yahoo-eng-team team mailing list archive

Thread
Date

[Bug 1773967] [NEW] Application credentials can't be used with group-only role assignments

To: yahoo-eng-team@xxxxxxxxxxxxxxxxxxx
From: Colleen Murphy <colleen@xxxxxxxxxxx>
Date: Tue, 29 May 2018 11:18:57 -0000
Reply-to: Bug 1773967 <1773967@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

Public bug reported:

If a user only has a role assignment on a project via a group
membership, the user can create an application credential for the
project but it cannot be used. If someone tries to use it, the debug
logs will report:

 User <uuid> has no access to project <uuid>

We need to ensure that any application credential that is created can be
used so long as it is not expired and the user exists and has access to
the project they created the application credential for. If we decide
that application credentials should not be valid for users who have no
explicit role assignments on projects, then we should prevent it from
being created and provide a useful message to the user.

This is probably related to
https://bugs.launchpad.net/keystone/+bug/1589993

** Affects: keystone
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1773967

Title:
  Application credentials can't be used with group-only role assignments

Status in OpenStack Identity (keystone):
  New

Bug description:
  If a user only has a role assignment on a project via a group
  membership, the user can create an application credential for the
  project but it cannot be used. If someone tries to use it, the debug
  logs will report:

   User <uuid> has no access to project <uuid>

  We need to ensure that any application credential that is created can
  be used so long as it is not expired and the user exists and has
  access to the project they created the application credential for. If
  we decide that application credentials should not be valid for users
  who have no explicit role assignments on projects, then we should
  prevent it from being created and provide a useful message to the
  user.

  This is probably related to
  https://bugs.launchpad.net/keystone/+bug/1589993

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1773967/+subscriptions

Follow ups

[Bug 1773967] Re: Application credentials can't be used with group-only role assignments
From: Chris MacNaughton, 2020-10-21
[Bug 1773967] Re: Application credentials can't be used with group-only role assignments
From: Dmitrii Shcherbakov, 2019-08-07
[Bug 1773967] Re: Application credentials can't be used with group-only role assignments
From: OpenStack Infra, 2019-08-07