)]}'
{"keystone/api/credentials.py":[{"author":{"_account_id":1916,"name":"Guang Yee","email":"gyee@suse.com","username":"guang-yee"},"change_message_id":"8fa7301f5338925881914681eb12cbf03f853a7d","unresolved":false,"context_lines":[{"line_number":85,"context_line":"            # update the blob with the trust_id or app_cred_id, so credentials"},{"line_number":86,"context_line":"            # created with a trust- or app cred-scoped token will result in"},{"line_number":87,"context_line":"            # trust- or app cred-scoped tokens when authentication via"},{"line_number":88,"context_line":"            # ec2tokens happens"},{"line_number":89,"context_line":"            if trust_id is not None:"},{"line_number":90,"context_line":"                blob[\u0027trust_id\u0027] \u003d trust_id"},{"line_number":91,"context_line":"                ref[\u0027blob\u0027] \u003d jsonutils.dumps(blob)"}],"source_content_type":"text/x-python","patch_set":1,"id":"1f493fa4_10716ddf","line":88,"updated":"2020-05-06 18:07:16.000000000","message":"Maybe too late to argue about the design, but I never understood the use case of allowing temporary credentials such as app cred or access token to create credential blobs. *Owner* should be able to delegate these. 
Besides, cleaning them up ain\u0027t fun.","commit_id":"37e9907a176dad6843819b1bec4946c3aecc4548"},{"author":{"_account_id":8482,"name":"Colleen Murphy","email":"colleen@gazlene.net","username":"krinkle"},"change_message_id":"9dfdc56e06882591d3fc93cdb7a0a4549e12442b","unresolved":false,"context_lines":[{"line_number":85,"context_line":"            # update the blob with the trust_id or app_cred_id, so credentials"},{"line_number":86,"context_line":"            # created with a trust- or app cred-scoped token will result in"},{"line_number":87,"context_line":"            # trust- or app cred-scoped tokens when authentication via"},{"line_number":88,"context_line":"            # ec2tokens happens"},{"line_number":89,"context_line":"            if trust_id is not None:"},{"line_number":90,"context_line":"                blob[\u0027trust_id\u0027] \u003d trust_id"},{"line_number":91,"context_line":"                ref[\u0027blob\u0027] \u003d jsonutils.dumps(blob)"}],"source_content_type":"text/x-python","patch_set":1,"id":"1f493fa4_8b339013","line":88,"in_reply_to":"1f493fa4_10716ddf","updated":"2020-05-06 18:46:39.000000000","message":"It might have been better to never set trust_id and simply block trust-scoped tokens from creating credentials, but that was a choice made long ago. This at least makes app creds and access tokens consistent with trusts and prevents them from being abused the way they could have been before.","commit_id":"37e9907a176dad6843819b1bec4946c3aecc4548"}]}
