yahoo-eng-team team mailing list archive

Thread
Date

[Bug 1208640] Re: V3 Identity API: Remove unscoped tokens

To: yahoo-eng-team@xxxxxxxxxxxxxxxxxxx
From: Dolph Mathews <1208640@xxxxxxxxxxxxxxxxxx>
Date: Tue, 20 Aug 2013 19:24:27 -0000
Reply-to: Bug 1208640 <1208640@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

** Changed in: keystone
   Importance: Undecided => Wishlist

** Changed in: keystone
       Status: New => Opinion

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1208640

Title:
  V3 Identity API: Remove unscoped tokens

Status in OpenStack Identity (Keystone):
  Opinion

Bug description:
  In V3, unscoped tokens are rare, but still possible.  A caller must
  specify neither a project nor a domain, and the user must not have a
  valid default project.

  I think we should actually remove unscoped tokens entirely in V3, and
  return a domain token if the user does not specify a domain or project
  and has no valid default project.  I don't see what we gain from
  distinguishing between a domain token vs an unscoped user token (which
  implicity has a domain, because a user has a domain).

  In short, currently we fall back to an unscoped token if no domain &
  project is specified and the user does not have a valid default
  project.  That seems to be the only way to get an unscoped token.
  Instead, we should return a domain token.

  This would also ensure compatibility with V2 (filed as a related bug).
  We would essentially be renaming an unscoped token to be a domain
  token.  Unscoped tokens always identified a domain, because every
  token identified a user, and every user identified a domain.

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1208640/+subscriptions