yahoo-eng-team team mailing list archive

Thread
Date

[Bug 1814570] [NEW] Tokenless auth does not support system scope

To: yahoo-eng-team@xxxxxxxxxxxxxxxxxxx
From: Guang Yee <1814570@xxxxxxxxxxxxxxxxxx>
Date: Mon, 04 Feb 2019 17:42:37 -0000
Reply-to: Bug 1814570 <1814570@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

Public bug reported:

One of the most useful features of X.509 tokenless is to enable services
to validate user tokens without having to obtain a service auth token.
However, with the migration to system scope, this feature is effectively
broken as the default policies had been updated to require a system-
scoped token for these operations. We'll need to update the X.509
tokenless feature to support system-scoped token. Perhaps this can also
be done by using a new header to convey the system scope intention?

** Affects: keystone
     Importance: Undecided
         Status: New


** Tags: x509

** Tags added: x509

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1814570

Title:
  Tokenless auth does not support system scope

Status in OpenStack Identity (keystone):
  New

Bug description:
  One of the most useful features of X.509 tokenless is to enable
  services to validate user tokens without having to obtain a service
  auth token. However, with the migration to system scope, this feature
  is effectively broken as the default policies had been updated to
  require a system-scoped token for these operations. We'll need to
  update the X.509 tokenless feature to support system-scoped token.
  Perhaps this can also be done by using a new header to convey the
  system scope intention?

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1814570/+subscriptions