Project-scoped app creds - Best practice

Ryan Bannon ryan.bannon at gmail.com
Fri Nov 26 17:17:58 UTC 2021


Hi all,

Rafael, thanks for the notes! That's a great initiative. Although it looks
like it has stalled in the review phase...? (I'm new to interpreting the
development workflow for OpenStack.)

To all: does anybody else have input on how they solved this issue?

Tx,

Ryan

On Thu, Nov 25, 2021 at 6:21 PM Rafael Weingärtner <
rafaelweingartner at gmail.com> wrote:

> Hello Ryan,
> We actually faced a similar situation and we extended Keystone to support
> the concept of Project bound credentials, which means, credentials that are
> owned by a project and not by a user. Therefore, the credentials are shared
> by all users of a project.
>
> The spec is the following:
> https://review.opendev.org/c/openstack/keystone-specs/+/766725
>
> We have it already running in PROD for over 6 months now, and it is also
> integrated with RadosGW<>Keystone authentication.
>
> On Thu, Nov 25, 2021 at 7:53 PM Ryan Bannon <ryan.bannon at gmail.com> wrote:
>
>> Hello all,
>>
>> Relatively new to OpenStack.
>>
>> To my understanding, application credentials are bound to users. Is there
>> a way to bind them to Projects (I assume not) or, perhaps, Groups? My naive
>> thought on a possible solution is that if a group has access to a Project,
>> a "generic" user account that everybody has access to could be used for the
>> application credentials. (The use case here is to not bind an app cred to
>> an individual who might leave the organization, thus making the app cred
>> secret lost.)
>>
>> Thanks,
>>
>> Ryan
>>
>
>
> --
> Rafael Weingärtner
>