GET /v2.0/tokens/{token_id}/endpoints not implemented

Jason -

What token backing store responded with the NotImplmented response? (In particular, what's the value of "driver" under [token] in your keystone configuration?

This is a potentially valid response if the backing store for the token never implemented that part of the API.

[token]
driver = keystone.token.backends.kvs.Token

I debugged the code and found the following method called.

keystone/keystone/service.py
420 def endpoints(self, context, token_id):
421 """Return a list of endpoints available to the token."""
422 raise exception.NotImplemented()

[Expired for Keystone because there has been no activity for 60 days.]

The relevant implementation was intentionally removed in bug 933555; the call should be implemented correctly moving forward.

WADL (listEndpointsForToken): https://github.com/openstack/identity-api/blob/master/openstack-identity-api/src/docbkx/admin/identity-admin.wadl

XSD (identity:EndpointList): https://github.com/openstack/identity-api/blob/master/openstack-identity-api/src/docbkx/common/xsd/endpoints.xsd

Example request/responses are below.

GET http://localhost:35357/v2.0/tokens/e94d61a11ee749ac8d2c2ef76e6ea4df/endpoints
=================================================================================

Accept: application/json
X-Auth-Token: ADMIN

200 OK
======

Status: 200
Content-Length: 273
Content-Location: http://localhost:35357/v2.0/tokens/e94d61a11ee749ac8d2c2ef76e6ea4df/endpoints
Vary: X-Auth-Token
Date: Thu, 06 Sep 2012 14:30:03 GMT
Content-Type: application/json

{
  "endpoints": [
    {
      "name": "Nova",
      "adminURL": "http://admin.openstack/nova",
      "region": "north",
      "internalURL": "http://internal.openstack/nova",
      "type": "compute",
      "id": "8c3426bd730c48f5b59527df3a51b901",
      "publicURL": "http://public.openstack/nova"
    }
  ],
  "endpoints_links": []
}

GET http://localhost:35357/v2.0/tokens/e94d61a11ee749ac8d2c2ef76e6ea4df/endpoints
=================================================================================

Accept: application/xml
X-Auth-Token: ADMIN

200 OK
======

Status: 200
Content-Length: 335
Content-Location: http://localhost:35357/v2.0/tokens/e94d61a11ee749ac8d2c2ef76e6ea4df/endpoints
Vary: X-Auth-Token
Date: Thu, 06 Sep 2012 14:30:05 GMT
Content-Type: application/xml

<?xml version="1.0" encoding="UTF-8"?>
<endpoints xmlns="http://docs.openstack.org/identity/api/v2.0">
  <endpoint name="Nova" adminURL="http://admin.openstack/nova" region="north" internalURL="http://internal.openstack/nova" type="compute" id="8c3426bd730c48f5b59527df3a51b901" publicURL="http://public.openstack/nova"/>
</endpoints>

Fix proposed to branch: master
Review: https://review.openstack.org/12499

[08:39am] ttx: user A has a token for tenant B. Admin of tenant C grants A access to C, effectively disabling the token A had for B ?
[08:39am] dolphm: ttx: sure, the user can just re-auth though
[08:39am] ttx: dolphm: letting /anyone/ disabling any token sounds a bit... abusive to me
[08:39am] ttx: and potentially something a bad guy would want to do
[08:40am] ayoung: dolphm, why not filter the list by tenant_id?
[08:40am] ttx: not very critical in its effect, for sure
[08:40am] dolphm: ttx: "anyone" being any admin, and "any token" being for a specific user

[08:43am] ttx: dolphm: oh. So a random user can't become the "admin" of a tenant and grant random users access to his tenant ?
[08:43am] dolphm: ttx: not in identity api v2 / current keystone impl
[08:43am] ttx: dolphm: you have to be the god of all keystone to grant roles ? In which case I agree there is no vector
[08:43am] ttx: and no impact
[08:43am] heckj: ttx: with the V2 API, that's correct

Reviewed: https://review.openstack.org/12499
Committed: http://github.com/openstack/keystone/commit/b6e568ede0d5e7abae69b28920f33f95be6190b5
Submitter: Jenkins
Branch: master

commit b6e568ede0d5e7abae69b28920f33f95be6190b5
Author: Dolph Mathews <email address hidden>
Date: Thu Sep 6 08:15:06 2012 -0500

    Implement token endpoint list (bug 1006777)

    Change-Id: Ia7dad06ec763994ce0beb171c481ab01c20af6cb

For future reference, comment #8 and comment #9 were attached to the wrong bug number.