
openstack team mailing list archive

Keystone Validate Token

 

The keystone management API has a validate token method that looks like:
GET /tokens/{tokenId}?belongsTo=tenantId

See <http://docs.openstack.org/incubation/identity-dev-guide/content/Validate_Token-d1e1914.html>

Why is the validate token method in the keystone admin API and not the service API? 

If the requestor has a token, they can act as the user, creating and deleting servers, files, etc., but we've decided to lock down the resource that says when their token expires, their username, and what roles and tenants they have. Why?

