Hello,

I am trying to make sure that a user can't do anything useful with an unscoped token, and got to the following code in keystoneclient.middleware.auth_token:

        if _token_is_v2(token_info) and not auth_ref.project_id:
            raise InvalidUserToken('Unable to determine tenancy.')

This check is performed on every request, and successfully forbids any request authenticated by a project-less token. But only for v2 tokens!

In case a service is using v3 of the Keystone API, the request successfully passes the auth_token middleware filter, and it becomes the task of each specific service to handle the unscopedness of the passed token.

While Nova seems to be handling this well (based on several tests I made), I was able to fetch a list of available images from Glance using a token of a projectless user.

Is this the desired behavior of keystoneclient?
Why do we check the existence of project_id only for v2 tokens?

Thanks,
Roman

_______________________________________________
OpenStack-dev mailing list
OpenStack-dev@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
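The asymmetry Roman describes, reproduced as an added example (this is not keystoneclient's code, nor code from the thread): the quoted check is modelled in check_scope_as_quoted, which only insists on a project for v2 tokens, and check_scope_strict beside it requires a project scope for both versions. The token payloads are hand-built samples in the shape of a Keystone v2 response (an "access" envelope with token.tenant) and a v3 response (a "token" envelope with token.project); the helper names _token_is_v2, project_id_from_token and accepted are assumptions of this example, not names from the project.

```python
"""Version-agnostic project-scope check for Keystone tokens.

Constructed example modelled on the auth_token check quoted in the post; it is
not keystoneclient's own code.  The sample tokens below are hand-built in the
shape of Keystone v2 ("access" envelope) and v3 ("token" envelope) responses.
"""


class InvalidUserToken(Exception):
    """Raised when a token must not be used to authorize the request."""


def _token_is_v2(token_info):
    # v2 validation responses wrap everything in an "access" envelope.
    return "access" in token_info


def _token_is_v3(token_info):
    # v3 validation responses wrap everything in a "token" envelope.
    return "token" in token_info


def project_id_from_token(token_info):
    """Return the project (tenant) id the token is scoped to, or None if unscoped."""
    if _token_is_v2(token_info):
        tenant = token_info["access"]["token"].get("tenant") or {}
        return tenant.get("id")
    if _token_is_v3(token_info):
        project = token_info["token"].get("project") or {}
        return project.get("id")
    raise InvalidUserToken("Unrecognized token format")


def check_scope_as_quoted(token_info):
    """Behaviour described in the post: only v2 tokens must carry a project."""
    project_id = project_id_from_token(token_info)
    if _token_is_v2(token_info) and not project_id:
        raise InvalidUserToken("Unable to determine tenancy.")
    return project_id  # None for an unscoped v3 token, yet no exception


def check_scope_strict(token_info):
    """Hardened variant: require a project scope regardless of token version."""
    project_id = project_id_from_token(token_info)
    if not project_id:
        raise InvalidUserToken("Unable to determine tenancy.")
    return project_id


# Constructed sample tokens (hypothetical ids, not real Keystone data).
V2_SCOPED = {"access": {"token": {"id": "tok-v2-a",
                                  "tenant": {"id": "proj-1", "name": "demo"}},
                        "user": {"id": "user-1"}}}
V2_UNSCOPED = {"access": {"token": {"id": "tok-v2-b"},
                          "user": {"id": "user-1"}}}
V3_SCOPED = {"token": {"project": {"id": "proj-1", "name": "demo"},
                       "user": {"id": "user-1"}}}
V3_UNSCOPED = {"token": {"user": {"id": "user-1"}}}

SAMPLES = [("v2 scoped", V2_SCOPED), ("v2 unscoped", V2_UNSCOPED),
           ("v3 scoped", V3_SCOPED), ("v3 unscoped", V3_UNSCOPED)]


def accepted(check, token_info):
    """True if `check` lets the token through, False if it raises InvalidUserToken."""
    try:
        check(token_info)
        return True
    except InvalidUserToken:
        return False


def compare_checks():
    """Map each sample to (quoted check accepts?, strict check accepts?)."""
    return {name: (accepted(check_scope_as_quoted, tok),
                   accepted(check_scope_strict, tok))
            for name, tok in SAMPLES}


if __name__ == "__main__":
    for name, (quoted, strict) in compare_checks().items():
        print("%-12s quoted=%-5s strict=%s" % (name, quoted, strict))
```

Only the "v3 unscoped" row differs between the two columns: the quoted logic passes it through to the service, the strict variant rejects it at the middleware. One caveat a practitioner should keep in mind before copying the strict form: Keystone v3 also issues domain-scoped tokens, which carry no project and which check_scope_strict would reject as well, so the right policy depends on whether the service behind the middleware has any legitimate domain-scoped operations.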