Add validation of app cred access rules

This commit adds a validation step in the auth_token middleware to check
for the presence of an access_rules attribute in an application
credential token and to validate the request against the permissions
granted for that token. During token validation it sends a header to
keystone to indicate that it is capable of validating these access
rules, and not providing this header for a token like this would result
in the token failing validation. This disregards access rules for a
service request made by a service on behalf of a user, such as nova
making a request to glance, because such a request is not under the
control of the user and is not expected to be explicitly allowed in the
access rules.

bp whitelist-extension-for-app-creds

Depends-On: https://review.opendev.org/670377

Change-Id: I185e0541d5df538d74edadf9976b3034a2470c88

1 files changed, 2 insertions, 2 deletions

diff --git a/requirements.txt b/requirements.txt
index 80b26d4..d3f07ce 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -2,7 +2,7 @@
 # of appearance. Changing the order has an impact on the overall integration
 # process, which may cause wedges in the gate later.
 
-keystoneauth1>=3.4.0 # Apache-2.0
+keystoneauth1>=3.12.0 # Apache-2.0
 oslo.cache>=1.26.0 # Apache-2.0
 oslo.config>=5.2.0 # Apache-2.0
 oslo.context>=2.19.2 # Apache-2.0
@@ -12,7 +12,7 @@ oslo.serialization!=2.19.1,>=2.18.0 # Apache-2.0
 oslo.utils>=3.33.0 # Apache-2.0
 pbr!=2.1.0,>=2.0.0 # Apache-2.0
 pycadf!=2.0.0,>=1.1.0 # Apache-2.0
-python-keystoneclient>=3.10.0 # Apache-2.0
+python-keystoneclient>=3.20.0 # Apache-2.0
 requests>=2.14.2 # Apache-2.0
 six>=1.10.0 # MIT
 WebOb>=1.7.1 # MIT