Reviewed: https://review.opendev.org/665231 Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=092570fc5ef43497c29cf174bfff43323a49fb58 Submitter: Zuul Branch: master
commit 092570fc5ef43497c29cf174bfff43323a49fb58 Author: Lance Bragstad <lbrags...@gmail.com> Date: Thu Jun 13 20:12:56 2019 +0000 Implement system scope and default roles for token API This commit adds protection testing for the token API along with changes to default policies to properly consume system-scope and default roles. Originally, this work was going to include the ability for project and domain administrator to validate, check, or revoke tokens within the context of their authorization (e.g., a domain administrator could revoke tokens on projects within their domain). This seems like extra work for not much benefit since we're using bearer tokens. The holder of the token can do anything with that token, which means they can validate it or revoke it without using their own token. Adding project and domain administrator support seems unnecessary given the existing functionality. If someone comes forward asking for this functionality, we can re-evaluate the effort. For now, this patch is limited to system user support, allowing them to validate, check, and revoke any token in the system. Service users can still validate tokens on behalf of users. Users can do anything they wish with their own tokens. This commit also bumps the minimum version of oslo.log so that we can use the official TRAIN deprecated release marker. Change-Id: Ia8b35258b43213bd117df4275c907aac223342b3 Closes-Bug: 1818844 Closes-Bug: 1750676 ** Changed in: keystone Status: In Progress => Fix Released -- You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to OpenStack Identity (keystone). https://bugs.launchpad.net/bugs/1818844 Title: Token API doesn't use default roles Status in OpenStack Identity (keystone): Fix Released Bug description: In Rocky, keystone implemented support to ensure at least three default roles were available [0]. The token API doesn't incorporate these defaults into its default policies [1], but it should. For example, a system reader should be able to validate tokens for other users, but only system administrators should be able to revoke them (since it's technically a writeable API). Building these roles into the token API will make it easier for system users who aren't administrators to diagnose token issues for users. [0] http://specs.openstack.org/openstack/keystone-specs/specs/keystone/rocky/define-default-roles.html [1] http://git.openstack.org/cgit/openstack/keystone/tree/keystone/common/policies/token.py?id=6e3f1f6e46787ed4542609c935c13cb85e91d7fc To manage notifications about this bug go to: https://bugs.launchpad.net/keystone/+bug/1818844/+subscriptions -- Mailing list: https://launchpad.net/~yahoo-eng-team Post to : yahoo-eng-team@lists.launchpad.net Unsubscribe : https://launchpad.net/~yahoo-eng-team More help : https://help.launchpad.net/ListHelp