092570fc5e
This commit adds protection testing for the token API along with changes to default policies to properly consume system-scope and default roles. Originally, this work was going to include the ability for project and domain administrator to validate, check, or revoke tokens within the context of their authorization (e.g., a domain administrator could revoke tokens on projects within their domain). This seems like extra work for not much benefit since we're using bearer tokens. The holder of the token can do anything with that token, which means they can validate it or revoke it without using their own token. Adding project and domain administrator support seems unnecessary given the existing functionality. If someone comes forward asking for this functionality, we can re-evaluate the effort. For now, this patch is limited to system user support, allowing them to validate, check, and revoke any token in the system. Service users can still validate tokens on behalf of users. Users can do anything they wish with their own tokens. This commit also bumps the minimum version of oslo.log so that we can use the official TRAIN deprecated release marker. Change-Id: Ia8b35258b43213bd117df4275c907aac223342b3 Closes-Bug: 1818844 Closes-Bug: 1750676
36 lines
1.8 KiB
YAML
36 lines
1.8 KiB
YAML
---
|
|
features:
|
|
- |
|
|
[`bug 1750676 <https://bugs.launchpad.net/keystone/+bug/1750676>`_]
|
|
[`bug 1818844 <https://bugs.launchpad.net/keystone/+bug/1818844>`_]
|
|
The token API now supports the ``admin``, ``member``, and ``reader``
|
|
default roles.
|
|
upgrade:
|
|
- |
|
|
[`bug 1750676 <https://bugs.launchpad.net/keystone/+bug/1750676>`_]
|
|
[`bug 1818844 <https://bugs.launchpad.net/keystone/+bug/1818844>`_]
|
|
The token API uses new default policies that make it easier for system
|
|
users to delegate functionality in a secure way. Please consider the new
|
|
policies if your deployment overrides the token policies.
|
|
deprecations:
|
|
- |
|
|
[`bug 1750676 <https://bugs.launchpad.net/keystone/+bug/1750676>`_]
|
|
[`bug 1818844 <https://bugs.launchpad.net/keystone/+bug/1818844>`_]
|
|
The ``identity:check_token`` policy now uses ``(role:reader and
|
|
system_scope:all) or rule:token_subject`` instead of ``rule:admin_required
|
|
or rule:token_subject``. The ``identity:validate_token`` policy now uses
|
|
``(role:reader and system_scope:all) or rule:service_role or
|
|
rule:token_subject`` instead or ``rule:service_or_admin or
|
|
rule:token_subject``. The ``identity:revoke_token`` policy now uses
|
|
``(role:admin and system_scope:all) or rule:token_subject`` instead of
|
|
``rule:admin_or_token_subject``. These new defaults automatically account
|
|
for a read-only role by default and allow more granular access to the API.
|
|
Please consider these new defaults if your deployment overrides the token
|
|
policies.
|
|
security:
|
|
- |
|
|
[`bug 1750676 <https://bugs.launchpad.net/keystone/+bug/1750676>`_]
|
|
[`bug 1818844 <https://bugs.launchpad.net/keystone/+bug/1818844>`_]
|
|
The token API now uses system-scope and default roles properly to provide
|
|
more granular access to the token API.
|