2013-10-15 23:35:16 |
Dolph Mathews |
description |
As part of fix1186059 we have added user_id from "x-subject-token" to the API target and that is good to introduce a notion of token owner in policy.
https://review.openstack.org/#/c/46123/21/keystone/common/controller.py
Only user_id in the target is not sufficient to define a policy rule like
"role:admin and domain_id:%(target.entity.domain_id)s" (admin role from token owner's domain)
We need to introduce domain_id in policy_dict so that the above-mentioned rule can be defined. |
As a fix for bug 1186059 we have added user_id from "x-subject-token" to the API target and that is good to introduce a notion of token owner in policy.
https://review.openstack.org/#/c/46123/21/keystone/common/controller.py
Only user_id in the target is not sufficient to define a policy rule like
"role:admin and domain_id:%(target.entity.domain_id)s" (admin role from token owner's domain)
We need to introduce domain_id in policy_dict so that the above-mentioned rule can be defined. |
|