With the removal of KeystoneToken from the token model, we longer
have the ability to use the token data syntax in the policy rules.
This change broke backward compatibility for those is deploying
customized Keystone policies. Unfortunately, we can't go back
to KeystoneToken model as the change was tightly coupled with
the other refactored authorization functionalities.
Since the scope information is now available in the credential
dictionary, we can just make use of it instead. Those who have
custom policies must update their policy files accordingly.
Reviewed: https:/ /review. openstack. org/629692 /git.openstack. org/cgit/ openstack/ keystone/ commit/ ?id=a2e307ed4d5 26e21cddf7551f1 60b587b89360e4
Committed: https:/
Submitter: Zuul
Branch: stable/rocky
commit a2e307ed4d526e2 1cddf7551f160b5 87b89360e4
Author: Guang Yee <email address hidden>
Date: Wed Jan 9 16:07:36 2019 -0800
correct the admin_or_ target_ domain rule
With the removal of KeystoneToken from the token model, we longer
have the ability to use the token data syntax in the policy rules.
This change broke backward compatibility for those is deploying
customized Keystone policies. Unfortunately, we can't go back
to KeystoneToken model as the change was tightly coupled with
the other refactored authorization functionalities.
Since the scope information is now available in the credential
dictionary, we can just make use of it instead. Those who have
custom policies must update their policy files accordingly.
Change-Id: I83eae5c390d720 da05e91264519ae 01e8ca32159
closes-bug: 1810983