Hi Bryan - There are a couple of points here:
1. The Service API is a subset of the Admin API. There are calls in the Admin API that need a token with privileged access to be called. The use of the Service API is a deployment option, but not a requirement (i.e. You can run Keystone on one endpoint running the Admin API only).

2. Most of that information you're asking the user may want is available in the response they get when they authenticate. The validate token is a "privileged" call which is not required for normal use cases. Especially given that this is a "bearer" token (i.e. Anyone providing the token has access to resources), any discovery they can make on a token is risky.

Z

On 12/13/11 5:10 PM, "Bryan Taylor" <[email protected]> wrote:

>The keystone management API has a validate token method that looks like:
>GET /tokens/{tokenId}?belongsTo=tenantId
>
>See
><http://docs.openstack.org/incubation/identity-dev-guide/content/Validate_Token-d1e1914.html>
>
>Why is the validate token method in the keystone admin API and not the
>service API?
>
>If the requestor has a token, they can act as the user, creating and
>deleting servers, files, etc..., but we've decided to lock down the
>resource that says when their token expires, their username, and what
>roles and tenants they have. Why?
>
>_______________________________________________
>Mailing list: https://launchpad.net/~openstack
>Post to : [email protected]
>Unsubscribe : https://launchpad.net/~openstack
>More help : https://help.launchpad.net/ListHelp
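
The access rule discussed in this thread, as an added toy model in Python (not Keystone code and not written by either poster): authenticating returns the caller's own expiry, user and roles, while looking up a token by id is refused unless the caller's own token is privileged. The class, the exception names, the "admin" role name and the sample users and tenants are assumptions; HTTP status codes are not modelled.

```python
import secrets
from datetime import datetime, timedelta, timezone

class NotPrivileged(Exception):
    """Caller's token lacks the privileged role."""

class InvalidToken(Exception):
    """Token unknown, expired, or scoped to another tenant."""

class ToyIdentity:
    ADMIN_ROLE = "admin"  # assumed name of the privileged role

    def __init__(self):
        self._tokens = {}  # token id -> record

    def authenticate(self, user, tenant, roles, ttl_s=3600):
        # The auth response already carries the caller's own expiry, user and roles.
        token_id = secrets.token_hex(16)
        expires = datetime.now(timezone.utc) + timedelta(seconds=ttl_s)
        rec = {"user": user, "tenant": tenant, "roles": list(roles), "expires": expires}
        self._tokens[token_id] = rec
        return {"token": token_id, **rec}

    def _live(self, token_id):
        rec = self._tokens.get(token_id)
        return rec if rec and rec["expires"] > datetime.now(timezone.utc) else None

    def validate(self, caller_token, token_id, belongs_to=None):
        # Models GET /tokens/{tokenId}?belongsTo=tenantId as a privileged call.
        caller = self._live(caller_token)
        if caller is None or self.ADMIN_ROLE not in caller["roles"]:
            raise NotPrivileged("validate requires a privileged token")
        rec = self._live(token_id)
        if rec is None or (belongs_to is not None and rec["tenant"] != belongs_to):
            raise InvalidToken("token not valid for this tenant")
        return {k: rec[k] for k in ("user", "tenant", "roles", "expires")}

def demo():
    idp = ToyIdentity()
    svc = idp.authenticate("svc-compute", "service", ["admin"])   # constructed sample
    usr = idp.authenticate("alice", "tenant-a", ["member"])       # constructed sample
    out = {"auth_response_roles": usr["roles"]}
    for name, caller, tenant in (("user_self", usr, None), ("svc_ok", svc, "tenant-a"),
                                 ("svc_wrong_tenant", svc, "tenant-b")):
        try:
            out[name] = idp.validate(caller["token"], usr["token"], tenant)["user"]
        except (NotPrivileged, InvalidToken) as exc:
            out[name] = type(exc).__name__
    return out
```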

