| field | value | date |
|---|---|---|
| author | Colleen Murphy <colleen@gazlene.net> | 2019-01-26 23:06:00 +0100 |
| committer | Colleen Murphy <colleen.murphy@suse.de> | 2019-07-15 16:05:59 -0700 |
| commit | 5f093bf5ee9f8ed201f01bab9c9afbde0423df07 (patch) | |
| tree | 90e46bfea194cc999b03e367cb9eb2572dcf011d /releasenotes | |
| parent | 2d3765ed565aba3b9793efcfc5c2d1ea534f1a0d (diff) | |
| download | keystonemiddleware-5f093bf5ee9f8ed201f01bab9c9afbde0423df07.tar.gz | |
Add validation of app cred access rules
This commit adds a validation step in the auth_token middleware to check
for the presence of an access_rules attribute in an application
credential token and to validate the request against the permissions
granted for that token. During token validation it sends a header to
keystone to indicate that it is capable of validating these access
rules, and not providing this header for a token like this would result
in the token failing validation. This disregards access rules for a
service request made by a service on behalf of a user, such as nova
making a request to glance, because such a request is not under the
control of the user and is not expected to be explicitly allowed in the
access rules.
bp whitelist-extension-for-app-creds
Depends-On: https://review.opendev.org/670377
Change-Id: I185e0541d5df538d74edadf9976b3034a2470c88
Diffstat (limited to 'releasenotes')
-rw-r--r-- | releasenotes/notes/bp-whitelist-extension-for-app-creds-badf088c8ad584bb.yaml | 7 |
1 files changed, 7 insertions, 0 deletions
diff --git a/releasenotes/notes/bp-whitelist-extension-for-app-creds-badf088c8ad584bb.yaml b/releasenotes/notes/bp-whitelist-extension-for-app-creds-badf088c8ad584bb.yaml new file mode 100644 index 0000000..a6e68d4 --- /dev/null +++ b/releasenotes/notes/bp-whitelist-extension-for-app-creds-badf088c8ad584bb.yaml @@ -0,0 +1,7 @@ +--- +features: + - | + [`spec <http://specs.openstack.org/openstack/keystone-specs/specs/keystone/train/capabilities-app-creds.html>`_] + The auth_token middleware now has support for accepting or denying incoming + requests based on access rules provided by users in their keystone + application credentials. |
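Review bot: the `features` entry in this release note omits two operator-visible consequences that the commit message spells out, and both belong in the note. First, auth_token now sends a header during token validation to tell keystone it can evaluate access rules, and an application-credential token that carries access rules fails validation when the middleware does not send it; an operator running an older keystonemiddleware in front of a keystone that issues such tokens should learn that from the release note, so an `upgrade` section stating that is warranted. Second, access rules are not enforced on requests a service makes on behalf of a user (the commit message gives nova calling glance as the case), which changes what a user should expect an access rule to restrict; a `security` section noting that service-to-service requests bypass the rules would make the scope of the new enforcement clear to deployers.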