)]}'
{"specs/keystone/stein/refreshable-app-creds.rst":[{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"c76a352da08565b7e157597d4f33a51b90c61b40","unresolved":false,"context_lines":[{"line_number":50,"context_line":"Do nothing and not allow application credentials for federated users."},{"line_number":51,"context_line":"Currently, the only way to have application credentials, or trusts for"},{"line_number":52,"context_line":"federated users is to effectively grant them the role, rather than"},{"line_number":53,"context_line":"be mapped to it via group membership."},{"line_number":54,"context_line":""},{"line_number":55,"context_line":"Security Impact"},{"line_number":56,"context_line":"---------------"}],"source_content_type":"text/x-rst","patch_set":1,"id":"3f79a3b5_e5baa409","line":53,"updated":"2018-10-08 19:09:25.000000000","message":"Since the problem description is targeted to federated users, I\u0027d be fine omitting this as a viable alternative since doing nothing isn\u0027t really a solution.","commit_id":"c92377039f52306d80f535fbf6dbc57fd7257004"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"c76a352da08565b7e157597d4f33a51b90c61b40","unresolved":false,"context_lines":[{"line_number":59,"context_line":"get notified when a users permissions are revoked, there will be a lag"},{"line_number":60,"context_line":"between when a user has their permissions revoked and their application"},{"line_number":61,"context_line":"credentials expire. 
During that time they will be able to log in, but"},{"line_number":62,"context_line":"unable to renew the application credential."},{"line_number":63,"context_line":""},{"line_number":64,"context_line":"Notifications Impact"},{"line_number":65,"context_line":"--------------------"}],"source_content_type":"text/x-rst","patch_set":1,"id":"3f79a3b5_054b2028","line":62,"updated":"2018-10-08 19:09:25.000000000","message":"The application will also be able to continue assuming authorization granted by the groups until the application credential expires.\n\nOperators can work around this by manually revoking the application credential. Users can work around this by setting relatively short expiration windows on their application credentials.","commit_id":"c92377039f52306d80f535fbf6dbc57fd7257004"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"c76a352da08565b7e157597d4f33a51b90c61b40","unresolved":false,"context_lines":[{"line_number":64,"context_line":"Notifications Impact"},{"line_number":65,"context_line":"--------------------"},{"line_number":66,"context_line":""},{"line_number":67,"context_line":"A notification will be emitted when an application credential is renewed,"},{"line_number":68,"context_line":"or when an attempt to renew an application credential fails."},{"line_number":69,"context_line":""},{"line_number":70,"context_line":"Other End User Impact"}],"source_content_type":"text/x-rst","patch_set":1,"id":"3f79a3b5_c55e88e7","line":67,"range":{"start_line":67,"start_character":65,"end_line":67,"end_character":72},"updated":"2018-10-08 19:09:25.000000000","message":"nit: refreshed*\n\nWe seem to be using renewed and refreshed interchangeably. 
Do we want to settle on one?","commit_id":"c92377039f52306d80f535fbf6dbc57fd7257004"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"c76a352da08565b7e157597d4f33a51b90c61b40","unresolved":false,"context_lines":[{"line_number":80,"context_line":"Other Deployer Impact"},{"line_number":81,"context_line":"---------------------"},{"line_number":82,"context_line":""},{"line_number":83,"context_line":" * New configuration option for `expiration_time`."},{"line_number":84,"context_line":""},{"line_number":85,"context_line":""},{"line_number":86,"context_line":"Developer Impact"}],"source_content_type":"text/x-rst","patch_set":1,"id":"3f79a3b5_25f41cd0","line":83,"range":{"start_line":83,"start_character":33,"end_line":83,"end_character":48},"updated":"2018-10-08 19:09:25.000000000","message":"Application credentials already have an attribute called `expires_at`. Does setting this new configuration option always enforce the setting of expires_at on new application credentials?\n\nFood for thought, but what if we just treated this as a boolean. 
For example `keystone.conf [application_credential] enforce_refresh \u003d True` which requires users to always have expires_at populated in their application credentials?\n\nThis could be problematic for inter-op between deployments though.","commit_id":"c92377039f52306d80f535fbf6dbc57fd7257004"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"c76a352da08565b7e157597d4f33a51b90c61b40","unresolved":false,"context_lines":[{"line_number":82,"context_line":""},{"line_number":83,"context_line":" * New configuration option for `expiration_time`."},{"line_number":84,"context_line":""},{"line_number":85,"context_line":""},{"line_number":86,"context_line":"Developer Impact"},{"line_number":87,"context_line":"----------------"},{"line_number":88,"context_line":""}],"source_content_type":"text/x-rst","patch_set":1,"id":"3f79a3b5_256f3c94","line":85,"updated":"2018-10-08 19:09:25.000000000","message":"nit: extra newline","commit_id":"c92377039f52306d80f535fbf6dbc57fd7257004"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"c76a352da08565b7e157597d4f33a51b90c61b40","unresolved":false,"context_lines":[{"line_number":88,"context_line":""},{"line_number":89,"context_line":"None"},{"line_number":90,"context_line":""},{"line_number":91,"context_line":""},{"line_number":92,"context_line":"Implementation"},{"line_number":93,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":94,"context_line":""}],"source_content_type":"text/x-rst","patch_set":1,"id":"3f79a3b5_456a7882","line":91,"updated":"2018-10-08 19:09:25.000000000","message":"nit: extra new line","commit_id":"c92377039f52306d80f535fbf6dbc57fd7257004"}],"specs/keystone/stein/renewable-app-creds.rst":[{"author":{"_account_id":5046,"name":"Lance 
Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"837ec0fee68f4cb9d644fd648757b69511d247f8","unresolved":false,"context_lines":[{"line_number":11,"context_line":"`bp renewable-app-creds \u003chttps://blueprints.launchpad.net/keystone/+spec/renewable-app-creds\u003e`_"},{"line_number":12,"context_line":""},{"line_number":13,"context_line":""},{"line_number":14,"context_line":"Allow creation of applications credentials (AppCreds) based on the"},{"line_number":15,"context_line":"authorization of mapped group assignments. The application credentials will"},{"line_number":16,"context_line":"require the user who created the application credential to log in with the"},{"line_number":17,"context_line":"same authorization in the external identity provider, in order to renew it."}],"source_content_type":"text/x-rst","patch_set":2,"id":"3f79a3b5_8c2170b5","line":14,"range":{"start_line":14,"start_character":44,"end_line":14,"end_character":52},"updated":"2018-12-04 20:11:53.000000000","message":"This is new to me. We don\u0027t really use this convention anywhere else in keystone for documenting resources.","commit_id":"e8bba52f6ed10b851525176c1cf453c0fee9a1df"},{"author":{"_account_id":2903,"name":"Morgan Fainberg","email":"morgan.fainberg@gmail.com","username":"mdrnstm"},"change_message_id":"68e19af281bdd5a86feae74a24be68837b4aaa8a","unresolved":false,"context_lines":[{"line_number":11,"context_line":"`bp renewable-app-creds \u003chttps://blueprints.launchpad.net/keystone/+spec/renewable-app-creds\u003e`_"},{"line_number":12,"context_line":""},{"line_number":13,"context_line":""},{"line_number":14,"context_line":"Allow creation of applications credentials (AppCreds) based on the"},{"line_number":15,"context_line":"authorization of mapped group assignments. 
The application credentials will"},{"line_number":16,"context_line":"require the user who created the application credential to log in with the"},{"line_number":17,"context_line":"same authorization in the external identity provider, in order to renew it."}],"source_content_type":"text/x-rst","patch_set":2,"id":"3f79a3b5_f540998c","line":14,"range":{"start_line":14,"start_character":44,"end_line":14,"end_character":52},"in_reply_to":"3f79a3b5_7a61e30e","updated":"2018-12-07 19:13:59.000000000","message":"++ please don\u0027t use \"AppCreds\" where application credentials will work.","commit_id":"e8bba52f6ed10b851525176c1cf453c0fee9a1df"},{"author":{"_account_id":8482,"name":"Colleen Murphy","email":"colleen@gazlene.net","username":"krinkle"},"change_message_id":"45283b66c050eadf1b4675c6d333fba2b6257631","unresolved":false,"context_lines":[{"line_number":11,"context_line":"`bp renewable-app-creds \u003chttps://blueprints.launchpad.net/keystone/+spec/renewable-app-creds\u003e`_"},{"line_number":12,"context_line":""},{"line_number":13,"context_line":""},{"line_number":14,"context_line":"Allow creation of applications credentials (AppCreds) based on the"},{"line_number":15,"context_line":"authorization of mapped group assignments. The application credentials will"},{"line_number":16,"context_line":"require the user who created the application credential to log in with the"},{"line_number":17,"context_line":"same authorization in the external identity provider, in order to renew it."}],"source_content_type":"text/x-rst","patch_set":2,"id":"3f79a3b5_7a61e30e","line":14,"range":{"start_line":14,"start_character":44,"end_line":14,"end_character":52},"in_reply_to":"3f79a3b5_8c2170b5","updated":"2018-12-07 10:35:18.000000000","message":"I\u0027d prefer to continue referring to them officially in the long form, \"application credentials\". 
We use \"app creds\" when discussing them casually but we don\u0027t need to note that in this document.","commit_id":"e8bba52f6ed10b851525176c1cf453c0fee9a1df"},{"author":{"_account_id":16465,"name":"Kristi Nikolla","email":"knikolla@bu.edu","username":"knikolla"},"change_message_id":"55204f71c8b02aef4a937d9b8e37353d822a52eb","unresolved":false,"context_lines":[{"line_number":11,"context_line":"`bp renewable-app-creds \u003chttps://blueprints.launchpad.net/keystone/+spec/renewable-app-creds\u003e`_"},{"line_number":12,"context_line":""},{"line_number":13,"context_line":""},{"line_number":14,"context_line":"Allow creation of applications credentials (AppCreds) based on the"},{"line_number":15,"context_line":"authorization of mapped group assignments. The application credentials will"},{"line_number":16,"context_line":"require the user who created the application credential to log in with the"},{"line_number":17,"context_line":"same authorization in the external identity provider, in order to renew it."}],"source_content_type":"text/x-rst","patch_set":2,"id":"3f79a3b5_d061eba4","line":14,"range":{"start_line":14,"start_character":44,"end_line":14,"end_character":52},"in_reply_to":"3f79a3b5_f540998c","updated":"2018-12-07 19:27:47.000000000","message":"Ack. 
Will revise.","commit_id":"e8bba52f6ed10b851525176c1cf453c0fee9a1df"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"837ec0fee68f4cb9d644fd648757b69511d247f8","unresolved":false,"context_lines":[{"line_number":28,"context_line":""},{"line_number":29,"context_line":"We cannot make either the role or the group membership permanent, because that"},{"line_number":30,"context_line":"user would then have those permissions even if their state in the external"},{"line_number":31,"context_line":"identity provider changes."},{"line_number":32,"context_line":""},{"line_number":33,"context_line":"Proposed Change"},{"line_number":34,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"}],"source_content_type":"text/x-rst","patch_set":2,"id":"3f79a3b5_cc176857","line":31,"updated":"2018-12-04 20:11:53.000000000","message":"We have a bug that describes this. We should link to it [0].\n\n[0] https://bugs.launchpad.net/keystone/+bug/1589993","commit_id":"e8bba52f6ed10b851525176c1cf453c0fee9a1df"},{"author":{"_account_id":16465,"name":"Kristi Nikolla","email":"knikolla@bu.edu","username":"knikolla"},"change_message_id":"f6601c3f3d412b2a6b0bc6cf1906b7ad78514ec6","unresolved":false,"context_lines":[{"line_number":28,"context_line":""},{"line_number":29,"context_line":"We cannot make either the role or the group membership permanent, because that"},{"line_number":30,"context_line":"user would then have those permissions even if their state in the external"},{"line_number":31,"context_line":"identity provider changes."},{"line_number":32,"context_line":""},{"line_number":33,"context_line":"Proposed 
Change"},{"line_number":34,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"}],"source_content_type":"text/x-rst","patch_set":2,"id":"3f79a3b5_3a16d2f4","line":31,"in_reply_to":"3f79a3b5_1449778b","updated":"2018-12-10 23:33:10.000000000","message":"I went through the docs, and it seems to explicitly say that \"Assignments are actually created for the user which is unlike the ephemeral group memberships.\" So it\u0027s at least well documented.","commit_id":"e8bba52f6ed10b851525176c1cf453c0fee9a1df"},{"author":{"_account_id":16465,"name":"Kristi Nikolla","email":"knikolla@bu.edu","username":"knikolla"},"change_message_id":"55204f71c8b02aef4a937d9b8e37353d822a52eb","unresolved":false,"context_lines":[{"line_number":28,"context_line":""},{"line_number":29,"context_line":"We cannot make either the role or the group membership permanent, because that"},{"line_number":30,"context_line":"user would then have those permissions even if their state in the external"},{"line_number":31,"context_line":"identity provider changes."},{"line_number":32,"context_line":""},{"line_number":33,"context_line":"Proposed Change"},{"line_number":34,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"}],"source_content_type":"text/x-rst","patch_set":2,"id":"3f79a3b5_b08c6f2d","line":31,"in_reply_to":"3f79a3b5_50fddb03","updated":"2018-12-07 19:27:47.000000000","message":"Actually, I think autoprovisioned role assignments are not ephemeral https://github.com/openstack/keystone/blob/b25a655793db0859f9c3e77a013fa26346ec8435/keystone/auth/plugins/mapped.py#L173-L176","commit_id":"e8bba52f6ed10b851525176c1cf453c0fee9a1df"},{"author":{"_account_id":5046,"name":"Lance 
Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"c9d77e72e60fdbe5e71e32f55d3aeb4e5f3dfc8d","unresolved":false,"context_lines":[{"line_number":28,"context_line":""},{"line_number":29,"context_line":"We cannot make either the role or the group membership permanent, because that"},{"line_number":30,"context_line":"user would then have those permissions even if their state in the external"},{"line_number":31,"context_line":"identity provider changes."},{"line_number":32,"context_line":""},{"line_number":33,"context_line":"Proposed Change"},{"line_number":34,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"}],"source_content_type":"text/x-rst","patch_set":2,"id":"3f79a3b5_1449778b","line":31,"in_reply_to":"3f79a3b5_65a91fd9","updated":"2018-12-10 14:48:20.000000000","message":"\u003e Okay, so refreshable application credentials would not be needed\n \u003e *at all* if autoprovisioning is used? Meaning federated users, who\n \u003e are persisted to keystone as shadow users, would always be able to\n \u003e use their application credentials even when they are removed from\n \u003e the IdP backend?\n \u003e \n \u003e It seems to me like we should be moving both types of federated\n \u003e authorizations in the same direction, not constructing a special\n \u003e case for one type. So either:\n \u003e \n \u003e 1. group membership should be persisted in keystone somehow,\n \u003e regardless of the user\u0027s use of app creds or trusts\n\n\nThis specific solution has come up several times in the past and several upstream developers pushed back on it (shadow users and mappings were under active development). Because the implementation never forced the assignments to be refreshed short of having an operator script it or do it manually. IIRC, the first implementations proposing this cropped up before the Atlanta PTG timeframe. 
Historical context [0].\n\n[0] https://review.openstack.org/#/c/415545/\n\n\n \u003e \n \u003e or 2. autoprovisioned role assignments should also expire at some\n \u003e point and must be refreshed in the same way we\u0027re proposing in this\n \u003e spec\n \u003e \n \u003e It seems to me that #1 would be easier to implement and wouldn\u0027t\n \u003e require this spec at all, but #2 is more secure, in fact it seems\n \u003e like a security gap if #2 isn\u0027t covered already.\n \u003e \n \u003e Am I way off?\n\nPretty sure you just summarized about 3.5 years of discussion on the topic...","commit_id":"e8bba52f6ed10b851525176c1cf453c0fee9a1df"},{"author":{"_account_id":8482,"name":"Colleen Murphy","email":"colleen@gazlene.net","username":"krinkle"},"change_message_id":"3fe60a61566e3f7a04ed2bd1830ce96880d9bb88","unresolved":false,"context_lines":[{"line_number":28,"context_line":""},{"line_number":29,"context_line":"We cannot make either the role or the group membership permanent, because that"},{"line_number":30,"context_line":"user would then have those permissions even if their state in the external"},{"line_number":31,"context_line":"identity provider changes."},{"line_number":32,"context_line":""},{"line_number":33,"context_line":"Proposed Change"},{"line_number":34,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"}],"source_content_type":"text/x-rst","patch_set":2,"id":"3f79a3b5_65a91fd9","line":31,"in_reply_to":"3f79a3b5_b08c6f2d","updated":"2018-12-10 10:25:48.000000000","message":"Okay, so refreshable application credentials would not be needed *at all* if autoprovisioning is used? 
Meaning federated users, who are persisted to keystone as shadow users, would always be able to use their application credentials even when they are removed from the IdP backend?\n\nIt seems to me like we should be moving both types of federated authorizations in the same direction, not constructing a special case for one type. So either:\n\n1. group membership should be persisted in keystone somehow, regardless of the user\u0027s use of app creds or trusts\n\nor 2. autoprovisioned role assignments should also expire at some point and must be refreshed in the same way we\u0027re proposing in this spec\n\nIt seems to me that #1 would be easier to implement and wouldn\u0027t require this spec at all, but #2 is more secure, in fact it seems like a security gap if #2 isn\u0027t covered already.\n\nAm I way off?","commit_id":"e8bba52f6ed10b851525176c1cf453c0fee9a1df"},{"author":{"_account_id":8482,"name":"Colleen Murphy","email":"colleen@gazlene.net","username":"krinkle"},"change_message_id":"45283b66c050eadf1b4675c6d333fba2b6257631","unresolved":false,"context_lines":[{"line_number":28,"context_line":""},{"line_number":29,"context_line":"We cannot make either the role or the group membership permanent, because that"},{"line_number":30,"context_line":"user would then have those permissions even if their state in the external"},{"line_number":31,"context_line":"identity provider changes."},{"line_number":32,"context_line":""},{"line_number":33,"context_line":"Proposed Change"},{"line_number":34,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"}],"source_content_type":"text/x-rst","patch_set":2,"id":"3f79a3b5_fa4df393","line":31,"in_reply_to":"3f79a3b5_cc176857","updated":"2018-12-07 10:35:18.000000000","message":"I thought this was just a bug in the implementation, not the core reason for making application credentials refreshable. What about autoprovisioned role assignments? 
Those are similarly ephemeral and need to be addressed in this spec, no?","commit_id":"e8bba52f6ed10b851525176c1cf453c0fee9a1df"},{"author":{"_account_id":2903,"name":"Morgan Fainberg","email":"morgan.fainberg@gmail.com","username":"mdrnstm"},"change_message_id":"68e19af281bdd5a86feae74a24be68837b4aaa8a","unresolved":false,"context_lines":[{"line_number":28,"context_line":""},{"line_number":29,"context_line":"We cannot make either the role or the group membership permanent, because that"},{"line_number":30,"context_line":"user would then have those permissions even if their state in the external"},{"line_number":31,"context_line":"identity provider changes."},{"line_number":32,"context_line":""},{"line_number":33,"context_line":"Proposed Change"},{"line_number":34,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"}],"source_content_type":"text/x-rst","patch_set":2,"id":"3f79a3b5_50fddb03","line":31,"in_reply_to":"3f79a3b5_fa4df393","updated":"2018-12-07 19:13:59.000000000","message":"@Colleen, autoprovisioned roles (if expected to be concrete) are different than roles conveyed by the IDP in my mind. We *could* treat them separately. Autoprovisioning implies concrete definitions. Please let me know if this doesn\u0027t map to your understanding. I am happy to revise what I\u0027m assuming and make autoprovision(ed) similar to ephemeral/replacement for ephemeral. Which case this spec needs to encompass that.","commit_id":"e8bba52f6ed10b851525176c1cf453c0fee9a1df"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"837ec0fee68f4cb9d644fd648757b69511d247f8","unresolved":false,"context_lines":[{"line_number":57,"context_line":"The validity time of the application credential will be dependent on the"},{"line_number":58,"context_line":"identity provider which the AppCred was last renewed from. 
When setting up"},{"line_number":59,"context_line":"and identity provider in keystone, the cloud admin will be able to configure"},{"line_number":60,"context_line":"this setting on a per-idp basis."},{"line_number":61,"context_line":""},{"line_number":62,"context_line":"Implementation"},{"line_number":63,"context_line":"~~~~~~~~~~~~~~"}],"source_content_type":"text/x-rst","patch_set":2,"id":"3f79a3b5_0c0fa038","line":60,"updated":"2018-12-04 20:11:53.000000000","message":"So, all users from a single identity provider will have the same TTL across the board?","commit_id":"e8bba52f6ed10b851525176c1cf453c0fee9a1df"},{"author":{"_account_id":2903,"name":"Morgan Fainberg","email":"morgan.fainberg@gmail.com","username":"mdrnstm"},"change_message_id":"68e19af281bdd5a86feae74a24be68837b4aaa8a","unresolved":false,"context_lines":[{"line_number":57,"context_line":"The validity time of the application credential will be dependent on the"},{"line_number":58,"context_line":"identity provider which the AppCred was last renewed from. When setting up"},{"line_number":59,"context_line":"and identity provider in keystone, the cloud admin will be able to configure"},{"line_number":60,"context_line":"this setting on a per-idp basis."},{"line_number":61,"context_line":""},{"line_number":62,"context_line":"Implementation"},{"line_number":63,"context_line":"~~~~~~~~~~~~~~"}],"source_content_type":"text/x-rst","patch_set":2,"id":"3f79a3b5_d0100b50","line":60,"in_reply_to":"3f79a3b5_0c0fa038","updated":"2018-12-07 19:13:59.000000000","message":"Correct. The IDP conveys the refresh time. This allows for the IDP to change policy and affect everyone. 
It keeps us from having to look at all app creds if the TTL changes.","commit_id":"e8bba52f6ed10b851525176c1cf453c0fee9a1df"},{"author":{"_account_id":8482,"name":"Colleen Murphy","email":"colleen@gazlene.net","username":"krinkle"},"change_message_id":"45283b66c050eadf1b4675c6d333fba2b6257631","unresolved":false,"context_lines":[{"line_number":64,"context_line":""},{"line_number":65,"context_line":"To renew an AppCred, the user will issue a `POST` request to the"},{"line_number":66,"context_line":"`/v3/users/{user_id}/application_credentials/{application_credential_id}/renew`"},{"line_number":67,"context_line":"endpoint."},{"line_number":68,"context_line":""},{"line_number":69,"context_line":"The application credential model will be extended to include the fields"},{"line_number":70,"context_line":"`last_renewed` which will store the time of the last renew, and"}],"source_content_type":"text/x-rst","patch_set":2,"id":"3f79a3b5_dd0271b9","line":67,"updated":"2018-12-07 10:35:18.000000000","message":"Could we instead just have it be implicitly renewed when the users requests a token using their normal user credentials?","commit_id":"e8bba52f6ed10b851525176c1cf453c0fee9a1df"},{"author":{"_account_id":16465,"name":"Kristi Nikolla","email":"knikolla@bu.edu","username":"knikolla"},"change_message_id":"55204f71c8b02aef4a937d9b8e37353d822a52eb","unresolved":false,"context_lines":[{"line_number":64,"context_line":""},{"line_number":65,"context_line":"To renew an AppCred, the user will issue a `POST` request to the"},{"line_number":66,"context_line":"`/v3/users/{user_id}/application_credentials/{application_credential_id}/renew`"},{"line_number":67,"context_line":"endpoint."},{"line_number":68,"context_line":""},{"line_number":69,"context_line":"The application credential model will be extended to include the fields"},{"line_number":70,"context_line":"`last_renewed` which will store the time of the last renew, 
and"}],"source_content_type":"text/x-rst","patch_set":2,"id":"3f79a3b5_10f1a3df","line":67,"in_reply_to":"3f79a3b5_b0254faf","updated":"2018-12-07 19:27:47.000000000","message":"That sounds like a great idea. Will revise.","commit_id":"e8bba52f6ed10b851525176c1cf453c0fee9a1df"},{"author":{"_account_id":2903,"name":"Morgan Fainberg","email":"morgan.fainberg@gmail.com","username":"mdrnstm"},"change_message_id":"68e19af281bdd5a86feae74a24be68837b4aaa8a","unresolved":false,"context_lines":[{"line_number":64,"context_line":""},{"line_number":65,"context_line":"To renew an AppCred, the user will issue a `POST` request to the"},{"line_number":66,"context_line":"`/v3/users/{user_id}/application_credentials/{application_credential_id}/renew`"},{"line_number":67,"context_line":"endpoint."},{"line_number":68,"context_line":""},{"line_number":69,"context_line":"The application credential model will be extended to include the fields"},{"line_number":70,"context_line":"`last_renewed` which will store the time of the last renew, and"}],"source_content_type":"text/x-rst","patch_set":2,"id":"3f79a3b5_b0254faf","line":67,"in_reply_to":"3f79a3b5_dd0271b9","updated":"2018-12-07 19:13:59.000000000","message":"I would like this as well. With that said, if it is not easily possible, we can defer and add this as a future feature.","commit_id":"e8bba52f6ed10b851525176c1cf453c0fee9a1df"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"837ec0fee68f4cb9d644fd648757b69511d247f8","unresolved":false,"context_lines":[{"line_number":72,"context_line":"user was logging in from when last renewing the AppCred."},{"line_number":73,"context_line":""},{"line_number":74,"context_line":"Likewise, the identity provider model will be extended to include a new field"},{"line_number":75,"context_line":"`credential_ttl`. 
This will be the default, for existing identity provider"},{"line_number":76,"context_line":"or when creating new identity providers when a custom one is not specified."},{"line_number":77,"context_line":""},{"line_number":78,"context_line":"If `current_time \u003e last_renewed + credential_ttl` then the AppCred"}],"source_content_type":"text/x-rst","patch_set":2,"id":"3f79a3b5_ac054c18","line":75,"range":{"start_line":75,"start_character":1,"end_line":75,"end_character":11},"updated":"2018-12-04 20:11:53.000000000","message":"While application credentials are the only things consuming this initially, I wonder if we should generalize it a bit more. You could technically consume this with trusts, too (even though we probably won\u0027t at least initially).","commit_id":"e8bba52f6ed10b851525176c1cf453c0fee9a1df"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"5947d68b3a56913a41a91d99ec57b9df2f1bb3b7","unresolved":false,"context_lines":[{"line_number":72,"context_line":"user was logging in from when last renewing the AppCred."},{"line_number":73,"context_line":""},{"line_number":74,"context_line":"Likewise, the identity provider model will be extended to include a new field"},{"line_number":75,"context_line":"`credential_ttl`. This will be the default, for existing identity provider"},{"line_number":76,"context_line":"or when creating new identity providers when a custom one is not specified."},{"line_number":77,"context_line":""},{"line_number":78,"context_line":"If `current_time \u003e last_renewed + credential_ttl` then the AppCred"}],"source_content_type":"text/x-rst","patch_set":2,"id":"3f79a3b5_9026136a","line":75,"range":{"start_line":75,"start_character":1,"end_line":75,"end_character":11},"in_reply_to":"3f79a3b5_70501709","updated":"2018-12-07 19:19:29.000000000","message":"Yeah - I agree on the point about trusts. 
I just wondered if we could make the name more generic.","commit_id":"e8bba52f6ed10b851525176c1cf453c0fee9a1df"},{"author":{"_account_id":2903,"name":"Morgan Fainberg","email":"morgan.fainberg@gmail.com","username":"mdrnstm"},"change_message_id":"68e19af281bdd5a86feae74a24be68837b4aaa8a","unresolved":false,"context_lines":[{"line_number":72,"context_line":"user was logging in from when last renewing the AppCred."},{"line_number":73,"context_line":""},{"line_number":74,"context_line":"Likewise, the identity provider model will be extended to include a new field"},{"line_number":75,"context_line":"`credential_ttl`. This will be the default, for existing identity provider"},{"line_number":76,"context_line":"or when creating new identity providers when a custom one is not specified."},{"line_number":77,"context_line":""},{"line_number":78,"context_line":"If `current_time \u003e last_renewed + credential_ttl` then the AppCred"}],"source_content_type":"text/x-rst","patch_set":2,"id":"3f79a3b5_70501709","line":75,"range":{"start_line":75,"start_character":1,"end_line":75,"end_character":11},"in_reply_to":"3f79a3b5_ac054c18","updated":"2018-12-07 19:13:59.000000000","message":"I would like to cease expanding trusts and push folks utilizing trusts towards application credentials as the \"way forward\"...","commit_id":"e8bba52f6ed10b851525176c1cf453c0fee9a1df"},{"author":{"_account_id":8482,"name":"Colleen Murphy","email":"colleen@gazlene.net","username":"krinkle"},"change_message_id":"3fe60a61566e3f7a04ed2bd1830ce96880d9bb88","unresolved":false,"context_lines":[{"line_number":76,"context_line":"or when creating new identity providers when a custom one is not specified."},{"line_number":77,"context_line":""},{"line_number":78,"context_line":"If `current_time \u003e last_renewed + credential_ttl` then the AppCred"},{"line_number":79,"context_line":"will become inactive and the user will be unable to use it for 
authenticating."},{"line_number":80,"context_line":""},{"line_number":81,"context_line":"When creating an application credential `last_renewed` will be set equal to"},{"line_number":82,"context_line":"creation time."}],"source_content_type":"text/x-rst","patch_set":2,"id":"3f79a3b5_45b50319","line":79,"updated":"2018-12-10 10:25:48.000000000","message":"\"become inactive\" \u003d\u003d \"disabled\", not \"deleted\" right? They should be able to refresh it after they realize it\u0027s stopped working","commit_id":"e8bba52f6ed10b851525176c1cf453c0fee9a1df"},{"author":{"_account_id":16465,"name":"Kristi Nikolla","email":"knikolla@bu.edu","username":"knikolla"},"change_message_id":"f6601c3f3d412b2a6b0bc6cf1906b7ad78514ec6","unresolved":false,"context_lines":[{"line_number":76,"context_line":"or when creating new identity providers when a custom one is not specified."},{"line_number":77,"context_line":""},{"line_number":78,"context_line":"If `current_time \u003e last_renewed + credential_ttl` then the AppCred"},{"line_number":79,"context_line":"will become inactive and the user will be unable to use it for authenticating."},{"line_number":80,"context_line":""},{"line_number":81,"context_line":"When creating an application credential `last_renewed` will be set equal to"},{"line_number":82,"context_line":"creation time."}],"source_content_type":"text/x-rst","patch_set":2,"id":"3f79a3b5_ba0182b6","line":79,"in_reply_to":"3f79a3b5_45b50319","updated":"2018-12-10 23:33:10.000000000","message":"correct","commit_id":"e8bba52f6ed10b851525176c1cf453c0fee9a1df"},{"author":{"_account_id":8482,"name":"Colleen Murphy","email":"colleen@gazlene.net","username":"krinkle"},"change_message_id":"45283b66c050eadf1b4675c6d333fba2b6257631","unresolved":false,"context_lines":[{"line_number":90,"context_line":"ephemeral roles (that expire) and concrete roles (that don\u0027t expire) in the"},{"line_number":91,"context_line":"AppCred, and only inactivate the ephemeral roles past validity time 
of the"},{"line_number":92,"context_line":"AppCred. This would allow the users to log in indefinitely even if the"},{"line_number":93,"context_line":"user has been disabled entirely in the external identity provider."},{"line_number":94,"context_line":""},{"line_number":95,"context_line":"Another model would have been to store roles on a per-idp basis, however"},{"line_number":96,"context_line":"since a user authenticates through one identity provider, and therefore will"}],"source_content_type":"text/x-rst","patch_set":2,"id":"3f79a3b5_7d78fd2c","line":93,"updated":"2018-12-07 10:35:18.000000000","message":"I think it makes sense to use the same roles property, since we already implicitly use the roles property to populate all the roles when the user creates an application credential without explicitly assigning roles. I just want to make sure that the behavior is correct when the user *does* make explicit use of the roles property: if the user still has those explicit roles, even if they have lost some other roles or gained additional roles, the application credential should still work.","commit_id":"e8bba52f6ed10b851525176c1cf453c0fee9a1df"},{"author":{"_account_id":8482,"name":"Colleen Murphy","email":"colleen@gazlene.net","username":"krinkle"},"change_message_id":"45283b66c050eadf1b4675c6d333fba2b6257631","unresolved":false,"context_lines":[{"line_number":103,"context_line":"Since Keystone doesn\u0027t have access to the external identity provider to"},{"line_number":104,"context_line":"get notified when a users permissions are revoked, there will be a lag"},{"line_number":105,"context_line":"between when a user has their permissions revoked and their application"},{"line_number":106,"context_line":"credentials expire. 
During that time they will be able to log in, but"},{"line_number":107,"context_line":"unable to renew the application credential."},{"line_number":108,"context_line":""},{"line_number":109,"context_line":"Notifications Impact"}],"source_content_type":"text/x-rst","patch_set":2,"id":"3f79a3b5_3d1da577","line":106,"range":{"start_line":106,"start_character":58,"end_line":106,"end_character":65},"updated":"2018-12-07 10:35:18.000000000","message":"For clarity, I think you mean \"use the application credential\", not \"log in\"","commit_id":"e8bba52f6ed10b851525176c1cf453c0fee9a1df"},{"author":{"_account_id":2903,"name":"Morgan Fainberg","email":"morgan.fainberg@gmail.com","username":"mdrnstm"},"change_message_id":"68e19af281bdd5a86feae74a24be68837b4aaa8a","unresolved":false,"context_lines":[{"line_number":100,"context_line":"Security Impact"},{"line_number":101,"context_line":"---------------"},{"line_number":102,"context_line":""},{"line_number":103,"context_line":"Since Keystone doesn\u0027t have access to the external identity provider to"},{"line_number":104,"context_line":"get notified when a users permissions are revoked, there will be a lag"},{"line_number":105,"context_line":"between when a user has their permissions revoked and their application"},{"line_number":106,"context_line":"credentials expire. During that time they will be able to log in, but"},{"line_number":107,"context_line":"unable to renew the application credential."},{"line_number":108,"context_line":""},{"line_number":109,"context_line":"Notifications Impact"},{"line_number":110,"context_line":"--------------------"}],"source_content_type":"text/x-rst","patch_set":2,"id":"3f79a3b5_d0ac8bed","line":107,"range":{"start_line":103,"start_character":0,"end_line":107,"end_character":43},"updated":"2018-12-07 19:13:59.000000000","message":"I\u0027m not clear on what happens with the concrete role assignments (if they exist) for a federated login (IIRC we can do that now). 
If the application cred only uses the concrete roles, does this app cred still get forced to have a TTL? IF we cannot do the concrete roles today, we can just state that future looking case, if only concrete roles are used keystone will not force the idp TTL.","commit_id":"e8bba52f6ed10b851525176c1cf453c0fee9a1df"},{"author":{"_account_id":16465,"name":"Kristi Nikolla","email":"knikolla@bu.edu","username":"knikolla"},"change_message_id":"55204f71c8b02aef4a937d9b8e37353d822a52eb","unresolved":false,"context_lines":[{"line_number":100,"context_line":"Security Impact"},{"line_number":101,"context_line":"---------------"},{"line_number":102,"context_line":""},{"line_number":103,"context_line":"Since Keystone doesn\u0027t have access to the external identity provider to"},{"line_number":104,"context_line":"get notified when a users permissions are revoked, there will be a lag"},{"line_number":105,"context_line":"between when a user has their permissions revoked and their application"},{"line_number":106,"context_line":"credentials expire. During that time they will be able to log in, but"},{"line_number":107,"context_line":"unable to renew the application credential."},{"line_number":108,"context_line":""},{"line_number":109,"context_line":"Notifications Impact"},{"line_number":110,"context_line":"--------------------"}],"source_content_type":"text/x-rst","patch_set":2,"id":"3f79a3b5_f0e187fb","line":107,"range":{"start_line":103,"start_character":0,"end_line":107,"end_character":43},"in_reply_to":"3f79a3b5_d0ac8bed","updated":"2018-12-07 19:27:47.000000000","message":"I was thinking to force all application credentials created through a federated user to have a TTL even if they only have concrete roles. My thinking is that if the user gets *disabled* in the external IdP and they still have an app cred, they will be able to keep using it, potentially indefinitely, until its expiration time, which is user-set. 
Also, autoprovisioning actually creates concrete role assignments if I remember correctly, so a user that gets autoprovisioned a project through the mappings, will have access to it indefinitely.","commit_id":"e8bba52f6ed10b851525176c1cf453c0fee9a1df"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"837ec0fee68f4cb9d644fd648757b69511d247f8","unresolved":false,"context_lines":[{"line_number":120,"context_line":"Performance Impact"},{"line_number":121,"context_line":"------------------"},{"line_number":122,"context_line":""},{"line_number":123,"context_line":"No performance impact."},{"line_number":124,"context_line":""},{"line_number":125,"context_line":"Other Deployer Impact"},{"line_number":126,"context_line":"---------------------"}],"source_content_type":"text/x-rst","patch_set":2,"id":"3f79a3b5_920ae61c","line":123,"range":{"start_line":123,"start_character":0,"end_line":123,"end_character":22},"updated":"2018-12-04 20:11:53.000000000","message":"I can see keystone sustaining additional load to refresh application credentials.","commit_id":"e8bba52f6ed10b851525176c1cf453c0fee9a1df"},{"author":{"_account_id":2903,"name":"Morgan Fainberg","email":"morgan.fainberg@gmail.com","username":"mdrnstm"},"change_message_id":"68e19af281bdd5a86feae74a24be68837b4aaa8a","unresolved":false,"context_lines":[{"line_number":120,"context_line":"Performance Impact"},{"line_number":121,"context_line":"------------------"},{"line_number":122,"context_line":""},{"line_number":123,"context_line":"No performance impact."},{"line_number":124,"context_line":""},{"line_number":125,"context_line":"Other Deployer Impact"},{"line_number":126,"context_line":"---------------------"}],"source_content_type":"text/x-rst","patch_set":2,"id":"3f79a3b5_1090c396","line":123,"range":{"start_line":123,"start_character":0,"end_line":123,"end_character":22},"in_reply_to":"3f79a3b5_920ae61c","updated":"2018-12-07 
19:13:59.000000000","message":"IF it is done as Colleen and I want, it would add extra load. If it is \"on-demand\" refresh, explicitly by the user... I think the performance impact is probably minimal-to-non-existent.","commit_id":"e8bba52f6ed10b851525176c1cf453c0fee9a1df"},{"author":{"_account_id":2903,"name":"Morgan Fainberg","email":"morgan.fainberg@gmail.com","username":"mdrnstm"},"change_message_id":"68e19af281bdd5a86feae74a24be68837b4aaa8a","unresolved":false,"context_lines":[{"line_number":125,"context_line":"Other Deployer Impact"},{"line_number":126,"context_line":"---------------------"},{"line_number":127,"context_line":""},{"line_number":128,"context_line":" * New configuration option for `default_idp_credential_ttl`."},{"line_number":129,"context_line":""},{"line_number":130,"context_line":""},{"line_number":131,"context_line":"Developer Impact"}],"source_content_type":"text/x-rst","patch_set":2,"id":"3f79a3b5_b0cf8fb0","line":128,"range":{"start_line":128,"start_character":1,"end_line":128,"end_character":61},"updated":"2018-12-07 19:13:59.000000000","message":"Is this something we want configurable, or do we just set a relatively sane opinionated default and let the per-idp overrides happen? 
What config group does this go into?","commit_id":"e8bba52f6ed10b851525176c1cf453c0fee9a1df"},{"author":{"_account_id":16465,"name":"Kristi Nikolla","email":"knikolla@bu.edu","username":"knikolla"},"change_message_id":"55204f71c8b02aef4a937d9b8e37353d822a52eb","unresolved":false,"context_lines":[{"line_number":125,"context_line":"Other Deployer Impact"},{"line_number":126,"context_line":"---------------------"},{"line_number":127,"context_line":""},{"line_number":128,"context_line":" * New configuration option for `default_idp_credential_ttl`."},{"line_number":129,"context_line":""},{"line_number":130,"context_line":""},{"line_number":131,"context_line":"Developer Impact"}],"source_content_type":"text/x-rst","patch_set":2,"id":"3f79a3b5_b09eaf65","line":128,"range":{"start_line":128,"start_character":1,"end_line":128,"end_character":61},"in_reply_to":"3f79a3b5_b0cf8fb0","updated":"2018-12-07 19:27:47.000000000","message":"Good  question. It\u0027s either going to federation or application credentials group. I don\u0027t feel particularly strongly about either. 
I also don\u0027t feel strongly about configurable or set in code.","commit_id":"e8bba52f6ed10b851525176c1cf453c0fee9a1df"},{"author":{"_account_id":2903,"name":"Morgan Fainberg","email":"morgan.fainberg@gmail.com","username":"mdrnstm"},"change_message_id":"68e19af281bdd5a86feae74a24be68837b4aaa8a","unresolved":false,"context_lines":[{"line_number":143,"context_line":"Primary assignee:"},{"line_number":144,"context_line":"  knikolla"},{"line_number":145,"context_line":""},{"line_number":146,"context_line":"Other contributors:"},{"line_number":147,"context_line":"  \u003claunchpad-id or None\u003e"},{"line_number":148,"context_line":""},{"line_number":149,"context_line":"Work Items"},{"line_number":150,"context_line":"----------"}],"source_content_type":"text/x-rst","patch_set":2,"id":"3f79a3b5_10be8300","line":147,"range":{"start_line":146,"start_character":0,"end_line":147,"end_character":24},"updated":"2018-12-07 19:13:59.000000000","message":"Remove boilerplate.","commit_id":"e8bba52f6ed10b851525176c1cf453c0fee9a1df"},{"author":{"_account_id":8482,"name":"Colleen Murphy","email":"colleen@gazlene.net","username":"krinkle"},"change_message_id":"564d3cf0c8f8966137312feffd1a2d965e8081b1","unresolved":false,"context_lines":[{"line_number":28,"context_line":""},{"line_number":29,"context_line":"We cannot make either the role or the group membership concrete, because that"},{"line_number":30,"context_line":"user would then have those permissions even if their state in the external"},{"line_number":31,"context_line":"identity provider changes. 
Likewise, when using auto-provisioning, the"},{"line_number":32,"context_line":"role assignment on the auto-provisioned project is done concretely."},{"line_number":33,"context_line":""},{"line_number":34,"context_line":"The problem has been reported and discussed as `bug 1589993"}],"source_content_type":"text/x-rst","patch_set":3,"id":"9fdfeff1_790aee26","line":31,"range":{"start_line":31,"start_character":27,"end_line":31,"end_character":35},"updated":"2019-01-22 15:35:43.000000000","message":"slightly confusing to use \"Likewise\" since it\u0027s actually the opposite case of the previous sentence.","commit_id":"919b3f4f02ceed1e1d44ac8b2e9a2369883a407d"},{"author":{"_account_id":2903,"name":"Morgan Fainberg","email":"morgan.fainberg@gmail.com","username":"mdrnstm"},"change_message_id":"1d214fabacc32295addb1536b5afb8dc9355073b","unresolved":false,"context_lines":[{"line_number":28,"context_line":""},{"line_number":29,"context_line":"We cannot make either the role or the group membership concrete, because that"},{"line_number":30,"context_line":"user would then have those permissions even if their state in the external"},{"line_number":31,"context_line":"identity provider changes. Likewise, when using auto-provisioning, the"},{"line_number":32,"context_line":"role assignment on the auto-provisioned project is done concretely."},{"line_number":33,"context_line":""},{"line_number":34,"context_line":"The problem has been reported and discussed as `bug 1589993"}],"source_content_type":"text/x-rst","patch_set":3,"id":"9fdfeff1_24c5035c","line":31,"range":{"start_line":31,"start_character":27,"end_line":31,"end_character":35},"in_reply_to":"9fdfeff1_790aee26","updated":"2019-01-23 17:19:48.000000000","message":"Agreed, this can be cleaned up in a followup. I think a new paragraph and dropping \"likewise\" would be sufficient to clarify... 
another option:\n\n    \"Alternatively, ...\"","commit_id":"919b3f4f02ceed1e1d44ac8b2e9a2369883a407d"},{"author":{"_account_id":8482,"name":"Colleen Murphy","email":"colleen@gazlene.net","username":"krinkle"},"change_message_id":"564d3cf0c8f8966137312feffd1a2d965e8081b1","unresolved":false,"context_lines":[{"line_number":53,"context_line":"The application credential will become inactive after a set period of time"},{"line_number":54,"context_line":"(detailed below.) To renew or reactivate the application credential, the user"},{"line_number":55,"context_line":"must make a request to renew it."},{"line_number":56,"context_line":"When performing the renew request, the user must present a token that expands"},{"line_number":57,"context_line":"to all the roles that the application credential had, otherwise"},{"line_number":58,"context_line":"renew will fail."},{"line_number":59,"context_line":""},{"line_number":60,"context_line":"If the user has additional roles, they will not be added to the application"},{"line_number":61,"context_line":"credential."}],"source_content_type":"text/x-rst","patch_set":3,"id":"9fdfeff1_3d28d184","line":58,"range":{"start_line":56,"start_character":59,"end_line":58,"end_character":16},"updated":"2019-01-22 15:35:43.000000000","message":"This would also need to exclude tokens created using the v3applicationcredential auth method which would also contain those same roles.","commit_id":"919b3f4f02ceed1e1d44ac8b2e9a2369883a407d"},{"author":{"_account_id":2903,"name":"Morgan Fainberg","email":"morgan.fainberg@gmail.com","username":"mdrnstm"},"change_message_id":"1d214fabacc32295addb1536b5afb8dc9355073b","unresolved":false,"context_lines":[{"line_number":53,"context_line":"The application credential will become inactive after a set period of time"},{"line_number":54,"context_line":"(detailed below.) 
To renew or reactivate the application credential, the user"},{"line_number":55,"context_line":"must make a request to renew it."},{"line_number":56,"context_line":"When performing the renew request, the user must present a token that expands"},{"line_number":57,"context_line":"to all the roles that the application credential had, otherwise"},{"line_number":58,"context_line":"renew will fail."},{"line_number":59,"context_line":""},{"line_number":60,"context_line":"If the user has additional roles, they will not be added to the application"},{"line_number":61,"context_line":"credential."}],"source_content_type":"text/x-rst","patch_set":3,"id":"9fdfeff1_4495a73f","line":58,"range":{"start_line":56,"start_character":59,"end_line":58,"end_character":16},"in_reply_to":"9fdfeff1_3d28d184","updated":"2019-01-23 17:19:48.000000000","message":"Good point.","commit_id":"919b3f4f02ceed1e1d44ac8b2e9a2369883a407d"}],"specs/keystone/train/expiring-group-memberships.rst":[{"author":{"_account_id":8482,"name":"Colleen Murphy","email":"colleen@gazlene.net","username":"krinkle"},"change_message_id":"096302800fa5c85ad9184283d834e97556181cfc","unresolved":false,"context_lines":[{"line_number":52,"context_line":"Expiring group memberships will only be used for user group memberships"},{"line_number":53,"context_line":"through the mapping driver and not through other drivers or backends."},{"line_number":54,"context_line":""},{"line_number":55,"context_line":"The user will be allowed to create application credentials. The user however,"},{"line_number":56,"context_line":"will not be able to use application credentials, trusts, or other mechanisms"},{"line_number":57,"context_line":"of authorization which depend on the expired group memberships."},{"line_number":58,"context_line":""},{"line_number":59,"context_line":"The longevity of the membership will be dependent on the identity provider by"},{"line_number":60,"context_line":"which the user authenticates with. 
When setting up an identity provider in"}],"source_content_type":"text/x-rst","patch_set":9,"id":"9fb8cfa7_c17a7db8","line":57,"range":{"start_line":55,"start_character":60,"end_line":57,"end_character":63},"updated":"2019-06-11 20:28:38.000000000","message":"This sentence is unclear, it reads as though the problem statement is not being solved - but do you just mean that these resources can\u0027t be used after the expiry?","commit_id":"c00e97b95b47ff496d34990f903f31741ef62b9d"},{"author":{"_account_id":16465,"name":"Kristi Nikolla","email":"knikolla@bu.edu","username":"knikolla"},"change_message_id":"c49f77b671c2ef3d0a7966dc382408e876152132","unresolved":false,"context_lines":[{"line_number":52,"context_line":"Expiring group memberships will only be used for user group memberships"},{"line_number":53,"context_line":"through the mapping driver and not through other drivers or backends."},{"line_number":54,"context_line":""},{"line_number":55,"context_line":"The user will be allowed to create application credentials. The user however,"},{"line_number":56,"context_line":"will not be able to use application credentials, trusts, or other mechanisms"},{"line_number":57,"context_line":"of authorization which depend on the expired group memberships."},{"line_number":58,"context_line":""},{"line_number":59,"context_line":"The longevity of the membership will be dependent on the identity provider by"},{"line_number":60,"context_line":"which the user authenticates with. 
When setting up an identity provider in"}],"source_content_type":"text/x-rst","patch_set":9,"id":"7faddb67_68a282fe","line":57,"range":{"start_line":55,"start_character":60,"end_line":57,"end_character":63},"in_reply_to":"7faddb67_453a0fcc","updated":"2019-07-16 15:56:12.000000000","message":"Done","commit_id":"c00e97b95b47ff496d34990f903f31741ef62b9d"},{"author":{"_account_id":16465,"name":"Kristi Nikolla","email":"knikolla@bu.edu","username":"knikolla"},"change_message_id":"b3d121d2f0be6dc6cba765895f98ea9604cb4594","unresolved":false,"context_lines":[{"line_number":52,"context_line":"Expiring group memberships will only be used for user group memberships"},{"line_number":53,"context_line":"through the mapping driver and not through other drivers or backends."},{"line_number":54,"context_line":""},{"line_number":55,"context_line":"The user will be allowed to create application credentials. The user however,"},{"line_number":56,"context_line":"will not be able to use application credentials, trusts, or other mechanisms"},{"line_number":57,"context_line":"of authorization which depend on the expired group memberships."},{"line_number":58,"context_line":""},{"line_number":59,"context_line":"The longevity of the membership will be dependent on the identity provider by"},{"line_number":60,"context_line":"which the user authenticates with. When setting up an identity provider in"}],"source_content_type":"text/x-rst","patch_set":9,"id":"7faddb67_453a0fcc","line":57,"range":{"start_line":55,"start_character":60,"end_line":57,"end_character":63},"in_reply_to":"9fb8cfa7_c17a7db8","updated":"2019-07-16 15:04:21.000000000","message":"Yes, after expiry. 
I will reword the sentence.","commit_id":"c00e97b95b47ff496d34990f903f31741ef62b9d"},{"author":{"_account_id":8482,"name":"Colleen Murphy","email":"colleen@gazlene.net","username":"krinkle"},"change_message_id":"096302800fa5c85ad9184283d834e97556181cfc","unresolved":false,"context_lines":[{"line_number":79,"context_line":"    idp_id \u003d sql.Column(sql.String(64),"},{"line_number":80,"context_line":"                        sql.ForeignKey(\u0027identity_provider.id\u0027),"},{"line_number":81,"context_line":"                        primary_key\u003dTrue)"},{"line_number":82,"context_line":"    last_verified \u003d (sql.Date, nullable\u003dFalse)"},{"line_number":83,"context_line":""},{"line_number":84,"context_line":""},{"line_number":85,"context_line":"`last_verified` which will store the time of the last authentication of the"}],"source_content_type":"text/x-rst","patch_set":9,"id":"9fb8cfa7_e10ea139","line":82,"updated":"2019-06-11 20:28:38.000000000","message":"Could we just add new columns to the existing UserGroupMembership model?","commit_id":"c00e97b95b47ff496d34990f903f31741ef62b9d"},{"author":{"_account_id":16465,"name":"Kristi Nikolla","email":"knikolla@bu.edu","username":"knikolla"},"change_message_id":"b3d121d2f0be6dc6cba765895f98ea9604cb4594","unresolved":false,"context_lines":[{"line_number":79,"context_line":"    idp_id \u003d sql.Column(sql.String(64),"},{"line_number":80,"context_line":"                        sql.ForeignKey(\u0027identity_provider.id\u0027),"},{"line_number":81,"context_line":"                        primary_key\u003dTrue)"},{"line_number":82,"context_line":"    last_verified \u003d (sql.Date, nullable\u003dFalse)"},{"line_number":83,"context_line":""},{"line_number":84,"context_line":""},{"line_number":85,"context_line":"`last_verified` which will store the time of the last authentication of 
the"}],"source_content_type":"text/x-rst","patch_set":9,"id":"7faddb67_259913c3","line":82,"in_reply_to":"9fb8cfa7_e10ea139","updated":"2019-07-16 15:04:21.000000000","message":"We could, but idp_id and last_verified would not apply to normal user group membership rows. It just felt cleaner like this.","commit_id":"c00e97b95b47ff496d34990f903f31741ef62b9d"},{"author":{"_account_id":8482,"name":"Colleen Murphy","email":"colleen@gazlene.net","username":"krinkle"},"change_message_id":"096302800fa5c85ad9184283d834e97556181cfc","unresolved":false,"context_lines":[{"line_number":88,"context_line":"through the identity provider."},{"line_number":89,"context_line":""},{"line_number":90,"context_line":"Likewise, the identity provider model will be extended to include a new field"},{"line_number":91,"context_line":"`require_login_time`. This will be the default, for existing identity provider"},{"line_number":92,"context_line":"or when creating new identity providers when a custom one is not specified."},{"line_number":93,"context_line":""},{"line_number":94,"context_line":"If `current_time \u003e last_active + require_login_time` then the group membership"}],"source_content_type":"text/x-rst","patch_set":9,"id":"9fb8cfa7_e5530c16","line":91,"range":{"start_line":91,"start_character":1,"end_line":91,"end_character":19},"updated":"2019-06-11 20:28:38.000000000","message":"Why not `ttl`?","commit_id":"c00e97b95b47ff496d34990f903f31741ef62b9d"},{"author":{"_account_id":16465,"name":"Kristi Nikolla","email":"knikolla@bu.edu","username":"knikolla"},"change_message_id":"c49f77b671c2ef3d0a7966dc382408e876152132","unresolved":false,"context_lines":[{"line_number":88,"context_line":"through the identity provider."},{"line_number":89,"context_line":""},{"line_number":90,"context_line":"Likewise, the identity provider model will be extended to include a new field"},{"line_number":91,"context_line":"`require_login_time`. 
This will be the default, for existing identity provider"},{"line_number":92,"context_line":"or when creating new identity providers when a custom one is not specified."},{"line_number":93,"context_line":""},{"line_number":94,"context_line":"If `current_time \u003e last_active + require_login_time` then the group membership"}],"source_content_type":"text/x-rst","patch_set":9,"id":"7faddb67_88801e48","line":91,"range":{"start_line":91,"start_character":1,"end_line":91,"end_character":19},"in_reply_to":"7faddb67_85f567ef","updated":"2019-07-16 15:56:12.000000000","message":"Done","commit_id":"c00e97b95b47ff496d34990f903f31741ef62b9d"},{"author":{"_account_id":16465,"name":"Kristi Nikolla","email":"knikolla@bu.edu","username":"knikolla"},"change_message_id":"b3d121d2f0be6dc6cba765895f98ea9604cb4594","unresolved":false,"context_lines":[{"line_number":88,"context_line":"through the identity provider."},{"line_number":89,"context_line":""},{"line_number":90,"context_line":"Likewise, the identity provider model will be extended to include a new field"},{"line_number":91,"context_line":"`require_login_time`. This will be the default, for existing identity provider"},{"line_number":92,"context_line":"or when creating new identity providers when a custom one is not specified."},{"line_number":93,"context_line":""},{"line_number":94,"context_line":"If `current_time \u003e last_active + require_login_time` then the group membership"}],"source_content_type":"text/x-rst","patch_set":9,"id":"7faddb67_85f567ef","line":91,"range":{"start_line":91,"start_character":1,"end_line":91,"end_character":19},"in_reply_to":"9fb8cfa7_e5530c16","updated":"2019-07-16 15:04:21.000000000","message":"Am open to renaming it back to ttl. 
Was just a personal choice.","commit_id":"c00e97b95b47ff496d34990f903f31741ef62b9d"},{"author":{"_account_id":8482,"name":"Colleen Murphy","email":"colleen@gazlene.net","username":"krinkle"},"change_message_id":"096302800fa5c85ad9184283d834e97556181cfc","unresolved":false,"context_lines":[{"line_number":101,"context_line":"------------"},{"line_number":102,"context_line":""},{"line_number":103,"context_line":"Instead of expiring the group membership, expire (disable) the entire user."},{"line_number":104,"context_line":"This would result in the same end-effect if user\u0027s can only come from one"},{"line_number":105,"context_line":"identity provider. This however would prevent further plans for \"linked"},{"line_number":106,"context_line":"accounts\" and user\u0027s having different levels of access based on their method"},{"line_number":107,"context_line":"of authentication."}],"source_content_type":"text/x-rst","patch_set":9,"id":"9fb8cfa7_653f1cb4","line":104,"range":{"start_line":104,"start_character":44,"end_line":104,"end_character":50},"updated":"2019-06-11 20:28:38.000000000","message":"typo? user\u0027s what?","commit_id":"c00e97b95b47ff496d34990f903f31741ef62b9d"},{"author":{"_account_id":16465,"name":"Kristi Nikolla","email":"knikolla@bu.edu","username":"knikolla"},"change_message_id":"c49f77b671c2ef3d0a7966dc382408e876152132","unresolved":false,"context_lines":[{"line_number":101,"context_line":"------------"},{"line_number":102,"context_line":""},{"line_number":103,"context_line":"Instead of expiring the group membership, expire (disable) the entire user."},{"line_number":104,"context_line":"This would result in the same end-effect if user\u0027s can only come from one"},{"line_number":105,"context_line":"identity provider. 
This however would prevent further plans for \"linked"},{"line_number":106,"context_line":"accounts\" and user\u0027s having different levels of access based on their method"},{"line_number":107,"context_line":"of authentication."}],"source_content_type":"text/x-rst","patch_set":9,"id":"7faddb67_e88e7277","line":104,"range":{"start_line":104,"start_character":44,"end_line":104,"end_character":50},"in_reply_to":"7faddb67_e5e3fb32","updated":"2019-07-16 15:56:12.000000000","message":"Done","commit_id":"c00e97b95b47ff496d34990f903f31741ef62b9d"},{"author":{"_account_id":16465,"name":"Kristi Nikolla","email":"knikolla@bu.edu","username":"knikolla"},"change_message_id":"b3d121d2f0be6dc6cba765895f98ea9604cb4594","unresolved":false,"context_lines":[{"line_number":101,"context_line":"------------"},{"line_number":102,"context_line":""},{"line_number":103,"context_line":"Instead of expiring the group membership, expire (disable) the entire user."},{"line_number":104,"context_line":"This would result in the same end-effect if user\u0027s can only come from one"},{"line_number":105,"context_line":"identity provider. 
This however would prevent further plans for \"linked"},{"line_number":106,"context_line":"accounts\" and user\u0027s having different levels of access based on their method"},{"line_number":107,"context_line":"of authentication."}],"source_content_type":"text/x-rst","patch_set":9,"id":"7faddb67_e5e3fb32","line":104,"range":{"start_line":104,"start_character":44,"end_line":104,"end_character":50},"in_reply_to":"9fb8cfa7_653f1cb4","updated":"2019-07-16 15:04:21.000000000","message":"nice catch, i mean users","commit_id":"c00e97b95b47ff496d34990f903f31741ef62b9d"},{"author":{"_account_id":8482,"name":"Colleen Murphy","email":"colleen@gazlene.net","username":"krinkle"},"change_message_id":"096302800fa5c85ad9184283d834e97556181cfc","unresolved":false,"context_lines":[{"line_number":109,"context_line":"Another alternative is to persist the group membership and role assignments in"},{"line_number":110,"context_line":"the application credential, and not add them to the user itself. Then, force"},{"line_number":111,"context_line":"the expiry and renewal on the application credential object. 
This was the"},{"line_number":112,"context_line":"initial proposal prior to discussions with the keystone team and other"},{"line_number":113,"context_line":"stakeholders."},{"line_number":114,"context_line":""},{"line_number":115,"context_line":"Security Impact"}],"source_content_type":"text/x-rst","patch_set":9,"id":"9fb8cfa7_a572f4ab","line":112,"range":{"start_line":112,"start_character":26,"end_line":112,"end_character":37},"updated":"2019-06-11 20:28:38.000000000","message":"This is vague, better to clarify why this isn\u0027t the best approach.","commit_id":"c00e97b95b47ff496d34990f903f31741ef62b9d"},{"author":{"_account_id":16465,"name":"Kristi Nikolla","email":"knikolla@bu.edu","username":"knikolla"},"change_message_id":"b3d121d2f0be6dc6cba765895f98ea9604cb4594","unresolved":false,"context_lines":[{"line_number":109,"context_line":"Another alternative is to persist the group membership and role assignments in"},{"line_number":110,"context_line":"the application credential, and not add them to the user itself. Then, force"},{"line_number":111,"context_line":"the expiry and renewal on the application credential object. 
This was the"},{"line_number":112,"context_line":"initial proposal prior to discussions with the keystone team and other"},{"line_number":113,"context_line":"stakeholders."},{"line_number":114,"context_line":""},{"line_number":115,"context_line":"Security Impact"}],"source_content_type":"text/x-rst","patch_set":9,"id":"7faddb67_c5d83f7c","line":112,"range":{"start_line":112,"start_character":26,"end_line":112,"end_character":37},"in_reply_to":"9fb8cfa7_a572f4ab","updated":"2019-07-16 15:04:21.000000000","message":"Will update with more context.","commit_id":"c00e97b95b47ff496d34990f903f31741ef62b9d"},{"author":{"_account_id":8482,"name":"Colleen Murphy","email":"colleen@gazlene.net","username":"krinkle"},"change_message_id":"096302800fa5c85ad9184283d834e97556181cfc","unresolved":false,"context_lines":[{"line_number":124,"context_line":"Notifications Impact"},{"line_number":125,"context_line":"--------------------"},{"line_number":126,"context_line":""},{"line_number":127,"context_line":"A notification will be emitted when a user is disabled,"},{"line_number":128,"context_line":""},{"line_number":129,"context_line":"Other End User Impact"},{"line_number":130,"context_line":"---------------------"}],"source_content_type":"text/x-rst","patch_set":9,"id":"9fb8cfa7_456bf8b5","line":127,"range":{"start_line":127,"start_character":54,"end_line":127,"end_character":55},"updated":"2019-06-11 20:28:38.000000000","message":"typo? 
Or missing the end of the thought?","commit_id":"c00e97b95b47ff496d34990f903f31741ef62b9d"},{"author":{"_account_id":16465,"name":"Kristi Nikolla","email":"knikolla@bu.edu","username":"knikolla"},"change_message_id":"c49f77b671c2ef3d0a7966dc382408e876152132","unresolved":false,"context_lines":[{"line_number":124,"context_line":"Notifications Impact"},{"line_number":125,"context_line":"--------------------"},{"line_number":126,"context_line":""},{"line_number":127,"context_line":"A notification will be emitted when a user is disabled,"},{"line_number":128,"context_line":""},{"line_number":129,"context_line":"Other End User Impact"},{"line_number":130,"context_line":"---------------------"}],"source_content_type":"text/x-rst","patch_set":9,"id":"7faddb67_284c8a40","line":127,"range":{"start_line":127,"start_character":54,"end_line":127,"end_character":55},"in_reply_to":"7faddb67_05bad708","updated":"2019-07-16 15:56:12.000000000","message":"Done","commit_id":"c00e97b95b47ff496d34990f903f31741ef62b9d"},{"author":{"_account_id":16465,"name":"Kristi Nikolla","email":"knikolla@bu.edu","username":"knikolla"},"change_message_id":"b3d121d2f0be6dc6cba765895f98ea9604cb4594","unresolved":false,"context_lines":[{"line_number":124,"context_line":"Notifications Impact"},{"line_number":125,"context_line":"--------------------"},{"line_number":126,"context_line":""},{"line_number":127,"context_line":"A notification will be emitted when a user is disabled,"},{"line_number":128,"context_line":""},{"line_number":129,"context_line":"Other End User Impact"},{"line_number":130,"context_line":"---------------------"}],"source_content_type":"text/x-rst","patch_set":9,"id":"7faddb67_05bad708","line":127,"range":{"start_line":127,"start_character":54,"end_line":127,"end_character":55},"in_reply_to":"9fb8cfa7_456bf8b5","updated":"2019-07-16 15:04:21.000000000","message":"I forgot to update this from the previous revision. 
Will update.","commit_id":"c00e97b95b47ff496d34990f903f31741ef62b9d"},{"author":{"_account_id":8482,"name":"Colleen Murphy","email":"colleen@gazlene.net","username":"krinkle"},"change_message_id":"2097f3c381d4c60b0d6f4fab38a2848c56921b01","unresolved":false,"context_lines":[{"line_number":91,"context_line":"`authorization_ttl`. This will be the default, for existing identity provider"},{"line_number":92,"context_line":"or when creating new identity providers when a custom one is not specified."},{"line_number":93,"context_line":""},{"line_number":94,"context_line":"If `current_time \u003e last_active + authorization_ttl` then the group membership"},{"line_number":95,"context_line":"will expire and the user will be unable to use authorization dependent on it."},{"line_number":96,"context_line":""},{"line_number":97,"context_line":"The `/v3/users/{user_id}/groups` API will be extended to returns expiring"}],"source_content_type":"text/x-rst","patch_set":10,"id":"7faddb67_34114353","line":94,"range":{"start_line":94,"start_character":19,"end_line":94,"end_character":30},"updated":"2019-07-16 19:35:25.000000000","message":"last_verified","commit_id":"11885fcd929420ef4b4a6524765392296cdba8ab"},{"author":{"_account_id":8482,"name":"Colleen Murphy","email":"colleen@gazlene.net","username":"krinkle"},"change_message_id":"2097f3c381d4c60b0d6f4fab38a2848c56921b01","unresolved":false,"context_lines":[{"line_number":109,"context_line":"Another alternative is to persist the group membership and role assignments in"},{"line_number":110,"context_line":"the application credential, and not add them to the user itself. Then, force"},{"line_number":111,"context_line":"the expiry and renewal on the application credential object. 
This was the"},{"line_number":112,"context_line":"initial proposal prior to discussions with the keystone team and other"},{"line_number":113,"context_line":"stakeholders."},{"line_number":114,"context_line":""},{"line_number":115,"context_line":"Security Impact"}],"source_content_type":"text/x-rst","patch_set":10,"id":"7faddb67_39237ebf","line":112,"range":{"start_line":112,"start_character":26,"end_line":112,"end_character":37},"updated":"2019-07-16 19:35:25.000000000","message":"This is still not clarified","commit_id":"11885fcd929420ef4b4a6524765392296cdba8ab"}],"specs/keystone/train/expiring-users.rst":[{"author":{"_account_id":8482,"name":"Colleen Murphy","email":"colleen@gazlene.net","username":"krinkle"},"change_message_id":"6c313a7f8abcb2f17a4521ae82b933445bb6e573","unresolved":false,"context_lines":[{"line_number":20,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":21,"context_line":""},{"line_number":22,"context_line":"Currently, federated users that receive their role assignments as part of"},{"line_number":23,"context_line":"mapping to a group, cannot create trusts or application credentials. Creation"},{"line_number":24,"context_line":"will fail saying that the user doesn\u0027t have the role. 
That is because that"},{"line_number":25,"context_line":"role assignment is only valid for the duration of their token, and not"},{"line_number":26,"context_line":"permanently added to the user."}],"source_content_type":"text/x-rst","patch_set":8,"id":"9fb8cfa7_dbd98583","line":23,"range":{"start_line":23,"start_character":20,"end_line":23,"end_character":67},"updated":"2019-06-04 17:04:56.000000000","message":"They can create them, they just cannot use them.","commit_id":"9394ac1a22a104494e865703e0ad7be83fa7b00b"},{"author":{"_account_id":8482,"name":"Colleen Murphy","email":"colleen@gazlene.net","username":"krinkle"},"change_message_id":"6c313a7f8abcb2f17a4521ae82b933445bb6e573","unresolved":false,"context_lines":[{"line_number":21,"context_line":""},{"line_number":22,"context_line":"Currently, federated users that receive their role assignments as part of"},{"line_number":23,"context_line":"mapping to a group, cannot create trusts or application credentials. Creation"},{"line_number":24,"context_line":"will fail saying that the user doesn\u0027t have the role. 
That is because that"},{"line_number":25,"context_line":"role assignment is only valid for the duration of their token, and not"},{"line_number":26,"context_line":"permanently added to the user."},{"line_number":27,"context_line":""},{"line_number":28,"context_line":"We cannot make either the role or the group membership concrete, because that"}],"source_content_type":"text/x-rst","patch_set":8,"id":"9fb8cfa7_3b3781b3","line":25,"range":{"start_line":24,"start_character":54,"end_line":25,"end_character":61},"updated":"2019-06-04 17:04:56.000000000","message":"This is misleading, if this was true then for the default life of the token things would work just fine.","commit_id":"9394ac1a22a104494e865703e0ad7be83fa7b00b"},{"author":{"_account_id":8482,"name":"Colleen Murphy","email":"colleen@gazlene.net","username":"krinkle"},"change_message_id":"6c313a7f8abcb2f17a4521ae82b933445bb6e573","unresolved":false,"context_lines":[{"line_number":27,"context_line":""},{"line_number":28,"context_line":"We cannot make either the role or the group membership concrete, because that"},{"line_number":29,"context_line":"user would then have those permissions even if their state in the external"},{"line_number":30,"context_line":"identity provider changes. 
Likewise, when using auto-provisioning, the role"},{"line_number":31,"context_line":"assignment on the auto-provisioned project is done concretely."},{"line_number":32,"context_line":""},{"line_number":33,"context_line":"The problem has been reported and discussed as `bug 1589993"}],"source_content_type":"text/x-rst","patch_set":8,"id":"9fb8cfa7_fb59e9fd","line":30,"range":{"start_line":30,"start_character":27,"end_line":30,"end_character":35},"updated":"2019-06-04 17:04:56.000000000","message":"Confusing use of this word, the rest of the sentence is the opposite of likewise.","commit_id":"9394ac1a22a104494e865703e0ad7be83fa7b00b"},{"author":{"_account_id":8482,"name":"Colleen Murphy","email":"colleen@gazlene.net","username":"krinkle"},"change_message_id":"6c313a7f8abcb2f17a4521ae82b933445bb6e573","unresolved":false,"context_lines":[{"line_number":28,"context_line":"We cannot make either the role or the group membership concrete, because that"},{"line_number":29,"context_line":"user would then have those permissions even if their state in the external"},{"line_number":30,"context_line":"identity provider changes. 
Likewise, when using auto-provisioning, the role"},{"line_number":31,"context_line":"assignment on the auto-provisioned project is done concretely."},{"line_number":32,"context_line":""},{"line_number":33,"context_line":"The problem has been reported and discussed as `bug 1589993"},{"line_number":34,"context_line":"\u003chttps://bugs.launchpad.net/keystone/+bug/1589993\u003e`_."}],"source_content_type":"text/x-rst","patch_set":8,"id":"9fb8cfa7_5b0a75d2","line":31,"updated":"2019-06-04 17:04:56.000000000","message":"Would be good to add why it\u0027s okay for auto-provisioned concrete role assignments to stay the same, I keep having to work through it in my mind to convince myself.","commit_id":"9394ac1a22a104494e865703e0ad7be83fa7b00b"},{"author":{"_account_id":8482,"name":"Colleen Murphy","email":"colleen@gazlene.net","username":"krinkle"},"change_message_id":"6c313a7f8abcb2f17a4521ae82b933445bb6e573","unresolved":false,"context_lines":[{"line_number":34,"context_line":"\u003chttps://bugs.launchpad.net/keystone/+bug/1589993\u003e`_."},{"line_number":35,"context_line":""},{"line_number":36,"context_line":"Additionally, federated users are often leftover in the database even long"},{"line_number":37,"context_line":"after they last authenticated."},{"line_number":38,"context_line":""},{"line_number":39,"context_line":""},{"line_number":40,"context_line":"Proposed Change"}],"source_content_type":"text/x-rst","patch_set":8,"id":"9fb8cfa7_fb0ec9e3","line":37,"updated":"2019-06-04 17:04:56.000000000","message":"You mean shadow users? 
Why is this a problem/relevant?","commit_id":"9394ac1a22a104494e865703e0ad7be83fa7b00b"},{"author":{"_account_id":8482,"name":"Colleen Murphy","email":"colleen@gazlene.net","username":"krinkle"},"change_message_id":"6c313a7f8abcb2f17a4521ae82b933445bb6e573","unresolved":false,"context_lines":[{"line_number":83,"context_line":"or when creating new identity providers when a custom one is not specified."},{"line_number":84,"context_line":""},{"line_number":85,"context_line":"If `current_time \u003e last_idp_login + require_login_time` then the user will"},{"line_number":86,"context_line":"become disable. This will make it not possible for them to authenticate using"},{"line_number":87,"context_line":"application credentials, if they have created them. The user will become"},{"line_number":88,"context_line":"reenabled after authenticating through the identity provider."},{"line_number":89,"context_line":""}],"source_content_type":"text/x-rst","patch_set":8,"id":"9fb8cfa7_dbf66590","line":86,"range":{"start_line":86,"start_character":7,"end_line":86,"end_character":14},"updated":"2019-06-04 17:04:56.000000000","message":"disabled","commit_id":"9394ac1a22a104494e865703e0ad7be83fa7b00b"}],"specs/keystone/train/renewable-app-creds.rst":[{"author":{"_account_id":16465,"name":"Kristi Nikolla","email":"knikolla@bu.edu","username":"knikolla"},"change_message_id":"2d364295294a608be7d7a508e0b829b7d9a91cd5","unresolved":false,"context_lines":[{"line_number":73,"context_line":""},{"line_number":74,"context_line":"The application credential model will be extended to include the fields"},{"line_number":75,"context_line":"`last_renewed` which will store the time of the last renew, and"},{"line_number":76,"context_line":"`identity_provider`, which will refer to the identity provider where the"},{"line_number":77,"context_line":"user was logging in from when last renewing the application credential."},{"line_number":78,"context_line":""},{"line_number":79,"context_line":"Likewise, the 
identity provider model will be extended to include a new field"}],"source_content_type":"text/x-rst","patch_set":6,"id":"5fc1f717_095ae1f0","line":76,"range":{"start_line":76,"start_character":0,"end_line":76,"end_character":19},"updated":"2019-04-09 18:16:46.000000000","message":"Do we want this to be a foreign key?","commit_id":"8b2f80d958278e4cfd6842556ba0941b4173a1ef"},{"author":{"_account_id":8482,"name":"Colleen Murphy","email":"colleen@gazlene.net","username":"krinkle"},"change_message_id":"adf372779d09f05c5215de2ba6b8cce65042846a","unresolved":false,"context_lines":[{"line_number":57,"context_line":"to all the roles that the application credential had, otherwise"},{"line_number":58,"context_line":"renew will fail."},{"line_number":59,"context_line":""},{"line_number":60,"context_line":"If the user has additional roles, they will not be added to the application"},{"line_number":61,"context_line":"credential."},{"line_number":62,"context_line":""},{"line_number":63,"context_line":"The validity time of the application credential will be dependent on the"}],"source_content_type":"text/x-rst","patch_set":7,"id":"ffb9cba7_2f65f4b5","line":60,"range":{"start_line":60,"start_character":16,"end_line":60,"end_character":32},"updated":"2019-04-23 23:49:18.000000000","message":"As in, if they gained new roles since they created the application credential?","commit_id":"bc8e26d7b65e7ad61c1c08d3b55f7e09ce069bc5"},{"author":{"_account_id":8482,"name":"Colleen Murphy","email":"colleen@gazlene.net","username":"krinkle"},"change_message_id":"adf372779d09f05c5215de2ba6b8cce65042846a","unresolved":false,"context_lines":[{"line_number":77,"context_line":"user was logging in from when last renewing the application credential."},{"line_number":78,"context_line":""},{"line_number":79,"context_line":"Likewise, the identity provider model will be extended to include a new field"},{"line_number":80,"context_line":"`credential_ttl`. 
This will be the default, for existing identity provider"},{"line_number":81,"context_line":"or when creating new identity providers when a custom one is not specified."},{"line_number":82,"context_line":""},{"line_number":83,"context_line":"If `current_time \u003e last_renewed + credential_ttl` then the application"}],"source_content_type":"text/x-rst","patch_set":7,"id":"ffb9cba7_6f6a0c81","line":80,"range":{"start_line":80,"start_character":1,"end_line":80,"end_character":15},"updated":"2019-04-23 23:49:18.000000000","message":"Maybe we want to call it application_credential_ttl to avoid confusing it with the /v3/credentials sense of the word?","commit_id":"bc8e26d7b65e7ad61c1c08d3b55f7e09ce069bc5"},{"author":{"_account_id":2903,"name":"Morgan Fainberg","email":"morgan.fainberg@gmail.com","username":"mdrnstm"},"change_message_id":"0f16a89d2be3a4f1384afe4b3af5ecb96cc82775","unresolved":false,"context_lines":[{"line_number":77,"context_line":"user was logging in from when last renewing the application credential."},{"line_number":78,"context_line":""},{"line_number":79,"context_line":"Likewise, the identity provider model will be extended to include a new field"},{"line_number":80,"context_line":"`credential_ttl`. This will be the default, for existing identity provider"},{"line_number":81,"context_line":"or when creating new identity providers when a custom one is not specified."},{"line_number":82,"context_line":""},{"line_number":83,"context_line":"If `current_time \u003e last_renewed + credential_ttl` then the application"}],"source_content_type":"text/x-rst","patch_set":7,"id":"ffb9cba7_ded63a28","line":80,"range":{"start_line":80,"start_character":1,"end_line":80,"end_character":15},"in_reply_to":"ffb9cba7_6f6a0c81","updated":"2019-04-24 16:02:25.000000000","message":"++","commit_id":"bc8e26d7b65e7ad61c1c08d3b55f7e09ce069bc5"}]}
