[openstack-dev] [keystone][nova] Persistent application credentials

Zane Bitter zbitter at redhat.com
Tue Jul 18 15:18:02 UTC 2017

On 18/07/17 10:55, Lance Bragstad wrote:
>>     Would Keystone folks be happy to allow persistent credentials once
>>     we have a way to hand out only the minimum required privileges?
>> If I'm understanding correctly, this would make application 
>> credentials dependent on several cycles of policy work. Right?
> I think having the ability to communicate deprecations though 
> oslo.policy would help here. We could use it to move towards better 
> default roles, which requires being able to set minimum privileges.
> Using the current workflow requires operators to define the minimum 
> privileges for whatever is using the application credential, and work 
> that into their policy. Is that the intended workflow that we want to 
> put on the users and operators of application credentials?

The plan is to add an authorisation mechanism that is user-controlled 
and independent of the (operator-controlled) policy. The beginnings of 
this were included in earlier drafts of the spec, but were removed in 
patch set 19 in favour of leaving them for a future spec:


- ZB

More information about the OpenStack-dev mailing list