diff options
| author | Jon Robertson <jonrober@stanford.edu> | 2015-02-17 12:27:04 -0800 | 
|---|---|---|
| committer | Jon Robertson <jonrober@stanford.edu> | 2015-06-08 15:24:34 -0700 | 
| commit | ac97f9268b927cec5af229f496b9dd66332445e4 (patch) | |
| tree | 7bf185d831f7ae86944c43b330262470cbf8e1a0 | |
| parent | f14bd8343010ad96104965029e36c5a65d231571 (diff) | |
Updated documentation for duo and password objects
The documentation now includes information about the Duo file types, and
the new password types.  This is both the general information, and the
Stanford-specific naming docs.
Change-Id: Iae256224a063ce42f22cd933ef7bb3ab402e0e2d
| -rw-r--r-- | docs/objects-and-schemes | 24 | ||||
| -rw-r--r-- | docs/stanford-naming | 97 | 
2 files changed, 81 insertions, 40 deletions
| diff --git a/docs/objects-and-schemes b/docs/objects-and-schemes index 97e6289..763a24b 100644 --- a/docs/objects-and-schemes +++ b/docs/objects-and-schemes @@ -10,17 +10,21 @@ Introduction  Object Types -  duo +  duo-ldap +  duo-pam +  duo-radius +  duo-rdp      Stores the configuration for a Duo Security integration.  Duo is a      cloud provider of multifactor authentication services.  A Duo      integration consists of some local configuration and a secret key that      permits verification of a second factor using the Duo cloud service. -    Currently, only UNIX integrations are supported.  In the future, this -    object type will likely be split into several object types -    corresponding to the supported types of Duo integrations. +    Each of these types is the same except for the output, which is +    specialized towards giving information in the format suited for a +    specific application. -    Implemented via Wallet::Object::Duo. +    Implemented via Wallet::Object::Duo::PAM, Wallet::Object::Duo::RDP, +    Wallet::Object::Duo::LDAPProxy, Wallet::Object::Duo::RadiusProxy.    file @@ -33,6 +37,16 @@ Object Types      Implemented via Wallet::Object::File. +  password + +    Stores a file with single password in it and allows retrieval of that +    file.  This is built on the file object and is almost entirely +    identical in function.  It adds the ability to automatically generate +    randomized content if you get the object before it's been stored, +    letting you get autogenerated passwords. + +    Implemented via Wallet::Object::Password. +    keytab      Stores a keytab representing private keys for a given Kerberos diff --git a/docs/stanford-naming b/docs/stanford-naming index c86c820..cb05a23 100644 --- a/docs/stanford-naming +++ b/docs/stanford-naming @@ -90,27 +90,6 @@ Object Naming          (OLD: <group>-<server>-htpasswd-<app>) -    password-ipmi/<server> - -        Stores the password for remote IPMI/iLO/ILOM access to the -        system. - -        (OLD: <group>-<server>-password-ipmi) - -    password-root/<server> - -        Stores the root password for a given server. - -        (OLD: <group>-<server>-password-root) - -    password-tivoli/<server> - -        Stores the Tivoli TSM backup password for a given server.  See -        also tivoli-key/<server>, but depending on what one wants to do -        with the password, this may be a better representation. - -        (OLD: <group>-<server>-password-tivoli) -      ssh-<type>/<server>          Stores the SSH private key for <server>.  For shared private keys @@ -197,20 +176,6 @@ Object Naming          (OLD: <group>-<service>-gpg-key) -    password/<group>/<service>/<name> - -        A password for some account, service, keystore, or something -        similar that is not covered by one of the more specific naming -        conventions, such as a password used to connect to a remote ssh -        service.  <service> is the service that uses this password and -        <name> is the thing the password is used for (such as the remote -        account name).  This may be a file containing only the password, -        or a configuration file of some type that includes a field name -        and the password.  (However, use the db type described above for -        database passwords.) - -        (OLD: <group>-<server>-password-<account>) -      properties/<group>/<service>[/<name>]          The properties file for a Java application that contains some @@ -262,6 +227,68 @@ Object Naming      <group>-<server>-pam-<app>      <group>-<service>-puppetconf      <group>-<service>-shibboleth +    <group>-<server>-password-ipmi +    <group>-<server>-password-root +    <group>-<server>-password-tivoli +    <group>-<server>-password-<account> + +    Replaced by password objects: + +    password-ipmi/<server> +    password-root/<server> +    password-tivoli/<server> + +    password/<group>/<service>/<name> should be replaced by the password +    service/<group>/<service>/<name> object if a single password, or by +    the file object db/* or config/* format if the object contains more +    than just the bare password. + +  Password + +    Passwords are a recent type and so most password data is actually +    in file objects.  However, we'd like to move things there both for +    the added features of password objects to self-set, and because it +    helps clean up the file namespace a little more. + +    Host-based: + +    ipmi/<server> + +        Stores the password for remote IPMI/iLO/ILOM access to the +        system. + +    tivoli/<server> + +        Stores the Tivoli TSM backup password for a given server.  See +        also tivoli-key/<server> in the file section, but depending on +        what one wants to do with the password, this may be a better +        representation. + +    root/<server> + +        Stores the root password for a given server. + +    system/<server>/<account> + +        Stores the password for a non-root system account, such as a user +        required for file uploads. + +    app/<server>/<application> + +        Stores an application password bound to a certain server. + +    Service-based: + +    service/<group>/<service>/<name> + +        A password for some account, service, keystore, or something +        similar that is not covered by one of the more specific naming +        conventions, such as a password used to connect to a remote ssh +        service.  <service> is the service that uses this password and +        <name> is the thing the password is used for (such as the remote +        account name).  This should only be for something including the +        password and nothing else.  See the file password/ object name +        for something that includes more data.  ACL Naming | 
