yahoo-eng-team team mailing list archive
Message #77367
[Bug 1818845] [NEW] The revocation list API doesn't use default roles or proper scope types
Public bug reported:
In Rocky, keystone implemented support to ensure at least three default
roles were available [0]. The revocation list API doesn't incorporate
these defaults into its default policies [1], but it should.
Even though this API isn't really useful without PKI/Z tokens, we should
apply the same default role conventions to it that we use for all other
policies in keystone.
The revocation list policy also allows for project-scoped and system-
scoped tokens. This should probably be a system-only API since it's
dealing with sensitive token revocation information (unless there is a
good reason for project or domain users to fetch this list).
[0] http://specs.openstack.org/openstack/keystone-specs/specs/keystone/rocky/define-default-roles.html
[1] http://git.openstack.org/cgit/openstack/keystone/tree/keystone/common/policies/token_revocation.py?id=6e3f1f6e46787ed4542609c935c13cb85e91d7fc
** Affects: keystone
Importance: Wishlist
Status: Triaged
** Tags: default-roles policy
** Tags added: default-roles policy
** Changed in: keystone
Status: New => Triaged
** Changed in: keystone
Importance: Undecided => Wishlist
** Summary changed:
- The revocation list API doesn't use default roles
+ The revocation list API doesn't use default roles or proper scope types
** Description changed:
In Rocky, keystone implemented support to ensure at least three default
roles were available [0]. The revocation list API doesn't incorporate
these defaults into its default policies [1], but it should.
Even though this API isn't really useful without PKI/Z tokens, we should
apply the same default role conventions to it that we use for all other
policies in keystone.
+ The revocation list policy also allows for project-scoped and system-
+ scoped tokens. This should probably be a system-only API since it's
+ dealing with sensitive token revocation information (unless there is a
+ good reason for project or domain users to fetch this list).
+
[0] http://specs.openstack.org/openstack/keystone-specs/specs/keystone/rocky/define-default-roles.html
[1] http://git.openstack.org/cgit/openstack/keystone/tree/keystone/common/policies/token_revocation.py?id=6e3f1f6e46787ed4542609c935c13cb85e91d7fc
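The scope-type problem the report describes can be seen concretely with a small stand-in for oslo.policy's enforcer. The block below is an added example, not keystone's or oslo.policy's own code: it models only the two mechanisms the bug is about, the rule's `scope_types` list (which token scopes may use the rule at all) and a `check_str` built from the default `admin` role plus `system_scope:all`. The rule names, check strings and token payloads are constructed for illustration, and the "old" rule is a simplified stand-in for the shape of the policy linked at [1], not its literal definition.

```python
"""Minimal model of scope_types enforcement for the revocation list rule.

Added example (not keystone's own code): a tiny stand-in for oslo.policy's
Enforcer, enough to show why a rule that lists scope_types=['system', 'project']
lets a project-scoped admin read the revocation list, while a system-only rule
using the default admin role does not. Rule names, check strings and tokens
below are constructed for illustration.
"""
from dataclasses import dataclass, field


@dataclass
class Rule:
    name: str
    check_str: str
    scope_types: tuple  # token scopes allowed to use this rule at all


@dataclass
class Token:
    roles: set
    system: dict = field(default_factory=dict)   # {'all': True} for system scope
    domain: dict = field(default_factory=dict)
    project: dict = field(default_factory=dict)

    def scope(self):
        """Derive the token's scope the way keystone does: one of these is set."""
        if self.system:
            return "system"
        if self.domain:
            return "domain"
        if self.project:
            return "project"
        return "unscoped"


def _atom(term, token):
    """Evaluate one 'key:value' term for the two kinds used in this example:
    role membership and system scope (a subset of what oslo.policy supports)."""
    kind, _, value = term.partition(":")
    if kind == "role":
        return value in token.roles
    if kind == "system_scope":
        return value == "all" and token.system.get("all") is True
    raise ValueError(f"unsupported check term: {term!r}")


def _check(check_str, token):
    """'or' binds looser than 'and'; parentheses are not needed for these rules."""
    return any(
        all(_atom(t.strip(), token) for t in conj.split(" and "))
        for conj in check_str.split(" or ")
    )


def enforce(rule, token, enforce_scope=True):
    """Return True if the token may perform the action guarded by `rule`.

    Mirrors oslo.policy's behaviour: with enforce_scope=True a token whose
    scope is not listed in rule.scope_types is rejected before check_str is
    even evaluated.
    """
    if enforce_scope and token.scope() not in rule.scope_types:
        return False
    return _check(rule.check_str, token)


# Shape of the rule the bug complains about: admin role required, but both
# system- and project-scoped tokens accepted (constructed stand-in).
OLD_RULE = Rule(
    name="identity:list_revoke_events",
    check_str="role:admin",
    scope_types=("system", "project"),
)

# Shape the report asks for: system-only, expressed with the default admin role
# and a system_scope check inside check_str as well (constructed stand-in).
NEW_RULE = Rule(
    name="identity:list_revoke_events",
    check_str="role:admin and system_scope:all",
    scope_types=("system",),
)

# Constructed sample tokens: the three default roles are implied (admin > member > reader).
SYSTEM_ADMIN = Token(roles={"admin", "member", "reader"}, system={"all": True})
SYSTEM_READER = Token(roles={"reader"}, system={"all": True})
PROJECT_ADMIN = Token(roles={"admin", "member", "reader"}, project={"id": "p1"})


def compare(token):
    """Decision for one token under the old rule and under the new rule."""
    return enforce(OLD_RULE, token), enforce(NEW_RULE, token)


if __name__ == "__main__":
    for label, tok in (("system admin", SYSTEM_ADMIN),
                       ("system reader", SYSTEM_READER),
                       ("project admin", PROJECT_ADMIN)):
        old, new = compare(tok)
        print(f"{label:14} scope={tok.scope():8} old={old!s:5} new={new!s:5}")
```

Running it shows the project-scoped admin passing the old rule and failing the new one, while a system-scoped reader fails both (the default-role convention still requires `admin` here). Keeping `system_scope:all` inside `check_str`, and not only in `scope_types`, matters because a deployment that has not yet turned on scope enforcement skips the `scope_types` filter entirely; the check string then still keeps project-scoped tokens out.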
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1818845