Public bug reported:

If you have a user with a role assigned through group membership to a project, you are able to create an application credential for that project. But you can't use it later.

When you try to use it, the authenticate method will throw 401 Unauthorized. Checking the code a bit, the issue seems to be in the token_model, as it only checks for direct assignments of the user, missing all the roles that can be inherited or come through group membership.

https://github.com/openstack/keystone/blob/master/keystone/models/token_model.py#L409-L421

** Affects: keystone
     Importance: Undecided
         Status: New

https://bugs.launchpad.net/bugs/1825991

Title:
  Usage of application credentials through group membership does not work

Status in OpenStack Identity (keystone):
  New
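
Added example (not part of the original report and not keystone code): a simplified Python model of the mismatch described above, covering group membership only. It assumes creation is checked against effective roles while use is checked against direct assignments; every name and all data are hypothetical.

```python
# Simplified model of the reported mismatch; NOT keystone code.
# Every name below is hypothetical and the data is constructed.
from dataclasses import dataclass

class Unauthorized(Exception):
    """Stands in for the HTTP 401 described in the report."""

@dataclass(frozen=True)
class Assignment:
    actor_type: str  # "user" or "group"
    actor_id: str
    project_id: str
    role: str

# alice holds "member" on proj-1 only through group "devs"; bob holds it directly.
GROUP_MEMBERS = {"devs": {"alice"}}
ASSIGNMENTS = [
    Assignment("group", "devs", "proj-1", "member"),
    Assignment("user", "bob", "proj-1", "member"),
]

def direct_roles(user_id, project_id):
    """Roles assigned to the user itself, ignoring groups."""
    return {a.role for a in ASSIGNMENTS
            if a.actor_type == "user" and a.actor_id == user_id
            and a.project_id == project_id}

def effective_roles(user_id, project_id):
    """Direct roles plus roles of every group the user is a member of."""
    roles = direct_roles(user_id, project_id)
    for a in ASSIGNMENTS:
        if (a.actor_type == "group" and a.project_id == project_id
                and user_id in GROUP_MEMBERS.get(a.actor_id, set())):
            roles.add(a.role)
    return roles

def create_app_cred(user_id, project_id, roles):
    """Assumed creation-time check: requested roles must be effective roles."""
    if not set(roles) <= effective_roles(user_id, project_id):
        raise Unauthorized("requested roles not held on project")
    return {"user_id": user_id, "project_id": project_id, "roles": set(roles)}

def authenticate(cred, resolver):
    """Use-time check: the credential's roles must be in what resolver returns."""
    if not cred["roles"] <= resolver(cred["user_id"], cred["project_id"]):
        raise Unauthorized("401 Unauthorized")
    return sorted(cred["roles"])
```

Passing direct_roles as the resolver reproduces the 401 for the group-only user; passing effective_roles makes the use-time check agree with the creation-time check.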

