Comment 0 for bug 1818725

Lance Bragstad (lbragstad) wrote :

In Rocky, keystone implemented support to ensure at least three default roles were available [0]. The application credentials API doesn't incorporate these defaults into its default policies [1], but it should.

For example, system users should be able to manage any application credential, regardless of the user. Users who are not system users should only be able to manage their application credentials.

[0] http://specs.openstack.org/openstack/keystone-specs/specs/keystone/rocky/define-default-roles.html
[1] http://git.openstack.org/cgit/openstack/keystone/tree/keystone/common/policies/application_credential.py?id=6e3f1f6e46787ed4542609c935c13cb85e91d7fc