V3 Identity API: Unscoped V2 tokens should be treated as domain-scoped tokens
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
OpenStack Identity (keystone) |
Opinion
|
Wishlist
|
Unassigned |
Bug Description
In the V2 API, there were I believe two types of token - an unscoped token and a token scoped to a project.
V3 adds a token scoped to a domain, and essentially makes it incredibly unlikely that an unscoped token will ever be returned (a user must not have a default project or must not have access to their default project).
When using the V2 API for authentication, I think that we should return a domain token when no project is specified, instead of an unscoped token (a V2 caller wouldn't be able to tell the difference). That seems to maximize compatibility. Otherwise if the server is V3 enabled and requires a domain token, there is no way for a V2 client to get a domain token. Conversely, when a V2 server requires a domain token, it presumably wants a token that is not bound to a particular project; that is exactly what an unscoped token is in V2.
This implies that a v2 API user must have v3 domain-level authorization.
> if the server is V3 enabled and requires a domain token, there is no way for a V2 client to get a domain token
correct
> when a V2 server requires a domain token
a v2-aware service would have no knowledge of domains, anyway
> when a V2 server requires a domain token, it presumably wants a token that is not bound to a particular project; that is exactly what an unscoped token is in V2
a domain-scoped token is a completely discrete concept from a project-scoped token, so this expectation would be invalid. further, unscoped tokens in v2 are analogous to unscoped token in v3, not to any other scoping concept in v3