diff options
author | Jamie Lennox <jamielennox@gmail.com> | 2016-09-29 09:32:19 +1000 |
---|---|---|
committer | Steve Martinelli <s.martinelli@gmail.com> | 2016-12-15 16:15:35 +0000 |
commit | 4c6282ff70e22710ebf0c806d3ce8cc388e6510a (patch) | |
tree | f075d6a648318e0abd1d90fe8f1f310dae5bd31e /releasenotes | |
parent | 29a879c0ed5d1af5dca0cf6fd0394487f97b1670 (diff) | |
download | keystonemiddleware-4c6282ff70e22710ebf0c806d3ce8cc388e6510a.tar.gz |
Pass ?allow_expired
When a service token is present we should bypass the expiry checks and
pass the allow_expired flag to the server. This will let the server
return expired tokens.
This has a very basic policy enforcement that is not backwards
compatible with the current (sensible) default. We will need to discuss
how we can make this work.
Implements bp: allow-expired
Change-Id: If3583ac08e33380f1c52ad50d7d5c74194393480
Diffstat (limited to 'releasenotes')
-rw-r--r-- | releasenotes/notes/allow-expired-5ddbabcffc5678af.yaml | 30 |
1 files changed, 30 insertions, 0 deletions
diff --git a/releasenotes/notes/allow-expired-5ddbabcffc5678af.yaml b/releasenotes/notes/allow-expired-5ddbabcffc5678af.yaml new file mode 100644 index 0000000..648d4d6 --- /dev/null +++ b/releasenotes/notes/allow-expired-5ddbabcffc5678af.yaml @@ -0,0 +1,30 @@ +--- +prelude: > + Fetching expired tokens when using a valid service token is now allowed. + This will help with long running operations that must continue between + services longer than the original expiry of the token. +features: + - AuthToken middleware will now allow fetching an expired token when a valid + service token is present. This service token must contain any one of the + roles specified in ``service_token_roles``. + - Service tokens are compared against a list of possible roles for validity. + This will ensure that only services are submitting tokens as an + ``X-Service-Token``. + For backwards compatibility, if ``service_token_roles_required`` is not set, + a warning will be emitted. To enforce the check properly, set + ``service_token_roles_required`` to ``True``. It currently defaults to + ``False`` +upgrade: + - Set the ``service_token_roles`` to a list of roles that services may have. + The likely list is ``service`` or ``admin``. Any ``service_token_roles`` may + apply to accept the service token. Ensure service users have one of these + roles so interservice communication continues to work correctly. When verified, + set the ``service_token_roles_required`` flag to ``True`` to enforce this + behaviour. This will become the default setting in future releases. +deprecations: + - For backwards compatibility the ``service_token_roles_required`` option in + ``[keystone_authtoken]`` was added. The option defaults to ``False`` and + has been immediately deprecated. This will allow the current behaviour + that service tokens are validated but not checked for roles to continue. + The option should be set to ``True`` as soon as possible. The option will + default to ``True`` in a future release. |