AFAIK, that is right we need admin privileges to check validity.<div>Other thing which is surprising, if a service creates a token.. it requires admin privileges to delete that token. I would not expect all services to be aware of admin credentials.</div>
<div><br></div><div><br></div><div>Thanks,</div><div>-Ravi.<br><br><div class="gmail_quote">On Thu, Jun 20, 2013 at 12:36 PM, Janus Godard <span dir="ltr"><<a href="mailto:jgvant@gmail.com" target="_blank">jgvant@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><span style="color:rgb(51,51,51);font-family:Ubuntu,'Bitstream Vera Sans','DejaVu Sans',Tahoma,sans-serif;font-size:12px;line-height:18px">Hi,</span><br>
<div><span style="color:rgb(51,51,51);font-family:Ubuntu,'Bitstream Vera Sans','DejaVu Sans',Tahoma,sans-serif;font-size:12px;line-height:18px"><br>
</span></div><div><span style="color:rgb(51,51,51);font-family:Ubuntu,'Bitstream Vera Sans','DejaVu Sans',Tahoma,sans-serif;font-size:12px;line-height:18px">I'm new to OpenStack. </span><span style="color:rgb(51,51,51);font-family:Ubuntu,'Bitstream Vera Sans','DejaVu Sans',Tahoma,sans-serif;font-size:12px;line-height:18px">I'm looking at deploying two 3rd party services along OpenStack and would like to use Keystone for they authentication mechanism. Service A will authenticate and get a token from keystone and use it for REST requests to service B. Those two services don't use WSGI, just the REST API. Is there a way for service B to validate the token with keystone without having an admin role or the admin token?</span></div>
<div><span style="color:rgb(51,51,51);font-family:Ubuntu,'Bitstream Vera Sans','DejaVu Sans',Tahoma,sans-serif;font-size:12px;line-height:18px"><br></span></div><div><span style="color:rgb(51,51,51);font-family:Ubuntu,'Bitstream Vera Sans','DejaVu Sans',Tahoma,sans-serif;font-size:12px;line-height:18px">Sorry for the noob question. The only thing I found in the doc is the GET method that requires admin permissions:</span></div>
<div><a href="http://docs.openstack.org/api/openstack-identity-service/2.0/content/GET_validateToken_v2.0_tokens__tokenId__Token_Operations.html" target="_blank">http://docs.openstack.org/api/openstack-identity-service/2.0/content/GET_validateToken_v2.0_tokens__tokenId__Token_Operations.html</a><span style="color:rgb(51,51,51);font-family:Ubuntu,'Bitstream Vera Sans','DejaVu Sans',Tahoma,sans-serif;font-size:12px;line-height:18px"><br>
</span></div><div>And from what I read in the compute admin docs the OpenStack services seem to rely on admin credentials or token. </div><div><br></div><div><span style="color:rgb(51,51,51);font-family:Ubuntu,'Bitstream Vera Sans','DejaVu Sans',Tahoma,sans-serif;font-size:12px;line-height:18px">Regards,</span></div>
<div><span style="color:rgb(51,51,51);font-family:Ubuntu,'Bitstream Vera Sans','DejaVu Sans',Tahoma,sans-serif;font-size:12px;line-height:18px"><br></span></div><div><span style="color:rgb(51,51,51);font-family:Ubuntu,'Bitstream Vera Sans','DejaVu Sans',Tahoma,sans-serif;font-size:12px;line-height:18px">Janus</span></div>
<div><span style="color:rgb(51,51,51);font-family:Ubuntu,'Bitstream Vera Sans','DejaVu Sans',Tahoma,sans-serif;font-size:12px;line-height:18px"><br></span></div><div><br></div></div>
<br>_______________________________________________<br>
Mailing list: <a href="https://launchpad.net/~openstack" target="_blank">https://launchpad.net/~openstack</a><br>
Post to : <a href="mailto:openstack@lists.launchpad.net">openstack@lists.launchpad.net</a><br>
Unsubscribe : <a href="https://launchpad.net/~openstack" target="_blank">https://launchpad.net/~openstack</a><br>
More help : <a href="https://help.launchpad.net/ListHelp" target="_blank">https://help.launchpad.net/ListHelp</a><br>
<br></blockquote></div><br><br clear="all"><div><br></div>-- <br>Ravi<br>
</div>