Tokens with subsets of roles

Registered by Adam Young on 2016-10-21

Allow a user to request a token with a subset of the roles that they have, so they don't give away too much authority with each token.

Blueprint information

Status:
Complete
Approver:
None
Priority:
Undefined
Drafter:
Adam Young
Direction:
Needs approval
Assignee:
None
Definition:
Superseded
Series goal:
None
Implementation:
Unknown
Milestone target:
None
Completed by
Lance Bragstad on 2019-02-15

Whiteboard

Gerrit topic: https://review.openstack.org/#q,topic:310074,n,z

Addressed by: https://review.openstack.org/310074
    Fernet token formatter with explicit role

(vishakha) 19-02-13 Can be marked as invalid now, as default roles work is going to land soon which makes sure of limited access in token [1].

[1] https://review.openstack.org/#/q/status:open+project:openstack/keystone+branch:master+topic:implement-default-roles.

(lbragstad): Looks like this specification is still in the discussion phase [0] without negative feedback. We should keep this open until we have a reason to close it or an implementation merged.

[0] https://review.openstack.org/#/c/186979/

Certainly not invalid. The closest we have are App Creds, but those do not cover all use cases. This is a security hardening step that removes elevation of priv type attacks. It should have been supported from the beginning, and needs to be implemented at some point.

(lbragstad) 19-02-15: I'm marking this as superseded based on the plan socialized on the mailing list [0]. All relevant content from this blueprint has been ported to an RFE bug report [1].

[0] http://lists.openstack.org/pipermail/openstack-discuss/2019-February/002672.html
[1] https://bugs.launchpad.net/keystone/+bug/1816166
