As part of the new "restricted services" feature we want to make some updates to the authz scheme for Tokens. Specifically:
- Services should not be allowed to create tokens for other services.
Additionally:
2. User tokens should not be allowed to create tokens for themselves directly with Tokens.
3. There is an assumption here [1] that the requestor is a service account in the site admin tenant (i.e., that g.tenant_id is the admin tenant), but this is not necessarily true;
[1] https://github.com/tapis-project/tokens-api/blob/prod/service/auth.py#L220
As part of the new "restricted services" feature we want to make some updates to the authz scheme for Tokens. Specifically:
Additionally:
2. User tokens should not be allowed to create tokens for themselves directly with Tokens.
3. There is an assumption here [1] that the requestor is a service account in the site admin tenant (i.e., that g.tenant_id is the admin tenant), but this is not necessarily true;
[1] https://github.com/tapis-project/tokens-api/blob/prod/service/auth.py#L220