We talked about this during the keystone virtual midcycle and wanted to note that the domain config API also has an API/policy that allows users to pull password security requirements for a domain.
This API and policy should be updated to also support domain-scoped tokens. Otherwise, the entire domain config API is system-specific and should remain that way in the future for security reasons (a domain admin shouldn't be able to set deployment configuration).
We talked about this during the keystone virtual midcycle and wanted to note that the domain config API also has an API/policy that allows users to pull password security requirements for a domain.
This API and policy should be updated to also support domain-scoped tokens. Otherwise, the entire domain config API is system-specific and should remain that way in the future for security reasons (a domain admin shouldn't be able to set deployment configuration).
https:/ /opendev. org/openstack/ keystone/ src/branch/ master/ keystone/ common/ policies/ domain_ config. py#L74- L101