Application credential API doesn't use default roles
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
OpenStack Identity (keystone) | Fix Released | Medium | Guang Yee | |
Bug Description
In Rocky, keystone implemented support to ensure at least three default roles were available [0]. The application credentials API doesn't incorporate these defaults into its default policies [1], but it should.
For example, system administrators should be able to clean up application credentials regardless of users, but system members or readers should only be able to list or get application credentials. Users who are not system users should only be able to manage their application credentials.
[0] http://
[1] http://
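The access rules in the bug description, modeled as an added Python example (not keystone's policy code and not part of the original report). The `Token` class, `is_allowed`, `access_matrix` and the persona names are hypothetical, and it assumes the default roles imply one another as admin, member, reader.

```python
# Added illustration of the access rules in the bug description; not keystone code.
from dataclasses import dataclass

# Assumption: the default roles imply one another (admin -> member -> reader).
IMPLIED = {
    "admin": {"admin", "member", "reader"},
    "member": {"member", "reader"},
    "reader": {"reader"},
}
READ_ACTIONS = {"get", "list"}
WRITE_ACTIONS = {"delete"}


@dataclass(frozen=True)
class Token:  # hypothetical stand-in for request credentials
    user_id: str
    role: str             # role granted on the token's scope
    system_scoped: bool   # True only for system-scoped tokens


def is_allowed(token, action, owner_id):
    """May `token` perform `action` on an application credential of `owner_id`?"""
    if action not in READ_ACTIONS | WRITE_ACTIONS:
        return False                      # fail closed on unknown actions
    if token.user_id == owner_id:
        return True                       # users manage their own credentials
    if not token.system_scoped:
        return False                      # project-scoped roles never reach other users
    roles = IMPLIED.get(token.role, set())  # unknown roles grant nothing
    needed = "reader" if action in READ_ACTIONS else "admin"
    return needed in roles


def access_matrix(owner_id="alice"):
    """Evaluate constructed personas against a credential owned by owner_id."""
    personas = {
        "system-admin": Token("sa", "admin", True),
        "system-member": Token("sm", "member", True),
        "system-reader": Token("sr", "reader", True),
        "project-admin": Token("pa", "admin", False),
        "owner": Token(owner_id, "member", False),
    }
    return {name: {a: is_allowed(t, a, owner_id) for a in ("get", "list", "delete")}
            for name, t in personas.items()}


if __name__ == "__main__":
    for persona, row in access_matrix().items():
        print(f"{persona:14} {row}")
```

The `project-admin` row is the case worth checking in a real deployment: an admin role on a project is not a system role, so it should not read or delete another user's application credentials.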
Changed in keystone:
status: New → Triaged
importance: Undecided → Medium
description: updated
tags: added: default-roles policy
Changed in keystone:
milestone: none → stein-rc1
Changed in keystone:
milestone: stein-rc1 → none
Fix proposed to branch: master
Review: https://review.opendev.org/670926