openinfra/interop
Code Issues Proposed changes

Add tokens validate capability as 2017.08 advisory

Browse Source 
Add keystone validate token capability into next.json/ 2017.08.
non-admin test case is now available in tempest. Further
details on commit Ice1a241445d532ee2c4b1ad8d2c4c896d755798d
TC call GET on /v3/auth/tokens API.

Depends-On: Ice1a241445d532ee2c4b1ad8d2c4c896d755798d

Change-Id: I062e6148e90ae84d34f2df4577eb581ce76d021b
This commit is contained in:
Luz Cazares
2017-06-19 16:10:39 +00:00
parent b397863e9a
commit a7d431a975
4 changed files with 53 additions and 33 deletions
Download Patch File Download Diff File Expand all files Collapse all files

75
next.json
View File

@@ -71,6 +71,7 @@
"volumes-v2-upload"
],
"advisory": [
"identity-v3-tokens-validate",
"networks-l3-router",
"networks-l3-CRUD",
"networks-list-api-versions",
@@ -1010,31 +1011,6 @@
}
}
},
"identity-v3-tokens-create": {
"achievements": [
"foundation",
"complete",
"doc",
"proximity",
"clients",
"discover",
"sticky",
"future",
"atomic",
"stable",
"tools",
"deployed"
],
"admin": false,
"description": "Auth operations within the Identity API",
"project": "keystone",
"required-since": "2015.05",
"tests": {
"tempest.api.identity.v3.test_tokens.TokensV3Test.test_create_token": {
"idempotent_id": "id-6f8e4436-fc96-4282-8122-e41df57197a9"
}
}
},
"identity-v3-api-discovery": {
"achievements": [
"atomic",
@@ -1083,13 +1059,60 @@
"admin": false,
"description": "List projects a user belongs to",
"project": "keystone",
"required-since": "",
"required-since": "2017.08",
"tests": {
"tempest.api.identity.v3.test_projects.IdentityV3ProjectsTest.test_list_projects_returns_only_authorized_projects": {
"idempotent_id": "id-86128d46-e170-4644-866a-cc487f699e1d"
}
}
},
"identity-v3-tokens-create": {
"achievements": [
"foundation",
"complete",
"doc",
"proximity",
"clients",
"discover",
"sticky",
"future",
"atomic",
"stable",
"tools",
"deployed"
],
"admin": false,
"description": "Auth operations within the Identity API",
"project": "keystone",
"required-since": "2015.05",
"tests": {
"tempest.api.identity.v3.test_tokens.TokensV3Test.test_create_token": {
"idempotent_id": "id-6f8e4436-fc96-4282-8122-e41df57197a9"
}
}
},
"identity-v3-tokens-validate": {
"achievements": [
"deployed",
"tools",
"clients",
"future",
"stable",
"complete",
"discover",
"doc",
"atomic"
],
"admin": false,
"description": "Validate and show token information",
"project": "keystone",
"required-since": "",
"tests": {
"tempest.api.identity.v3.test_tokens.TokensV3Test.test_validate_token": {
"idempotent_id": "id-a9512ac3-3909-48a4-b395-11f438e16260"
}
}
},
"images-v2-index": {
"achievements": [
"foundation",

2
working_materials/keystone_capabilities_info.csv
View File

@@ -19,7 +19,7 @@ identity-v3-get-role,platform/compute,,GET,/v3/roles/{role_id},,no,,,admin requi
identity-v3-list-domains,platform/compute,,GET,/v3/domains,,no,,,admin required,
identity-v3-get-domain,platform/compute,,GET,/v3/domains/{domain_id},,no,,,admin required,
,,,,,,,,,,
identity-v3-validate-token,platform/compute,,GET,/v3/auth/tokens,,yes,Token to be validated is passed in the X-Subject-Token header,,,"This sounds backwards to me, need to check with steve, shouldn't it be POST for validating and GET for getting a token?"
identity-v3-tokens-validate,platform/compute,,GET,/v3/auth/tokens,,yes,Token to be validated is passed in the X-Subject-Token header,,,"This sounds backwards to me, need to check with steve, shouldn't it be POST for validating and GET for getting a token?"
identity-v3-revoke-token,platform/compute,,DELETE,/v3/auth/tokens,1,yes,Token to be revoked is passed in the X-Subject-Token header,keystone.keystone.tests.unit.test_revoke{test_revoke_by_user},,
identity-v3-get-catalog,platform/compute/object,,GET,/v3/auth/catalog,0,yes,,,"couldn't find a test specific for this, there are some tests related in keystone.tests.unit.test_v3_auth.py",
identity-v3-get-auth-projects,platform/compute,,GET,/v3/auth/projects,0,yes,,,"equivalent as far as I can tell to identity-v3-list-projects. couldn't find a test specific for this, there are some tests related in keystone.tests.unit.test_v3_auth.py",
1 Capability Program Status Method Endpoint Test available? interop relevant? PTL Comments From Defcore Discussion Scorer Comments
19 identity-v3-get-domain platform/compute GET /v3/domains/{domain_id} no admin required
20
21 identity-v3-validate-token identity-v3-tokens-validate platform/compute GET /v3/auth/tokens yes Token to be validated is passed in the X-Subject-Token header This sounds backwards to me, need to check with steve, shouldn't it be POST for validating and GET for getting a token?
22 identity-v3-revoke-token platform/compute DELETE /v3/auth/tokens 1 yes Token to be revoked is passed in the X-Subject-Token header keystone.keystone.tests.unit.test_revoke{test_revoke_by_user}
23 identity-v3-get-catalog platform/compute/object GET /v3/auth/catalog 0 yes couldn't find a test specific for this, there are some tests related in keystone.tests.unit.test_v3_auth.py
24 identity-v3-get-auth-projects platform/compute GET /v3/auth/projects 0 yes equivalent as far as I can tell to identity-v3-list-projects. couldn't find a test specific for this, there are some tests related in keystone.tests.unit.test_v3_auth.py
25

7
working_materials/scoring.txt
View File

@@ -288,7 +288,7 @@ identity-v3-api-discovery: [1,0,1] [1,1,1] [1,1,1] [1,1,1] [1] [94]*
identity-v3-catalog: [1,0,1] [1,1,1] [1,1,0] [1,1,1] [1] [85]*
identity-v3-list-projects: [1,1,1] [1,1,1] [1,1,0] [0,1,0] [1] [74]*
identity-v3-list-groups: [1,1,1] [1,1,1] [1,1,0] [0,1,0] [1] [74]*
identity-v3-validate-token: [1,1,1] [1,1,1] [1,1,0] [0,1,0] [1] [74]*
identity-v3-tokens-validate: [1,1,1] [1,1,1] [1,1,0] [0,1,0] [1] [74]*
Notes:
* identity-v3-catalog is returned when the api for
@@ -312,12 +312,9 @@ Notes:
to be done on the backend system. It probably needs further study to see
if it's really interoperable, but it seems unlikely at this point (I also
don't see it being supported by many external tools, etc).
* identity-v3-validate-token A given user can validate its own token. An
* identity-v3-tokens-validate A given user can validate its own token. An
admin user is able to validate any token. This is enought for capability to
be considered non admin.
At the time of scoring, there is no non-admin test case in Tempest. Patch
https://review.openstack.org/#/c/467493 will add the test case but due to
timing, capability won't be added in this cycle - not until TC is available.
Object Store
------------

2
working_materials/tabulated_scores.csv
View File

@@ -105,7 +105,7 @@ identity-v3-api-discovery,1,0,1,1,1,1,1,1,1,1,1,1,1,94*
identity-v3-catalog,1,0,1,1,1,1,1,1,0,1,1,1,1,85*
identity-v3-list-projects,1,1,1,1,1,1,1,1,0,0,1,0,1,74*
identity-v3-list-groups,1,1,1,1,1,1,1,1,0,0,1,0,1,74*
identity-v3-validate-token,1,1,1,1,1,1,1,1,0,0,1,0,1,74*
identity-v3-tokens-validate,1,1,1,1,1,1,1,1,0,0,1,0,1,74*
objectstore-object-copy,1,1,1,1,1,1,1,1,1,1,1,1,1,100*
objectstore-object-create,1,1,1,1,1,1,1,1,1,1,1,1,1,100*
objectstore-object-delete,1,1,1,1,1,1,1,1,1,1,1,1,1,100*
1 Capability Widely Deployed Used by Tools Used by Clients Future Direction Complete Stable Discoverable Documented Core in Last Release Foundation Atomic Proximity Non-Admin Total
105 identity-v3-catalog 1 0 1 1 1 1 1 1 0 1 1 1 1 85*
106 identity-v3-list-projects 1 1 1 1 1 1 1 1 0 0 1 0 1 74*
107 identity-v3-list-groups 1 1 1 1 1 1 1 1 0 0 1 0 1 74*
108 identity-v3-validate-token identity-v3-tokens-validate 1 1 1 1 1 1 1 1 0 0 1 0 1 74*
109 objectstore-object-copy 1 1 1 1 1 1 1 1 1 1 1 1 1 100*
110 objectstore-object-create 1 1 1 1 1 1 1 1 1 1 1 1 1 100*
111 objectstore-object-delete 1 1 1 1 1 1 1 1 1 1 1 1 1 100*