Add scope_types for revoke event policies
This commit associates `system` to revoke event policies, since these policies were developed to assist the system in offline token validation. From now on, a warning will be logged when a project-scoped token is used to get revocation events. Operators can opt into requiring system-scoped tokens for these policies by enabling oslo.policy's `enforce_scope` configuration option, which will result in an HTTP Forbidden exception when mismatching scope is used.

Change-Id: I1dddeb216b2523b8471e5f2d5370921bb7a45e7f
parent 41cd37b494
commit 93fa014ea7
|
@ -18,6 +18,11 @@ revoke_event_policies = [
|
|||
policy.DocumentedRuleDefault(
|
||||
name=base.IDENTITY % 'list_revoke_events',
|
||||
check_str=base.RULE_SERVICE_OR_ADMIN,
|
||||
# NOTE(lbragstad): This API was originally introduced so that services
|
||||
# could invalidate tokens based on revocation events. This is system
|
||||
# specific so it make sense to associate `system` as the scope type
|
||||
# required for this policy.
|
||||
scope_types=['system'],
|
||||
description='List revocation events.',
|
||||
operations=[{'path': '/v3/OS-REVOKE/events',
|
||||
'method': 'GET'}])
|
||||
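Review bot: The added `scope_types=['system']` on `list_revoke_events` sits beside an unchanged `check_str=base.RULE_SERVICE_OR_ADMIN`, so the check string itself still says nothing about scope; a project-scoped token that satisfies it keeps listing revocation events with only a warning until an operator enables `enforce_scope`. No test is visible alongside this hunk, so I'd ask for one that calls GET /v3/OS-REVOKE/events with a project-scoped token and with a system-scoped token under both `enforce_scope` settings, to pin the warning path and the Forbidden path. Since `description='List revocation events.'` is what operators see in generated policy documentation, it would also help to mention there, or in a release note, that a system-scoped token is expected. Minor: in the NOTE(lbragstad) comment, "it make sense" should read "it makes sense".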