tripleo-heat-templates/deployment/aodh
Takashi Kajinami 3b80985e56 Assign project-scoped service role for token validation
When SRBAC is enforced (*1), keystone requires one of the following
conditions for the validate token API.
 1) The user has the service role assigned
 2) The user is a system reader
 3) The user generated the token

When authtoken middleware validates tokens in requests, it uses service
users to call the validate_token API of Keystone. In this case
condition 3 is never met (the token is generated by an external user
while it is validated by the service user used in the API). In addition,
currently all credentials used for authtoken middleware are
project-scoped, not system-scoped, so condition 2 is never met (*2) if
SRBAC is enforced.

This change adds the project-scoped service role to all service
users so that all service users can use the validate_token API even
if SRBAC is enforced. An alternative approach would be to assign
the system-scoped reader role to these users and replace the credentials
for authtoken middleware with system-scoped ones, but we are likely to
need additional considerations to establish a proper design of
system-scoped role assignment.

(*1)
When scope evaluation is enforced (enforce_scope=True) and new rules
are enforced (enforce_new_defaults=True)

(*2)
There are a few exceptions like the nova user which already has
the project-scoped service role to use the service token feature.

Change-Id: I18acd8da7913e2136bfa67c858381ede6c1e3d24
2021-11-25 13:16:14 +09:00
aodh-api-container-puppet.yaml Assign project-scoped service role for token validation 2021-11-25 13:16:14 +09:00
aodh-base.yaml Simplify mysql users creation 2021-09-15 12:23:30 +02:00
aodh-evaluator-container-puppet.yaml Use server side env merging for ServiceNetMap/VipSubnetMap 2021-05-19 10:16:58 +05:30
aodh-listener-container-puppet.yaml Use server side env merging for ServiceNetMap/VipSubnetMap 2021-05-19 10:16:58 +05:30
aodh-notifier-container-puppet.yaml Use server side env merging for ServiceNetMap/VipSubnetMap 2021-05-19 10:16:58 +05:30