The identity:revocation_list policy should be deprecated for removal

Bug #1818845 reported by Lance Bragstad on 2019-03-06
This bug affects 1 person
Affects: OpenStack Identity (keystone)
Importance: Wishlist
Assigned to: Lance Bragstad

Bug Description

This API doesn't actually return anything useful. It either gives you a 410 or 403 depending on how keystone is configured. It also doesn't enforce anything.

We don't need a policy for this anymore and we're safe to deprecate identity:revocation_list for removal.

https://opendev.org/openstack/keystone/src/branch/master/keystone/common/policies/token_revocation.py#L17-L29

tags: added: default-roles policy
Changed in keystone:
status: New → Triaged
importance: Undecided → Wishlist
summary: - The revocation list API doesn't use default roles
+ The revocation list API doesn't use default roles or proper scope types
description: updated
summary: - The revocation list API doesn't use default roles or proper scope types
+ The identity:revocation_list policy should be deprecated for removal
description: updated
tags: added: low-hanging-fruit
removed: default-roles

Fix proposed to branch: master
Review: https://review.opendev.org/672334

Changed in keystone:
assignee: nobody → Lance Bragstad (lbragstad)
status: Triaged → In Progress

Reviewed: https://review.opendev.org/672334
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=0bf2d68520f57a44510f19aed50a26d217fe52dc
Submitter: Zuul
Branch: master

commit 0bf2d68520f57a44510f19aed50a26d217fe52dc
Author: Lance Bragstad <email address hidden>
Date: Tue Jul 23 17:21:19 2019 +0000

    Deprecate identity:revocation_list policy for removal

    This policy doesn't actually protect anything. We can safely deprecate
    it for removal and simplify policy files.

    Change-Id: Iff604f6d77b9b0b91e63d4f4b1572dbb18f43947
    Closes-Bug: 1818845

Changed in keystone:
status: In Progress → Fix Released

This issue was fixed in the openstack/keystone 16.0.0.0rc1 release candidate.
