5f093bf5ee
This commit adds a validation step in the auth_token middleware to check for the presence of an access_rules attribute in an application credential token and to validate the request against the permissions granted for that token. During token validation it sends a header to keystone to indicate that it is capable of validating these access rules, and not providing this header for a token like this would result in the token failing validation.

This disregards access rules for a service request made by a service on behalf of a user, such as nova making a request to glance, because such a request is not under the control of the user and is not expected to be explicitly allowed in the access rules.

bp whitelist-extension-for-app-creds

Depends-On: https://review.opendev.org/670377
Change-Id: I185e0541d5df538d74edadf9976b3034a2470c88
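The decision the commit message describes, sketched as an added example (not code from this commit or from the middleware): a request is checked against a token's access_rules unless a service makes it on the user's behalf. The rule fields `service`, `method` and `path`, the wildcard forms, the `has_valid_service_token` parameter and the sample token are assumptions of this example.

```python
import re

# Constructed sample token body. The rule fields (service, method, path) and
# the wildcard forms below are assumptions of this example, not from the page.
SAMPLE_TOKEN = {"access_rules": [
    {"service": "image", "method": "GET", "path": "/v2/images/*"},
    {"service": "compute", "method": "GET", "path": "/v2.1/servers/**"},
]}


def _path_regex(pattern):
    """Compile a rule path: '*' or '{name}' is one segment, '**' is the rest."""
    parts = []
    for seg in pattern.strip("/").split("/"):
        if seg == "**":
            parts.append(".*")
        elif seg == "*" or (seg.startswith("{") and seg.endswith("}")):
            parts.append("[^/]+")
        else:
            parts.append(re.escape(seg))  # literal segment, '.' stays literal
    return re.compile("/" + "/".join(parts) + "/?")


def request_allowed(token, service_type, method, path,
                    has_valid_service_token=False):
    """Return True if the request may proceed under the token's access rules."""
    rules = token.get("access_rules")
    if rules is None:
        return True   # no access_rules attribute: nothing to enforce
    if has_valid_service_token:
        return True   # service acting on the user's behalf: rules disregarded
    path = path.split("?", 1)[0]
    if any(seg in (".", "..") for seg in path.split("/")):
        return False  # added hardening: never match un-normalised paths
    for rule in rules:
        if (rule["service"] == service_type
                and rule["method"].upper() == method.upper()
                and _path_regex(rule["path"]).fullmatch(path)):
            return True
    return False      # rules present but none matched: deny by default
```

An empty rule list denies every user request in this sketch, because the attribute is present and nothing matches.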
19 lines
663 B
Plaintext
# The order of packages is significant, because pip processes them in the order
# of appearance. Changing the order has an impact on the overall integration
# process, which may cause wedges in the gate later.

keystoneauth1>=3.12.0 # Apache-2.0
oslo.cache>=1.26.0 # Apache-2.0
oslo.config>=5.2.0 # Apache-2.0
oslo.context>=2.19.2 # Apache-2.0
oslo.i18n>=3.15.3 # Apache-2.0
oslo.log>=3.36.0 # Apache-2.0
oslo.serialization!=2.19.1,>=2.18.0 # Apache-2.0
oslo.utils>=3.33.0 # Apache-2.0
pbr!=2.1.0,>=2.0.0 # Apache-2.0
pycadf!=2.0.0,>=1.1.0 # Apache-2.0
python-keystoneclient>=3.20.0 # Apache-2.0
requests>=2.14.2 # Apache-2.0
six>=1.10.0 # MIT
WebOb>=1.7.1 # MIT