Comment 13 for bug 890411

Revision history for this message
Guang Yee (guang-yee) wrote :

Proposed Solution:

We'll be changing the validate token APIs to look for the mandatory request
parameter "serviceId" for scoped token validation. Specifically,

GET/HEAD /tokens/{tokenId}?[belongsTo=<tenantID>&][serviceId=<comma-separated service IDs>]

"serviceId" is a comma-separated list of service IDs.

The Keystone service will filter the roles with the given service IDs. If the serviceId
was not provided, or was invalid, or no roles were found for that serviceId, then a
401 would be returned.

Global roles (roles without any tenant association) will only be returned if
the global service ID is included in "serviceId". For example,

serviceId=<service ID>,<global service ID>

Keep in mind that the global service ID is just a special string denoting the need to return
the global roles. It is configurable in keystone.conf. For example,

global_service_id = global

The global service ID in middleware must match the one specified in keystone.conf in order for
the global roles to return. Any mismatch will result in 401 since the global service ID does
not match any valid service in the backend.

MAKE NO MISTAKE, THIS CHANGE WILL NOT BE BACKWARD COMPATIBLE.

As mentioned above, if the serviceId was not provided, or was invalid, or no roles were found
for that serviceId, then a 401 would be returned.

Furthermore, we will be modifying the middleware and keystone-manage CLI to facilitate
service IDs.

Affected Middleware Components: auth_token.py, swift_auth.py, and quantum_auth_token.py.

auth_token.py and quantum_auth_token.py:

Users are required to specify the "service_ids" property in the auth_token section of the conf file.
"service_ids" is a comma-separated list of service IDs.

For example, if this is a Nova service instance and its service ID is 888, the user will need to set it
in api-paste.ini.

[filter:authtoken]
...
service_ids = 888
...

To specify multiple service IDs:

[filter:authtoken]
...
service_ids = 888,999
...

By default, global roles (roles without tenant association) will not be returned on the validate token call.
To ask Keystone to return the global roles, the user must specify the global service ID. For example,

[filter:authtoken]
...
service_ids = 888,999,global
...

As mentioned above, the global service ID is also configurable in keystone.conf. The global service ID
in middleware must match the one specified in keystone.conf in order for the global roles to return.

swift_auth.py:

Same as auth_token.py except it is using the "keystone_service_ids" property instead of "service_ids".

Affected CLI: keystone-manage

"keystone-manage role add" will not accept an optional service name parameter. For example,

keystone-manage role add nova_role nova_service

However, service name can be part of the role name. For example,

keystone-manage role add nova_service:nova_role

Though redundant, a user may also specify the service name and prefix the role name with the service name.
For example,

keystone-manage role add nova_service:nova_role nova_service

However, if both the service name and the service_name prefix are specified, they must match. Otherwise, ValueError
will be raised.
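The following is an added model of the validate-token role filtering proposed in this comment; it is not Keystone's code or the commenter's. The service IDs (888, 999), the token's roles and the tenant IDs are constructed sample data, and the "global" value mirrors the global_service_id example above.

```python
# Model of the proposed GET/HEAD /tokens/{tokenId}?serviceId=... filtering.
# Added example, not Keystone's implementation; all data below is constructed.

GLOBAL_SERVICE_ID = "global"       # what global_service_id in keystone.conf is set to

# Constructed sample: service IDs that exist in the backend
KNOWN_SERVICES = {"888", "999"}

# Constructed sample roles carried by a token. A role with tenantId None is a
# global role (no tenant association) and is not tied to any service.
TOKEN_ROLES = [
    {"name": "nova_service:nova_role", "tenantId": "tenant-1", "serviceId": "888"},
    {"name": "glance_role", "tenantId": "tenant-1", "serviceId": "999"},
    {"name": "admin", "tenantId": None, "serviceId": None},
]


class Unauthorized(Exception):
    """Raised wherever the proposal says a 401 is returned."""


def validate_token(roles, service_id_param, global_service_id=GLOBAL_SERVICE_ID,
                   known_services=KNOWN_SERVICES):
    """Filter a token's roles by the comma-separated serviceId parameter."""
    if not service_id_param:
        raise Unauthorized("serviceId is mandatory for scoped token validation")
    requested = {s.strip() for s in service_id_param.split(",") if s.strip()}
    want_global = global_service_id in requested
    specific = requested - {global_service_id}
    # A middleware global ID that does not match keystone.conf lands here and,
    # like any unknown service ID, is rejected rather than silently ignored.
    if not specific <= known_services:
        raise Unauthorized("serviceId contains an unknown service")
    filtered = []
    for role in roles:
        if role["tenantId"] is None:           # global role
            if want_global:
                filtered.append(role)
        elif role["serviceId"] in specific:    # tenant-scoped role for a requested service
            filtered.append(role)
    if not filtered:
        raise Unauthorized("no roles for the given serviceId")
    return filtered


def validate_status(roles, service_id_param, **kw):
    """Return (HTTP status, roles) the way the API would: 200 with roles or 401 with none."""
    try:
        return 200, validate_token(roles, service_id_param, **kw)
    except Unauthorized:
        return 401, []
```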