EC2 token creation no longer possible for admin

IMO this is a feature not a bug - the service admin token shouldn't be associated with ec2 credentials like this, you should request a token as a real user and create the ec2 credentials as that user.

Can you expand on the use-case for this?

Seems like another security hole in the making to me, since you're creating (non expiring) credentials, which can be trivially used by any admin (any user with admin role in any project, not just the service admin token) to gain all the roles of the trustor, not only those delegated, defeating the entire point of trusts in all environments which enable the ec2tokens extension.

Also, when considering this issue, please bear in mind bug #968696 - the fact that admin role gives admin everywhere is a bug (a really bad one, specific to keystone), so IMO we should not perpetuate that wrong assumption by allowing code to circumvent delegation restrictions just because the user has the admin role.

I would like to also know the actual usecase for this configuration. I am concerned about the security implications.

Fix proposed to branch: master
Review: https://review.openstack.org/69007

Reviewed: https://review.openstack.org/70847
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=b5ab8fe9d63dd65786dd13adee2a6dd25b7c483a
Submitter: Jenkins
Branch: master

commit b5ab8fe9d63dd65786dd13adee2a6dd25b7c483a
Author: guang-yee <email address hidden>
Date: Mon Feb 3 13:17:34 2014 -0800

    allow create credential with the system admin token

    We are looking up trust_id during create credential, which means caller must
    use a Keystone-issued token. This is unrealistic as create credential are
    often done as part of bootstrap, using the static system admin token.
    Furthermore, deployments which using external authorization will break as it
    may not have a token_id in the request context.

    For the above reasons, we'll skip trust_id lookup if the request token_id is
    either absent or it is the static system admin token.

    closes bug 1275145
    closes bug 1263804

    Change-Id: I6cda3c5f36c9754ab84e28ff9a9289887d6c9b77

As 1242597 was backported to Havana and Grizzly, are there plans to backport this fix as well? Alternatively, what's the recommended workaround for those releases?