Reviewed: https://review.opendev.org/665231
Committed:
https://git.openstack.org/cgit/openstack/keystone/commit/?id=092570fc5ef43497c29cf174bfff43323a49fb58
Submitter: Zuul
Branch: master
commit 092570fc5ef43497c29cf174bfff43323a49fb58
Author: Lance Bragstad <lbrags...@gmail.com>
Date: Thu Jun 13 20:12:56 2019 +0000
Implement system scope and default roles for token API
This commit adds protection testing for the token API along with
changes to default policies to properly consume system-scope and
default roles.
Originally, this work was going to include the ability for project and
domain administrator to validate, check, or revoke tokens within the
context of their authorization (e.g., a domain administrator could
revoke tokens on projects within their domain). This seems like extra
work for not much benefit since we're using bearer tokens. The holder
of the token can do anything with that token, which means they can
validate it or revoke it without using their own token. Adding
project and domain administrator support seems unnecessary given the
existing functionality. If someone comes forward asking for this
functionality, we can re-evaluate the effort. For now, this patch is
limited to system user support, allowing them to validate, check, and
revoke any token in the system. Service users can still validate
tokens on behalf of users. Users can do anything they wish with their
own tokens.
This commit also bumps the minimum version of oslo.log so that we can
use the official TRAIN deprecated release marker.
Change-Id: Ia8b35258b43213bd117df4275c907aac223342b3
Closes-Bug: 1818844
Closes-Bug: 1750676
** Changed in: keystone
Status: In Progress => Fix Released
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1818844
Title:
Token API doesn't use default roles
Status in OpenStack Identity (keystone):
Fix Released
Bug description:
In Rocky, keystone implemented support to ensure at least three
default roles were available [0]. The token API doesn't incorporate
these defaults into its default policies [1], but it should.
For example, a system reader should be able to validate tokens for
other users, but only system administrators should be able to revoke
them (since it's technically a writeable API).
Building these roles into the token API will make it easier for system
users who aren't administrators to diagnose token issues for users.
[0]
http://specs.openstack.org/openstack/keystone-specs/specs/keystone/rocky/define-default-roles.html
[1]
http://git.openstack.org/cgit/openstack/keystone/tree/keystone/common/policies/token.py?id=6e3f1f6e46787ed4542609c935c13cb85e91d7fc
To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1818844/+subscriptions
--
Mailing list: https://launchpad.net/~yahoo-eng-team
Post to : yahoo-eng-team@lists.launchpad.net
Unsubscribe : https://launchpad.net/~yahoo-eng-team
More help : https://help.launchpad.net/ListHelp
