[openstack-dev] [keystone][nova] Persistent application credentials
Zane Bitter
zbitter at redhat.com
Tue Jul 18 15:18:02 UTC 2017
On 18/07/17 10:55, Lance Bragstad wrote:
>>
>> Would Keystone folks be happy to allow persistent credentials once
>> we have a way to hand out only the minimum required privileges?
>>
>>
>> If I'm understanding correctly, this would make application
>> credentials dependent on several cycles of policy work. Right?
>
> I think having the ability to communicate deprecations though
> oslo.policy would help here. We could use it to move towards better
> default roles, which requires being able to set minimum privileges.
>
> Using the current workflow requires operators to define the minimum
> privileges for whatever is using the application credential, and work
> that into their policy. Is that the intended workflow that we want to
> put on the users and operators of application credentials?
The plan is to add an authorisation mechanism that is user-controlled
and independent of the (operator-controlled) policy. The beginnings of
this were included in earlier drafts of the spec, but were removed in
patch set 19 in favour of leaving them for a future spec:
https://review.openstack.org/#/c/450415/18..19/specs/keystone/pike/application-credentials.rst
- ZB
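The two-layer model Zane describes (an operator-controlled policy plus a separate, user-controlled restriction carried by the application credential) can be sketched in a few lines. This is an added illustration, not Keystone's code or the spec's design: the rule names, the glob-style allow-list and the "intersection" semantics (the credential can only narrow what the owner's roles already permit) are assumptions of this example.

```python
# Added illustration (not Keystone code): two independent authorization layers
# for an application credential. Operator policy decides what the owning
# user's roles permit; the credential carries a user-written allow-list that
# can only subtract privilege, never add it.
from dataclasses import dataclass, field
from fnmatch import fnmatch

# Hypothetical operator-controlled policy: role -> permitted "service:resource:action"
OPERATOR_POLICY = {
    "member": {"compute:server:list", "compute:server:create",
               "compute:server:delete", "image:image:list"},
    "reader": {"compute:server:list", "image:image:list"},
}


@dataclass
class ApplicationCredential:
    owner_roles: frozenset                       # roles of the creating user
    allowed: list = field(default_factory=list)  # user-written glob patterns, default deny


def operator_allows(roles, action):
    """Layer 1: does the operator's policy grant this action to any of the roles?"""
    return any(action in OPERATOR_POLICY.get(role, set()) for role in roles)


def credential_allows(cred, action):
    """Layer 2: did the user explicitly list this action on the credential?"""
    return any(fnmatch(action, pattern) for pattern in cred.allowed)


def authorize(cred, action):
    """Both layers must agree, so the credential can never exceed its owner's roles."""
    return operator_allows(cred.owner_roles, action) and credential_allows(cred, action)


def effective_privileges(cred):
    """Enumerate what the credential can actually do under the current policy."""
    candidates = set().union(*(OPERATOR_POLICY.get(r, set()) for r in cred.owner_roles))
    return sorted(a for a in candidates if credential_allows(cred, a))


if __name__ == "__main__":
    # Constructed scenario: a "member" user hands a log-shipping tool a credential
    # limited to listing servers; the user also (wrongly) lists identity:* on it.
    cred = ApplicationCredential(frozenset({"member"}), ["compute:server:list", "identity:*"])
    print(authorize(cred, "compute:server:list"))     # True: both layers permit
    print(authorize(cred, "compute:server:delete"))   # False: role allows, credential does not
    print(authorize(cred, "identity:user:list"))      # False: credential allows, policy does not
    print(effective_privileges(cred))                 # ['compute:server:list']
```

Because the layers are evaluated independently, an operator later tightening policy for the `member` role narrows the credential automatically, while the user can never use the allow-list to reach past that policy.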