Add scope_types for revoke event policies
This commit associates `system` to revoke event policies, since these policies were developed to assist the system in offline token validation. From now on, a warning will be logged when a project-scoped token is used to get revocation events. Operators can opt into requiring system-scoped tokens for these policies by enabling oslo.policy's `enforce_scope` configuration option, which will result in an HTTP Forbidden exception when mismatching scope is used.

Change-Id: I1dddeb216b2523b8471e5f2d5370921bb7a45e7f
This commit is contained in:
parent
41cd37b494
commit
93fa014ea7
@ -18,6 +18,11 @@ revoke_event_policies = [
policy.DocumentedRuleDefault(
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'list_revoke_events',
name=base.IDENTITY % 'list_revoke_events',
check_str=base.RULE_SERVICE_OR_ADMIN,
check_str=base.RULE_SERVICE_OR_ADMIN,
# NOTE(lbragstad): This API was originally introduced so that services
# could invalidate tokens based on revocation events. This is system
# specific so it make sense to associate `system` as the scope type
# required for this policy.
scope_types=['system'],
description='List revocation events.',
description='List revocation events.',
operations=[{'path': '/v3/OS-REVOKE/events',
operations=[{'path': '/v3/OS-REVOKE/events',
'method': 'GET'}])
'method': 'GET'}])
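Review bot: the unchanged `check_str=base.RULE_SERVICE_OR_ADMIN` line still admits callers holding the `service` role, but the added `scope_types=['system']` means that, once an operator turns on oslo.policy's `enforce_scope`, any service that fetches `/v3/OS-REVOKE/events` with a project-scoped token will be refused rather than merely warned; please confirm that the services consuming this API authenticate with system-scoped tokens, or spell out the required migration in the commit message next to the warning behaviour it already describes. Minor: the NOTE reads "it make sense"; it should be "it makes sense".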