OpenStack Credentials: support Keystone application credentials
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Canonical Juju | Triaged | Wishlist | Unassigned |
Bug Description
Keystone has support for application credentials as of Queens (for API, CLI and dashboard support was added in Rocky). It is quite useful for clouds integrated with user directories via LDAP or with identity federation & SSO enabled where it is not possible or meaningful to use credentials of a user in a company-wide user directory.
https:/
https:/
Juju does not support this at the time of writing.
https:/
* This feature allows a user to create a credential via Keystone with some of its role assignments delegated to a credential (a "Member" project role is usually delegated);
* An expiration date can be configured for a credential but is optional;
* Unrestricted credentials can optionally be created, which are able to create new credentials;
* There is no API to change an expiration time of an existing credential if it is set.
Example openrc:
export OS_AUTH_URL=https:/
export OS_APPLICATION_
export OS_REGION_
export OS_APPLICATION_
export OS_IDENTITY_
export OS_AUTH_
export OS_INTERFACE=
export OS_CACERT=
Example API client usage:
>>> from keystoneauth1.
>>> from keystoneauth1 import session
>>> from keystoneclient.v3 import client
>>> auth = v3.token.
>>> sess = session.
>>> keystone = client.
>>> app_cred = keystone.
>>> app_cred
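The Keystone v3 request bodies behind the workflow in the report (creating a credential with delegated roles, an optional expiry and the unrestricted flag, then authenticating with it), as an added example that is not code from the bug report or from Juju. It builds the JSON by hand instead of going through keystoneauth1/keystoneclient so that it runs offline; the paths and field names follow the Keystone v3 API and the sample identifiers are constructed placeholders.

```python
import json
from datetime import datetime, timedelta, timezone


def _parse_utc(ts):
    """Parse an ISO 8601 timestamp the way Keystone does; a naive value means UTC."""
    dt = datetime.fromisoformat(ts.rstrip("Z"))
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)


def create_app_cred_request(user_id, name, secret, roles=("Member",),
                            expires_at=None, unrestricted=False):
    """Return (method, path, body) for POST /v3/users/{user_id}/application_credentials.

    The delegated roles must be a subset of the user's own assignments on the
    project the request is scoped to; a bare "Member" role is the usual choice.
    'unrestricted' lets the credential create further credentials and trusts,
    so it stays False unless that is really needed. expires_at is optional, but
    Keystone offers no call to change it afterwards, so it is worth setting now
    and rotating (delete + re-create) before it lapses.
    """
    if not roles:
        raise ValueError("delegate at least one role")
    cred = {"name": name, "secret": secret,
            "roles": [{"name": r} for r in roles],
            "unrestricted": bool(unrestricted)}
    if expires_at is not None:
        _parse_utc(expires_at)  # reject malformed timestamps before sending
        cred["expires_at"] = expires_at
    return "POST", f"/v3/users/{user_id}/application_credentials", {"application_credential": cred}


def token_request(app_cred_id, secret):
    """Body for POST /v3/auth/tokens with the application_credential method.

    No "scope" block is sent: the token is scoped to the project the credential
    belongs to and carries only the delegated roles.
    """
    return {"auth": {"identity": {
        "methods": ["application_credential"],
        "application_credential": {"id": app_cred_id, "secret": secret}}}}


def needs_rotation(expires_at, now, window_days=7):
    """True if a credential with this expires_at (None = never) lapses within the window."""
    if expires_at is None:
        return False
    return _parse_utc(expires_at) - _parse_utc(now) <= timedelta(days=window_days)


if __name__ == "__main__":
    # Constructed sample values, not real identifiers.
    print(json.dumps(create_app_cred_request("USER_ID", "juju-controller", "SECRET",
                                             expires_at="2021-01-01T00:00:00")[2], indent=2))
    print(json.dumps(token_request("APP_CRED_ID", "SECRET"), indent=2))
```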
Yes, we should support it.
I am going through the gap analysis - what authentication mechanisms Juju supports for each cloud and what mechanisms the clouds themselves support.
I'll add it to our wishlist for prioritization.