Hi all,
Rafael, thanks for the notes! That's a great initiative. Although it looks like it has stalled in the review phase...? (I'm new to interpreting the development workflow for OpenStack.)
To all: does anybody else have input on how they solved this issue?
Tx,
Ryan
On Thu, Nov 25, 2021 at 6:21 PM Rafael Weingärtner <rafaelweingartner@gmail.com> wrote:
Hello Ryan,
We actually faced a similar situation and we extended Keystone to support the concept of Project bound credentials, which means credentials that are owned by a project and not by a user. Therefore, the credentials are shared by all users of a project.
The spec is the following: https://review.opendev.org/c/openstack/keystone-specs/+/766725
We have it already running in PROD for over 6 months now, and it is also integrated with RadosGW<>Keystone authentication.
On Thu, Nov 25, 2021 at 7:53 PM Ryan Bannon <ryan.bannon@gmail.com> wrote:
Hello all,
Relatively new to OpenStack.
To my understanding, application credentials are bound to users. Is there a way to bind them to Projects (I assume not) or, perhaps, Groups? My naive thought on a possible solution is that if a group has access to a Project, a "generic" user account that everybody has access to could be used for the application credentials. (The use case here is to not bind an app cred to an individual who might leave the organization, thus making the app cred secret lost.)
Thanks,
Ryan
-- Rafael Weingärtner