Date | Who | What changed | Old value | New value | Message

2019-03-06 14:55:15 | Lance Bragstad | bug | | | added bug
2019-03-06 14:55:24 | Lance Bragstad | tags | | default-roles policy |
2019-03-06 14:55:27 | Lance Bragstad | keystone: status | New | Triaged |
2019-03-06 14:55:29 | Lance Bragstad | keystone: importance | Undecided | Wishlist |
2019-03-06 14:56:09 | Lance Bragstad | summary | The revocation list API doesn't use default roles | The revocation list API doesn't use default roles or proper scope types |

2019-03-06 14:57:34 | Lance Bragstad | description
  Old value:
    In Rocky, keystone implemented support to ensure at least three default roles were available [0]. The revocation list API doesn't incorporate these defaults into its default policies [1], but it should.
    Even though this API isn't really useful without PKI/Z tokens, we should apply the same default role conventions to it that we use for all other policies in keystone.
    [0] http://specs.openstack.org/openstack/keystone-specs/specs/keystone/rocky/define-default-roles.html
    [1] http://git.openstack.org/cgit/openstack/keystone/tree/keystone/common/policies/token_revocation.py?id=6e3f1f6e46787ed4542609c935c13cb85e91d7fc
  New value:
    In Rocky, keystone implemented support to ensure at least three default roles were available [0]. The revocation list API doesn't incorporate these defaults into its default policies [1], but it should.
    Even though this API isn't really useful without PKI/Z tokens, we should apply the same default role conventions to it that we use for all other policies in keystone.
    The revocation list policy also allows for project-scoped and system-scoped tokens. This should probably be a system-only API since it's dealing with sensitive token revocation information (unless there is a good reason for project or domain users to fetch this list).
    [0] http://specs.openstack.org/openstack/keystone-specs/specs/keystone/rocky/define-default-roles.html
    [1] http://git.openstack.org/cgit/openstack/keystone/tree/keystone/common/policies/token_revocation.py?id=6e3f1f6e46787ed4542609c935c13cb85e91d7fc

2019-07-23 16:03:19 | Lance Bragstad | summary | The revocation list API doesn't use default roles or proper scope types | The identity:revocation_list policy should be deprecated for removal |

2019-07-23 16:04:21 | Lance Bragstad | description
  Old value:
    In Rocky, keystone implemented support to ensure at least three default roles were available [0]. The revocation list API doesn't incorporate these defaults into its default policies [1], but it should.
    Even though this API isn't really useful without PKI/Z tokens, we should apply the same default role conventions to it that we use for all other policies in keystone.
    The revocation list policy also allows for project-scoped and system-scoped tokens. This should probably be a system-only API since it's dealing with sensitive token revocation information (unless there is a good reason for project or domain users to fetch this list).
    [0] http://specs.openstack.org/openstack/keystone-specs/specs/keystone/rocky/define-default-roles.html
    [1] http://git.openstack.org/cgit/openstack/keystone/tree/keystone/common/policies/token_revocation.py?id=6e3f1f6e46787ed4542609c935c13cb85e91d7fc
  New value:
    This API doesn't actually return anything useful. It either gives you a 410 or 403 depending on how keystone is configured. It also doesn't enforce anything.
    We don't need a policy for this anymore and we're safe to deprecate identity:revocation_list for removal.
    https://opendev.org/openstack/keystone/src/branch/master/keystone/common/policies/token_revocation.py#L17-L29

2019-07-23 16:04:32 | Lance Bragstad | tags | default-roles policy | low-hanging-fruit policy |
2019-07-23 17:22:30 | OpenStack Infra | keystone: status | Triaged | In Progress |
2019-07-23 17:22:30 | OpenStack Infra | keystone: assignee | | Lance Bragstad (lbragstad) |
2019-07-24 19:09:59 | OpenStack Infra | keystone: status | In Progress | Fix Released |