When SRBAC is enforced(*1), keystone requires one of the following
conditions for the validate token API.
1) The user has the service role assigned
2) The user is a system reader
3) The user generated the token
When authtoken middleware validates tokens in requests, it uses service
users to call the validate_token API of Keystone. In this case
condition 3 is never met (the token is generated by an external user
while it is validated by the service user used in the API). In addition,
currently all credentials used for authtoken middleware are
project-scoped, not system-scoped, so condition 2 is never met(*2) if
SRBAC is enforced.
This change adds the project-scoped service role to all service
users so that all service users can use the validate_token API even
if SRBAC is enforced. An alternative approach would be to assign
the system-scoped reader role to these users and replace the credentials
for authtoken middleware with system-scoped ones, but we are likely to
need additional considerations to establish a proper design of
system-scoped role assignment.
(*1)
When scope evaluation is enforced (enforce_scope=True) and new rules
are enforced (enforce_new_defaults=True)
(*2)
There are a few exceptions like the nova user which already has
the project-scoped service role to use the service token feature.
Change-Id: I18acd8da7913e2136bfa67c858381ede6c1e3d24
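The three conditions above, as an added example that is not part of this commit or of keystone's code. The check strings mirror keystone's documented defaults for identity:validate_token under enforce_new_defaults=True (a recollection, treated as an assumption here), while the evaluator is a deliberately minimal stand-in for oslo.policy that only understands `and`/`or` without parentheses. User ids, project ids and role sets are constructed; the "glance-svc" and "ops" users are hypothetical.

```python
"""Minimal policy evaluator showing why a project-scoped service user
without the service role is denied on identity:validate_token.

Added example; not keystone's or this project's code. RULES mirrors the
keystone defaults as recalled by the editor (assumption), and the
evaluator is a toy replacement for oslo.policy."""

# Check strings as keystone defines them with the new defaults (assumed).
RULES = {
    "system_reader": "role:reader and system_scope:all",
    "service_role": "role:service",
    "token_subject": "user_id:%(target.token.user_id)s",
    "identity:validate_token": (
        "rule:system_reader or rule:service_role or rule:token_subject"
    ),
}


def _atom(atom, creds, target):
    """Evaluate one `kind:value` atom against credentials and target."""
    kind, _, value = atom.partition(":")
    if kind == "rule":
        return _check(RULES[value], creds, target)
    # `%(key)s` substitutes a value from the target being acted on.
    if value.startswith("%(") and value.endswith(")s"):
        value = target.get(value[2:-2])
    if kind == "role":
        return value in creds.get("roles", ())
    # Generic attribute match, e.g. system_scope:all or user_id:<id>.
    # Project-scoped credentials carry no system_scope, so that atom fails.
    return creds.get(kind) == value


def _check(expr, creds, target):
    """Disjunction of conjunctions; no parentheses supported (toy)."""
    return any(
        all(_atom(a.strip(), creds, target) for a in conj.split(" and "))
        for conj in expr.split(" or ")
    )


def enforce(rule_name, creds, target):
    """Return True if `creds` may perform `rule_name` on `target`."""
    return _check(RULES[rule_name], creds, target)


def validate_token_scenarios():
    """Constructed scenarios: who may validate a token issued to alice."""
    target = {"target.token.user_id": "alice-id"}  # constructed token

    # Pre-change service user: project-scoped, admin in the service
    # project, but no service role (hypothetical user "glance-svc").
    project_service = {
        "user_id": "glance-svc", "roles": ["admin"],
        "project_id": "services-pid",
    }
    # Post-change: same credentials plus the project-scoped service role.
    with_service_role = {**project_service, "roles": ["admin", "service"]}
    # The alternative discussed in the commit: a system-scoped reader.
    system_reader = {"user_id": "ops", "roles": ["reader"],
                     "system_scope": "all"}
    # The token subject validating their own token.
    alice = {"user_id": "alice-id", "roles": ["member"],
             "project_id": "p1"}

    return {
        name: enforce("identity:validate_token", creds, target)
        for name, creds in [
            ("project_service", project_service),
            ("with_service_role", with_service_role),
            ("system_reader", system_reader),
            ("token_subject", alice),
        ]
    }


if __name__ == "__main__":
    for name, allowed in validate_token_scenarios().items():
        print(f"{name:18s} -> {'allowed' if allowed else 'denied'}")
```

Only the first scenario is denied: the project-scoped service user is neither the token subject nor system-scoped, which is exactly the gap the service role assignment closes.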