Public bug reported: In Rocky, keystone implemented support to ensure at least three default roles were available [0]. The revocation list API doesn't incorporate these defaults into its default policies [1], but it should.
Even though this API isn't really useful without PKI/Z tokens, we should apply the same default role conventions to it that we use for all other policies in keystone. The revocation list policy also allows for project-scoped and system- scoped tokens. This should probably be a system-only API since it's dealing with sensitive token revocation information (unless there is a good reason for project or domain users to fetch this list). [0] http://specs.openstack.org/openstack/keystone-specs/specs/keystone/rocky/define-default-roles.html [1] http://git.openstack.org/cgit/openstack/keystone/tree/keystone/common/policies/token_revocation.py?id=6e3f1f6e46787ed4542609c935c13cb85e91d7fc ** Affects: keystone Importance: Wishlist Status: Triaged ** Tags: default-roles policy ** Tags added: default-roles policy ** Changed in: keystone Status: New => Triaged ** Changed in: keystone Importance: Undecided => Wishlist ** Summary changed: - The revocation list API doesn't use default roles + The revocation list API doesn't use default roles or proper scope types ** Description changed: In Rocky, keystone implemented support to ensure at least three default roles were available [0]. The revocation list API doesn't incorporate these defaults into its default policies [1], but it should. Even though this API isn't really useful without PKI/Z tokens, we should apply the same default role conventions to it that we use for all other policies in keystone. + The revocation list policy also allows for project-scoped and system- + scoped tokens. This should probably be a system-only API since it's + dealing with sensitive token revocation information (unless there is a + good reason for project or domain users to fetch this list). + [0] http://specs.openstack.org/openstack/keystone-specs/specs/keystone/rocky/define-default-roles.html [1] http://git.openstack.org/cgit/openstack/keystone/tree/keystone/common/policies/token_revocation.py?id=6e3f1f6e46787ed4542609c935c13cb85e91d7fc -- You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to OpenStack Identity (keystone). https://bugs.launchpad.net/bugs/1818845 Title: The revocation list API doesn't use default roles or proper scope types Status in OpenStack Identity (keystone): Triaged Bug description: In Rocky, keystone implemented support to ensure at least three default roles were available [0]. The revocation list API doesn't incorporate these defaults into its default policies [1], but it should. Even though this API isn't really useful without PKI/Z tokens, we should apply the same default role conventions to it that we use for all other policies in keystone. The revocation list policy also allows for project-scoped and system- scoped tokens. This should probably be a system-only API since it's dealing with sensitive token revocation information (unless there is a good reason for project or domain users to fetch this list). [0] http://specs.openstack.org/openstack/keystone-specs/specs/keystone/rocky/define-default-roles.html [1] http://git.openstack.org/cgit/openstack/keystone/tree/keystone/common/policies/token_revocation.py?id=6e3f1f6e46787ed4542609c935c13cb85e91d7fc To manage notifications about this bug go to: https://bugs.launchpad.net/keystone/+bug/1818845/+subscriptions -- Mailing list: https://launchpad.net/~yahoo-eng-team Post to : [email protected] Unsubscribe : https://launchpad.net/~yahoo-eng-team More help : https://help.launchpad.net/ListHelp
