> Would it be possible to check the location and only pass the token for whitelisted Swift stores or is this un-necessarily complicated?
Remember, the location may or may not be for a Swift store. It could be any (enabled) store, eg an arbitrary http URL.
I think trying to provide a kind of (discoverable) white list would be one approach.
It could be a list of regex's to try to handle different stores etc.
I think really security conscious sites might hesitate to deploy something like that ... it's hard to know if you've caught all the potential bad ones. Using policies to allow setting locations for admin users or openstack services (via service tokens) would be an alternative (possibly complimentary) approach.
> Would it be possible to check the location and only pass the token for whitelisted Swift stores or is this un-necessarily complicated?
Remember, the location may or may not be for a Swift store. It could be any (enabled) store, eg an arbitrary http URL.
I think trying to provide a kind of (discoverable) white list would be one approach.
It could be a list of regex's to try to handle different stores etc.
I think really security conscious sites might hesitate to deploy something like that ... it's hard to know if you've caught all the potential bad ones. Using policies to allow setting locations for admin users or openstack services (via service tokens) would be an alternative (possibly complimentary) approach.