[openstack-dev] [Keystone] Token Verify Role Check

Adam Young ayoung at redhat.com
Thu Nov 3 13:08:02 UTC 2016

There has been a lot of talk about Policy this past summit and release.  
Based on feedback, we've come up with the following spec to address it.


The idea is that we are going to split the role check off from the 
existing policy checks. The role check will happen at token validation 
time.  The existing policy checks will still be executed in the body of 
the code bases where they are now, as they confirm additional attributes 
about the operations and resources.

It is the amalgamation of work by many people, and I've attempted to 
list them all at the bottom.

Comments highly appreciated, either in the review or in this thread.
