[openstack-dev] [Keystone] keystoneclient and project-less v3 tokens
Roman Bodnarchuk
roman.bodnarchuk at indigitus.ch
Thu Apr 17 16:58:55 UTC 2014
Hello,
I am trying to make sure that a user can't do anything useful with an
unscoped token, and got to the following code in
keystoneclient.middleware.auth_token:
    if _token_is_v2(token_info) and not auth_ref.project_id:
        raise InvalidUserToken('Unable to determine tenancy.')
This check is performed on every request, and successfully forbids any
request authenticated by a project-less token. But only for v2 tokens!
In case the service is using v3 of the Keystone API, the request successfully
passes the auth_token middleware filter, and it becomes the task of each
specific service to handle the unscopedness of the passed token.
While Nova seems to be handling this well (based on several tests I
made), I was able to fetch a list of available images from Glance using
a token of a project-less user.
Is this a desired behavior of keystoneclient?
Why do we check the existence of project_id only for v2 tokens?
Thanks,
Roman
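The gap described above is that the middleware's tenancy check keys on the token format rather than on the scope itself. The following is an added illustration, not keystoneclient's own code: a version-independent scope check that inspects the token body for both formats (v2 bodies wrapped in "access" with the tenant under "access.token.tenant"; v3 bodies wrapped in "token" with "project" or "domain" at the top level) and rejects anything that is not project-scoped, so that a v3 unscoped or domain-scoped token is refused the same way a v2 project-less token is. The function names and the sample token bodies are constructed for this example.

```python
"""Version-independent project-scope check for Keystone token bodies.

Added example, not keystoneclient code. Assumes the documented shapes:
  v2: {"access": {"token": {"tenant": {"id": ...}}, ...}}
  v3: {"token": {"project": {"id": ...}} | {"domain": {...}} | neither}
"""


class InvalidUserToken(Exception):
    """Raised when a token cannot be tied to a project (hypothetical)."""


def token_is_v2(token_info):
    # v2 validation responses are wrapped in "access", v3 ones in "token"
    return "access" in token_info


def scope_kind(token_info):
    """Classify a token body as 'project', 'domain' or 'unscoped'.

    v2 only knows project (tenant) scope; v3 adds domain scope and
    unscoped tokens, which a v2-only check never has to consider.
    """
    if token_is_v2(token_info):
        tenant = token_info.get("access", {}).get("token", {}).get("tenant")
        return "project" if tenant and tenant.get("id") else "unscoped"
    body = token_info.get("token", {})
    if body.get("project", {}).get("id"):
        return "project"
    if body.get("domain", {}).get("id"):
        return "domain"
    return "unscoped"


def project_id_from_token(token_info):
    """Return the project id the token is scoped to, or None."""
    if scope_kind(token_info) != "project":
        return None
    if token_is_v2(token_info):
        return token_info["access"]["token"]["tenant"]["id"]
    return token_info["token"]["project"]["id"]


def require_project_scope(token_info):
    """Reject any token, regardless of version, that has no project scope."""
    project_id = project_id_from_token(token_info)
    if not project_id:
        raise InvalidUserToken("Unable to determine tenancy.")
    return project_id


def check(token_info):
    """Convenience wrapper: project id if accepted, None if rejected."""
    try:
        return require_project_scope(token_info)
    except InvalidUserToken:
        return None


# Constructed sample token bodies (not real Keystone output).
V2_SCOPED = {"access": {"token": {"id": "tok-v2", "tenant": {"id": "proj-1"}},
                        "user": {"id": "u1"}}}
V2_UNSCOPED = {"access": {"token": {"id": "tok-v2u"}, "user": {"id": "u1"}}}
V3_SCOPED = {"token": {"project": {"id": "proj-1", "domain": {"id": "default"}},
                       "user": {"id": "u1"}}}
V3_DOMAIN = {"token": {"domain": {"id": "default"}, "user": {"id": "u1"}}}
V3_UNSCOPED = {"token": {"user": {"id": "u1"}}}

SAMPLES = [("v2 scoped", V2_SCOPED), ("v2 unscoped", V2_UNSCOPED),
           ("v3 scoped", V3_SCOPED), ("v3 domain", V3_DOMAIN),
           ("v3 unscoped", V3_UNSCOPED)]

if __name__ == "__main__":
    for name, body in SAMPLES:
        print("%-12s scope=%-9s accepted=%s" % (name, scope_kind(body), check(body)))
```

Only the two project-scoped bodies pass; both unscoped bodies and the v3 domain-scoped body are refused with the same InvalidUserToken the v2 branch raises today, which is the behaviour the message is asking the middleware to provide for v3.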