yahoo-eng-team team mailing list archive

[Artem Goncharov <2107423@xxxxxxxxxxxxxxxxxx>]

Please note that we can't accept any bug reports for such old version. More than 12 following releases are EOL and can't be fixed.
Anyway, good that we have figured out it is not the case in the currently maintained versions

** Changed in: keystone
       Status: New => Won't Fix

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/2107423

Title:
  Removing a role from a user in a project causes their application
  credentials to be deleted

Status in OpenStack Identity (keystone):
  Won't Fix

Bug description:
  If a user creates an application credential (or has an application
  credential created for them) in a project and later removed one of
  their roles in a project then the application credential is deleted.

  I understand that the decision to delete the application credential on
  user role change was done as to prevent a security issue if the user
  has a role removed and the application credential still can act with
  the role.

  This behaviour has an impact on other projects, such as Magnum that
  use application credentials.  As if the application credential is
  deleted due to the change in the owner user's roles then the Magnum
  cluster will not be able to perform resource operations against
  OpenStack service due to the now invalid application credential.

  I would suggest something like comparing the user's existing roles
  with the credentials roles and updating the credential's roles to
  match.  Unsure of the case where a user loses all roles from a
  project, perhaps disable or delete the application credential.

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/2107423/+subscriptions