
Add scope_types for revoke event policies

This commit associates `system` to revoke event policies, since these
policies were developed to assist the system in offline token
validation.

From now on, a warning will be logged when a project-scoped token is
used to get revocation events. Operators can opt into requiring
system-scoped tokens for these policies by enabling oslo.policy's
`enforce_scope` configuration option, which will result in an
HTTP Forbidden exception when mismatching scope is used.

Change-Id: I1dddeb216b2523b8471e5f2d5370921bb7a45e7f
tags/13.0.0.0rc1
Lance Bragstad 2 years ago
parent commit 93fa014ea7
1 changed files with 5 additions and 0 deletions
  1. +5
    -0
      keystone/common/policies/revoke_event.py
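The commit message describes two behaviours for a token whose scope does not match a policy's `scope_types`: a logged warning when `enforce_scope` is off, and an HTTP Forbidden when it is on. The following is an added, simplified model of that decision written for this page; it is not keystone's or oslo.policy's own code, and the policy table, the token dicts and the `ForbiddenScope` exception are constructed stand-ins for the real objects.

```python
import logging

LOG = logging.getLogger(__name__)


class ForbiddenScope(Exception):
    """Stand-in for the HTTP 403 the real service returns under enforce_scope."""


# Constructed policy table mirroring the entry changed in this commit:
# the revocation-event listing policy now expects a system-scoped token.
POLICIES = {
    'identity:list_revoke_events': {'scope_types': ['system']},
}


def token_scope(token):
    """Derive the scope of a constructed token dict.

    Keystone tokens carry exactly one of a system, domain or project
    authorization; this helper reports which one is present.
    """
    if token.get('system'):
        return 'system'
    if token.get('domain_id'):
        return 'domain'
    if token.get('project_id'):
        return 'project'
    return 'unscoped'


def check_scope(policy_name, token, enforce_scope=False):
    """Compare the token's scope with the policy's scope_types.

    Returns 'ok' when the scopes match, 'warn' when they do not and
    enforcement is off (mismatch is only logged), and 'forbidden' when
    they do not and enforcement is on.
    """
    allowed = POLICIES[policy_name]['scope_types']
    scope = token_scope(token)
    if scope in allowed:
        return 'ok'
    msg = 'policy %s requires one of %s but the token is %s-scoped' % (
        policy_name, allowed, scope)
    if enforce_scope:
        LOG.error(msg)
        return 'forbidden'
    LOG.warning(msg)
    return 'warn'


def enforce(policy_name, token, enforce_scope=False):
    """Raise ForbiddenScope on a mismatch when enforcement is enabled."""
    result = check_scope(policy_name, token, enforce_scope)
    if result == 'forbidden':
        raise ForbiddenScope(policy_name)
    return result


if __name__ == '__main__':
    logging.basicConfig(level=logging.WARNING)
    system_token = {'system': {'all': True}}          # constructed
    project_token = {'project_id': 'example-project'}  # constructed
    print(enforce('identity:list_revoke_events', system_token))
    print(enforce('identity:list_revoke_events', project_token))
    try:
        enforce('identity:list_revoke_events', project_token, enforce_scope=True)
    except ForbiddenScope as exc:
        print('forbidden:', exc)
```

Running it with a project-scoped token shows the warning path first and the forbidden path once `enforce_scope=True` is passed, which is the transition an operator should test for every service that calls this API before enabling the option.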

keystone/common/policies/revoke_event.py

@@ -18,6 +18,11 @@ revoke_event_policies = [
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'list_revoke_events',
check_str=base.RULE_SERVICE_OR_ADMIN,
# NOTE(lbragstad): This API was originally introduced so that services
# could invalidate tokens based on revocation events. This is system
# specific so it make sense to associate `system` as the scope type
# required for this policy.
scope_types=['system'],
description='List revocation events.',
operations=[{'path': '/v3/OS-REVOKE/events',
'method': 'GET'}])
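Review bot: the new `scope_types=['system']` sits next to `check_str=base.RULE_SERVICE_OR_ADMIN`, and the NOTE says this API exists so that services can validate tokens offline; please confirm that those service callers actually obtain system-scoped tokens, because a service user presenting a project-scoped token gets only the warning described in the commit message today but an HTTP Forbidden once `enforce_scope` is enabled, which would break the very offline validation this policy is meant to support. Two smaller points: the NOTE comment reads "so it make sense" and should be "so it makes sense"; and since the commit message describes an operator-visible behaviour change (warning now, Forbidden under `enforce_scope`), consider adding a release note so operators know to check which scope their services authenticate with before opting in.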

