yahoo-eng-team team mailing list archive
Message #95909
[Bug 2107423] Re: Removing a role from a user in a project causes their application credentials to be deleted
Please note that we can't accept any bug reports for such an old version. More than 12 following releases are EOL and can't be fixed.
Anyway, good that we have figured out it is not the case in the currently maintained versions.
** Changed in: keystone
Status: New => Won't Fix
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/2107423
Title:
Removing a role from a user in a project causes their application
credentials to be deleted
Status in OpenStack Identity (keystone):
Won't Fix
Bug description:
If a user creates an application credential (or has an application
credential created for them) in a project and one of their roles in
a project is later removed, then the application credential is deleted.
I understand that the decision to delete the application credential on
user role change was made so as to prevent a security issue if the user
has a role removed and the application credential can still act with
the role.
This behaviour has an impact on other projects, such as Magnum, that
use application credentials. If the application credential is
deleted due to the change in the owner user's roles, then the Magnum
cluster will not be able to perform resource operations against
OpenStack services due to the now invalid application credential.
I would suggest something like comparing the user's existing roles
with the credential's roles and updating the credential's roles to
match. Unsure of the case where a user loses all roles from a
project; perhaps disable or delete the application credential.
To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/2107423/+subscriptions