authorJoe Gordon <jogo@cloudscaling.com>2013-03-08 15:34:25 -0800
committerJoe Gordon <jogo@cloudscaling.com>2013-05-16 18:45:52 +0000
commit3c3f5dc8973a28fcded50bdb65b7cd77cd772cc6 (patch)
tree4ba4f702a1a454c7d921450041377fa3755d143b /keystone/token
parent96a816f50d2ab9fdf88af4489d51f24188a555a4 (diff)
Move auth_token middleware from admin user to an RBAC policy
Before this patch auth_token middleware required admin user credentials stored in assorted config files. With this patch only non-admin user credentials are needed. The revocation_list and validate_token commands use a policy.json rule, so that these commands are allowed only if you have the service role. Rule used: "service_role": [["role:service"]], "service_or_admin": [["rule:admin_required"], ["rule:service_role"]], Added the policy wrapper on the validate functions. Fixes bug 1153789 Change-Id: I43986e26b16aa5213ad2536a0d07d942bf3dbbbb
Diffstat (limited to 'keystone/token')
-rw-r--r--keystone/token/controllers.py8
1 files changed, 3 insertions, 5 deletions
diff --git a/keystone/token/controllers.py b/keystone/token/controllers.py
index bc62d883..3e2ac670 100644
--- a/keystone/token/controllers.py
+++ b/keystone/token/controllers.py
@@ -456,8 +456,6 @@ class Auth(controller.V2Controller):
Optionally, limited to a token owned by a specific tenant.
"""
- # TODO(termie): this stuff should probably be moved to middleware
- self.assert_admin(context)
data = self.token_api.get_token(context=context,
token_id=token_id)
if belongs_to:
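Review bot: Removing `self.assert_admin(context)` from `_get_token_ref` moves the authorization decision entirely to its callers, so any caller other than the two `@controller.protected` validate methods in this commit must now carry its own policy or admin check or it will read arbitrary tokens without any authorization; the other call sites are not visible from this hunk, so this is an inference to confirm. Record the new contract on the helper so a future caller does not assume it is gated, e.g. `# No authz here: callers must be @controller.protected (or assert_admin) before reading a token.` The helper's signature and docstring begin before the hunk.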
@@ -509,7 +507,7 @@ class Auth(controller.V2Controller):
if project_ref['domain_id'] != DEFAULT_DOMAIN_ID:
raise exception.Unauthorized(msg)
- # admin only
+ @controller.protected
def validate_token_head(self, context, token_id):
"""Check that a token is valid.
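Review bot: `@controller.protected` on `validate_token_head` ties access to whatever policy target the decorator derives and to the deployment's policy.json, and the commit message says the intended rule is `service_or_admin`, but nothing in the method says so; the removed `# admin only` comment at least stated the restriction, and an operator editing policy.json can now silently widen token validation to any authenticated user (or lose it to the policy default) without any signal in this code. Add one line to the docstring naming the expectation, e.g. `Authorization is enforced by policy via @controller.protected; the intended rule is service_or_admin, replacing the former admin-only check.` The docstring continues past the end of the hunk.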
@@ -523,7 +521,7 @@ class Auth(controller.V2Controller):
assert token_ref
self._assert_default_domain(context, token_ref)
- # admin only
+ @controller.protected
def validate_token(self, context, token_id):
"""Check that a token is valid.
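Review bot: `validate_token` now answers to policy.json while the next method visible below, `delete_token`, still uses the hard-coded `self.assert_admin(context)` (see the context line in the following hunk), so the file now mixes two authorization models and a reader cannot tell from the code which was deliberate. Say so in the docstring, e.g. `Access is controlled by policy (@controller.protected), unlike delete_token, which stays admin-only via assert_admin.`, and if `delete_token` is meant to remain hard-coded rather than move to a policy rule, a one-line comment there would stop a later cleanup from changing its access model unnoticed. The docstring continues past the end of the hunk.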
@@ -561,8 +559,8 @@ class Auth(controller.V2Controller):
self.assert_admin(context)
self.token_api.delete_token(context=context, token_id=token_id)
+ @controller.protected
def revocation_list(self, context, auth=None):
- self.assert_admin(context)
tokens = self.token_api.list_revoked_tokens(context)
for t in tokens: