Add scope_types for revoke event policies

This commit associates `system` to revoke event policies, since these
policies were developed to assist the system in offline token
validation.

From now on, a warning will be logged when a project-scoped token is
used to get revocation events. Operators can opt into requiring
system-scoped tokens for these policies by enabling oslo.policy's
`enforce_scope` configuration option, which will result in an
HTTP Forbidden exception when mismatching scope is used.

Change-Id: I1dddeb216b2523b8471e5f2d5370921bb7a45e7f
Lance Bragstad 2017-12-06 21:10:23 +00:00
parent 41cd37b494
commit 93fa014ea7
1 changed file with 5 additions and 0 deletions


@ -18,6 +18,11 @@ revoke_event_policies = [
policy.DocumentedRuleDefault( policy.DocumentedRuleDefault(
name=base.IDENTITY % 'list_revoke_events', name=base.IDENTITY % 'list_revoke_events',
check_str=base.RULE_SERVICE_OR_ADMIN, check_str=base.RULE_SERVICE_OR_ADMIN,
# NOTE(lbragstad): This API was originally introduced so that services
# could invalidate tokens based on revocation events. This is system
# specific so it make sense to associate `system` as the scope type
# required for this policy.
scope_types=['system'],
description='List revocation events.', description='List revocation events.',
operations=[{'path': '/v3/OS-REVOKE/events', operations=[{'path': '/v3/OS-REVOKE/events',
'method': 'GET'}]) 'method': 'GET'}])
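Review bot: the new `scope_types=['system']` sits next to a `check_str` of `base.RULE_SERVICE_OR_ADMIN`, so the `service` role is still what authorizes the call while the scope now has to be system; since the NOTE says services are the original consumers of this API, the commit message's warning (and the Forbidden once `enforce_scope` is on) will hit any service account that still authenticates with a project-scoped token, which is worth stating in a release note so operators check their service accounts' scope before enabling enforcement. Also, in the NOTE comment, "it make sense" should read "it makes sense".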