Bug 1125091 - [RFE][keystone]: Enable filtering of credentials by user_id
Keywords:
Status: CLOSED UPSTREAM
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: RFEs
Version: unspecified
Hardware: Unspecified
OS: Unspecified
unspecified
medium
Target Milestone: Upstream M3
Assignee: RHOS Maint
QA Contact:
URL: https://blueprints.launchpad.net/keys...
Whiteboard: upstream_milestone_juno-3 upstream_de...
Depends On:
Blocks:
 
Reported: 2014-07-31 04:04 UTC by RHOS Integration
Modified: 2015-03-19 17:39 UTC

Fixed In Version:
Doc Type: Enhancement
Doc Text:
Clone Of:
Environment:
Last Closed:



Description RHOS Integration 2014-07-31 04:04:02 UTC
Cloned from launchpad blueprint https://blueprints.launchpad.net/keystone/+spec/filter-credentials-by-user.

Description:

A credentials entity has a user_id attribute.  Currently the lack of a filter of user_id means that we cannot use the keystone policy file to enable users to have access to (only) their credentials.  This can be solved by adding such a filter.

Specification URL (additional information):

None

Comment 1 Udi 2014-10-26 10:21:27 UTC
When trying to read the full specification of this blueprint, I encounter a "not allowed"...

1) QE needs to get documentation on the syntax and workings of credentials. Currently, all the credentials we try to write ourselves in the policy file don't work as expected.
2) What are possible use cases of credentials that filter by user id?
3) What are all the other possible filters that are supported?

Comment 2 Nathan Kinder 2014-10-27 20:56:03 UTC
(In reply to Udi from comment #1)
> When trying to read the full specification of this blueprint, I encounter a
> "not allowed"...
> 
> 1) QE needs to get documentation on the syntax and workings of credentials.

See the existing Identity API documentation on the credentials calls:

  http://developer.openstack.org/api-ref-identity-v3.html#credentials-v3

If you connect to keystone using v3 with python-openstackclient, you also have the following commands that exercise the credentials APIs:

- credential create
- credential delete
- credential list
- credential set
- credential show
 
> Currently, all the credentials we try to write ourselves in the policy file
> don't work as expected.

This isn't directly a policy fix, though a policy example was provided:

  https://review.openstack.org/#/c/113232/7/etc/policy.v3cloudsample.json

This policy change will allow a regular user to list all of their own credentials (assuming they use the new user_id parameter to the list credentials call).

> 2) What are possible use cases of credentials that filter by user id?

When listing credentials that are stored as an admin user, I may only want to see the credentials stored by a particular user instead of every credential in the entire database.  As a regular user, I may want to list all of my credentials that I stored.  That's what this feature allows.  Previously, the list credentials call only listed all credentials in the database, which means that the user had no way to list their own credentials since the operation had to be restricted to admin users to prevent one user from viewing another's credentials.

> 3) What are all the other possible filters that are supported?

The API docs show the details.  You can retrieve a single credential by its id, list all credentials, or list all credentials for a specified user (which is this new feature).
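
Added example (not part of the comments above and not keystone code): a small Python model of why the user_id filter lets the list call be opened to regular users. The rule semantics ("admin, or the user_id filter equals the caller's own id"), the sample data and all function names are assumptions made for illustration.

```python
# Simplified model of the list-credentials behaviour discussed in this bug.
# Not keystone code: names, rule semantics and data are illustrative assumptions.

CREDENTIALS = [  # constructed sample data
    {"id": "c1", "user_id": "alice", "type": "ec2"},
    {"id": "c2", "user_id": "bob", "type": "ec2"},
    {"id": "c3", "user_id": "alice", "type": "cert"},
]

ALICE = {"user_id": "alice", "roles": ["member"]}  # constructed regular user
ADMIN = {"user_id": "root", "roles": ["admin"]}    # constructed admin user


class Forbidden(Exception):
    """Raised when the policy check rejects the request."""


def may_list(token, filters):
    """Policy check for the list call.

    Admins always pass. A regular user passes only when the request is
    scoped to their own user_id, so the result can never contain another
    user's credentials.
    """
    if "admin" in token["roles"]:
        return True
    wanted = filters.get("user_id")
    return wanted is not None and wanted == token["user_id"]


def list_credentials(token, **filters):
    """Enforce the policy first, then apply the user_id filter to the store."""
    if not may_list(token, filters):
        raise Forbidden("list_credentials denied for %s" % token["user_id"])
    wanted = filters.get("user_id")
    return [c for c in CREDENTIALS if wanted is None or c["user_id"] == wanted]


def try_list(token, **filters):
    """Return the sorted credential ids, or the string "403" when denied."""
    try:
        return sorted(c["id"] for c in list_credentials(token, **filters))
    except Forbidden:
        return "403"


if __name__ == "__main__":
    print(try_list(ALICE))                   # unfiltered list as a regular user
    print(try_list(ALICE, user_id="alice"))  # own credentials
    print(try_list(ALICE, user_id="bob"))    # someone else's credentials
    print(try_list(ADMIN, user_id="bob"))    # admin narrowing to one user
```

Without the filter, the only safe policy for the list call is admin-only, because an unfiltered result always spans every user; the denied unfiltered call for the regular user models that earlier state.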

