[Openstack] [keystone] How to validate token without admin privileges

Adam Young ayoung at redhat.com
Fri Jun 21 01:47:00 UTC 2013


We are moving to an RBAC system for enforcing access to the APIs.  So, 
whereas in the past we enforced "is admin" when checking a token, in 
the future you can specify your own policy rule.

PKI-based tokens can be verified without talking to Keystone. See the 
auth_token middleware and cms.py files in python-keystoneclient to see 
how that is done.


On 06/20/2013 04:36 PM, Janus Godard wrote:
> Thanks Ravi and Haitao.
>
> The only workaround I found is to create a new token from the one I
> want to validate with:
>
> curl -X POST -d '{ "auth":{ "token":{ "id":"non-admin-token" },
> "tenantName":"testproject" }}' -H "Content-Type:application/json" -H
> "Accept: application/json" http://localhost:5000/v2.0/tokens | python
> -mjson.tool
>
> But since it keeps creating tokens it could spam the db if there were
> a lot of requests and it requires knowing the tenant name if one wants
> to get the roles in the response.
>
> On Thu, Jun 20, 2013 at 4:05 PM, Haitao Jiang <jianghaitao at gmail.com> wrote:
>> Janus
>>
>> I think you can use curl and Keystone API to validate your token:
>>
>> curl -s -H "X-Auth-Token: <your token>" http://<keystone>:5000/v2.0 |
>> python -mjson.tool
>>
>> I think you can also validate the token against a tenant by using belongsTo.
>>
>> Maybe there are better ways.
>>
>> Best
>>
>> Haitao
>>
>> On Thu, Jun 20, 2013 at 12:36 PM, Janus Godard <jgvant at gmail.com> wrote:
>>> Hi,
>>>
>>> I'm new to OpenStack. I'm looking at deploying two 3rd party services along
>>> OpenStack and would like to use Keystone for their authentication mechanism.
>>> Service A will authenticate and get a token from keystone and use it for
>>> REST requests to service B. Those two services don't use WSGI, just the REST
>>> API. Is there a way for service B to validate the token with keystone
>>> without having an admin role or the admin token?
>>>
>>> Sorry for the noob question. The only thing I found in the doc is the GET
>>> method that requires admin permissions:
>>> http://docs.openstack.org/api/openstack-identity-service/2.0/content/GET_validateToken_v2.0_tokens__tokenId__Token_Operations.html
>>> And from what I read in the compute admin docs the OpenStack services seem
>>> to rely on admin credentials or token.
>>>
>>> Regards,
>>>
>>> Janus
>>>
>>>
>>>
>>> _______________________________________________
>>> Mailing list: https://launchpad.net/~openstack
>>> Post to     : openstack at lists.launchpad.net
>>> Unsubscribe : https://launchpad.net/~openstack
>>> More help   : https://help.launchpad.net/ListHelp
>>>