:"},{"line_number":142,"context_line":".. 
code-block:: bash"},{"line_number":143,"context_line":""},{"line_number":144,"context_line":"   $ openssl x509 -issuer -noout -in client_cert.pem -nameopt rfc2253 | tr -d \u0027\\n\u0027 | sed \u0027s/^\\s*issuer\u003d//\u0027 | openssl dgst -sha256 -hex | awk \u0027{print $2}\u0027"}],"source_content_type":"text/x-rst","patch_set":1,"id":"7faddb67_3e51720f","line":141,"in_reply_to":"7faddb67_5184785e","updated":"2019-07-11 00:37:54.000000000","message":"Done","commit_id":"9f1abd4364b163471297a23192305ecc7fec7cda"},{"author":{"_account_id":8482,"name":"Colleen Murphy","email":"colleen@gazlene.net","username":"krinkle"},"change_message_id":"c6add701fdf9cb52f6c4d3db7b4f8c7371cb7f05","unresolved":false,"context_lines":[{"line_number":143,"context_line":""},{"line_number":144,"context_line":"   $ openssl x509 -issuer -noout -in client_cert.pem -nameopt rfc2253 | tr -d \u0027\\n\u0027 | sed \u0027s/^\\s*issuer\u003d//\u0027 | openssl dgst -sha256 -hex | awk \u0027{print $2}\u0027"},{"line_number":145,"context_line":""},{"line_number":146,"context_line":"To calculate the IDP ID for issuer DN in old format:"},{"line_number":147,"context_line":".. 
code-block:: bash"},{"line_number":148,"context_line":""},{"line_number":149,"context_line":"   $ openssl x509 -issuer -noout -in client_cert.pem -nameopt compat | tr -d \u0027\\n\u0027 | sed \u0027s/^\\s*issuer\u003d//\u0027 | openssl dgst -sha256 -hex | awk \u0027{print $2}\u0027"}],"source_content_type":"text/x-rst","patch_set":1,"id":"7faddb67_71873463","line":146,"updated":"2019-07-10 01:56:22.000000000","message":"newline","commit_id":"9f1abd4364b163471297a23192305ecc7fec7cda"},{"author":{"_account_id":1916,"name":"Guang Yee","email":"gyee@suse.com","username":"guang-yee"},"change_message_id":"1393e0b0f8d89b5b774302f8b63f15a85b55ab44","unresolved":false,"context_lines":[{"line_number":143,"context_line":""},{"line_number":144,"context_line":"   $ openssl x509 -issuer -noout -in client_cert.pem -nameopt rfc2253 | tr -d \u0027\\n\u0027 | sed \u0027s/^\\s*issuer\u003d//\u0027 | openssl dgst -sha256 -hex | awk \u0027{print $2}\u0027"},{"line_number":145,"context_line":""},{"line_number":146,"context_line":"To calculate the IDP ID for issuer DN in old format:"},{"line_number":147,"context_line":".. code-block:: bash"},{"line_number":148,"context_line":""},{"line_number":149,"context_line":"   $ openssl x509 -issuer -noout -in client_cert.pem -nameopt compat | tr -d \u0027\\n\u0027 | sed \u0027s/^\\s*issuer\u003d//\u0027 | openssl dgst -sha256 -hex | awk \u0027{print $2}\u0027"}],"source_content_type":"text/x-rst","patch_set":1,"id":"7faddb67_fe5afa27","line":146,"in_reply_to":"7faddb67_71873463","updated":"2019-07-11 00:37:54.000000000","message":"Done","commit_id":"9f1abd4364b163471297a23192305ecc7fec7cda"},{"author":{"_account_id":8482,"name":"Colleen Murphy","email":"colleen@gazlene.net","username":"krinkle"},"change_message_id":"c6add701fdf9cb52f6c4d3db7b4f8c7371cb7f05","unresolved":false,"context_lines":[{"line_number":147,"context_line":".. 
code-block:: bash"},{"line_number":148,"context_line":""},{"line_number":149,"context_line":"   $ openssl x509 -issuer -noout -in client_cert.pem -nameopt compat | tr -d \u0027\\n\u0027 | sed \u0027s/^\\s*issuer\u003d//\u0027 | openssl dgst -sha256 -hex | awk \u0027{print $2}\u0027"},{"line_number":150,"context_line":""},{"line_number":151,"context_line":""},{"line_number":152,"context_line":"Keystone Configuration File Changes"},{"line_number":153,"context_line":"-----------------------------------"}],"source_content_type":"text/x-rst","patch_set":1,"id":"7faddb67_23464f23","line":150,"updated":"2019-07-10 01:56:22.000000000","message":"I can\u0027t get these instructions to work. I created a client cert like this:\n\n$ openssl req -out CSR.csr -new -newkey rsa:2048 -nodes -keyout /etc/glance/glance_private_key.pem\n$ openssl x509 -req -in CSR.csr -CA /opt/stack/data/CA/root-ca/cacert.pem -CAkey /opt/stack/data/CA/root-ca/private/cacert.key -days 365 -out /etc/glance/glance.pem -CAcreateserial\n\nThe issuer DN comes out to either \n\n$ openssl x509 -issuer -noout -in /etc/glance/glance.pem -nameopt rfc2253 \nissuer\u003d CN\u003dRoot CA,OU\u003dDevStack Certificate Authority,O\u003dOpenStack\n\nor\n\n$ openssl x509 -issuer -noout -in /etc/glance/glance.pem -nameopt compat\nissuer\u003d O\u003dOpenStack, OU\u003dDevStack Certificate Authority, CN\u003dRoot CA\n\nthe IdP ID then comes out to either\n\n$ openssl x509 -issuer -noout -in /etc/glance/glance.pem -nameopt rfc2253 | tr -d \u0027\\n \u0027 | sed \u0027s/^\\s*issuer\u003d//\u0027 | openssl dgst -sha256 -hex | awk \u0027{print $2}\u0027\n5e2e7c4b847cf9bf2c5f45d27276427a135344227a379e6bb5b55cc7a839e75a\n\nor\n\n$ openssl x509 -issuer -noout -in /etc/glance/glance.pem -nameopt compat | tr -d \u0027\\n \u0027 | sed \u0027s/^\\s*issuer\u003d//\u0027 | openssl dgst -sha256 -hex | awk \u0027{print $2}\u0027\n7ff4d95816af30b19e68afeaa566b7db3b0080248c53748b3e6a91a72e4e4495\n\nBut when I try to authenticate, keystone 
says the IdP ID is ad9b5af1ba36ffc36e1fbf7af5e83e25aebf66bbfefc12eed0313a875e6f9663\n\nWhat did I miss?","commit_id":"9f1abd4364b163471297a23192305ecc7fec7cda"},{"author":{"_account_id":1916,"name":"Guang Yee","email":"gyee@suse.com","username":"guang-yee"},"change_message_id":"1393e0b0f8d89b5b774302f8b63f15a85b55ab44","unresolved":false,"context_lines":[{"line_number":147,"context_line":".. code-block:: bash"},{"line_number":148,"context_line":""},{"line_number":149,"context_line":"   $ openssl x509 -issuer -noout -in client_cert.pem -nameopt compat | tr -d \u0027\\n\u0027 | sed \u0027s/^\\s*issuer\u003d//\u0027 | openssl dgst -sha256 -hex | awk \u0027{print $2}\u0027"},{"line_number":150,"context_line":""},{"line_number":151,"context_line":""},{"line_number":152,"context_line":"Keystone Configuration File Changes"},{"line_number":153,"context_line":"-----------------------------------"}],"source_content_type":"text/x-rst","patch_set":1,"id":"7faddb67_7e8daa79","line":150,"in_reply_to":"7faddb67_23464f23","updated":"2019-07-11 00:37:54.000000000","message":"Which version of openssl are you using? I think you may be hitting this bug.\n\nhttps://github.com/openssl/openssl/issues/5605\n\nThis is what I got, using opensuse/openSUSE-15.0-x86_64 vagrant box.\n\nvagrant@keystone-idp:~\u003e openssl x509 -issuer -noout -in /etc/glance/glance.pem -nameopt compat\nissuer\u003d/DC\u003dcom/DC\u003dsomedemo/O\u003dopenstack/OU\u003dkeystone/CN\u003dIntermediate CA\nvagrant@keystone-idp:~\u003e openssl version\nOpenSSL 1.1.0i-fips  14 Aug 2018","commit_id":"9f1abd4364b163471297a23192305ecc7fec7cda"},{"author":{"_account_id":8482,"name":"Colleen Murphy","email":"colleen@gazlene.net","username":"krinkle"},"change_message_id":"5e8f4aa53920229145f146254f91d6290fe3f2dd","unresolved":false,"context_lines":[{"line_number":147,"context_line":".. 
code-block:: bash"},{"line_number":148,"context_line":""},{"line_number":149,"context_line":"   $ openssl x509 -issuer -noout -in client_cert.pem -nameopt compat | tr -d \u0027\\n\u0027 | sed \u0027s/^\\s*issuer\u003d//\u0027 | openssl dgst -sha256 -hex | awk \u0027{print $2}\u0027"},{"line_number":150,"context_line":""},{"line_number":151,"context_line":""},{"line_number":152,"context_line":"Keystone Configuration File Changes"},{"line_number":153,"context_line":"-----------------------------------"}],"source_content_type":"text/x-rst","patch_set":1,"id":"7faddb67_19335ff8","line":150,"in_reply_to":"7faddb67_7e8daa79","updated":"2019-07-11 22:40:31.000000000","message":"Yep, must have been an openssl bug, I was using 1.0.2g, switching to a newer distro worked.","commit_id":"9f1abd4364b163471297a23192305ecc7fec7cda"},{"author":{"_account_id":8482,"name":"Colleen Murphy","email":"colleen@gazlene.net","username":"krinkle"},"change_message_id":"c6add701fdf9cb52f6c4d3db7b4f8c7371cb7f05","unresolved":false,"context_lines":[{"line_number":163,"context_line":"  terminator passed into the request environment. For example, if SSL"},{"line_number":164,"context_line":"  terminates in Apache mod_ssl, then the issuer DN should be in RFC 2253"},{"line_number":165,"context_line":"  format. Whereas if SSL terminates in HAProxy, then the issuer DN"},{"line_number":166,"context_line":"  is expected to be in the old format. This is a multi-str list option. 
The"},{"line_number":167,"context_line":"  absence of any trusted issuers means the X.509 tokenless authorization"},{"line_number":168,"context_line":"  feature is effectively disabled."},{"line_number":169,"context_line":"* ``protocol`` - The protocol name for the X.509 tokenless authorization"}],"source_content_type":"text/x-rst","patch_set":1,"id":"7faddb67_91e67044","line":166,"range":{"start_line":166,"start_character":55,"end_line":166,"end_character":58},"updated":"2019-07-10 01:56:22.000000000","message":"multi-string?","commit_id":"9f1abd4364b163471297a23192305ecc7fec7cda"},{"author":{"_account_id":1916,"name":"Guang Yee","email":"gyee@suse.com","username":"guang-yee"},"change_message_id":"1393e0b0f8d89b5b774302f8b63f15a85b55ab44","unresolved":false,"context_lines":[{"line_number":163,"context_line":"  terminator passed into the request environment. For example, if SSL"},{"line_number":164,"context_line":"  terminates in Apache mod_ssl, then the issuer DN should be in RFC 2253"},{"line_number":165,"context_line":"  format. Whereas if SSL terminates in HAProxy, then the issuer DN"},{"line_number":166,"context_line":"  is expected to be in the old format. This is a multi-str list option. 
The"},{"line_number":167,"context_line":"  absence of any trusted issuers means the X.509 tokenless authorization"},{"line_number":168,"context_line":"  feature is effectively disabled."},{"line_number":169,"context_line":"* ``protocol`` - The protocol name for the X.509 tokenless authorization"}],"source_content_type":"text/x-rst","patch_set":1,"id":"7faddb67_bed8027f","line":166,"range":{"start_line":166,"start_character":55,"end_line":166,"end_character":58},"in_reply_to":"7faddb67_91e67044","updated":"2019-07-11 00:37:54.000000000","message":"Done","commit_id":"9f1abd4364b163471297a23192305ecc7fec7cda"},{"author":{"_account_id":8482,"name":"Colleen Murphy","email":"colleen@gazlene.net","username":"krinkle"},"change_message_id":"c6add701fdf9cb52f6c4d3db7b4f8c7371cb7f05","unresolved":false,"context_lines":[{"line_number":168,"context_line":"  feature is effectively disabled."},{"line_number":169,"context_line":"* ``protocol`` - The protocol name for the X.509 tokenless authorization"},{"line_number":170,"context_line":"  along with the option `issuer_attribute` below can look up its"},{"line_number":171,"context_line":"  corresponding mapping. It defaults to ``x509``."},{"line_number":172,"context_line":"* ``issuer_attribute`` - The issuer attribute that is served as an IdP ID for"},{"line_number":173,"context_line":"  the X.509 tokenless authorization along with the protocol to look up its"},{"line_number":174,"context_line":"  corresponding mapping. 
It is the environment variable in the WSGI"}],"source_content_type":"text/x-rst","patch_set":1,"id":"7faddb67_d1c5c88f","line":171,"range":{"start_line":171,"start_character":25,"end_line":171,"end_character":49},"updated":"2019-07-10 01:56:22.000000000","message":"Because of the way setuptools entrypoints works, it\u0027s effectively limited to just x509","commit_id":"9f1abd4364b163471297a23192305ecc7fec7cda"},{"author":{"_account_id":8482,"name":"Colleen Murphy","email":"colleen@gazlene.net","username":"krinkle"},"change_message_id":"5e8f4aa53920229145f146254f91d6290fe3f2dd","unresolved":false,"context_lines":[{"line_number":168,"context_line":"  feature is effectively disabled."},{"line_number":169,"context_line":"* ``protocol`` - The protocol name for the X.509 tokenless authorization"},{"line_number":170,"context_line":"  along with the option `issuer_attribute` below can look up its"},{"line_number":171,"context_line":"  corresponding mapping. It defaults to ``x509``."},{"line_number":172,"context_line":"* ``issuer_attribute`` - The issuer attribute that is served as an IdP ID for"},{"line_number":173,"context_line":"  the X.509 tokenless authorization along with the protocol to look up its"},{"line_number":174,"context_line":"  corresponding mapping. It is the environment variable in the WSGI"}],"source_content_type":"text/x-rst","patch_set":1,"id":"7faddb67_d94e276e","line":171,"range":{"start_line":171,"start_character":25,"end_line":171,"end_character":49},"in_reply_to":"7faddb67_3e3bb29c","updated":"2019-07-11 22:40:31.000000000","message":"Hmm, you are right that it works...but it shouldn\u0027t work. Generally federated auth requires you to use one of a few specific protocol names listed in the auth methods. 
This is doing some kind of magic to circumvent that.","commit_id":"9f1abd4364b163471297a23192305ecc7fec7cda"},{"author":{"_account_id":1916,"name":"Guang Yee","email":"gyee@suse.com","username":"guang-yee"},"change_message_id":"1393e0b0f8d89b5b774302f8b63f15a85b55ab44","unresolved":false,"context_lines":[{"line_number":168,"context_line":"  feature is effectively disabled."},{"line_number":169,"context_line":"* ``protocol`` - The protocol name for the X.509 tokenless authorization"},{"line_number":170,"context_line":"  along with the option `issuer_attribute` below can look up its"},{"line_number":171,"context_line":"  corresponding mapping. It defaults to ``x509``."},{"line_number":172,"context_line":"* ``issuer_attribute`` - The issuer attribute that is served as an IdP ID for"},{"line_number":173,"context_line":"  the X.509 tokenless authorization along with the protocol to look up its"},{"line_number":174,"context_line":"  corresponding mapping. It is the environment variable in the WSGI"}],"source_content_type":"text/x-rst","patch_set":1,"id":"7faddb67_3e3bb29c","line":171,"range":{"start_line":171,"start_character":25,"end_line":171,"end_character":49},"in_reply_to":"7faddb67_d1c5c88f","updated":"2019-07-11 00:37:54.000000000","message":"This feature is using the federation mechanism so protocol should be configurable.","commit_id":"9f1abd4364b163471297a23192305ecc7fec7cda"},{"author":{"_account_id":8482,"name":"Colleen Murphy","email":"colleen@gazlene.net","username":"krinkle"},"change_message_id":"c6add701fdf9cb52f6c4d3db7b4f8c7371cb7f05","unresolved":false,"context_lines":[{"line_number":171,"context_line":"  corresponding mapping. It defaults to ``x509``."},{"line_number":172,"context_line":"* ``issuer_attribute`` - The issuer attribute that is served as an IdP ID for"},{"line_number":173,"context_line":"  the X.509 tokenless authorization along with the protocol to look up its"},{"line_number":174,"context_line":"  corresponding mapping. 
It is the environment variable in the WSGI"},{"line_number":175,"context_line":"  environment that references to the Issuer of the client certificate. It"},{"line_number":176,"context_line":"  defaults to ``SSL_CLIENT_I_DN``."},{"line_number":177,"context_line":""},{"line_number":178,"context_line":"This is a sample configuration for two `trusted_issuer` and a `protocol` set"},{"line_number":179,"context_line":"to ``x509``."}],"source_content_type":"text/x-rst","patch_set":1,"id":"7faddb67_1141200c","line":176,"range":{"start_line":174,"start_character":25,"end_line":176,"end_character":34},"updated":"2019-07-10 01:56:22.000000000","message":"Does this apply if the terminator is haproxy?","commit_id":"9f1abd4364b163471297a23192305ecc7fec7cda"},{"author":{"_account_id":1916,"name":"Guang Yee","email":"gyee@suse.com","username":"guang-yee"},"change_message_id":"1393e0b0f8d89b5b774302f8b63f15a85b55ab44","unresolved":false,"context_lines":[{"line_number":171,"context_line":"  corresponding mapping. It defaults to ``x509``."},{"line_number":172,"context_line":"* ``issuer_attribute`` - The issuer attribute that is served as an IdP ID for"},{"line_number":173,"context_line":"  the X.509 tokenless authorization along with the protocol to look up its"},{"line_number":174,"context_line":"  corresponding mapping. It is the environment variable in the WSGI"},{"line_number":175,"context_line":"  environment that references to the Issuer of the client certificate. 
It"},{"line_number":176,"context_line":"  defaults to ``SSL_CLIENT_I_DN``."},{"line_number":177,"context_line":""},{"line_number":178,"context_line":"This is a sample configuration for two `trusted_issuer` and a `protocol` set"},{"line_number":179,"context_line":"to ``x509``."}],"source_content_type":"text/x-rst","patch_set":1,"id":"7faddb67_fe443a1d","line":176,"range":{"start_line":174,"start_character":25,"end_line":176,"end_character":34},"in_reply_to":"7faddb67_1141200c","updated":"2019-07-11 00:37:54.000000000","message":"It depends on how Apache map those X-SSL-* request headers into request env. i.e.\n\nSetEnvIf X-SSL-Issuer \"^(.*)$\" SSL_CLIENT_I_DN\u003d$0","commit_id":"9f1abd4364b163471297a23192305ecc7fec7cda"},{"author":{"_account_id":8482,"name":"Colleen Murphy","email":"colleen@gazlene.net","username":"krinkle"},"change_message_id":"c6add701fdf9cb52f6c4d3db7b4f8c7371cb7f05","unresolved":false,"context_lines":[{"line_number":182,"context_line":""},{"line_number":183,"context_line":"    [tokenless_auth]"},{"line_number":184,"context_line":"    trusted_issuer \u003d emailAddress\u003dmary@abc.com,CN\u003dmary,OU\u003deng,O\u003dabc,L\u003dSan Jose,ST\u003dCalifornia,C\u003dUS"},{"line_number":185,"context_line":"    trusted_issuer \u003d emailAddress\u003djohn@openstack.com,CN\u003djohn,OU\u003dkeystone,O\u003dopenstack,L\u003dSunnyvale,ST\u003dCalifornia,C\u003dUS"},{"line_number":186,"context_line":"    protocol \u003d x509"},{"line_number":187,"context_line":""},{"line_number":188,"context_line":"-------------"}],"source_content_type":"text/x-rst","patch_set":1,"id":"7faddb67_f1456416","line":185,"updated":"2019-07-10 01:56:22.000000000","message":"It might be good to update these examples. The example gives the impression that each client certificate must be listed here (i.e. 
Mary\u0027s cert, John\u0027s cert, etc, where actually just the issuer of the end users\u0027 certs should be here, like maybe admin@abc.com and ca@openstack.com)","commit_id":"9f1abd4364b163471297a23192305ecc7fec7cda"},{"author":{"_account_id":1916,"name":"Guang Yee","email":"gyee@suse.com","username":"guang-yee"},"change_message_id":"1393e0b0f8d89b5b774302f8b63f15a85b55ab44","unresolved":false,"context_lines":[{"line_number":182,"context_line":""},{"line_number":183,"context_line":"    [tokenless_auth]"},{"line_number":184,"context_line":"    trusted_issuer \u003d emailAddress\u003dmary@abc.com,CN\u003dmary,OU\u003deng,O\u003dabc,L\u003dSan Jose,ST\u003dCalifornia,C\u003dUS"},{"line_number":185,"context_line":"    trusted_issuer \u003d emailAddress\u003djohn@openstack.com,CN\u003djohn,OU\u003dkeystone,O\u003dopenstack,L\u003dSunnyvale,ST\u003dCalifornia,C\u003dUS"},{"line_number":186,"context_line":"    protocol \u003d x509"},{"line_number":187,"context_line":""},{"line_number":188,"context_line":"-------------"}],"source_content_type":"text/x-rst","patch_set":1,"id":"7faddb67_9e4bc629","line":185,"in_reply_to":"7faddb67_f1456416","updated":"2019-07-11 00:37:54.000000000","message":"Done","commit_id":"9f1abd4364b163471297a23192305ecc7fec7cda"},{"author":{"_account_id":8482,"name":"Colleen Murphy","email":"colleen@gazlene.net","username":"krinkle"},"change_message_id":"c6add701fdf9cb52f6c4d3db7b4f8c7371cb7f05","unresolved":false,"context_lines":[{"line_number":184,"context_line":"    trusted_issuer \u003d emailAddress\u003dmary@abc.com,CN\u003dmary,OU\u003deng,O\u003dabc,L\u003dSan Jose,ST\u003dCalifornia,C\u003dUS"},{"line_number":185,"context_line":"    trusted_issuer \u003d emailAddress\u003djohn@openstack.com,CN\u003djohn,OU\u003dkeystone,O\u003dopenstack,L\u003dSunnyvale,ST\u003dCalifornia,C\u003dUS"},{"line_number":186,"context_line":"    protocol \u003d 
x509"},{"line_number":187,"context_line":""},{"line_number":188,"context_line":"-------------"},{"line_number":189,"context_line":"Setup Mapping"},{"line_number":190,"context_line":"-------------"}],"source_content_type":"text/x-rst","patch_set":1,"id":"7faddb67_d173887f","line":187,"updated":"2019-07-10 01:56:22.000000000","message":"Also [auth]/methods needs \u0027x509\u0027 added to the list","commit_id":"9f1abd4364b163471297a23192305ecc7fec7cda"},{"author":{"_account_id":1916,"name":"Guang Yee","email":"gyee@suse.com","username":"guang-yee"},"change_message_id":"1393e0b0f8d89b5b774302f8b63f15a85b55ab44","unresolved":false,"context_lines":[{"line_number":184,"context_line":"    trusted_issuer \u003d emailAddress\u003dmary@abc.com,CN\u003dmary,OU\u003deng,O\u003dabc,L\u003dSan Jose,ST\u003dCalifornia,C\u003dUS"},{"line_number":185,"context_line":"    trusted_issuer \u003d emailAddress\u003djohn@openstack.com,CN\u003djohn,OU\u003dkeystone,O\u003dopenstack,L\u003dSunnyvale,ST\u003dCalifornia,C\u003dUS"},{"line_number":186,"context_line":"    protocol \u003d x509"},{"line_number":187,"context_line":""},{"line_number":188,"context_line":"-------------"},{"line_number":189,"context_line":"Setup Mapping"},{"line_number":190,"context_line":"-------------"}],"source_content_type":"text/x-rst","patch_set":1,"id":"7faddb67_be6fa290","line":187,"in_reply_to":"7faddb67_d173887f","updated":"2019-07-11 00:37:54.000000000","message":"No need. 
It is using the \u0027mapped\u0027 method as it is using the federation mechanism.","commit_id":"9f1abd4364b163471297a23192305ecc7fec7cda"},{"author":{"_account_id":8482,"name":"Colleen Murphy","email":"colleen@gazlene.net","username":"krinkle"},"change_message_id":"c6add701fdf9cb52f6c4d3db7b4f8c7371cb7f05","unresolved":false,"context_lines":[{"line_number":200,"context_line":"As mentioned, the Identity Provider ID is the hexadecimal output of the SHA256"},{"line_number":201,"context_line":"hash of the issuer distinguished name (DN)."},{"line_number":202,"context_line":""},{"line_number":203,"context_line":"-- note::"},{"line_number":204,"context_line":"   If there are multiple trusted issuers, there must be multiple IDP created,"},{"line_number":205,"context_line":"   one for each trsuted issuer."},{"line_number":206,"context_line":""}],"source_content_type":"text/x-rst","patch_set":1,"id":"7faddb67_b1684c87","line":203,"range":{"start_line":203,"start_character":0,"end_line":203,"end_character":9},"updated":"2019-07-10 01:56:22.000000000","message":"fix rendering","commit_id":"9f1abd4364b163471297a23192305ecc7fec7cda"},{"author":{"_account_id":1916,"name":"Guang Yee","email":"gyee@suse.com","username":"guang-yee"},"change_message_id":"1393e0b0f8d89b5b774302f8b63f15a85b55ab44","unresolved":false,"context_lines":[{"line_number":200,"context_line":"As mentioned, the Identity Provider ID is the hexadecimal output of the SHA256"},{"line_number":201,"context_line":"hash of the issuer distinguished name (DN)."},{"line_number":202,"context_line":""},{"line_number":203,"context_line":"-- note::"},{"line_number":204,"context_line":"   If there are multiple trusted issuers, there must be multiple IDP created,"},{"line_number":205,"context_line":"   one for each trsuted 
issuer."},{"line_number":206,"context_line":""}],"source_content_type":"text/x-rst","patch_set":1,"id":"7faddb67_5e030eb9","line":203,"range":{"start_line":203,"start_character":0,"end_line":203,"end_character":9},"in_reply_to":"7faddb67_b1684c87","updated":"2019-07-11 00:37:54.000000000","message":"Done","commit_id":"9f1abd4364b163471297a23192305ecc7fec7cda"},{"author":{"_account_id":8482,"name":"Colleen Murphy","email":"colleen@gazlene.net","username":"krinkle"},"change_message_id":"c6add701fdf9cb52f6c4d3db7b4f8c7371cb7f05","unresolved":false,"context_lines":[{"line_number":202,"context_line":""},{"line_number":203,"context_line":"-- note::"},{"line_number":204,"context_line":"   If there are multiple trusted issuers, there must be multiple IDP created,"},{"line_number":205,"context_line":"   one for each trsuted issuer."},{"line_number":206,"context_line":""},{"line_number":207,"context_line":"To create an IDP for a given trusted issuer, follow the instructions in the"},{"line_number":208,"context_line":"`How to calculate the IDP ID from trusted issuer DN`_ section to calculate"}],"source_content_type":"text/x-rst","patch_set":1,"id":"7faddb67_510558c1","line":205,"range":{"start_line":205,"start_character":16,"end_line":205,"end_character":23},"updated":"2019-07-10 01:56:22.000000000","message":"trusted","commit_id":"9f1abd4364b163471297a23192305ecc7fec7cda"},{"author":{"_account_id":8482,"name":"Colleen Murphy","email":"colleen@gazlene.net","username":"krinkle"},"change_message_id":"c6add701fdf9cb52f6c4d3db7b4f8c7371cb7f05","unresolved":false,"context_lines":[{"line_number":210,"context_line":""},{"line_number":211,"context_line":".. 
code-block:: bash"},{"line_number":212,"context_line":""},{"line_number":213,"context_line":"   $ openstack identity provider create --description \u0027IDP foo\u0027 \u003cIDP ID\u003e"},{"line_number":214,"context_line":""},{"line_number":215,"context_line":""},{"line_number":216,"context_line":"Create a Map"}],"source_content_type":"text/x-rst","patch_set":1,"id":"7faddb67_d1f868c5","line":213,"updated":"2019-07-10 01:56:22.000000000","message":"\\o/","commit_id":"9f1abd4364b163471297a23192305ecc7fec7cda"},{"author":{"_account_id":8482,"name":"Colleen Murphy","email":"colleen@gazlene.net","username":"krinkle"},"change_message_id":"c6add701fdf9cb52f6c4d3db7b4f8c7371cb7f05","unresolved":false,"context_lines":[{"line_number":231,"context_line":""},{"line_number":232,"context_line":".. code-block:: javascript"},{"line_number":233,"context_line":""},{"line_number":234,"context_line":"    {"},{"line_number":235,"context_line":"         \"mapping\": {"},{"line_number":236,"context_line":"             \"rules\": ["},{"line_number":237,"context_line":"                 {"},{"line_number":238,"context_line":"                     \"local\": ["},{"line_number":239,"context_line":"                         {"}],"source_content_type":"text/x-rst","patch_set":1,"id":"7faddb67_31ed3c8b","line":236,"range":{"start_line":234,"start_character":4,"end_line":236,"end_character":21},"updated":"2019-07-10 01:56:22.000000000","message":"This is valid for the raw API call but when using the CLI the JSON blob just starts with [{\"local\":[\n\nhttps://docs.openstack.org/keystone/latest/admin/federation/configure_federation.html#create-a-mapping","commit_id":"9f1abd4364b163471297a23192305ecc7fec7cda"},{"author":{"_account_id":1916,"name":"Guang Yee","email":"gyee@suse.com","username":"guang-yee"},"change_message_id":"1393e0b0f8d89b5b774302f8b63f15a85b55ab44","unresolved":false,"context_lines":[{"line_number":231,"context_line":""},{"line_number":232,"context_line":".. 
code-block:: javascript"},{"line_number":233,"context_line":""},{"line_number":234,"context_line":"    {"},{"line_number":235,"context_line":"         \"mapping\": {"},{"line_number":236,"context_line":"             \"rules\": ["},{"line_number":237,"context_line":"                 {"},{"line_number":238,"context_line":"                     \"local\": ["},{"line_number":239,"context_line":"                         {"}],"source_content_type":"text/x-rst","patch_set":1,"id":"7faddb67_3e32d2a8","line":236,"range":{"start_line":234,"start_character":4,"end_line":236,"end_character":21},"in_reply_to":"7faddb67_31ed3c8b","updated":"2019-07-11 00:37:54.000000000","message":"Done","commit_id":"9f1abd4364b163471297a23192305ecc7fec7cda"},{"author":{"_account_id":8482,"name":"Colleen Murphy","email":"colleen@gazlene.net","username":"krinkle"},"change_message_id":"c6add701fdf9cb52f6c4d3db7b4f8c7371cb7f05","unresolved":false,"context_lines":[{"line_number":271,"context_line":"   the proper role assignments (i.e. allow token validation) If not, it will"},{"line_number":272,"context_line":"   need to be created."},{"line_number":273,"context_line":""},{"line_number":274,"context_line":"When user\u0027s ``type`` is not defined or set to ``ephemeral``, the mapped user"},{"line_number":275,"context_line":"does not have to be a valid local user but the mapping must yield at least"},{"line_number":276,"context_line":"one valid local group. For example:"},{"line_number":277,"context_line":""},{"line_number":278,"context_line":".. code-block:: javascript"},{"line_number":279,"context_line":""}],"source_content_type":"text/x-rst","patch_set":1,"id":"7faddb67_713174a2","line":276,"range":{"start_line":274,"start_character":61,"end_line":276,"end_character":22},"updated":"2019-07-10 01:56:22.000000000","message":"I don\u0027t think the above addition of a \"group\" section should be necessary, because of this. local users already have role assignments and perhaps group memberships. 
ephemeral users need to have the group membership defined here (or project role assignments, but iirc auto-provisioning doesn\u0027t work for this feature).","commit_id":"9f1abd4364b163471297a23192305ecc7fec7cda"},{"author":{"_account_id":1916,"name":"Guang Yee","email":"gyee@suse.com","username":"guang-yee"},"change_message_id":"1393e0b0f8d89b5b774302f8b63f15a85b55ab44","unresolved":false,"context_lines":[{"line_number":271,"context_line":"   the proper role assignments (i.e. allow token validation) If not, it will"},{"line_number":272,"context_line":"   need to be created."},{"line_number":273,"context_line":""},{"line_number":274,"context_line":"When user\u0027s ``type`` is not defined or set to ``ephemeral``, the mapped user"},{"line_number":275,"context_line":"does not have to be a valid local user but the mapping must yield at least"},{"line_number":276,"context_line":"one valid local group. For example:"},{"line_number":277,"context_line":""},{"line_number":278,"context_line":".. code-block:: javascript"},{"line_number":279,"context_line":""}],"source_content_type":"text/x-rst","patch_set":1,"id":"7faddb67_deddbe42","line":276,"range":{"start_line":274,"start_character":61,"end_line":276,"end_character":22},"in_reply_to":"7faddb67_713174a2","updated":"2019-07-11 00:37:54.000000000","message":"You\u0027re right. Interestingly, mapping to local group still works if the assignment doesn\u0027t exist.","commit_id":"9f1abd4364b163471297a23192305ecc7fec7cda"},{"author":{"_account_id":8482,"name":"Colleen Murphy","email":"colleen@gazlene.net","username":"krinkle"},"change_message_id":"c6add701fdf9cb52f6c4d3db7b4f8c7371cb7f05","unresolved":false,"context_lines":[{"line_number":312,"context_line":""},{"line_number":313,"context_line":".. 
note::"},{"line_number":314,"context_line":""},{"line_number":315,"context_line":"   The mapping ID is user designed and it can be any string as opposed to"},{"line_number":316,"context_line":"   IDP ID."},{"line_number":317,"context_line":""},{"line_number":318,"context_line":"Create a Protocol"}],"source_content_type":"text/x-rst","patch_set":1,"id":"7faddb67_11284032","line":315,"range":{"start_line":315,"start_character":21,"end_line":315,"end_character":34},"updated":"2019-07-10 01:56:22.000000000","message":"suggest using the word \"arbitrary\" instead of \"user designed\"","commit_id":"9f1abd4364b163471297a23192305ecc7fec7cda"},{"author":{"_account_id":1916,"name":"Guang Yee","email":"gyee@suse.com","username":"guang-yee"},"change_message_id":"1393e0b0f8d89b5b774302f8b63f15a85b55ab44","unresolved":false,"context_lines":[{"line_number":312,"context_line":""},{"line_number":313,"context_line":".. note::"},{"line_number":314,"context_line":""},{"line_number":315,"context_line":"   The mapping ID is user designed and it can be any string as opposed to"},{"line_number":316,"context_line":"   IDP ID."},{"line_number":317,"context_line":""},{"line_number":318,"context_line":"Create a Protocol"}],"source_content_type":"text/x-rst","patch_set":1,"id":"7faddb67_feb99ae8","line":315,"range":{"start_line":315,"start_character":21,"end_line":315,"end_character":34},"in_reply_to":"7faddb67_11284032","updated":"2019-07-11 00:37:54.000000000","message":"Done","commit_id":"9f1abd4364b163471297a23192305ecc7fec7cda"},{"author":{"_account_id":8482,"name":"Colleen Murphy","email":"colleen@gazlene.net","username":"krinkle"},"change_message_id":"c6add701fdf9cb52f6c4d3db7b4f8c7371cb7f05","unresolved":false,"context_lines":[{"line_number":320,"context_line":""},{"line_number":321,"context_line":"The name of the protocol must be the same as the one specified by the"},{"line_number":322,"context_line":"``protocol`` option in ``tokenless_auth`` section of the 
Keystone"},{"line_number":323,"context_line":"configuration file. The protocol name is user designed and it can be any"},{"line_number":324,"context_line":"name as opposed to IDP ID."},{"line_number":325,"context_line":""},{"line_number":326,"context_line":"A protocol name and an IDP ID will uniquely identify a mapping."},{"line_number":327,"context_line":""}],"source_content_type":"text/x-rst","patch_set":1,"id":"7faddb67_d121484f","line":324,"range":{"start_line":323,"start_character":20,"end_line":324,"end_character":26},"updated":"2019-07-10 01:56:22.000000000","message":"I don\u0027t think this is true, the protocol name must match an entry point registered with setuptools: https://opendev.org/openstack/keystone/src/branch/master/setup.cfg#L78-L111","commit_id":"9f1abd4364b163471297a23192305ecc7fec7cda"},{"author":{"_account_id":1916,"name":"Guang Yee","email":"gyee@suse.com","username":"guang-yee"},"change_message_id":"1393e0b0f8d89b5b774302f8b63f15a85b55ab44","unresolved":false,"context_lines":[{"line_number":320,"context_line":""},{"line_number":321,"context_line":"The name of the protocol must be the same as the one specified by the"},{"line_number":322,"context_line":"``protocol`` option in ``tokenless_auth`` section of the Keystone"},{"line_number":323,"context_line":"configuration file. 
The protocol name is user designed and it can be any"},{"line_number":324,"context_line":"name as opposed to IDP ID."},{"line_number":325,"context_line":""},{"line_number":326,"context_line":"A protocol name and an IDP ID will uniquely identify a mapping."},{"line_number":327,"context_line":""}],"source_content_type":"text/x-rst","patch_set":1,"id":"7faddb67_becb2270","line":324,"range":{"start_line":323,"start_character":20,"end_line":324,"end_character":26},"in_reply_to":"7faddb67_d121484f","updated":"2019-07-11 00:37:54.000000000","message":"We are using the federation mechanism so the protocol name can be arbitrary.","commit_id":"9f1abd4364b163471297a23192305ecc7fec7cda"},{"author":{"_account_id":8482,"name":"Colleen Murphy","email":"colleen@gazlene.net","username":"krinkle"},"change_message_id":"c6add701fdf9cb52f6c4d3db7b4f8c7371cb7f05","unresolved":false,"context_lines":[{"line_number":325,"context_line":""},{"line_number":326,"context_line":"A protocol name and an IDP ID will uniquely identify a mapping."},{"line_number":327,"context_line":""},{"line_number":328,"context_line":"To create a protocl using OpenStack CLI:"},{"line_number":329,"context_line":".. 
code-block:: bash"},{"line_number":330,"context_line":""},{"line_number":331,"context_line":"   $ openstack federation protocol create --identity-provider \u003cIDP ID\u003e"}],"source_content_type":"text/x-rst","patch_set":1,"id":"7faddb67_f11c8414","line":328,"range":{"start_line":328,"start_character":12,"end_line":328,"end_character":19},"updated":"2019-07-10 01:56:22.000000000","message":"protocol","commit_id":"9f1abd4364b163471297a23192305ecc7fec7cda"},{"author":{"_account_id":1916,"name":"Guang Yee","email":"gyee@suse.com","username":"guang-yee"},"change_message_id":"1393e0b0f8d89b5b774302f8b63f15a85b55ab44","unresolved":false,"context_lines":[{"line_number":325,"context_line":""},{"line_number":326,"context_line":"A protocol name and an IDP ID will uniquely identify a mapping."},{"line_number":327,"context_line":""},{"line_number":328,"context_line":"To create a protocl using OpenStack CLI:"},{"line_number":329,"context_line":".. code-block:: bash"},{"line_number":330,"context_line":""},{"line_number":331,"context_line":"   $ openstack federation protocol create --identity-provider \u003cIDP ID\u003e"}],"source_content_type":"text/x-rst","patch_set":1,"id":"7faddb67_5eca2e6d","line":328,"range":{"start_line":328,"start_character":12,"end_line":328,"end_character":19},"in_reply_to":"7faddb67_f11c8414","updated":"2019-07-11 00:37:54.000000000","message":"Done","commit_id":"9f1abd4364b163471297a23192305ecc7fec7cda"},{"author":{"_account_id":8482,"name":"Colleen Murphy","email":"colleen@gazlene.net","username":"krinkle"},"change_message_id":"c6add701fdf9cb52f6c4d3db7b4f8c7371cb7f05","unresolved":false,"context_lines":[{"line_number":359,"context_line":"    \u003cVirtualHost *:443\u003e"},{"line_number":360,"context_line":"        WSGIScriptAlias / /var/www/cgi-bin/keystone/main"},{"line_number":361,"context_line":"        ErrorLog /var/log/apache2/keystone.log"},{"line_number":362,"context_line":"        LogLevel debug"},{"line_number":363,"context_line":"      
  CustomLog /var/log/apache2/access.log combined"},{"line_number":364,"context_line":"        SSLEngine on"},{"line_number":365,"context_line":"        SSLCertificateFile    /etc/apache2/ssl/apache.cer"}],"source_content_type":"text/x-rst","patch_set":1,"id":"7faddb67_31ae9c98","line":362,"updated":"2019-07-10 01:56:22.000000000","message":"Probably don\u0027t want this","commit_id":"9f1abd4364b163471297a23192305ecc7fec7cda"},{"author":{"_account_id":1916,"name":"Guang Yee","email":"gyee@suse.com","username":"guang-yee"},"change_message_id":"1393e0b0f8d89b5b774302f8b63f15a85b55ab44","unresolved":false,"context_lines":[{"line_number":359,"context_line":"    \u003cVirtualHost *:443\u003e"},{"line_number":360,"context_line":"        WSGIScriptAlias / /var/www/cgi-bin/keystone/main"},{"line_number":361,"context_line":"        ErrorLog /var/log/apache2/keystone.log"},{"line_number":362,"context_line":"        LogLevel debug"},{"line_number":363,"context_line":"        CustomLog /var/log/apache2/access.log combined"},{"line_number":364,"context_line":"        SSLEngine on"},{"line_number":365,"context_line":"        SSLCertificateFile    /etc/apache2/ssl/apache.cer"}],"source_content_type":"text/x-rst","patch_set":1,"id":"7faddb67_7ec5aa5a","line":362,"in_reply_to":"7faddb67_31ae9c98","updated":"2019-07-11 00:37:54.000000000","message":"Done","commit_id":"9f1abd4364b163471297a23192305ecc7fec7cda"},{"author":{"_account_id":8482,"name":"Colleen Murphy","email":"colleen@gazlene.net","username":"krinkle"},"change_message_id":"c6add701fdf9cb52f6c4d3db7b4f8c7371cb7f05","unresolved":false,"context_lines":[{"line_number":368,"context_line":"        SSLOptions +StdEnvVars"},{"line_number":369,"context_line":"        SSLVerifyClient optional"},{"line_number":370,"context_line":"    \u003c/VirtualHost\u003e"},{"line_number":371,"context_line":""},{"line_number":372,"context_line":"HAProxy and Apache 
Configuration"},{"line_number":373,"context_line":"--------------------------------"},{"line_number":374,"context_line":"If SSL terminates at HAProxy and Apache is the API proxy for the Keystone"}],"source_content_type":"text/x-rst","patch_set":1,"id":"7faddb67_b1160cf1","line":371,"updated":"2019-07-10 01:56:22.000000000","message":"Looks like a duplicate of lines 68-92? I would probably keep these setup instructions at the top since they are prerequisites for everything else","commit_id":"9f1abd4364b163471297a23192305ecc7fec7cda"},{"author":{"_account_id":1916,"name":"Guang Yee","email":"gyee@suse.com","username":"guang-yee"},"change_message_id":"1393e0b0f8d89b5b774302f8b63f15a85b55ab44","unresolved":false,"context_lines":[{"line_number":368,"context_line":"        SSLOptions +StdEnvVars"},{"line_number":369,"context_line":"        SSLVerifyClient optional"},{"line_number":370,"context_line":"    \u003c/VirtualHost\u003e"},{"line_number":371,"context_line":""},{"line_number":372,"context_line":"HAProxy and Apache Configuration"},{"line_number":373,"context_line":"--------------------------------"},{"line_number":374,"context_line":"If SSL terminates at HAProxy and Apache is the API proxy for the Keystone"}],"source_content_type":"text/x-rst","patch_set":1,"id":"7faddb67_1ea276af","line":371,"in_reply_to":"7faddb67_b1160cf1","updated":"2019-07-11 00:37:54.000000000","message":"Yes, it is a duplication. I removed the section from the top because this section is about the SSL terminator configuration.","commit_id":"9f1abd4364b163471297a23192305ecc7fec7cda"},{"author":{"_account_id":8482,"name":"Colleen Murphy","email":"colleen@gazlene.net","username":"krinkle"},"change_message_id":"c6add701fdf9cb52f6c4d3db7b4f8c7371cb7f05","unresolved":false,"context_lines":[{"line_number":403,"context_line":".. 
code-block:: ini"},{"line_number":404,"context_line":""},{"line_number":405,"context_line":"    \u003cVirtualHost 192.168.0.10:80\u003e"},{"line_number":406,"context_line":"        ProxyPass \"/identity\" \"unix:/var/run/uwsgi/keystone-wsgi-public.socket|uwsgi://uwsgi-uds-keystone-wsgi-public/\" retry\u003d0"},{"line_number":407,"context_line":""},{"line_number":408,"context_line":"        # Bring the needed SSL certificate attributes from HAProxy into the"},{"line_number":409,"context_line":"        # request environment"}],"source_content_type":"text/x-rst","patch_set":1,"id":"7faddb67_71d6542a","line":406,"updated":"2019-07-10 01:56:22.000000000","message":"I think this comes from devstack and is inconsistent with your other apache examples and with the haproxy bind to 5000 in the above example.","commit_id":"9f1abd4364b163471297a23192305ecc7fec7cda"},{"author":{"_account_id":1916,"name":"Guang Yee","email":"gyee@suse.com","username":"guang-yee"},"change_message_id":"1393e0b0f8d89b5b774302f8b63f15a85b55ab44","unresolved":false,"context_lines":[{"line_number":403,"context_line":".. 
code-block:: ini"},{"line_number":404,"context_line":""},{"line_number":405,"context_line":"    \u003cVirtualHost 192.168.0.10:80\u003e"},{"line_number":406,"context_line":"        ProxyPass \"/identity\" \"unix:/var/run/uwsgi/keystone-wsgi-public.socket|uwsgi://uwsgi-uds-keystone-wsgi-public/\" retry\u003d0"},{"line_number":407,"context_line":""},{"line_number":408,"context_line":"        # Bring the needed SSL certificate attributes from HAProxy into the"},{"line_number":409,"context_line":"        # request environment"}],"source_content_type":"text/x-rst","patch_set":1,"id":"7faddb67_deab7e86","line":406,"in_reply_to":"7faddb67_71d6542a","updated":"2019-07-11 00:37:54.000000000","message":"Done","commit_id":"9f1abd4364b163471297a23192305ecc7fec7cda"},{"author":{"_account_id":14495,"name":"Adam Heczko","email":"aheczko@mirantis.com","username":"aheczko-mirantis"},"change_message_id":"f6a4a6f0de9be52cb1cf842d45aa2db48f19e364","unresolved":false,"context_lines":[{"line_number":448,"context_line":"    project_domain_name \u003d Default"},{"line_number":449,"context_line":"    project_name \u003d service"},{"line_number":450,"context_line":"    auth_url \u003d https://192.168.0.10/identity/v3"},{"line_number":451,"context_line":"    auth_type \u003d v3tokenlessauth"},{"line_number":452,"context_line":"    certfile \u003d /etc/glance/glance.pem"},{"line_number":453,"context_line":"    keyfile \u003d /etc/glance/glance_private_key.pem"},{"line_number":454,"context_line":""}],"source_content_type":"text/x-rst","patch_set":1,"id":"7faddb67_c8bbebc1","line":451,"range":{"start_line":451,"start_character":16,"end_line":451,"end_character":31},"updated":"2019-07-09 07:31:45.000000000","message":"Thank you for posting a patch!\nIt may be worth noting that v3tokenless was merged into projects in Rocky for the most part. 
It is available only with the V3 Client API.\nhttps://docs.openstack.org/python-keystoneclient/latest/using-api-v3.html#authenticating-using-sessions\nThanks!","commit_id":"9f1abd4364b163471297a23192305ecc7fec7cda"},{"author":{"_account_id":1916,"name":"Guang Yee","email":"gyee@suse.com","username":"guang-yee"},"change_message_id":"1393e0b0f8d89b5b774302f8b63f15a85b55ab44","unresolved":false,"context_lines":[{"line_number":448,"context_line":"    project_domain_name \u003d Default"},{"line_number":449,"context_line":"    project_name \u003d service"},{"line_number":450,"context_line":"    auth_url \u003d https://192.168.0.10/identity/v3"},{"line_number":451,"context_line":"    auth_type \u003d v3tokenlessauth"},{"line_number":452,"context_line":"    certfile \u003d /etc/glance/glance.pem"},{"line_number":453,"context_line":"    keyfile \u003d /etc/glance/glance_private_key.pem"},{"line_number":454,"context_line":""}],"source_content_type":"text/x-rst","patch_set":1,"id":"7faddb67_fe9c3a5e","line":451,"range":{"start_line":451,"start_character":16,"end_line":451,"end_character":31},"in_reply_to":"7faddb67_c8bbebc1","updated":"2019-07-11 00:37:54.000000000","message":"We should only be using v3 API now. 
V2 has been deprecated and removed.","commit_id":"9f1abd4364b163471297a23192305ecc7fec7cda"},{"author":{"_account_id":8482,"name":"Colleen Murphy","email":"colleen@gazlene.net","username":"krinkle"},"change_message_id":"c6add701fdf9cb52f6c4d3db7b4f8c7371cb7f05","unresolved":false,"context_lines":[{"line_number":449,"context_line":"    project_name \u003d service"},{"line_number":450,"context_line":"    auth_url \u003d https://192.168.0.10/identity/v3"},{"line_number":451,"context_line":"    auth_type \u003d v3tokenlessauth"},{"line_number":452,"context_line":"    certfile \u003d /etc/glance/glance.pem"},{"line_number":453,"context_line":"    keyfile \u003d /etc/glance/glance_private_key.pem"},{"line_number":454,"context_line":""}],"source_content_type":"text/x-rst","patch_set":1,"id":"7faddb67_b1eb6cda","line":453,"range":{"start_line":452,"start_character":4,"end_line":453,"end_character":48},"updated":"2019-07-10 01:56:22.000000000","message":"I think you\u0027d more often find these in e.g. 
/etc/glance/certs/glance.pem and /etc/glance/private/glance_private_key.pem","commit_id":"9f1abd4364b163471297a23192305ecc7fec7cda"},{"author":{"_account_id":1916,"name":"Guang Yee","email":"gyee@suse.com","username":"guang-yee"},"change_message_id":"1393e0b0f8d89b5b774302f8b63f15a85b55ab44","unresolved":false,"context_lines":[{"line_number":449,"context_line":"    project_name \u003d service"},{"line_number":450,"context_line":"    auth_url \u003d https://192.168.0.10/identity/v3"},{"line_number":451,"context_line":"    auth_type \u003d v3tokenlessauth"},{"line_number":452,"context_line":"    certfile \u003d /etc/glance/glance.pem"},{"line_number":453,"context_line":"    keyfile \u003d /etc/glance/glance_private_key.pem"},{"line_number":454,"context_line":""}],"source_content_type":"text/x-rst","patch_set":1,"id":"7faddb67_5ead4e86","line":453,"range":{"start_line":452,"start_character":4,"end_line":453,"end_character":48},"in_reply_to":"7faddb67_b1eb6cda","updated":"2019-07-11 00:37:54.000000000","message":"Done","commit_id":"9f1abd4364b163471297a23192305ecc7fec7cda"},{"author":{"_account_id":8482,"name":"Colleen Murphy","email":"colleen@gazlene.net","username":"krinkle"},"change_message_id":"5e8f4aa53920229145f146254f91d6290fe3f2dd","unresolved":false,"context_lines":[{"line_number":49,"context_line":"* `X.509 Certificate`: a time bound digital identity, which is"},{"line_number":50,"context_line":"  certified or digitally signed by its issuer using cryptographic means as"},{"line_number":51,"context_line":"  defined by the `X.509`_ standard. It contains information which can be"},{"line_number":52,"context_line":"  used to uniquely identity its owner. 
For example, the owner of the"},{"line_number":53,"context_line":"  certificate is identified by the ``Subject`` attribute while the issuer"},{"line_number":54,"context_line":"  is identified by ``Issuer`` attribute."},{"line_number":55,"context_line":""}],"source_content_type":"text/x-rst","patch_set":3,"id":"7faddb67_19bd9f01","line":52,"range":{"start_line":52,"start_character":19,"end_line":52,"end_character":27},"updated":"2019-07-11 22:40:31.000000000","message":"identify","commit_id":"166043d7c6842636811d9f3c03cc4d115f4e9d90"},{"author":{"_account_id":1916,"name":"Guang Yee","email":"gyee@suse.com","username":"guang-yee"},"change_message_id":"9fa27285b9747ae08c794b4524186d4be50f3c11","unresolved":false,"context_lines":[{"line_number":49,"context_line":"* `X.509 Certificate`: a time bound digital identity, which is"},{"line_number":50,"context_line":"  certified or digitally signed by its issuer using cryptographic means as"},{"line_number":51,"context_line":"  defined by the `X.509`_ standard. It contains information which can be"},{"line_number":52,"context_line":"  used to uniquely identity its owner. 
For example, the owner of the"},{"line_number":53,"context_line":"  certificate is identified by the ``Subject`` attribute while the issuer"},{"line_number":54,"context_line":"  is identified by ``Issuer`` attribute."},{"line_number":55,"context_line":""}],"source_content_type":"text/x-rst","patch_set":3,"id":"7faddb67_dc905546","line":52,"range":{"start_line":52,"start_character":19,"end_line":52,"end_character":27},"in_reply_to":"7faddb67_19bd9f01","updated":"2019-07-11 23:44:28.000000000","message":"Done","commit_id":"166043d7c6842636811d9f3c03cc4d115f4e9d90"},{"author":{"_account_id":8482,"name":"Colleen Murphy","email":"colleen@gazlene.net","username":"krinkle"},"change_message_id":"5e8f4aa53920229145f146254f91d6290fe3f2dd","unresolved":false,"context_lines":[{"line_number":140,"context_line":"             e0:38:f7:58:d1:90:82:44:01:ab:05:fd:68:0c:ab:9e:c6:94:"},{"line_number":141,"context_line":"             76:34:46:8b:66:bb:02:07"},{"line_number":142,"context_line":""},{"line_number":143,"context_line":"  See `public key certificate` for more information."},{"line_number":144,"context_line":""},{"line_number":145,"context_line":"* `Issuer`: the issuer of a X.509 certificate. It is also known as"},{"line_number":146,"context_line":"  `Certificate Authority (CA)` or Certification Authority. 
Issuer is"}],"source_content_type":"text/x-rst","patch_set":3,"id":"7faddb67_f93d238f","line":143,"range":{"start_line":143,"start_character":0,"end_line":143,"end_character":2},"updated":"2019-07-11 22:40:31.000000000","message":"Should be unindented, otherwise it renders as part of the code example","commit_id":"166043d7c6842636811d9f3c03cc4d115f4e9d90"},{"author":{"_account_id":8482,"name":"Colleen Murphy","email":"colleen@gazlene.net","username":"krinkle"},"change_message_id":"5e8f4aa53920229145f146254f91d6290fe3f2dd","unresolved":false,"context_lines":[{"line_number":140,"context_line":"             e0:38:f7:58:d1:90:82:44:01:ab:05:fd:68:0c:ab:9e:c6:94:"},{"line_number":141,"context_line":"             76:34:46:8b:66:bb:02:07"},{"line_number":142,"context_line":""},{"line_number":143,"context_line":"  See `public key certificate` for more information."},{"line_number":144,"context_line":""},{"line_number":145,"context_line":"* `Issuer`: the issuer of a X.509 certificate. It is also known as"},{"line_number":146,"context_line":"  `Certificate Authority (CA)` or Certification Authority. 
Issuer is"}],"source_content_type":"text/x-rst","patch_set":3,"id":"7faddb67_56052445","line":143,"range":{"start_line":143,"start_character":6,"end_line":143,"end_character":30},"updated":"2019-07-11 22:40:31.000000000","message":"needs a _ to turn it into a link","commit_id":"166043d7c6842636811d9f3c03cc4d115f4e9d90"},{"author":{"_account_id":1916,"name":"Guang Yee","email":"gyee@suse.com","username":"guang-yee"},"change_message_id":"9fa27285b9747ae08c794b4524186d4be50f3c11","unresolved":false,"context_lines":[{"line_number":140,"context_line":"             e0:38:f7:58:d1:90:82:44:01:ab:05:fd:68:0c:ab:9e:c6:94:"},{"line_number":141,"context_line":"             76:34:46:8b:66:bb:02:07"},{"line_number":142,"context_line":""},{"line_number":143,"context_line":"  See `public key certificate` for more information."},{"line_number":144,"context_line":""},{"line_number":145,"context_line":"* `Issuer`: the issuer of a X.509 certificate. It is also known as"},{"line_number":146,"context_line":"  `Certificate Authority (CA)` or Certification Authority. 
Issuer is"}],"source_content_type":"text/x-rst","patch_set":3,"id":"7faddb67_7ca12194","line":143,"range":{"start_line":143,"start_character":0,"end_line":143,"end_character":2},"in_reply_to":"7faddb67_f93d238f","updated":"2019-07-11 23:44:28.000000000","message":"Done","commit_id":"166043d7c6842636811d9f3c03cc4d115f4e9d90"},{"author":{"_account_id":8482,"name":"Colleen Murphy","email":"colleen@gazlene.net","username":"krinkle"},"change_message_id":"5e8f4aa53920229145f146254f91d6290fe3f2dd","unresolved":false,"context_lines":[{"line_number":388,"context_line":"                    \"type\": \"SSL_CLIENT_S_DN_CN\""},{"line_number":389,"context_line":"                },"},{"line_number":390,"context_line":"                {"},{"line_number":391,"context_line":"                    \"type\": \"SSL_CLIENT_S_DN_O\""},{"line_number":392,"context_line":"                }"},{"line_number":393,"context_line":"            ]"},{"line_number":394,"context_line":"        }"}],"source_content_type":"text/x-rst","patch_set":3,"id":"7faddb67_f97c4384","line":391,"range":{"start_line":391,"start_character":29,"end_line":391,"end_character":46},"updated":"2019-07-11 22:40:31.000000000","message":"There\u0027s no {1} in this mapping example, so this wouldn\u0027t map to anything","commit_id":"166043d7c6842636811d9f3c03cc4d115f4e9d90"},{"author":{"_account_id":1916,"name":"Guang Yee","email":"gyee@suse.com","username":"guang-yee"},"change_message_id":"9fa27285b9747ae08c794b4524186d4be50f3c11","unresolved":false,"context_lines":[{"line_number":388,"context_line":"                    \"type\": \"SSL_CLIENT_S_DN_CN\""},{"line_number":389,"context_line":"                },"},{"line_number":390,"context_line":"                {"},{"line_number":391,"context_line":"                    \"type\": \"SSL_CLIENT_S_DN_O\""},{"line_number":392,"context_line":"                }"},{"line_number":393,"context_line":"            ]"},{"line_number":394,"context_line":"        
}"}],"source_content_type":"text/x-rst","patch_set":3,"id":"7faddb67_bcb479d2","line":391,"range":{"start_line":391,"start_character":29,"end_line":391,"end_character":46},"in_reply_to":"7faddb67_f97c4384","updated":"2019-07-11 23:44:28.000000000","message":"let me use the domain mapping example here instead","commit_id":"166043d7c6842636811d9f3c03cc4d115f4e9d90"},{"author":{"_account_id":8482,"name":"Colleen Murphy","email":"colleen@gazlene.net","username":"krinkle"},"change_message_id":"5e8f4aa53920229145f146254f91d6290fe3f2dd","unresolved":false,"context_lines":[{"line_number":481,"context_line":"    frontend http-frontend"},{"line_number":482,"context_line":"        mode http"},{"line_number":483,"context_line":"        option forwardfor"},{"line_number":484,"context_line":"        bind 10.1.1.1:5000 ssl crt /etc/keystone/ssl/keystone.pem ca-file /etc/keystone/ssl/ca.pem verify optional"},{"line_number":485,"context_line":""},{"line_number":486,"context_line":"        reqadd X-Forwarded-Proto:\\ https if { ssl_fc }"},{"line_number":487,"context_line":"        http-request set-header X-SSL                   %[ssl_fc]"}],"source_content_type":"text/x-rst","patch_set":3,"id":"7faddb67_39ee5bb4","line":484,"range":{"start_line":484,"start_character":13,"end_line":484,"end_character":21},"updated":"2019-07-11 22:40:31.000000000","message":"Should this match the IP on line 502?","commit_id":"166043d7c6842636811d9f3c03cc4d115f4e9d90"},{"author":{"_account_id":1916,"name":"Guang Yee","email":"gyee@suse.com","username":"guang-yee"},"change_message_id":"9fa27285b9747ae08c794b4524186d4be50f3c11","unresolved":false,"context_lines":[{"line_number":481,"context_line":"    frontend http-frontend"},{"line_number":482,"context_line":"        mode http"},{"line_number":483,"context_line":"        option forwardfor"},{"line_number":484,"context_line":"        bind 10.1.1.1:5000 ssl crt /etc/keystone/ssl/keystone.pem ca-file /etc/keystone/ssl/ca.pem verify 
optional"},{"line_number":485,"context_line":""},{"line_number":486,"context_line":"        reqadd X-Forwarded-Proto:\\ https if { ssl_fc }"},{"line_number":487,"context_line":"        http-request set-header X-SSL                   %[ssl_fc]"}],"source_content_type":"text/x-rst","patch_set":3,"id":"7faddb67_bce9d9b7","line":484,"range":{"start_line":484,"start_character":13,"end_line":484,"end_character":21},"in_reply_to":"7faddb67_39ee5bb4","updated":"2019-07-11 23:44:28.000000000","message":"No. I purposely use a different IP because HAProxy typically binds to a VIP while Keystone binds to a local NIC.","commit_id":"166043d7c6842636811d9f3c03cc4d115f4e9d90"},{"author":{"_account_id":8482,"name":"Colleen Murphy","email":"colleen@gazlene.net","username":"krinkle"},"change_message_id":"8dc281ac7d12aa630a15219aacefbf12dbc75298","unresolved":false,"context_lines":[{"line_number":375,"context_line":"                        \"name\": \"{0}\","},{"line_number":376,"context_line":"                        \"domain\": {"},{"line_number":377,"context_line":"                            \"name\": \"{1}\""},{"line_number":378,"context_line":"                        },"},{"line_number":379,"context_line":"                        \"type\": \"ephemeral\""},{"line_number":380,"context_line":"                    },"},{"line_number":381,"context_line":"                    \"group\": {"}],"source_content_type":"text/x-rst","patch_set":5,"id":"7faddb67_b560e3d0","line":378,"updated":"2019-07-15 19:44:13.000000000","message":"I don\u0027t think this would work, the ephemeral user would be mapped to the IdP-specific domain. 
You could use {1} in place of the hardcoded group domain though.","commit_id":"72b2a2ad69e8a1124ac15d23fac8d71c91536db7"},{"author":{"_account_id":1916,"name":"Guang Yee","email":"gyee@suse.com","username":"guang-yee"},"change_message_id":"936fc4af669c76232397c3bcea4889989411098c","unresolved":false,"context_lines":[{"line_number":375,"context_line":"                        \"name\": \"{0}\","},{"line_number":376,"context_line":"                        \"domain\": {"},{"line_number":377,"context_line":"                            \"name\": \"{1}\""},{"line_number":378,"context_line":"                        },"},{"line_number":379,"context_line":"                        \"type\": \"ephemeral\""},{"line_number":380,"context_line":"                    },"},{"line_number":381,"context_line":"                    \"group\": {"}],"source_content_type":"text/x-rst","patch_set":5,"id":"7faddb67_e64b0f28","line":378,"in_reply_to":"7faddb67_b560e3d0","updated":"2019-07-16 00:57:13.000000000","message":"yeah, no need to specify domain in the mapping. 
I just tested it again with the ephemeral mapping this time.","commit_id":"72b2a2ad69e8a1124ac15d23fac8d71c91536db7"},{"author":{"_account_id":27621,"name":"Vishakha Agarwal","email":"agarwalvishakha18@gmail.com","username":"Vishakha"},"change_message_id":"dac9f9b47c1808a42e827e887bf726fa3065fc37","unresolved":false,"context_lines":[{"line_number":94,"context_line":"                        c1:2d"},{"line_number":95,"context_line":"                    Exponent: 65537 (0x10001)"},{"line_number":96,"context_line":"            X509v3 extensions:"},{"line_number":97,"context_line":"                X509v3 Basic Constraints: "},{"line_number":98,"context_line":"                    CA:FALSE"},{"line_number":99,"context_line":"                Netscape Cert Type: "},{"line_number":100,"context_line":"                    SSL Client, S/MIME"}],"source_content_type":"text/x-rst","patch_set":6,"id":"7faddb67_73efcae8","line":97,"range":{"start_line":97,"start_character":41,"end_line":97,"end_character":42},"updated":"2019-07-17 10:02:38.000000000","message":"Could we get rid of these spaces?","commit_id":"ea7f84256a935fad829f0340a8271acde010ce7f"},{"author":{"_account_id":1916,"name":"Guang Yee","email":"gyee@suse.com","username":"guang-yee"},"change_message_id":"854f941d9064cacf006a3c0ab1d0d46efab4836d","unresolved":false,"context_lines":[{"line_number":94,"context_line":"                        c1:2d"},{"line_number":95,"context_line":"                    Exponent: 65537 (0x10001)"},{"line_number":96,"context_line":"            X509v3 extensions:"},{"line_number":97,"context_line":"                X509v3 Basic Constraints: "},{"line_number":98,"context_line":"                    CA:FALSE"},{"line_number":99,"context_line":"                Netscape Cert Type: "},{"line_number":100,"context_line":"                    SSL Client, 
S/MIME"}],"source_content_type":"text/x-rst","patch_set":6,"id":"7faddb67_f495dd87","line":97,"range":{"start_line":97,"start_character":41,"end_line":97,"end_character":42},"in_reply_to":"7faddb67_73efcae8","updated":"2019-07-17 15:18:12.000000000","message":"Done","commit_id":"ea7f84256a935fad829f0340a8271acde010ce7f"},{"author":{"_account_id":27621,"name":"Vishakha Agarwal","email":"agarwalvishakha18@gmail.com","username":"Vishakha"},"change_message_id":"dac9f9b47c1808a42e827e887bf726fa3065fc37","unresolved":false,"context_lines":[{"line_number":143,"context_line":"  See `public key certificate`_ for more information."},{"line_number":144,"context_line":""},{"line_number":145,"context_line":"* `Issuer`: the issuer of a X.509 certificate. It is also known as"},{"line_number":146,"context_line":"  `Certificate Authority (CA)` or Certification Authority. Issuer is"},{"line_number":147,"context_line":"  typically represented in `RFC 2253`_ format. Throughout this document,"},{"line_number":148,"context_line":"  ``issuer``, ``issuer DN``, ``CA``, and ``trusted issuer`` are used"},{"line_number":149,"context_line":"  interchangeably."}],"source_content_type":"text/x-rst","patch_set":6,"id":"7faddb67_33d6322a","line":146,"range":{"start_line":146,"start_character":2,"end_line":146,"end_character":29},"updated":"2019-07-17 10:02:38.000000000","message":"NIT: To make it a link, add an underscore after the word.","commit_id":"ea7f84256a935fad829f0340a8271acde010ce7f"},{"author":{"_account_id":1916,"name":"Guang Yee","email":"gyee@suse.com","username":"guang-yee"},"change_message_id":"854f941d9064cacf006a3c0ab1d0d46efab4836d","unresolved":false,"context_lines":[{"line_number":143,"context_line":"  See `public key certificate`_ for more information."},{"line_number":144,"context_line":""},{"line_number":145,"context_line":"* `Issuer`: the issuer of a X.509 certificate. 
It is also known as"},{"line_number":146,"context_line":"  `Certificate Authority (CA)` or Certification Authority. Issuer is"},{"line_number":147,"context_line":"  typically represented in `RFC 2253`_ format. Throughout this document,"},{"line_number":148,"context_line":"  ``issuer``, ``issuer DN``, ``CA``, and ``trusted issuer`` are used"},{"line_number":149,"context_line":"  interchangeably."}],"source_content_type":"text/x-rst","patch_set":6,"id":"7faddb67_5998ac1a","line":146,"range":{"start_line":146,"start_character":2,"end_line":146,"end_character":29},"in_reply_to":"7faddb67_33d6322a","updated":"2019-07-17 15:18:12.000000000","message":"good catch!","commit_id":"ea7f84256a935fad829f0340a8271acde010ce7f"},{"author":{"_account_id":27621,"name":"Vishakha Agarwal","email":"agarwalvishakha18@gmail.com","username":"Vishakha"},"change_message_id":"dac9f9b47c1808a42e827e887bf726fa3065fc37","unresolved":false,"context_lines":[{"line_number":178,"context_line":".. _`Apache SSL configuration`: https://httpd.apache.org/docs/trunk/mod/mod_ssl.html#ssloptions"},{"line_number":179,"context_line":".. _`HAProxy SSL configuration`: http://cbonte.github.io/haproxy-dconv/1.7/configuration.html#7.3.4"},{"line_number":180,"context_line":""},{"line_number":181,"context_line":"Configuring this feature requires `OpenSSL Command Line Tool (CLI)`_. Please refer"},{"line_number":182,"context_line":"to the respective OS installation guide on how to install it."},{"line_number":183,"context_line":""},{"line_number":184,"context_line":".. 
_`OpenSSL Command Line Tool (CLI)`: https://www.openssl.org/docs/manmaster/man1/openssl.html"}],"source_content_type":"text/x-rst","patch_set":6,"id":"7faddb67_3392b24d","line":181,"range":{"start_line":181,"start_character":34,"end_line":181,"end_character":68},"updated":"2019-07-17 10:02:38.000000000","message":"Link is broken?","commit_id":"ea7f84256a935fad829f0340a8271acde010ce7f"},{"author":{"_account_id":1916,"name":"Guang Yee","email":"gyee@suse.com","username":"guang-yee"},"change_message_id":"854f941d9064cacf006a3c0ab1d0d46efab4836d","unresolved":false,"context_lines":[{"line_number":178,"context_line":".. _`Apache SSL configuration`: https://httpd.apache.org/docs/trunk/mod/mod_ssl.html#ssloptions"},{"line_number":179,"context_line":".. _`HAProxy SSL configuration`: http://cbonte.github.io/haproxy-dconv/1.7/configuration.html#7.3.4"},{"line_number":180,"context_line":""},{"line_number":181,"context_line":"Configuring this feature requires `OpenSSL Command Line Tool (CLI)`_. Please refer"},{"line_number":182,"context_line":"to the respective OS installation guide on how to install it."},{"line_number":183,"context_line":""},{"line_number":184,"context_line":".. _`OpenSSL Command Line Tool (CLI)`: https://www.openssl.org/docs/manmaster/man1/openssl.html"}],"source_content_type":"text/x-rst","patch_set":6,"id":"7faddb67_1440b906","line":181,"range":{"start_line":181,"start_character":34,"end_line":181,"end_character":68},"in_reply_to":"7faddb67_3392b24d","updated":"2019-07-17 15:18:12.000000000","message":"seem fine here\nhttp://logs.openstack.org/90/669790/6/check/openstack-tox-docs/1555623/html/admin/configure_tokenless_x509.html","commit_id":"ea7f84256a935fad829f0340a8271acde010ce7f"},{"author":{"_account_id":27621,"name":"Vishakha Agarwal","email":"agarwalvishakha18@gmail.com","username":"Vishakha"},"change_message_id":"dac9f9b47c1808a42e827e887bf726fa3065fc37","unresolved":false,"context_lines":[{"line_number":431,"context_line":".. 
code-block:: bash"},{"line_number":432,"context_line":""},{"line_number":433,"context_line":"   $ openstack federation protocol create --identity-provider \u003cIDP ID\u003e"},{"line_number":434,"context_line":"     --mapping x509_tokenless x509"},{"line_number":435,"context_line":""},{"line_number":436,"context_line":""},{"line_number":437,"context_line":".. NOTE::"}],"source_content_type":"text/x-rst","patch_set":6,"id":"7faddb67_531acecb","line":434,"range":{"start_line":434,"start_character":15,"end_line":434,"end_character":34},"updated":"2019-07-17 10:02:38.000000000","message":"it should be x509_tokenless","commit_id":"ea7f84256a935fad829f0340a8271acde010ce7f"},{"author":{"_account_id":1916,"name":"Guang Yee","email":"gyee@suse.com","username":"guang-yee"},"change_message_id":"854f941d9064cacf006a3c0ab1d0d46efab4836d","unresolved":false,"context_lines":[{"line_number":431,"context_line":".. code-block:: bash"},{"line_number":432,"context_line":""},{"line_number":433,"context_line":"   $ openstack federation protocol create --identity-provider \u003cIDP ID\u003e"},{"line_number":434,"context_line":"     --mapping x509_tokenless x509"},{"line_number":435,"context_line":""},{"line_number":436,"context_line":""},{"line_number":437,"context_line":".. 
NOTE::"}],"source_content_type":"text/x-rst","patch_set":6,"id":"7faddb67_59c18ce4","line":434,"range":{"start_line":434,"start_character":15,"end_line":434,"end_character":34},"in_reply_to":"7faddb67_531acecb","updated":"2019-07-17 15:18:12.000000000","message":"the protocol name should be x509","commit_id":"ea7f84256a935fad829f0340a8271acde010ce7f"},{"author":{"_account_id":27621,"name":"Vishakha Agarwal","email":"agarwalvishakha18@gmail.com","username":"Vishakha"},"change_message_id":"dac9f9b47c1808a42e827e887bf726fa3065fc37","unresolved":false,"context_lines":[{"line_number":533,"context_line":"* ``auth_type`` - Must set to ``v3tokenlessauth``."},{"line_number":534,"context_line":"* ``certfile`` - Set to the full path of the certificate file."},{"line_number":535,"context_line":"* ``keyfile`` - Set to the full path of the private key file."},{"line_number":536,"context_line":"* ``cafile`` - Set to the full path of the trusted CA certificate file"},{"line_number":537,"context_line":"* ``project_name`` or ``project_id`` - set to the scoped project"},{"line_number":538,"context_line":"* ``project_domain_name`` or ``project_domain_id`` - if ``project_name`` is"},{"line_number":539,"context_line":"  specified."}],"source_content_type":"text/x-rst","patch_set":6,"id":"7faddb67_73758af9","line":536,"range":{"start_line":536,"start_character":66,"end_line":536,"end_character":70},"updated":"2019-07-17 10:02:38.000000000","message":"Full stop required.","commit_id":"ea7f84256a935fad829f0340a8271acde010ce7f"},{"author":{"_account_id":1916,"name":"Guang Yee","email":"gyee@suse.com","username":"guang-yee"},"change_message_id":"854f941d9064cacf006a3c0ab1d0d46efab4836d","unresolved":false,"context_lines":[{"line_number":533,"context_line":"* ``auth_type`` - Must set to ``v3tokenlessauth``."},{"line_number":534,"context_line":"* ``certfile`` - Set to the full path of the certificate file."},{"line_number":535,"context_line":"* ``keyfile`` - Set to the full path of the private 
key file."},{"line_number":536,"context_line":"* ``cafile`` - Set to the full path of the trusted CA certificate file"},{"line_number":537,"context_line":"* ``project_name`` or ``project_id`` - set to the scoped project"},{"line_number":538,"context_line":"* ``project_domain_name`` or ``project_domain_id`` - if ``project_name`` is"},{"line_number":539,"context_line":"  specified."}],"source_content_type":"text/x-rst","patch_set":6,"id":"7faddb67_99aaa416","line":536,"range":{"start_line":536,"start_character":66,"end_line":536,"end_character":70},"in_reply_to":"7faddb67_73758af9","updated":"2019-07-17 15:18:12.000000000","message":"Done","commit_id":"ea7f84256a935fad829f0340a8271acde010ce7f"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"6f10267952e59b14426f6fbac588fc84f4de4db6","unresolved":false,"context_lines":[{"line_number":187,"context_line":"Keystone Configuration"},{"line_number":188,"context_line":"----------------------"},{"line_number":189,"context_line":""},{"line_number":190,"context_line":"This feature utilizes Keystone federation capability to determine the"},{"line_number":191,"context_line":"authorization associated with the incoming X.509 SSL client certificate by"},{"line_number":192,"context_line":"mapping the certificate attributes to a Keystone identity. 
Therefore, the"},{"line_number":193,"context_line":"direct issuer or trusted Certification Authority (CA) of the client certificate"}],"source_content_type":"text/x-rst","patch_set":7,"id":"7faddb67_e8e2cbd4","line":190,"range":{"start_line":190,"start_character":30,"end_line":190,"end_character":52},"updated":"2019-07-18 15:36:35.000000000","message":"nit: we could link to generic federation documentation we have\n\nhttps://docs.openstack.org/keystone/latest/admin/federation/federated_identity.html","commit_id":"4fb4d8b8a4055dfacf13a409e590485461d766b2"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"6f10267952e59b14426f6fbac588fc84f4de4db6","unresolved":false,"context_lines":[{"line_number":444,"context_line":"SSL Terminator Configuration"},{"line_number":445,"context_line":"----------------------------"},{"line_number":446,"context_line":""},{"line_number":447,"context_line":"Apache Configuration"},{"line_number":448,"context_line":"--------------------"},{"line_number":449,"context_line":""},{"line_number":450,"context_line":"If SSL terminates at Apache mod_ssl, Apache must be configured to handle"}],"source_content_type":"text/x-rst","patch_set":7,"id":"7faddb67_48d3df04","line":447,"updated":"2019-07-18 15:36:35.000000000","message":"++\n\nThanks for elaborating on this.","commit_id":"4fb4d8b8a4055dfacf13a409e590485461d766b2"}]}
