Hey,

Theoretically that's a valid approach, but that won't work for application credentials due to the mentioned bug report in keystone [1]. Also, keep in mind trusts, especially if you're running Magnum.

We had to mess up with the keystone database and update the role UUID for application credentials and trusts where _member_ was assigned. And flush cache (memcached in our case) after doing that.

[1] https://bugs.launchpad.net/keystone/+bug/2030061

Tue, 14 Nov 2023 at 19:45, Christian Stelter <refugee@last-refuge.net>:
Hi!
As someone who hasn't yet delved very deeply into keystone and the policies of the individual OpenStack services, I wondered whether setting member as the implied role for _member_ could pick up all those users who didn't manage to rotate their application credentials before switching to Zed Antelope.
Is this a valid approach or could it cause problems?
Kind regards,
Christian