5f093bf5ee
This commit adds a validation step in the auth_token middleware to check for the presence of an access_rules attribute in an application credential token and to validate the request against the permissions granted for that token. During token validation it sends a header to keystone to indicate that it is capable of validating these access rules, and not providing this header for a token like this would result in the token failing validation. This disregards access rules for a service request made by a service on behalf of a user, such as nova making a request to glance, because such a request is not under the control of the user and is not expected to be explicitly allowed in the access rules. bp whitelist-extension-for-app-creds Depends-On: https://review.opendev.org/670377 Change-Id: I185e0541d5df538d74edadf9976b3034a2470c88 |
||
|---|---|---|
| .. | ||
| audit | ||
| auth_token | ||
| __init__.py | ||
| client_fixtures.py | ||
| test_access_rules.py | ||
| test_ec2_token_middleware.py | ||
| test_entry_points.py | ||
| test_fixtures.py | ||
| test_opts.py | ||
| test_s3_token_middleware.py | ||
| utils.py | ||