unable to list regions with unscoped token
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
python-keystoneclient | Invalid | Undecided | Unassigned |
Bug Description
The default policy for list_regions in keystone is empty [0], meaning so long as the user is authenticated, they should be able to retrieve a list of regions. An authenticated user also doesn't *have* to be using a token scoped to a project or domain; it could simply be a user with an unscoped token.
While using keystoneauth and python-keystoneclient, listing regions requires a service catalog. Service catalogs are only supplied with project- or domain-scoped tokens, ultimately meaning keystoneauth and python-
[0] https:/
[1] http://
[2] http://
What's the use case though? A project-scoped token can access multiple regions; via endpoint filtering this could mean that different regions are available to different people, because really region is just a tag on an endpoint in the catalog.
What is the person trying to do that they would want to list endpoints in a normal token flow anyway?
From a client perspective this is relatively easy to do because you can fall back to the AUTH_INTERFACE like other calls do.
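
The catalog dependency described in the bug and the auth-URL fallback suggested in the last comment, as an added example that is not code from keystoneauth, python-keystoneclient or this thread. It is a simplified, stdlib-only model with constructed token bodies; `AUTH_URL`, the sentinel object and the `allow_auth_fallback` flag are hypothetical names used for illustration.

```python
# Simplified model of catalog-based endpoint lookup (not keystoneauth's code).
AUTH_URL = "https://keystone.example.test/v3"  # constructed auth URL
AUTH_INTERFACE = object()  # sentinel here meaning "use the auth URL itself"

# Constructed Keystone v3 token bodies: only the scoped one carries a catalog.
UNSCOPED = {"token": {"user": {"name": "alice"}, "methods": ["password"]}}
SCOPED = {"token": {
    "user": {"name": "alice"},
    "project": {"name": "demo"},
    "catalog": [{"type": "identity", "endpoints": [
        {"interface": "public", "region_id": "RegionOne",
         "url": "https://keystone.example.test/v3"},
        {"interface": "admin", "region_id": "RegionOne",
         "url": "https://keystone-admin.example.test/v3"}]}],
}}


class EndpointNotFound(Exception):
    pass


def catalog_endpoint(token_body, service_type, interface, region=None):
    """Return the catalog URL for a service, or raise if none matches."""
    for service in token_body["token"].get("catalog", []):
        if service["type"] != service_type:
            continue
        for ep in service["endpoints"]:
            if ep["interface"] == interface and region in (None, ep["region_id"]):
                return ep["url"]
    raise EndpointNotFound(f"no {interface} {service_type} endpoint in token")


def resolve(token_body, interface="public", allow_auth_fallback=False):
    """Pick the base URL for an identity call such as GET /regions."""
    if interface is AUTH_INTERFACE:
        return AUTH_URL  # caller asked for the auth URL; no catalog needed
    try:
        return catalog_endpoint(token_body, "identity", interface)
    except EndpointNotFound:
        if allow_auth_fallback:  # hypothetical flag modelling the fallback
            return AUTH_URL
        raise


def regions_url(token_body, **kwargs):
    """Build the list-regions URL from whichever base URL resolve() picks."""
    return resolve(token_body, **kwargs).rstrip("/") + "/regions"
```

With the unscoped body the lookup fails before any policy check could run, which is the mismatch the report describes: the server-side policy would allow the call, but the client cannot find where to send it.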