Project-scoped app creds - Best practice

Rafael Weingärtner rafaelweingartner at gmail.com
Thu Nov 25 23:20:28 UTC 2021


Hello Ryan,
We actually faced a similar situation, and we extended Keystone to support
the concept of project-bound credentials, that is, credentials that are
owned by a project and not by a user. Therefore, the credentials are shared
by all users of a project.

The spec is the following:
https://review.opendev.org/c/openstack/keystone-specs/+/766725

We have had it running in PROD for over 6 months now, and it is also
integrated with RadosGW<>Keystone authentication.

On Thu, Nov 25, 2021 at 7:53 PM Ryan Bannon <ryan.bannon at gmail.com> wrote:

> Hello all,
>
> Relatively new to OpenStack.
>
> To my understanding, application credentials are bound to users. Is there
> a way to bind them to Projects (I assume not) or, perhaps, Groups? My naive
> thought on a possible solution is that if a group has access to a Project,
> a "generic" user account that everybody has access to could be used for the
> application credentials. (The use case here is to not bind an app cred to
> an individual who might leave the organization, thus making the app cred
> secret lost.)
>
> Thanks,
>
> Ryan
>


-- 
Rafael Weingärtner