Bug 1125091

Summary: [RFE][keystone]: Enable filtering of credentials by user_id
Product: Red Hat OpenStack
Reporter: RHOS Integration <rhos-integ>
Component: RFEs
Assignee: RHOS Maint <rhos-maint>
Status: CLOSED UPSTREAM
Severity: medium
Priority: unspecified
Version: unspecified
CC: markmc, nkinder, ukalifon, yeylon
Target Milestone: Upstream M3
Keywords: FutureFeature
Target Release: ---
Hardware: Unspecified
OS: Unspecified
URL: https://blueprints.launchpad.net/keystone/+spec/filter-credentials-by-user
Whiteboard: upstream_milestone_juno-3 upstream_definition_new upstream_status_implemented
Doc Type: Enhancement

Description RHOS Integration 2014-07-31 04:04:02 UTC
Cloned from launchpad blueprint https://blueprints.launchpad.net/keystone/+spec/filter-credentials-by-user.

Description:

A credentials entity has a user_id attribute.  Currently the lack of a filter of user_id means that we cannot use the keystone policy file to enable users to have access to (only) their credentials.  This can be solved by adding such a filter.

Specification URL (additional information):

None

Comment 1 Udi Kalifon 2014-10-26 10:21:27 UTC
When trying to read the full specification of this blueprint, I encounter a "not allowed"...

1) QE needs to get documentation on the syntax and workings of credentials. Currently, all the credentials we try to write ourselves in the policy file don't work as expected.
2) What are possible use cases of credentials that filter by user id?
3) What are all the other possible filters that are supported?

Comment 2 Nathan Kinder 2014-10-27 20:56:03 UTC
(In reply to Udi from comment #1)
> When trying to read the full specification of this blueprint, I encounter a
> "not allowed"...
> 
> 1) QE needs to get documentation on the syntax and workings of credentials.

See the existing Identity API documentation on the credentials calls:

  http://developer.openstack.org/api-ref-identity-v3.html#credentials-v3

If you connect to keystone using v3 with python-openstackclient, you also have the following commands that exercise the credentials APIs:

- credential create
- credential delete
- credential list
- credential set
- credential show
 
> Currently, all the credentials we try to write ourselves in the policy file
> don't work as expected.

This isn't directly a policy fix, though a policy example was provided:

  https://review.openstack.org/#/c/113232/7/etc/policy.v3cloudsample.json

This policy change will allow a regular user to list all of their own credentials (assuming they use the new user_id parameter to the list credentials call).

> 2) What are possible use cases of credentials that filter by user id?

When listing credentials that are stored as an admin user, I may only want to see the credentials stored by a particular user instead of every credential in the entire database.  As a regular user, I may want to list all of my credentials that I stored.  That's what this feature allows.  Previously, the list credentials call only listed all credentials in the database, which means that the user had no way to list their own credentials since the operation had to be restricted to admin users to prevent one user from viewing another's credentials.

> 3) What are all the other possible filters that are supported?

The API docs show the details.  You can retrieve a single credential by its id, list all credentials, or list all credentials for a specified user (which is this new feature).
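
The behaviour described in comment 2, as an added example that is not part of the original thread and is not keystone's own code or policy engine: a simplified model of how a user_id filter lets a policy rule grant regular users access to only their own credentials. The rule string, the sample credentials and the function names (`check_rule`, `list_credentials`, `attempt`) are assumptions made for illustration.

```python
# Added example: a simplified model, not keystone's policy engine or API code.
# RULE is an assumed rule string of the "admin or user_id:%(user_id)s" shape.
RULE = "role:admin or user_id:%(user_id)s"

# Constructed sample data standing in for the credential table.
CREDENTIALS = [
    {"id": "c1", "user_id": "alice", "type": "ec2"},
    {"id": "c2", "user_id": "bob", "type": "ec2"},
    {"id": "c3", "user_id": "alice", "type": "cert"},
]


def check_rule(rule, token, target):
    """Return True if any 'or' clause of the rule matches the caller's token."""
    for clause in rule.split(" or "):
        kind, _, pattern = clause.strip().partition(":")
        try:
            # %(user_id)s is filled in from the request's query filter.
            expected = pattern % target
        except KeyError:
            continue  # no user_id filter in the request: clause cannot match
        if kind == "role" and expected in token["roles"]:
            return True
        if kind == "user_id" and expected == token["user_id"]:
            return True
    return False


def list_credentials(token, user_id=None):
    """List credentials, optionally filtered by user_id, after the policy check."""
    target = {} if user_id is None else {"user_id": user_id}
    if not check_rule(RULE, token, target):
        raise PermissionError("identity:list_credentials denied")
    return [c["id"] for c in CREDENTIALS
            if user_id is None or c["user_id"] == user_id]


def attempt(token, user_id=None):
    """Helper for the demo: return the listed ids, or 'denied'."""
    try:
        return list_credentials(token, user_id)
    except PermissionError:
        return "denied"


if __name__ == "__main__":
    alice = {"user_id": "alice", "roles": ["member"]}
    admin = {"user_id": "root", "roles": ["admin"]}
    for who, flt in [(alice, "alice"), (alice, None), (alice, "bob"), (admin, None)]:
        print(who["user_id"], flt, attempt(who, flt))
```

Without the filter, the only safe rule for the list call is admin-only, which is the pre-feature situation the comment describes; with it, the unfiltered and cross-user requests from a regular user are still denied.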