yahoo-eng-team team mailing list archive

[Bug 2107423] [NEW] Removing a role from a user in a project causes their application credentials to be deleted

Public bug reported:

If a user creates an application credential (or has an application
credential created for them) in a project and later has one of their
roles in that project removed, then the application credential is deleted.

I understand that the decision to delete the application credential on a
user role change was made to prevent a security issue where the user has
a role removed but the application credential can still act with that
role.

This behaviour has an impact on other projects, such as Magnum, that use
application credentials. If the application credential is deleted due to
a change in the owning user's roles, then the Magnum cluster will not be
able to perform resource operations against OpenStack services, because
the application credential is now invalid.

I would suggest something like comparing the user's existing roles with
the credential's roles and updating the credential's roles to match. I am
unsure about the case where a user loses all roles in a project; perhaps
disable or delete the application credential in that case.

** Affects: keystone
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/2107423

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/2107423/+subscriptions
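The following is an added illustration of the two behaviours discussed in the report: the delete-on-role-change behaviour the reporter describes, and the proposed alternative of trimming the credential's roles to those the owner still holds, with the "owner lost every role" case handled by disabling or deleting. It is not keystone's code; the data model, function names, role names and sample assignments are assumptions constructed for the example.

```python
"""Model of application-credential handling when the owner loses a project role.

Added example, not keystone's implementation. The AppCredential dataclass,
the assignment lookup and the sample data below are assumptions made for
illustration only.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class AppCredential:
    cred_id: str
    user_id: str
    project_id: str
    roles: frozenset          # roles the credential may act with
    enabled: bool = True
    deleted: bool = False


def effective_roles(assignments, user_id, project_id):
    """Roles the user currently holds on the project (constructed lookup table)."""
    return frozenset(assignments.get((user_id, project_id), ()))


def delete_on_role_change(cred):
    """Behaviour described in the report: any role removal deletes the credential."""
    return replace(cred, enabled=False, deleted=True)


def trim_to_owner_roles(cred, assignments, on_empty="disable"):
    """Proposed alternative: keep only the roles the owner still holds.

    Security invariant: the credential must never retain a role its owner lost.
    If nothing remains, disable (default) or delete the credential rather than
    leaving an enabled credential with an empty role set.
    """
    held = effective_roles(assignments, cred.user_id, cred.project_id)
    kept = cred.roles & held
    if kept:
        return replace(cred, roles=kept)
    if on_empty == "delete":
        return replace(cred, roles=frozenset(), enabled=False, deleted=True)
    return replace(cred, roles=frozenset(), enabled=False)


def violates_invariant(cred, assignments):
    """True if an enabled credential holds a role its owner no longer has."""
    if not cred.enabled:
        return False
    held = effective_roles(assignments, cred.user_id, cred.project_id)
    return not cred.roles <= held


# Constructed sample: a Magnum-style credential carrying two of the user's roles.
ASSIGNMENTS_BEFORE = {
    ("alice", "proj-a"): {"member", "heat_stack_owner", "load-balancer_member"},
}
MAGNUM_CRED = AppCredential(
    "cred-1", "alice", "proj-a", frozenset({"member", "heat_stack_owner"}),
)


def scenario_remove_one_role():
    """Operator removes heat_stack_owner from alice on proj-a.

    Returns (credential under current behaviour, credential under proposal).
    """
    after = {("alice", "proj-a"): {"member", "load-balancer_member"}}
    return delete_on_role_change(MAGNUM_CRED), trim_to_owner_roles(MAGNUM_CRED, after)


def scenario_remove_all_roles(on_empty="disable"):
    """Operator removes every role alice held on proj-a."""
    return trim_to_owner_roles(MAGNUM_CRED, {}, on_empty=on_empty)


if __name__ == "__main__":
    current, proposed = scenario_remove_one_role()
    print("current behaviour :", current)
    print("proposed behaviour:", proposed)
    print("all roles lost    :", scenario_remove_all_roles())
```

Under the proposal the credential in the first scenario keeps only `member`, so a Magnum cluster that needs nothing beyond that role keeps working, while `violates_invariant` confirms the untrimmed credential would have retained `heat_stack_owner` after its owner lost it.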