yahoo-eng-team team mailing list archive
Message #04227
[Bug 1208639] Re: V3 Identity API: Unscoped V2 tokens should be treated as domain-scoped tokens
This implies that a v2 API user must have v3 domain-level authorization.
> if the server is V3 enabled and requires a domain token, there is no
> way for a V2 client to get a domain token
correct
> when a V2 server requires a domain token
a v2-aware service would have no knowledge of domains, anyway
> when a V2 server requires a domain token, it presumably wants a token
> that is not bound to a particular project; that is exactly what an
> unscoped token is in V2
a domain-scoped token is a completely discrete concept from a project-
scoped token, so this expectation would be invalid. further, unscoped
tokens in v2 are analogous to unscoped token in v3, not to any other
scoping concept in v3
** Changed in: keystone
Importance: Undecided => Wishlist
** Changed in: keystone
Status: New => Opinion
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1208639
Title: V3 Identity API: Unscoped V2 tokens should be treated as domain-scoped tokens
Status in OpenStack Identity (Keystone): Opinion
Bug description:
In the V2 API, there were I believe two types of token - an unscoped
token and a token scoped to a project.
V3 adds a token scoped to a domain, and essentially makes it
incredibly unlikely that an unscoped token will ever be returned (a
user must not have a default project or must not have access to their
default project).
When using the V2 API for authentication, I think that we should
return a domain token when no project is specified, instead of an
unscoped token (a V2 caller wouldn't be able to tell the difference).
That seems to maximize compatibility. Otherwise if the server is V3
enabled and requires a domain token, there is no way for a V2 client
to get a domain token. Conversely, when a V2 server requires a domain
token, it presumably wants a token that is not bound to a particular
project; that is exactly what an unscoped token is in V2.
To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1208639/+subscriptions
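The distinction the reply draws (unscoped, project-scoped and domain-scoped are three discrete scopes, and V2 can only express the first two) can be made concrete with a small scope classifier. This is an added example, not Keystone's own code; the token bodies are constructed samples that follow the public V2 (`access.token`, optional `tenant`) and V3 (`token`, optional `project` or `domain`) response layouts, and the `authorize` policy check is a hypothetical helper written for this illustration.

```python
"""Classify Keystone tokens by scope and show why an unscoped token must
not be accepted where domain scope is required.

Added example, not Keystone code. All token dicts below are constructed
samples that mirror the documented V2 and V3 token response layouts.
"""


def v3_scope(token_body: dict) -> str:
    """Return 'project', 'domain' or 'unscoped' for a V3 token response.

    In V3 a scoped token carries exactly one of the keys 'project' or
    'domain' inside the 'token' object; an unscoped token carries neither.
    """
    tok = token_body["token"]
    has_project = "project" in tok
    has_domain = "domain" in tok
    if has_project and has_domain:
        # Malformed: a token cannot be scoped to both at once.
        raise ValueError("token claims both project and domain scope")
    if has_project:
        return "project"
    if has_domain:
        return "domain"
    return "unscoped"


def v2_scope(token_body: dict) -> str:
    """Return 'project' or 'unscoped' for a V2 token response.

    V2 has no notion of domains, so 'domain' can never be returned here:
    the only scope a V2 response can express is a tenant (project).
    """
    tok = token_body["access"]["token"]
    return "project" if "tenant" in tok else "unscoped"


def authorize(scope: str, required_scope: str) -> bool:
    """Hypothetical policy check: the token's scope must match exactly.

    Scopes are discrete, so an unscoped token satisfies neither a domain
    nor a project requirement, and a project token never stands in for a
    domain token.
    """
    return scope == required_scope


# --- constructed sample responses -----------------------------------------
V3_UNSCOPED = {"token": {"methods": ["password"],
                         "user": {"id": "u1", "name": "alice"}}}

V3_DOMAIN = {"token": {"methods": ["password"],
                       "user": {"id": "u1", "name": "alice"},
                       "domain": {"id": "d1", "name": "example-domain"},
                       "roles": [{"id": "r1", "name": "admin"}]}}

V3_PROJECT = {"token": {"methods": ["password"],
                        "user": {"id": "u1", "name": "alice"},
                        "project": {"id": "p1", "name": "demo",
                                    "domain": {"id": "d1"}},
                        "roles": [{"id": "r2", "name": "member"}]}}

V2_UNSCOPED = {"access": {"token": {"id": "tok-unscoped-sample",
                                    "expires": "2013-08-06T00:00:00Z"},
                          "user": {"id": "u1", "name": "alice"}}}

V2_PROJECT = {"access": {"token": {"id": "tok-project-sample",
                                   "expires": "2013-08-06T00:00:00Z",
                                   "tenant": {"id": "p1", "name": "demo"}},
                         "user": {"id": "u1", "name": "alice"}}}


def demo() -> dict:
    """Evaluate each sample against a domain-scope requirement."""
    results = {
        "v3_unscoped": authorize(v3_scope(V3_UNSCOPED), "domain"),
        "v3_domain": authorize(v3_scope(V3_DOMAIN), "domain"),
        "v3_project": authorize(v3_scope(V3_PROJECT), "domain"),
        "v2_unscoped": authorize(v2_scope(V2_UNSCOPED), "domain"),
        "v2_project": authorize(v2_scope(V2_PROJECT), "domain"),
    }
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:12s} domain-scope requirement satisfied: {ok}")
```

Only the genuinely domain-scoped V3 token passes the domain check; both V2 samples fail because a V2 response has no field in which domain scope could even be expressed. Silently relabelling a V2 unscoped token as domain-scoped, as the bug proposes, would turn the `v2_unscoped` result into `True` without any domain-level authorization having been evaluated, which is the objection raised in the reply.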