openstack team mailing list archive

[Alexey Ababilov <aababilov@xxxxxxxxxxxxxxxx>]

Hi!

Currently, user can obtain information about his rights (roles, tenants,
endpoints) only saving response to POST /tokens query. If you are a
non-privileged user, have a token, and haven't saved the mentioned
response, you cannot know your rights - you have to make another POST
/tokens query and retrieve a new token.

However, if you are a keystone admin, you can GET /tokens/{token_id} and
retrieve extended information for token of any user.

Is it a security measure? Would it be acceptable if an ordinary user were
allowed to get his token data in any moment? There could be a GET
/tokens/{token_id} call that returns data for valid token_id or signals
that it is invalid.

-- 
Alessio Ababilov
Software Engineer
Grid Dynamics