Application credentials can't be used with group-only role assignments

Bug #1773967 reported by Colleen Murphy on 2018-05-29
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
OpenStack Identity (keystone)
High
Vishakha Agarwal

Bug Description

If a user only has a role assignment on a project via a group membership, the user can create an application credential for the project but it cannot be used. If someone tries to use it, the debug logs will report:

 User <uuid> has no access to project <uuid>

We need to ensure that any application credential that is created can be used so long as it is not expired and the user exists and has access to the project they created the application credential for. If we decide that application credentials should not be valid for users who have no explicit role assignments on projects, then we should prevent it from being created and provide a useful message to the user.

This is probably related to https://bugs.launchpad.net/keystone/+bug/1589993

Changed in keystone:
status: New → Confirmed
importance: Undecided → High
Rajat Sharma (tajar29) on 2018-06-07
Changed in keystone:
assignee: nobody → Rajat Sharma (tajar29)
Adam Young (ayoung) wrote :

Look at the trust code, as it solves this problem. Trusts and App Creds should use common code.

Changed in keystone:
assignee: Rajat Sharma (tajar29) → Vishakha Agarwal (vishakha.agarwal)
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers