yahoo-eng-team team mailing list archive
-
yahoo-eng-team team
-
Mailing list archive
-
Message #79526
[Bug 1773967] Re: Application credentials can't be used with group-only role assignments
** Also affects: keystone (Ubuntu)
Importance: Undecided
Status: New
** Also affects: cloud-archive
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1773967
Title:
Application credentials can't be used with group-only role assignments
Status in Ubuntu Cloud Archive:
New
Status in OpenStack Identity (keystone):
Fix Released
Status in keystone package in Ubuntu:
New
Bug description:
If a user only has a role assignment on a project via a group
membership, the user can create an application credential for the
project but it cannot be used. If someone tries to use it, the debug
logs will report:
User <uuid> has no access to project <uuid>
We need to ensure that any application credential that is created can
be used so long as it is not expired and the user exists and has
access to the project they created the application credential for. If
we decide that application credentials should not be valid for users
who have no explicit role assignments on projects, then we should
prevent it from being created and provide a useful message to the
user.
This is probably related to
https://bugs.launchpad.net/keystone/+bug/1589993
To manage notifications about this bug go to:
https://bugs.launchpad.net/cloud-archive/+bug/1773967/+subscriptions
References