[Openstack] Keystone Validate Token

Ziad Sawalha ziad.sawalha at rackspace.com
Wed Dec 14 01:07:37 UTC 2011

Hi Bryan -

There are a couple of points here:

1. The Service API is a subset of the Admin API. There are calls in the
Admin API that need a token with privileged access to be called. The use
of the Service API is a deployment option, but not a requirement (i.e. You
can run Keystone on one endpoint running the Admin API only).

2. Most of that information you're asking the user may want is available
in the response they get when they authenticate. The validate token is a
"privileged" call which is not required for normal use cases. Especially
given that this is a "bearer" token (i.e. Anyone providing the token has
access to resources), any discovery they can make on a token is risky.


On 12/13/11 5:10 PM, "Bryan Taylor" <btaylor at rackspace.com> wrote:

>The keystone management API has a validate token method that looks like:
>GET /tokens/{tokenId}?belongsTo=tenantId
>Why is the validate token method in the keystone admin API and not the
>service API? 
>If the requestor has a token, they can act as the user, creating and
>deleting servers, files, etc..., but we've decided to lock down the
>resource that says when their token expires, their username, and what
>roles and tenants they have. Why?
>Mailing list: https://launchpad.net/~openstack
>Post to     : openstack at lists.launchpad.net
>Unsubscribe : https://launchpad.net/~openstack
>More help   : https://help.launchpad.net/ListHelp

More information about the Openstack mailing list