)]}'
{"/PATCHSET_LEVEL":[{"author":{"_account_id":13478,"name":"Boris Bobrov","email":"b.bobrov@sap.com","username":"bbobrov"},"change_message_id":"f623b1b18650804ef3cb037668eb1279eb44c54f","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":1,"id":"b60f5e6f_4bcb66e9","updated":"2025-10-20 12:26:13.000000000","message":"My understanding has been that i can also create appcreds with system scope. Am i wrong?","commit_id":"13944f5d604b249a9c1961ee711a855928f522cc"},{"author":{"_account_id":13478,"name":"Boris Bobrov","email":"b.bobrov@sap.com","username":"bbobrov"},"change_message_id":"01a737f3327308826a6f995de362d781d7f08a27","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":1,"id":"811bdfaf_d4d906fc","updated":"2026-04-13 21:26:22.000000000","message":"This is good, but there must be unit tests","commit_id":"13944f5d604b249a9c1961ee711a855928f522cc"},{"author":{"_account_id":9542,"name":"Pavlo Shchelokovskyy","email":"pshchelokovskyy@mirantis.com","username":"pshchelo"},"change_message_id":"5f24dde99870daf08e5fcfba2ee531d179ffdb6f","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":1,"id":"d67449df_47183515","in_reply_to":"a74a3e27_85e519fa","updated":"2025-10-20 17:02:26.000000000","message":"Oh, yes, and the largest giveaway maybe is that there\u0027s no domain id or system scope field to store the scope for appcreds in DB. \nThat strongly implies that auth with appcreds is not and never was possible with domain or system scope, Keystone has no way to record for which specific domain or system the appcreds are valid (even if there\u0027s only one, `all`, system for now).","commit_id":"13944f5d604b249a9c1961ee711a855928f522cc"},{"author":{"_account_id":9542,"name":"Pavlo Shchelokovskyy","email":"pshchelokovskyy@mirantis.com","username":"pshchelo"},"change_message_id":"95b71dc5a910e6d387cd8ce44715a35e1bc341d6","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":1,"id":"a74a3e27_85e519fa","in_reply_to":"b60f5e6f_4bcb66e9","updated":"2025-10-20 16:55:43.000000000","message":"TBH I don\u0027t know what the original intent was. \n\nBut right now, if one enables scope enforcing in policies (already default in oslo.policy btw), you can only create appcreds with project scope\nhttps://opendev.org/openstack/keystone/src/branch/stable/2025.2/keystone/common/policies/application_credential.py#L72\n\nand response validation also requires project_id to be a string (not `None`)\nhttps://opendev.org/openstack/keystone/src/branch/stable/2025.2/keystone/application_credential/schema.py#L158\n\nOn the other hand, the project_id is nullable in DB schema\nhttps://opendev.org/openstack/keystone/src/branch/stable/2025.2/keystone/application_credential/backends/sql.py#L45\n\nSo like 2 vs 1 that project id is a must 😊 although this is indeed confusing.","commit_id":"13944f5d604b249a9c1961ee711a855928f522cc"},{"author":{"_account_id":9542,"name":"Pavlo Shchelokovskyy","email":"pshchelokovskyy@mirantis.com","username":"pshchelo"},"change_message_id":"9dae8d19916ccacbb0b8dbf5eec8f9391994c6f2","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":1,"id":"f723fe5c_ff4a06fb","in_reply_to":"d67449df_47183515","updated":"2025-10-20 17:07:46.000000000","message":"correction, there is a \u0027system\u0027 field indeed. looks like there was a plan to extend it to system scope, but it got nowhere I guess\nhttps://opendev.org/openstack/keystone/commit/d94d9c566f5fc686f14a3e463ed79230509c7c05","commit_id":"13944f5d604b249a9c1961ee711a855928f522cc"}]}