Cloned from launchpad blueprint https://blueprints.launchpad.net/keystone/+spec/filter-credentials-by-user.
A credentials entity has a user_id attribute. Currently the lack of a filter of user_id means that we cannot use the keystone policy file to enable users to have access to (only) their credentials. This can be solved by adding such a filter.
Specification URL (additional information):
When trying to read the full specification of this blueprint, I encounter a "not allowed"...
1) QE needs to get documentation on the syntax and workings of credentials. Currently, all the credentials we try to write ourselves in the policy file don't work as expected.
2) What are possible use cases of credentials that filter by user id?
3) What are all the other possible filters that are supported?
(In reply to Udi from comment #1)
> When trying to read the full specification of this blueprint, I encounter a
> "not allowed"...
> 1) QE needs to get documentation on the syntax and workings of credentials.
See the existing Identity API documentation on the credentials calls:
If you connect to keystone using v3 with python-openstackclient, you also have the following commands that exercise the credentials APIs:
- credential create
- credential delete
- credential list
- credential set
- credential show
> Currently, all the credentials we try to write ourselves in the policy file
> don't work as expected.
This isn't directly a policy fix, though a policy example was provided:
This policy change will allow a regular user to list all of their own credentials (assuming they use the new user_id parameter to the list credentials call).
> 2) What are possible use cases of credentials that filter by user id?
When listing credentials that are stored as an admin user, I may only want to see the credentials stored by a particular user instead of every credential in the entire database. As a regular user, I may want to list all of my credentials that I stored. That's what this feature allows. Previously, the list credentials call only listed all credentials in the database, which means that the user had no way to list their own credentials since the operation had to be restricted to admin users to prevent one user from viewing another's credentials.
> 3) What are all the other possible filters that are supported?
The API docs show the details. You can retrieve a single credential by its id, list all credentials, or list all credentials for a specified user (which is this new feature).
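As an added illustration (not keystone's code and not part of the original comments), here is a simplified Python model of why the user_id filter matters for policy: an owner-or-admin check on the list call can only compare the caller against a user_id that the request actually carries. The function names, the caller dictionaries and the sample credentials are assumptions made up for this sketch.

```python
from dataclasses import dataclass


class Forbidden(Exception):
    """Raised when the policy check rejects a request."""


@dataclass(frozen=True)
class Credential:
    id: str
    user_id: str
    type: str


# Constructed sample data: two users, three stored credentials.
STORE = [
    Credential("c1", "alice", "ec2"),
    Credential("c2", "alice", "cert"),
    Credential("c3", "bob", "ec2"),
]

# Hypothetical callers used by the sketch.
ADMIN = {"user_id": "admin", "is_admin": True}
ALICE = {"user_id": "alice", "is_admin": False}


def list_allowed(caller, filters):
    """Owner-or-admin rule evaluated against the request's filters.

    A non-admin passes only when the request names their own user_id, so an
    unfiltered list (nothing to compare against) stays admin-only.
    """
    if caller["is_admin"]:
        return True
    return "user_id" in filters and filters["user_id"] == caller["user_id"]


def list_credentials(caller, user_id=None):
    """List credentials, optionally restricted to one user's entries."""
    filters = {} if user_id is None else {"user_id": user_id}
    if not list_allowed(caller, filters):
        raise Forbidden("caller may not list these credentials")
    return [c for c in STORE if user_id is None or c.user_id == user_id]


if __name__ == "__main__":
    print([c.id for c in list_credentials(ADMIN)])
    print([c.id for c in list_credentials(ALICE, user_id="alice")])
```

In this model a regular user's unfiltered list and a list filtered on someone else's user_id are both rejected, while the same user's filtered request for their own entries succeeds.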