Comment 2 for bug 1750676
Revision history for this message
| OpenStack Infra (hudson-openstack) wrote Fix merged to keystone (master) | #2 |
© 2004
Canonical Ltd.
•
Terms of use
•
Data privacy
•
Contact Launchpad Support
•
Blog
•
Careers
•
System status
•
0e1f616
(Get the code!)
Reviewed: https:/
Committed: https:/
Submitter: Zuul
Branch: master
commit 092570fc5ef4349
Author: Lance Bragstad <email address hidden>
Date: Thu Jun 13 20:12:56 2019 +0000
Implement system scope and default roles for token API
This commit adds protection testing for the token API along with
changes to default policies to properly consume system-scope and
default roles.
Originally, this work was going to include the ability for project and
domain administrator to validate, check, or revoke tokens within the
context of their authorization (e.g., a domain administrator could
revoke tokens on projects within their domain). This seems like extra
work for not much benefit since we're using bearer tokens. The holder
of the token can do anything with that token, which means they can
validate it or revoke it without using their own token. Adding
project and domain administrator support seems unnecessary given the
existing functionality. If someone comes forward asking for this
functionality, we can re-evaluate the effort. For now, this patch is
limited to system user support, allowing them to validate, check, and
revoke any token in the system. Service users can still validate
tokens on behalf of users. Users can do anything they wish with their
own tokens.
This commit also bumps the minimum version of oslo.log so that we can
use the official TRAIN deprecated release marker.
Change-Id: Ia8b35258b43213
Closes-Bug: 1818844
Closes-Bug: 1750676