5f093bf5ee
This commit adds a validation step in the auth_token middleware to check for the presence of an access_rules attribute in an application credential token and to validate the request against the permissions granted for that token. During token validation it sends a header to keystone to indicate that it is capable of validating these access rules, and not providing this header for a token like this would result in the token failing validation.

This disregards access rules for a service request made by a service on behalf of a user, such as nova making a request to glance, because such a request is not under the control of the user and is not expected to be explicitly allowed in the access rules.

bp whitelist-extension-for-app-creds

Depends-On: https://review.opendev.org/670377
Change-Id: I185e0541d5df538d74edadf9976b3034a2470c88
- config-generator
- doc
- keystonemiddleware
- releasenotes
- .coveragerc
- .gitignore
- .gitreview
- .stestr.conf
- .zuul.yaml
- CONTRIBUTING.rst
- HACKING.rst
- LICENSE
- README.rst
- babel.cfg
- lower-constraints.txt
- requirements.txt
- setup.cfg
- setup.py
- test-requirements.txt
- tox.ini
README.rst
Team and repository tags
Middleware for the OpenStack Identity API (Keystone)
This package contains middleware modules designed to provide
authentication and authorization features to web services other than
Keystone <https://github.com/openstack/keystone>. The most prominent
module is keystonemiddleware.auth_token. This package does
not expose any CLI or Python API features.
For information on contributing, see CONTRIBUTING.rst.
- License: Apache License, Version 2.0
- Documentation: https://docs.openstack.org/keystonemiddleware/latest/
- Source: https://git.openstack.org/cgit/openstack/keystonemiddleware
- Bugs: https://bugs.launchpad.net/keystonemiddleware
- Release notes: https://docs.openstack.org/releasenotes/keystonemiddleware/
For any other information, refer to the parent project, Keystone: