author | Zuul <zuul@review.opendev.org> | 2021-10-30 09:25:07 +0000 |
---|---|---|
committer | Gerrit Code Review <review@openstack.org> | 2021-10-30 09:25:07 +0000 |
commit | 46519e2089b9bc0ec88a6c4b19517126a0a36980 (patch) | |
tree | 0f34b7a31f04eeb5a9ed9131a148ecb0d47492ab /doc | |
parent | db5744a1bbdbaa494d4bad8d05f8c72e99821865 (diff) | |
parent | 0cfd75d7ef0048e497ea44b694841c616e70cd6a (diff) | |
download | zuul-46519e2089b9bc0ec88a6c4b19517126a0a36980.tar.gz |
Merge "Zuul-web: Add authentication-realm attribute to tenants"
Diffstat (limited to 'doc')
-rw-r--r-- | doc/source/reference/tenants.rst | 16 |
1 files changed, 16 insertions, 0 deletions
diff --git a/doc/source/reference/tenants.rst b/doc/source/reference/tenants.rst index 8e8d5f070..a5c828dda 100644 --- a/doc/source/reference/tenants.rst +++ b/doc/source/reference/tenants.rst @@ -340,6 +340,22 @@ configuration. Some examples of tenant definitions are: :ref:`tenant-scoped-rest-api`. + .. attr:: authentication-realm + + Each authenticator defined in Zuul's configuration is associated to a realm. + When authenticating through Zuul's Web User Interface under this tenant, the + Web UI will redirect the user to this realm's authentication service. The + authenticator must be of the type ``OpenIDConnect``. + + .. note:: + + Defining a default realm for a tenant will not invalidate access tokens + issued from other configured realms, especially if they match the tenant's + admin rules. This is intended, so that an operator can for example issue + an overriding access token manually. If this is an issue, it is advised + to add finer filtering to admin rules, for example filtering by the ``iss`` + claim (generally equal to the issuer ID). + .. _admin_rule_definition: Access Rule |
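Review bot: In the added ``.. note::`` under ``authentication-realm``, the advice to filter admin rules by the ``iss`` claim is the part operators will act on, but it stops at "generally equal to the issuer ID" and shows neither a rule nor a link to the ``admin_rule_definition`` section whose label appears right after the hunk, so a reader cannot tell what condition to write. Suggest adding a cross-reference to that section and stating which configured value ``iss`` should be compared against. The attribute description also does not say what the Web UI does when ``authentication-realm`` is left unset, or how the tenant configuration is treated when the named realm's authenticator is not of the type ``OpenIDConnect``; each deserves one sentence. Minor wording: "associated to a realm" reads better as "associated with a realm".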