openstack team mailing list archive

Allow keystone users to know their rights

 

Hi!

Currently, a user can obtain information about his rights (roles, tenants,
endpoints) only by saving the response to a POST /tokens query. If you are a
non-privileged user, have a token, and haven't saved the mentioned
response, you cannot know your rights - you have to make another POST
/tokens query and retrieve a new token.

However, if you are a keystone admin, you can GET /tokens/{token_id} and
retrieve extended information for the token of any user.

Is it a security measure? Would it be acceptable if an ordinary user were
allowed to get his token data at any moment? There could be a GET
/tokens/{token_id} call that returns data for a valid token_id or signals
that it is invalid.

-- 
Alessio Ababilov
Software Engineer
Grid Dynamics
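
One way the access rule for the proposed GET /tokens/{token_id} call could be enforced, as an added example that is not part of the original message and is not Keystone's code. The in-memory token store, the field names, the `admin` role check and the HTTP status codes are assumptions made for illustration.

```python
import hmac
import time

# Constructed token store standing in for the identity service's backend.
TOKENS = {
    "tok-alice": {"user": "alice", "roles": ["member"], "tenant": "demo",
                  "expires": 2_000_000_000},
    "tok-admin": {"user": "root", "roles": ["admin"], "tenant": "admin",
                  "expires": 2_000_000_000},
    "tok-old": {"user": "bob", "roles": ["member"], "tenant": "demo",
                "expires": 1_000_000_000},
}


def _lookup(token_id, now):
    """Return the token record if it exists and has not expired, else None."""
    record = TOKENS.get(token_id)
    if record is None or record["expires"] <= now:
        return None
    return record


def get_token(auth_token, token_id, now=None):
    """Decide the response to GET /tokens/{token_id} (hypothetical handler).

    auth_token is the caller's own token; token_id is the one being queried.
    Returns a (status, body) pair.
    """
    now = time.time() if now is None else now
    caller = _lookup(auth_token, now)
    if caller is None:
        return 401, None  # caller's credential is missing, unknown or expired

    # Constant-time comparison of the two token strings.
    is_self = hmac.compare_digest(auth_token.encode(), token_id.encode())
    if not is_self and "admin" not in caller["roles"]:
        # Same answer whether or not token_id exists, so an ordinary user
        # cannot use this call to test guesses at other users' tokens.
        return 403, None

    target = caller if is_self else _lookup(token_id, now)
    if target is None:
        return 404, None  # admin asked about an invalid or expired token
    return 200, {k: target[k] for k in ("user", "roles", "tenant", "expires")}
```
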