keystone/keystone
Lance Bragstad 092570fc5e Implement system scope and default roles for token API
This commit adds protection testing for the token API along with
changes to default policies to properly consume system-scope and
default roles.

Originally, this work was going to include the ability for project and
domain administrators to validate, check, or revoke tokens within the
context of their authorization (e.g., a domain administrator could
revoke tokens on projects within their domain). This seems like extra
work for not much benefit since we're using bearer tokens. The holder
of the token can do anything with that token, which means they can
validate it or revoke it without using their own token. Adding
project and domain administrator support seems unnecessary given the
existing functionality. If someone comes forward asking for this
functionality, we can re-evaluate the effort. For now, this patch is
limited to system user support, allowing them to validate, check, and
revoke any token in the system. Service users can still validate
tokens on behalf of users. Users can do anything they wish with their
own tokens.

This commit also bumps the minimum version of oslo.log so that we can
use the official TRAIN deprecated release marker.

Change-Id: Ia8b35258b43213bd117df4275c907aac223342b3
Closes-Bug: 1818844
Closes-Bug: 1750676
2019-06-17 15:57:51 +00:00
access_rules_config Add a permissive mode for access rules config 2019-03-03 18:33:49 +01:00
api Merge "Allow an explicit_domain_id parameter when creating a domain" 2019-04-09 22:36:45 +00:00
application_credential Add manager support for app cred access rules 2019-03-04 09:22:21 +01:00
assignment Merge "Remove [token]/ infer_roles" 2019-05-23 07:30:46 +00:00
auth Emit CADF notifications on authentication for invalid users 2018-10-25 17:43:37 -07:00
catalog Region update extra support 2018-11-07 22:57:11 +00:00
cmd Don't throw valueerror on bootstrap 2019-05-23 14:37:11 +00:00
common Implement system scope and default roles for token API 2019-06-17 15:57:51 +00:00
conf Merge "Adds caching of credentials" 2019-05-29 23:32:16 +00:00
credential Adds caching of credentials 2019-05-17 15:04:31 +02:00
endpoint_policy Convert policy API to flask 2018-08-31 07:14:32 +00:00
federation Report correct domain in federated user token 2019-06-06 10:13:01 -04:00
identity Revert "Blacklist bandit 1.6.0" 2019-05-14 21:09:32 +00:00
limit Add domain level support for strict-two-level-model 2019-02-19 11:09:13 +08:00
locale Imported Translations from Zanata 2018-08-09 06:06:59 +00:00
models Add missing ws separator between words 2018-11-19 14:36:40 +08:00
oauth1 Revert "Blacklist bandit 1.6.0" 2019-05-14 21:09:32 +00:00
policy Convert policy API to flask 2018-08-31 07:14:32 +00:00
receipt Change __all__ list to tuple 2018-11-07 16:40:02 -06:00
resource Allow an explicit_domain_id parameter when creating a domain 2019-04-09 16:29:52 +00:00
revoke Remove unused revoke_by_user_and_project 2018-09-14 04:08:01 +00:00
server Fix for werkzeug > 0.15 2019-05-02 00:37:45 +00:00
tests Implement system scope and default roles for token API 2019-06-17 15:57:51 +00:00
token Fix unscoped federated token formatter 2019-04-16 15:35:39 -07:00
trust Move redelegation fields out of extras 2019-04-12 20:27:34 -07:00
__init__.py Revert "Disable eventlet monkey-patching of DNS" 2013-05-10 10:24:48 -04:00
exception.py Merge "Allow an explicit_domain_id parameter when creating a domain" 2019-04-09 22:36:45 +00:00
i18n.py Update links in keystone 2017-09-12 15:18:13 +08:00
notifications.py Revert "Blacklist bandit 1.6.0" 2019-05-14 21:09:32 +00:00
version.py bump Keystone version for Stein 2019-01-22 15:34:06 +13:00