Project-scoped app creds - Best practice
rafaelweingartner at gmail.com
Thu Nov 25 23:20:28 UTC 2021
We actually faced a similar situation and we extended Keystone to support
the concept of Project bound credentials, which means credentials that are
owned by a project and not by a user. Therefore, the credentials are shared
by all users of a project.
The spec is the following:
We have it already running in PROD for over 6 months now, and it is also
integrated with RadosGW<>Keystone authentication.
On Thu, Nov 25, 2021 at 7:53 PM Ryan Bannon <ryan.bannon at gmail.com> wrote:
> Hello all,
> Relatively new to OpenStack.
> To my understanding, application credentials are bound to users. Is there
> a way to bind them to Projects (I assume not) or, perhaps, Groups? My naive
> thought on a possible solution is that if a group has access to a Project,
> a "generic" user account that everybody has access to could be used for the
> application credentials. (The use case here is to not bind an app cred to
> an individual who might leave the organization, thus making the app cred
> secret lost.)