[openstack-dev] [keystone][nova] Persistent application credentials
zbitter at redhat.com
Tue Jul 18 15:18:02 UTC 2017
On 18/07/17 10:55, Lance Bragstad wrote:
>> Would Keystone folks be happy to allow persistent credentials once
>> we have a way to hand out only the minimum required privileges?
>> If I'm understanding correctly, this would make application
>> credentials dependent on several cycles of policy work. Right?
> I think having the ability to communicate deprecations through
> oslo.policy would help here. We could use it to move towards better
> default roles, which requires being able to set minimum privileges.
> Using the current workflow requires operators to define the minimum
> privileges for whatever is using the application credential, and work
> that into their policy. Is that the intended workflow that we want to
> put on the users and operators of application credentials?
The plan is to add an authorisation mechanism that is user-controlled
and independent of the (operator-controlled) policy. The beginnings of
this were included in earlier drafts of the spec, but were removed in
patch set 19 in favour of leaving them for a future spec: