openstack team mailing list archive

Re: [keystone] How to validate token without admin privileges

Thanks Ravi and Haitao.

The only workaround I found is to create a new token from the one I
want to validate with:

curl -X POST -d '{ "auth":{ "token":{ "id":"non-admin-token" }, "tenantName":"testproject" }}' \
  -H "Content-Type:application/json" -H "Accept: application/json" \
  http://localhost:5000/v2.0/tokens | python -mjson.tool

But since it keeps creating tokens, it could spam the db if there were
a lot of requests, and it requires knowing the tenant name if one wants
to get the roles in the response.

On Thu, Jun 20, 2013 at 4:05 PM, Haitao Jiang <jianghaitao@xxxxxxxxx> wrote:
> Janus
>
> I think you can use curl and Keystone API to validate your token:
>
> curl -s -H "X-Auth-Token: <your token>" http://<keystone>:5000/v2.0 |
> python -mjson.tool
>
> I think you can also validate the token against a tenant by using belongsTo.
>
> Maybe there are better ways.
>
> Best
>
> Haitao
>
> On Thu, Jun 20, 2013 at 12:36 PM, Janus Godard <jgvant@xxxxxxxxx> wrote:
>> Hi,
>>
>> I'm new to OpenStack. I'm looking at deploying two 3rd party services along
>> OpenStack and would like to use Keystone for their authentication mechanism.
>> Service A will authenticate and get a token from keystone and use it for
>> REST requests to service B. Those two services don't use WSGI, just the REST
>> API. Is there a way for service B to validate the token with keystone
>> without having an admin role or the admin token?
>>
>> Sorry for the noob question. The only thing I found in the doc is the GET
>> method that requires admin permissions:
>> http://docs.openstack.org/api/openstack-identity-service/2.0/content/GET_validateToken_v2.0_tokens__tokenId__Token_Operations.html
>> And from what I read in the compute admin docs the OpenStack services seem
>> to rely on admin credentials or token.
>>
>> Regards,
>>
>> Janus
>>
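
An added example, not part of the original thread: the re-scoping workaround from the top message wrapped for service B, extended with a short-lived cache so repeated requests carrying the same token do not make Keystone issue a new token each time. `TokenValidator`, `http_post_json` and `max_ttl` are hypothetical names, and the code assumes the Keystone v2.0 reply carries `access.token.expires` and `access.user.roles`.

```python
import hashlib
import json
import time
import urllib.request
from calendar import timegm

KEYSTONE_TOKENS_URL = "http://localhost:5000/v2.0/tokens"  # endpoint from the post

def http_post_json(url, body):
    """POST a JSON body and return the decoded JSON reply (raises on HTTP errors)."""
    req = urllib.request.Request(
        url, data=json.dumps(body).encode(),
        headers={"Content-Type": "application/json", "Accept": "application/json"})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return json.load(resp)

class TokenValidator:
    """Hypothetical helper for service B: validate by re-scoping, cache the verdict."""

    def __init__(self, tenant_name, post=http_post_json, now=time.time, max_ttl=300):
        self.tenant_name, self.post, self.now = tenant_name, post, now
        self.max_ttl = max_ttl   # assumed bound (seconds) on how stale a verdict may get
        self.cache = {}          # sha256(token) -> (cache_until_epoch, roles)

    def validate(self, token_id):
        """Return the sorted role names for token_id, or None if it is rejected."""
        key = hashlib.sha256(token_id.encode()).hexdigest()  # raw tokens never used as keys
        hit = self.cache.get(key)
        if hit and hit[0] > self.now():
            return hit[1]        # served from cache: no new token issued by Keystone
        body = {"auth": {"token": {"id": token_id}, "tenantName": self.tenant_name}}
        try:
            access = self.post(KEYSTONE_TOKENS_URL, body)["access"]
            # "expires" is ISO 8601 UTC, e.g. 2013-06-21T16:05:00Z
            expires = timegm(time.strptime(access["token"]["expires"][:19],
                                           "%Y-%m-%dT%H:%M:%S"))
            roles = sorted(r["name"] for r in access["user"]["roles"])
        except Exception:
            return None          # fail closed on 401, network errors, malformed replies
        self.cache[key] = (min(expires, self.now() + self.max_ttl), roles)
        return roles
```

A cached verdict can outlive a revocation by up to `max_ttl` seconds, so that value is the trade-off between load on Keystone and how quickly a revoked token stops being accepted.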

