allow auth_token to not require admin user

Bug #1153789 reported by Joe Gordon on 2013-03-11
Affects: OpenStack Identity (keystone)
Importance: Wishlist
Assigned to: Joe Gordon

Bug Description

Currently an admin user is required to validate tokens (in auth_token middleware). This means admin credentials are stored in config files for every OpenStack service. Instead of using an admin user, auth_token can use RBAC and allow token validation (and related commands) for users that are in a specific tenant / contain a specific role.

Changed in keystone:
assignee: nobody → Joe Gordon (jogo)
status: New → In Progress
Dolph Mathews (dolph) on 2013-05-29
no longer affects: python-keystoneclient
Changed in keystone:
importance: Undecided → Wishlist

Reviewed: https://review.openstack.org/23970
Committed: http://github.com/openstack/keystone/commit/3c3f5dc8973a28fcded50bdb65b7cd77cd772cc6
Submitter: Jenkins
Branch: master

commit 3c3f5dc8973a28fcded50bdb65b7cd77cd772cc6
Author: Joe Gordon <email address hidden>
Date: Fri Mar 8 15:34:25 2013 -0800

    Move auth_token middleware from admin user to an RBAC policy

    Before this patch auth_token middleware required admin user credentials
    stored in assorted config files. With this patch only non-admin user
    credentials are needed. The revocation_list and validate_token commands
    use a policy.json rule to only allow these commands if you have the
    service role.

    Rule used:
        "service_role": [["role:service"]],
        "service_or_admin": [["rule:admin_required"], ["rule:service_role"]],

    Added the policy wrapper on the validate functions.

    Fixes bug 1153789

    Change-Id: I43986e26b16aa5213ad2536a0d07d942bf3dbbbb
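The list-of-lists rule syntax quoted in the commit message, worked through as an added example (this is not keystone's policy engine). The `admin_required` definition and the `identity:validate_token` / `identity:revocation_list` target names are assumptions based on keystone's default policy.json of that era; the credentials are constructed.

```python
"""Minimal evaluator for keystone's list-of-lists policy.json format:
outer list = OR of alternatives, inner list = AND of checks,
"rule:x" refers to another named rule, "role:x" matches a caller role."""
import json

# Constructed policy fragment: the two rules from the commit message plus
# an assumed admin_required rule and assumed identity:* target names.
POLICY_JSON = """
{
    "admin_required": [["role:admin"], ["is_admin:1"]],
    "service_role": [["role:service"]],
    "service_or_admin": [["rule:admin_required"], ["rule:service_role"]],
    "identity:validate_token": [["rule:service_or_admin"]],
    "identity:revocation_list": [["rule:service_or_admin"]]
}
"""
RULES = json.loads(POLICY_JSON)


def _check(check, creds):
    """Evaluate one "kind:match" check against the caller's credentials."""
    kind, _, match = check.partition(":")
    if kind == "rule":
        return enforce(match, creds)
    if kind == "role":
        return match in creds.get("roles", [])
    # Generic attribute check such as "is_admin:1".
    return str(creds.get(kind, "")) == match


def enforce(rule_name, creds):
    """True if creds satisfy rule_name; an unknown rule denies (fail closed)."""
    alternatives = RULES.get(rule_name)
    if alternatives is None:
        return False
    return any(all(_check(c, creds) for c in conj) for conj in alternatives)


# Constructed callers: a service account, an admin, and a plain tenant user.
SERVICE = {"roles": ["service"], "is_admin": 0}
ADMIN = {"roles": ["admin"], "is_admin": 0}
MEMBER = {"roles": ["member"], "is_admin": 0}

if __name__ == "__main__":
    for name, creds in (("service", SERVICE), ("admin", ADMIN), ("member", MEMBER)):
        print(name, "may validate tokens:", enforce("identity:validate_token", creds))
```

The service account passes without holding the admin role, which is the point of the change: the per-service config only needs a credential with `role:service`.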

Changed in keystone:
status: In Progress → Fix Committed
Thierry Carrez (ttx) on 2013-07-17
Changed in keystone:
milestone: none → havana-2
status: Fix Committed → Fix Released
Thierry Carrez (ttx) on 2013-10-17
Changed in keystone:
milestone: havana-2 → 2013.2