OpenStack Identity (Keystone)
Douglas Mendizábal 7dc175a41f Normalize policy checks for domain-scoped tokens
This patch fixes an inconsistency in the policies for role_assignment
where the target object used for policy enforcement was being created
with different properties depending on the request query string.

This required policies to be written in two different ways to validate
domain IDs for domain-scoped requests.  e.g. checking for domain reader
was using both:

    role:reader and domain_id:%(target.domain_id)s


    role:reader and domain_id:%(target.project.domain_id)s

With the former only being populated for GET /v3/role_assignments and
the latter only being populated for GET

This patch fixes the target object so that only target.domain_id needs
to be checked for domain-scoped tokens.

Change-Id: Iffbe11c57c61bbd1b045a6567a9249c12dff403c
2024-02-09 11:33:51 -06:00
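
The inconsistency described in the commit message above, shown as an added example (not Keystone or oslo.policy code): a simplified evaluator for the two check strings, run against two target shapes. The target layouts, credential values and helper names are assumptions constructed for illustration, and a missing target attribute is modelled as a deny.

```python
# Simplified model of "kind:match" policy clauses joined by " and ".
# Not oslo.policy or Keystone code; all names and values are constructed.

def flatten(obj, prefix=""):
    """Turn nested dicts into dotted keys: {'target': {'domain_id': 'd1'}}
    becomes {'target.domain_id': 'd1'}."""
    flat = {}
    for key, value in obj.items():
        if isinstance(value, dict):
            flat.update(flatten(value, f"{prefix}{key}."))
        else:
            flat[f"{prefix}{key}"] = value
    return flat

def check(rule, target, creds):
    """Return True only if every clause of the rule holds."""
    flat = flatten(target)
    for clause in rule.split(" and "):
        kind, match = clause.split(":", 1)
        if kind == "role":
            if match not in creds.get("roles", []):
                return False
            continue
        try:
            expected = match % flat      # fills in %(target.domain_id)s
        except KeyError:
            return False                 # attribute missing from target: deny
        if kind not in creds or str(creds[kind]) != expected:
            return False
    return True

RULE_A = "role:reader and domain_id:%(target.domain_id)s"
RULE_B = "role:reader and domain_id:%(target.project.domain_id)s"
CREDS = {"roles": ["reader"], "domain_id": "d1"}   # domain-scoped reader

# Two shapes the same logical target can take (constructed).
TARGET_DOMAIN = {"target": {"domain_id": "d1"}}
TARGET_PROJECT = {"target": {"project": {"domain_id": "d1"}}}

def matrix():
    """Evaluate both rules against both target shapes."""
    shapes = {"domain": TARGET_DOMAIN, "project": TARGET_PROJECT}
    rules = {"A": RULE_A, "B": RULE_B}
    return {(r, s): check(rules[r], shapes[s], CREDS)
            for r in rules for s in shapes}

if __name__ == "__main__":
    for (rule, shape), allowed in matrix().items():
        print(f"rule {rule} / target shape {shape}: {allowed}")
```

Each rule passes for only one of the two shapes, which is why a policy had to carry both forms; with a target that always exposes `target.domain_id`, the first rule alone is enough.
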
api-ref/source Merge "api-ref: Correct app credentials auth response" 2023-07-10 13:59:54 +00:00
config-generator Move policy generator config to config-generator/ 2017-04-21 21:47:32 +00:00
devstack Update keystone gates to use jammy 2023-09-08 13:39:31 -05:00
doc Merge "Keystone to honor the "domain" attribute mapping rules." 2024-01-26 17:37:09 +00:00
etc Fix outdated default catalog template 2023-03-31 18:12:21 +09:00
examples/pki Remove support for PKI and PKIz tokens 2016-11-01 22:05:01 +00:00
httpd Remove admin interface in sample Apache file 2018-03-24 12:56:02 +01:00
keystone Normalize policy checks for domain-scoped tokens 2024-02-09 11:33:51 -06:00
keystone_tempest_plugin Replace URLs with URLs 2019-04-24 11:51:00 +08:00
playbooks Add FIPS check job 2021-08-04 14:25:06 -04:00
rally-jobs fix rally docs url 2018-05-21 16:24:51 +08:00
releasenotes reno: Update master for unmaintained/yoga 2024-02-06 15:50:11 +00:00
tools db: Remove legacy migrations 2023-02-28 17:26:39 +00:00
.coveragerc Change ignore-errors to ignore_errors 2015-09-21 14:27:58 +00:00
.gitignore Tell reno to ignore the kilo branch 2020-02-21 13:51:02 -05:00
.gitreview OpenDev Migration Patch 2019-04-19 19:30:29 +00:00
.mailmap update mailmap with gyee's new email 2015-11-03 16:12:01 -08:00
.stestr.conf Migrate to stestr 2017-09-22 11:07:09 -05:00
.zuul.yaml Consistent and Secure RBAC (Phase 1) 2024-01-19 14:35:37 -05:00
CONTRIBUTING.rst Use https for references 2017-01-30 16:05:08 -08:00
HACKING.rst Merge "Update links in keystone" 2017-10-06 16:10:56 +00:00
LICENSE Added Apache 2.0 License information. 2012-02-15 17:48:33 -08:00
README.rst Moving IRC network reference to OFTC 2021-07-16 13:58:33 +00:00
bindep.txt Fix bindep.txt for python 3.11 job(Debian Bookworm) 2023-11-29 12:41:29 +09:00
reno.yaml Tell reno to ignore the kilo branch 2020-02-21 13:51:02 -05:00
requirements.txt db: Remove legacy migrations 2023-02-28 17:26:39 +00:00
setup.cfg Merge "Remove babel.cfg" 2024-01-26 17:37:06 +00:00 Cleanup py27 support 2020-04-08 08:37:30 +02:00
test-requirements.txt Stop pinning pep8 related packages 2023-10-02 15:41:36 -05:00
tox.ini Keystone to honor the "domain" attribute mapping rules. 2024-01-16 08:54:56 -03:00


OpenStack Keystone


OpenStack Keystone provides authentication, authorization and service discovery mechanisms via HTTP primarily for use by projects in the OpenStack family. It is most commonly deployed as an HTTP interface to existing identity systems, such as LDAP.

Developer documentation, the source of which is in doc/source/, is published at:

The API reference and documentation are available at:

The canonical client library is available at:

Documentation for cloud administrators is available at:

The source of documentation for cloud administrators is available at:

Information about our team meeting is available at:

Release notes are available at:

Bugs and feature requests are tracked on Launchpad at:

Future design work is tracked at:

Contributors are encouraged to join IRC (#openstack-keystone on OFTC):

Source for the project:

For information on contributing to Keystone, see CONTRIBUTING.rst.