From 51dc6a0cef657cf9fa110da11d81d1c3f13194fa Mon Sep 17 00:00:00 2001 From: Dean Troyer Date: Fri, 16 Nov 2012 17:43:05 -0600 Subject: Use requests module for HTTP/HTTPS * Implement correct certificate verification * Add requests to tools/pip-requires * Fix OS_CACERT env var help text * Add info to README * Rework tests to use requests Pinned requests module to < 1.0 as 1.0.2 is now current in pipi as of 17Dec2012. Change-Id: I120d2c12d6f20ebe2fd7182ec8988cc73f623b80 --- README.rst | 26 +++++++++++++++++++------- 1 file changed, 19 insertions(+), 7 deletions(-) (limited to 'README.rst') diff --git a/README.rst b/README.rst index deed59c..e6d2928 100644 --- a/README.rst +++ b/README.rst @@ -75,6 +75,17 @@ OS_REGION_NAME``):: If a region is not specified and multiple regions are returned by the Identity service, the client may not access the same region consistently. +If you need to connect to a server that is TLS-enabled (the auth URL begins +with 'https') and it uses a certificate from a private CA or a self-signed +certificate you will need to specify the path to an appropriate CA certificate +to use to validate the server certificate with ``--os-cacert`` or an +environment variable:: + + export OS_CACERT=/etc/ssl/my-root-cert.pem + +Certificate verification can be turned off using ``--insecure``. This should +be used with caution. + You'll find complete documentation on the shell by running ``keystone help``:: usage: keystone [--os-username ] @@ -85,8 +96,8 @@ You'll find complete documentation on the shell by running ``keystone help``:: [--os-identity-api-version ] [--os-token ] [--os-endpoint ] - [--os-cacert ] [--os-cert ] - [--os-key ] [--insecure] + [--os-cacert ] [--insecure] + [--os-cert ] [--os-key ] [--no-cache] ... Command-line interface to the OpenStack Identity API. 
@@ -167,13 +178,14 @@ You'll find complete documentation on the shell by running ``keystone help``:: from the service catalog (via authentication). Defaults to env[OS_SERVICE_ENDPOINT] --os-cacert - Defaults to env[OS_CACERT] + Specify a CA bundle file to use in verifying a TLS + (https) server certificate. Defaults to env[OS_CACERT] + --insecure Explicitly allow keystoneclient to perform "insecure" + TLS (https) requests. The server's certificate will + not be verified against any certificate authorities. + This option should be used with caution. --os-cert Defaults to env[OS_CERT] --os-key Defaults to env[OS_KEY] - --insecure Explicitly allow keystoneclient to perform "insecure" - SSL (https) requests. The server's certificate will - not be verified against any certificate authorities. - This option should be used with caution. See "keystone help COMMAND" for help on a specific command. -- cgit v1.2.1
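Review bot: in the README.rst hunk at @@ -75,6 +75,17 @@, the closing sentences "Certificate verification can be turned off using --insecure. This should be used with caution." never say what the caution is about. Suggest carrying over the consequence the help text already states ("The server's certificate will not be verified against any certificate authorities"), and spelling out that the client then cannot tell the real auth URL endpoint from an impostor. Point readers with a private CA or a self-signed certificate back to --os-cacert / OS_CACERT as the alternative. The paragraph also leaves two behaviours undocumented: which CA certificates are used when neither option is given, and which option wins when both --os-cacert and --insecure are set. One sentence on each would close the gap.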
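Review bot: in the help-output hunk at @@ -167,13 +178,14 @@, --os-cert and --os-key are still documented only as "Defaults to env[OS_CERT]" and "Defaults to env[OS_KEY]", while --os-cacert, two entries above, now has a full description. The names --os-cacert and --os-cert are easy to confuse, and picking the wrong one leaves server verification unconfigured, so each of the two remaining options should get a one-line description of the file it expects. The new --os-cacert text could also say what is used for verification when neither the option nor OS_CACERT is set.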