Implement system scope and default roles for token API

This commit adds protection testing for the token API along with
changes to default policies to properly consume system-scope and
default roles.

Originally, this work was going to include the ability for project and
domain administrator to validate, check, or revoke tokens within the
context of their authorization (e.g., a domain administrator could
revoke tokens on projects within their domain). This seems like extra
work for not much benefit since we're using bearer tokens. The holder
of the token can do anything with that token, which means they can
validate it or revoke it without using their own token. Adding
project and domain administrator support seems unnecessary given the
existing functionality. If someone comes forward asking for this
functionality, we can re-evaluate the effort. For now, this patch is
limited to system user support, allowing them to validate, check, and
revoke any token in the system. Service users can still validate
tokens on behalf of users. Users can do anything they wish with their
own tokens.

This commit also bumps the minimum version of oslo.log so that we can
use the official TRAIN deprecated release marker.

Change-Id: Ia8b35258b43213bd117df4275c907aac223342b3
Closes-Bug: 1818844
Closes-Bug: 1750676

1 files changed, 1 insertions, 1 deletions

diff --git a/requirements.txt b/requirements.txt
index 90e0375b6..b46f3cfe4 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -27,7 +27,7 @@ oslo.context>=2.22.0 # Apache-2.0
 oslo.messaging>=5.29.0 # Apache-2.0
 oslo.db>=4.27.0 # Apache-2.0
 oslo.i18n>=3.15.3 # Apache-2.0
-oslo.log>=3.38.0 # Apache-2.0
+oslo.log>=3.44.0 # Apache-2.0
 oslo.middleware>=3.31.0 # Apache-2.0
 oslo.policy>=1.43.1 # Apache-2.0
 oslo.serialization!=2.19.1,>=2.18.0 # Apache-2.0