openstack/keystonemiddleware
Code Issues Proposed changes
946abf1f02
keystonemiddleware/releasenotes/notes/allow-expired-5ddbabcffc5678af.yaml
Jamie Lennox 4c6282ff70 Pass ?allow_expired 
When a service token is present we should bypass the expiry checks and
pass the allow_expired flag to the server. This will let the server
return expired tokens.

This has a very basic policy enforcement that is not backwards
compatible with the current (sensible) default. We will need to discuss
how we can make this work.

Implements bp: allow-expired
Change-Id: If3583ac08e33380f1c52ad50d7d5c74194393480
2016-12-15 16:15:35 +00:00

31 lines
1.7 KiB
YAML
Raw Blame History

---
prelude: >
Fetching expired tokens when using a valid service token is now allowed.
This will help with long running operations that must continue between
services longer than the original expiry of the token.
features:
- AuthToken middleware will now allow fetching an expired token when a valid
service token is present. This service token must contain any one of the
roles specified in ``service_token_roles``.
- Service tokens are compared against a list of possible roles for validity.
This will ensure that only services are submitting tokens as an
``X-Service-Token``.
For backwards compatibility, if ``service_token_roles_required`` is not set,
a warning will be emitted. To enforce the check properly, set
``service_token_roles_required`` to ``True``. It currently defaults to
``False``
upgrade:
- Set the ``service_token_roles`` to a list of roles that services may have.
The likely list is ``service`` or ``admin``. Any ``service_token_roles`` may
apply to accept the service token. Ensure service users have one of these
roles so interservice communication continues to work correctly. When verified,
set the ``service_token_roles_required`` flag to ``True`` to enforce this
behaviour. This will become the default setting in future releases.
deprecations:
- For backwards compatibility the ``service_token_roles_required`` option in
``[keystone_authtoken]`` was added. The option defaults to ``False`` and
has been immediately deprecated. This will allow the current behaviour
that service tokens are validated but not checked for roles to continue.
The option should be set to ``True`` as soon as possible. The option will
default to ``True`` in a future release.
View Git Blame Copy Permalink