Application credentials can't be used with group-only role assignments
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack Identity (keystone) | Fix Released | High | Jose Castro Leon |
Ubuntu Cloud Archive | Fix Released | Undecided | Unassigned |
keystone (Ubuntu) | Fix Released | Undecided | Unassigned |
Bug Description
If a user only has a role assignment on a project via a group membership, the user can create an application credential for the project but it cannot be used. If someone tries to use it, the debug logs will report:
User <uuid> has no access to project <uuid>
We need to ensure that any application credential that is created can be used so long as it is not expired and the user exists and has access to the project they created the application credential for. If we decide that application credentials should not be valid for users who have no explicit role assignments on projects, then we should prevent it from being created and provide a useful message to the user.
This is probably related to https:/
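The failure mode described in this report, as an added example that is not keystone's code: a simplified model in which a role lookup that only considers direct user assignments rejects an application credential, while a lookup that also resolves group membership accepts it. All names and sample data (`AppCred`, `direct_roles`, `effective_roles`, the user, group and project IDs) are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample data: (actor kind, actor id, project id, role name).
GROUP_MEMBERS = {"ops-group": {"alice"}}
ASSIGNMENTS = [("group", "ops-group", "proj-1", "member"),
               ("user", "bob", "proj-1", "member")]

@dataclass
class AppCred:
    user_id: str
    project_id: str
    expires_at: datetime

class Unauthorized(Exception):
    pass

def direct_roles(user_id, project_id):
    """Roles assigned to the user itself; misses group-only users."""
    return {role for kind, actor, project, role in ASSIGNMENTS
            if (kind, actor, project) == ("user", user_id, project_id)}

def effective_roles(user_id, project_id):
    """Direct roles plus roles inherited through group membership."""
    roles = direct_roles(user_id, project_id)
    for kind, actor, project, role in ASSIGNMENTS:
        if (kind == "group" and project == project_id
                and user_id in GROUP_MEMBERS.get(actor, set())):
            roles.add(role)
    return roles

def authenticate(cred, role_lookup, now=None):
    """Return the roles for the credential's project, or raise Unauthorized."""
    now = now or datetime.now(timezone.utc)
    if cred.expires_at <= now:
        raise Unauthorized("application credential expired")
    roles = role_lookup(cred.user_id, cred.project_id)
    if not roles:
        raise Unauthorized(
            f"User {cred.user_id} has no access to project {cred.project_id}")
    return roles

def try_auth(cred, role_lookup, now=None):
    """Return (ok, roles) on success or (False, error message) on failure."""
    try:
        return True, authenticate(cred, role_lookup, now)
    except Unauthorized as exc:
        return False, str(exc)
```

With `direct_roles`, the group-only user `alice` gets the same "has no access to project" error quoted in the report; with `effective_roles` the same credential authenticates and expiry is still enforced.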
Changed in keystone:
status: New → Confirmed
importance: Undecided → High
Changed in keystone:
assignee: nobody → Rajat Sharma (tajar29)
Changed in keystone:
assignee: Rajat Sharma (tajar29) → Vishakha Agarwal (vishakha.agarwal)
Changed in keystone:
assignee: Vishakha Agarwal (vishakha.agarwal) → Jose Castro Leon (jose-castro-leon)
status: Confirmed → In Progress
Changed in keystone:
assignee: Gauvain Pocentek (gpocentek) → nobody
Changed in keystone:
assignee: nobody → Colleen Murphy (krinkle)
Changed in keystone:
assignee: Colleen Murphy (krinkle) → Jose Castro Leon (jose-castro-leon)
Changed in keystone (Ubuntu):
status: Confirmed → Fix Released
Changed in cloud-archive:
status: New → Fix Released
Look at the trust code, as it solves this problem. Trusts and App Creds should use common code.