Token API doesn't use default roles
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack Identity (keystone) | Fix Released | Medium | Lance Bragstad | none
Bug Description
In Rocky, keystone implemented support to ensure at least three default roles were available [0]. The token API doesn't incorporate these defaults into its default policies [1], but it should.
For example, a system reader should be able to validate tokens for other users, but only system administrators should be able to revoke them (since it's technically a writeable API).
Building these roles into the token API will make it easier for system users who aren't administrators to diagnose token issues for users.
[0] http://
[1] http://
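The reader/admin split the report asks for, as an added example that is not keystone's or oslo.policy's own code: a tiny evaluator for oslo.policy-style check strings, run over assumed token API defaults, shows a system reader validating another user's token but failing to revoke it. The check strings, rule names and sample credentials are assumptions modelled on the description above, not the merged change.

```python
import re

# Token API defaults assumed for illustration (modelled on this bug's description,
# not copied from the merged keystone change): system readers may check/validate any
# token, only system admins may revoke one, and users may always act on their own
# token. Keystone's implied roles give an admin the member and reader roles as well.
RULES = {
    "token_subject": "user_id:%(target.token.user_id)s",
    "identity:check_token": "(role:reader and system_scope:all) or rule:token_subject",
    "identity:validate_token": "(role:reader and system_scope:all) or rule:token_subject",
    "identity:revoke_token": "(role:admin and system_scope:all) or rule:token_subject",
}

def evaluate(check_str, creds, target):
    """Tiny evaluator for oslo.policy-style check strings (not oslo.policy itself)."""
    # Expand %(target.x)s references, then split into ( ) and/or and kind:value atoms.
    toks = re.findall(r"\(|\)|\w+(?::[\w.-]+)?", check_str % target)
    pos = 0
    def atom():
        nonlocal pos
        tok, pos = toks[pos], pos + 1
        if tok == "(":
            val = expr_or()
            pos += 1  # consume the matching ')'
            return val
        kind, _, value = tok.partition(":")
        if kind == "rule":  # named rule: recurse into its own check string
            return evaluate(RULES[value], creds, target)
        if kind == "role":
            return value in creds.get("roles", ())
        return creds.get(kind) == value  # system_scope:all, user_id:<id>
    def chain(word, operand, combine):
        nonlocal pos
        val = operand()
        while pos < len(toks) and toks[pos] == word:
            pos += 1
            rhs = operand()  # always consume the operand, even if val already decides
            val = combine(val, rhs)
        return val
    expr_and = lambda: chain("and", atom, lambda a, b: a and b)
    expr_or = lambda: chain("or", expr_and, lambda a, b: a or b)
    return expr_or()

def enforce(action, creds, target):
    """True if a caller holding creds may perform action on the target token."""
    return evaluate(RULES[action], creds, target)

# Constructed sample credentials; keystone derives these from the caller's token.
SYSTEM_READER = {"roles": ["reader"], "system_scope": "all"}
SYSTEM_ADMIN = {"roles": ["admin", "member", "reader"], "system_scope": "all"}
PROJECT_MEMBER = {"roles": ["member", "reader"], "user_id": "alice", "project_id": "p1"}
BOBS_TOKEN = {"target.token.user_id": "bob"}
```

A project-scoped member holds the reader role too, but without `system_scope:all` it can only act on its own token, which is exactly the distinction the default roles are meant to give the token API.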
Changed in keystone:
status: New → Triaged
importance: Undecided → Medium
tags: added: policy
tags: added: default-roles
Changed in keystone:
milestone: none → stein-rc1
Changed in keystone:
milestone: stein-rc1 → none
Fix proposed to branch: master
Review: https://review.opendev.org/665231