openstack team mailing list archive

Thread
Date

Re: [keystone] How to validate token without admin privileges

To: Janus Godard <jgvant@xxxxxxxxx>
From: Ravi Chunduru <ravivsn@xxxxxxxxx>
Date: Thu, 20 Jun 2013 13:04:09 -0700
Cc: openstack@xxxxxxxxxxxxxxxxxxx
In-reply-to: <CAH9bpLgTTsqfi+6NXz9gymaNvtJMFOR4O9WxK+JK3r2vSmkTtw@mail.gmail.com>

AFAIK, that is right we need admin privileges to check validity.
Other thing which is surprising, if a service creates a token.. it requires
admin privileges to delete that token. I would not expect all services to
be aware of admin credentials.


Thanks,
-Ravi.

On Thu, Jun 20, 2013 at 12:36 PM, Janus Godard <jgvant@xxxxxxxxx> wrote:

> Hi,
>
> I'm new to OpenStack. I'm looking at deploying two 3rd party services
> along OpenStack and would like to use Keystone for they authentication
> mechanism. Service A will authenticate and get a token from keystone and
> use it for REST requests to service B. Those two services don't use WSGI,
> just the REST API. Is there a way for service B to validate the token with
> keystone without having an admin role or the admin token?
>
> Sorry for the noob question. The only thing I found in the doc is the GET
> method that requires admin permissions:
>
> http://docs.openstack.org/api/openstack-identity-service/2.0/content/GET_validateToken_v2.0_tokens__tokenId__Token_Operations.html
> And from what I read in the compute admin docs the OpenStack services seem
> to rely on admin credentials or token.
>
> Regards,
>
> Janus
>
>
>
> _______________________________________________
> Mailing list: https://launchpad.net/~openstack
> Post to     : openstack@xxxxxxxxxxxxxxxxxxx
> Unsubscribe : https://launchpad.net/~openstack
> More help   : https://help.launchpad.net/ListHelp
>
>


-- 
Ravi

References

[keystone] How to validate token without admin privileges
From: Janus Godard, 2013-06-20