openstack team mailing list archive

[Adam Young <ayoung@xxxxxxxxxx>]

We are moving to an RBAC system for enforcing access to the APIs.  So, 
where as in the past we enforced "is admin" when checking a token, in 
the future, you can specify your own policy rule.

PKI based Tokens  can be verified without talking to Keystone. See the 
auth_token middleware and cms.py files in python-keystoneclient to see 
how that is done.


On 06/20/2013 04:36 PM, Janus Godard wrote:
> Thanks Ravi and Haitao.
>
> The only workaround I found is to create a new token from the one I
> want to validate with:
>
> curl -X POST -d '{ "auth":{ "token":{ "id":"non-admin-token" },
> "tenantName":"testproject" }}' -H "Content-Type:application/json" -H
> "Accept: application/json" http://localhost:5000/v2.0/tokens | python
> -mjson.tool
>
> But since it keeps creating tokens it could spam the db if there were
> a lot of requests and it requires knowing the tenant name if one wants
> to get the roles in the response.
>
> On Thu, Jun 20, 2013 at 4:05 PM, Haitao Jiang <jianghaitao@xxxxxxxxx> wrote:
> > Janus
> >
> > I think you can use curl and Keystone API to validate your token:
> >
> > curl -s -H "X-Auth-Token: <your token>" http://<keystone>:5000/v2.0 |
> > python -mjson.tool
> >
> > I think you can also validate the token against a tenant by using belongsTo.
> >
> > Maybe there are better ways.
> >
> > Best
> >
> > Haitao
> >
> > On Thu, Jun 20, 2013 at 12:36 PM, Janus Godard <jgvant@xxxxxxxxx> wrote:
> > > Hi,
> > >
> > > I'm new to OpenStack. I'm looking at deploying two 3rd party services along
> > > OpenStack and would like to use Keystone for they authentication mechanism.
> > > Service A will authenticate and get a token from keystone and use it for
> > > REST requests to service B. Those two services don't use WSGI, just the REST
> > > API. Is there a way for service B to validate the token with keystone
> > > without having an admin role or the admin token?
> > >
> > > Sorry for the noob question. The only thing I found in the doc is the GET
> > > method that requires admin permissions:
> > > http://docs.openstack.org/api/openstack-identity-service/2.0/content/GET_validateToken_v2.0_tokens__tokenId__Token_Operations.html
> > > And from what I read in the compute admin docs the OpenStack services seem
> > > to rely on admin credentials or token.
> > >
> > > Regards,
> > >
> > > Janus
> > >
> > >
> > >
> > > _______________________________________________
> > > Mailing list: https://launchpad.net/~openstack
> > > Post to     : openstack@xxxxxxxxxxxxxxxxxxx
> > > Unsubscribe : https://launchpad.net/~openstack
> > > More help   : https://help.launchpad.net/ListHelp
> _______________________________________________
> Mailing list: https://launchpad.net/~openstack
> Post to     : openstack@xxxxxxxxxxxxxxxxxxx
> Unsubscribe : https://launchpad.net/~openstack
> More help   : https://help.launchpad.net/ListHelp