Keystone both allows and prevents creation of third party app credentials
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack Identity (keystone) | In Progress | Undecided | Unassigned | 
Bug Description
When creating an app credential (e.g. via POST to /v3/users/
The default keystone policy prevents this (via rule:owner) and only permits a user to alter their own creds. This is probably the right default policy, and weird deploys (like me) should be able to add an exception to that policy (e.g. admin_or_owner) as needed.
Adding a policy exception isn't possible, though, because in addition to the policy check there's an explicit check in the code:
```python
if self.oslo_
    action = _('Cannot create an application credential for another '
    raise ks_exception.
```
That explicit check shouldn't be there. The policy check is adequate to prevent what we want to prevent, and the explicit code check renders useless the <user> argument supported by the API.
So, either the <user> arg should be marked as deprecated, or the context check should be removed from the code. I prefer the latter, since it supports my weird use case.
[0] My weird use case: I'm mapping ldap service users from ldap into keystone. Because they're service users, no one will ever log in as those users directly so they don't have passwords. I nonetheless want those service users to do one or two select things, so I need to grant them credentials via a privileged account even though it's impossible to authenticate as the service user directly.
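The following is an added illustration, not keystone's code, of the point the report makes: a policy override cannot help while the handler also performs its own hard-coded ownership comparison. `MiniEnforcer` is a toy stand-in for oslo.policy's `Enforcer` that understands only the check-string subset needed here (`rule:`, `role:`, `attr:%(key)s`, and `or`); the rule names and check strings are simplified approximations of keystone's base policies, and the user ids and roles are constructed sample values.

```python
"""Added example (not keystone's own code): policy check vs. explicit code
check when creating an application credential for another user."""
import re

# Simplified stand-ins for keystone's base policy rules (assumption, not the
# literal upstream strings). 'owner' is the default for creating app creds.
DEFAULT_RULES = {
    "admin_required": "role:admin",
    "owner": "user_id:%(user_id)s",
    "admin_or_owner": "rule:admin_required or rule:owner",
    "identity:create_application_credential": "rule:owner",
}


class MiniEnforcer:
    """Minimal evaluator for the check-string subset used in this example."""

    def __init__(self, rules):
        self.rules = dict(rules)

    def enforce(self, rule_name, target, creds):
        return self._check(self.rules[rule_name], target, creds)

    def _check(self, expr, target, creds):
        # Only 'or' is supported; it is the sole operator these rules use.
        if " or " in expr:
            return any(self._check(p, target, creds) for p in expr.split(" or "))
        kind, _, value = expr.partition(":")
        if kind == "rule":                      # reference to a named rule
            return self._check(self.rules[value], target, creds)
        if kind == "role":                      # role carried in the token
            return value in creds.get("roles", [])
        # Generic attribute check, e.g. 'user_id:%(user_id)s': compare the
        # caller's attribute with the named key of the target being acted on.
        m = re.fullmatch(r"%\((\w+)\)s", value)
        if m:
            return creds.get(kind) == target.get(m.group(1))
        return creds.get(kind) == value


class Forbidden(Exception):
    pass


def create_app_credential(enforcer, context, target_user_id, explicit_check=True):
    """Mirror the handler structure the bug describes: policy enforcement
    first, then the explicit context comparison. Returns True if creation
    would proceed; raises Forbidden otherwise."""
    target = {"user_id": target_user_id}
    if not enforcer.enforce("identity:create_application_credential", target, context):
        raise Forbidden("policy denied")
    # The hard-coded check that policy cannot override (toggle to compare).
    if explicit_check and context["user_id"] != target_user_id:
        raise Forbidden("Cannot create an application credential for another user")
    return True


def _attempt(enforcer, context, target_user_id, explicit_check):
    try:
        create_app_credential(enforcer, context, target_user_id, explicit_check)
        return "allowed"
    except Forbidden as exc:
        return str(exc)


def run_scenarios():
    """Outcomes for a privileged caller acting on a service user, with the
    default policy, with an admin_or_owner override, and with/without the
    explicit code check. All identities below are constructed samples."""
    admin_ctx = {"user_id": "admin-1", "roles": ["admin"]}
    svc_user = "svc-ldap-42"
    default = MiniEnforcer(DEFAULT_RULES)
    overridden = MiniEnforcer({
        **DEFAULT_RULES,
        "identity:create_application_credential": "rule:admin_or_owner",
    })
    return {
        "self_service_default":
            _attempt(default, {"user_id": svc_user, "roles": []}, svc_user, True),
        "admin_for_other_default":
            _attempt(default, admin_ctx, svc_user, True),
        "admin_for_other_override_with_code_check":
            _attempt(overridden, admin_ctx, svc_user, True),
        "admin_for_other_override_no_code_check":
            _attempt(overridden, admin_ctx, svc_user, False),
    }


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name}: {outcome}")
```

The third scenario is the one the report is about: once the operator overrides the policy to `rule:admin_or_owner`, policy enforcement passes, but the explicit comparison in the handler still rejects the request, so the `<user>` path parameter can never name anyone but the caller. Removing that comparison (the fourth scenario) leaves policy as the single point of control, which is where an operator-visible, auditable decision belongs.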
Fix proposed to branch: master
Review: https://review.opendev.org/c/openstack/keystone/+/918697