Application credentials do not take account of implied roles
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack Identity (keystone) | New | Undecided | Douglas Mendizábal |
Bug Description
Keystone 2023.1 a72ec5d
We have recently added an implied role linking our original '_member_' role to the Keystone default 'member' role. This works well for standard user accounts, but where application credentials were originally created with the '_member_' role, they are unable to do things which require 'member' or 'reader' permission. I assume the same would be true in a fresh deployment if an application credential was created with the 'member' role, in that it would be prevented from doing things which require 'reader' permission.
It appears this issue was originally alluded to in https:/
I've compared logs seen in services such as Nova which show a full complement of roles when a full user attempts actions (_member_, member and reader), but when an application credential created by that user is used this list shows just '_member_'. Similarly having added some debug logging around https:/
As we wouldn't expect average users to have knowledge of which roles implied which others so that they could apply a full list when creating application credentials, I assume this isn't expected behaviour?
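To make the behaviour described in this report concrete, here is an added Python illustration (not Keystone's own code) of implied-role expansion and of the gap between a user token, whose roles are expanded through the implication graph, and an application-credential token that carries only the roles stored at creation time. The role names and implication graph are constructed sample data, and the `expand_implied` switch is a hypothetical parameter standing in for the reported versus the expected behaviour; it is not a Keystone option.

```python
"""Illustrative model (not Keystone's code) of implied-role expansion and of
why an application credential that stores only its explicit role list ends
up with fewer effective roles than the user who created it.

Assumption: the implication graph and role names below are constructed
sample data, not taken from any real deployment."""

from collections import deque

# Constructed sample implication graph: prior role -> set of implied roles.
# '_member_' -> 'member' is the link the bug report describes being added;
# 'member' -> 'reader' is the default Keystone implication chain.
IMPLIED_ROLES = {
    "admin": {"member"},
    "member": {"reader"},
    "_member_": {"member"},
}


def expand_roles(assigned, implied=IMPLIED_ROLES):
    """Return `assigned` plus every role reachable through the implication graph.

    Breadth-first so that chains (_member_ -> member -> reader) are followed to
    any depth; the `seen` set makes a cyclic graph terminate."""
    seen = set(assigned)
    queue = deque(assigned)
    while queue:
        role = queue.popleft()
        for implied_role in implied.get(role, ()):
            if implied_role not in seen:
                seen.add(implied_role)
                queue.append(implied_role)
    return seen


def app_credential_roles(stored_roles, expand_implied):
    """Roles carried by a token issued from an application credential.

    `expand_implied` is a hypothetical switch for this illustration only:
    False models the reported behaviour (only the stored roles appear on the
    token); True models the expected behaviour (the stored roles are expanded
    through the implication graph, like a normal user token)."""
    stored = set(stored_roles)
    return expand_roles(stored) if expand_implied else stored


def missing_roles(user_roles, app_cred_roles):
    """Roles the user effectively holds that the application credential lacks."""
    return set(user_roles) - set(app_cred_roles)


if __name__ == "__main__":
    user_effective = expand_roles({"_member_"})
    reported = app_credential_roles({"_member_"}, expand_implied=False)
    expected = app_credential_roles({"_member_"}, expand_implied=True)
    print("user token roles:      ", sorted(user_effective))
    print("app cred (as reported):", sorted(reported))
    print("app cred (expected):   ", sorted(expected))
    print("missing on app cred:   ", sorted(missing_roles(user_effective, reported)))
```

Running the module shows the user token carrying `_member_`, `member` and `reader` while the application credential created with `_member_` alone carries only `_member_`, which is exactly the difference the Nova logs in the report describe.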
Changed in keystone:
assignee: nobody → Douglas Mendizábal (dougmendizabal)
Related fix proposed to branch: master
Review: https://review.opendev.org/c/openstack/keystone/+/893737