)]}'
{"id":"openstack%2Fkeystone~985920","triplet_id":"openstack%2Fkeystone~stable%2F2026.1~Idb192a2fd370fc26c7d76788e9ad1856483d3239","project":"openstack/keystone","branch":"stable/2026.1","attention_set":{},"removed_from_attention_set":{"37598":{"account":{"_account_id":37598,"name":"Ivan Anfimov","display_name":"Ivan Anfimov","email":"lazekteam@gmail.com","username":"anfimovir"},"last_update":"2026-04-27 15:12:59.000000000","reason":"Change was submitted"},"14250":{"account":{"_account_id":14250,"name":"Grzegorz Grasza","email":"xek@redhat.com","username":"xek"},"last_update":"2026-04-27 11:51:12.000000000","reason":"\u003cGERRIT_ACCOUNT_14250\u003e replied on the change","reason_account":{"_account_id":14250,"name":"Grzegorz Grasza","email":"xek@redhat.com","username":"xek"}},"7414":{"account":{"_account_id":7414,"name":"David Wilde","email":"dwilde@redhat.com","username":"d34dh0r53"},"last_update":"2026-04-27 15:12:59.000000000","reason":"Change was submitted"}},"hashtags":[],"change_id":"Idb192a2fd370fc26c7d76788e9ad1856483d3239","subject":"Block restricted app creds from creating EC2 credentials via /credentials","status":"MERGED","created":"2026-04-23 07:48:43.000000000","updated":"2026-04-27 15:14:34.000000000","submitted":"2026-04-27 15:12:59.000000000","submitter":{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},"total_comment_count":0,"unresolved_comment_count":0,"has_review_started":true,"submission_id":"985920","cherry_pick_of_change":983655,"cherry_pick_of_patch_set":2,"meta_rev_id":"3ded55b177252300d359f8fd4d97b6a13a1a174c","_number":985920,"virtual_id_number":985920,"owner":{"_account_id":37598,"name":"Ivan Anfimov","display_name":"Ivan Anfimov","email":"lazekteam@gmail.com","username":"anfimovir"},"actions":{},"labels":{"Verified":{"approved":{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},"all":[{"tag":"autogenerated:zuul:gate","value":2,"date":"2026-04-27 15:12:59.000000000","permitted_voting_range":{"min":2,"max":2},"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},{"value":0,"_account_id":27900,"name":"Artem Goncharov","email":"artem.goncharov@gmail.com","username":"gtema"},{"value":0,"_account_id":14250,"name":"Grzegorz Grasza","email":"xek@redhat.com","username":"xek"}],"values":{"-2":"Fails","-1":"Doesn\u0027t seem to work"," 0":"No score","+1":"Works for me","+2":"Verified"},"description":"","default_value":0,"optional":true},"Code-Review":{"approved":{"_account_id":27900,"name":"Artem Goncharov","email":"artem.goncharov@gmail.com","username":"gtema"},"all":[{"value":0,"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},{"value":2,"date":"2026-04-27 11:48:58.000000000","permitted_voting_range":{"min":2,"max":2},"_account_id":27900,"name":"Artem Goncharov","email":"artem.goncharov@gmail.com","username":"gtema"},{"value":2,"date":"2026-04-27 11:51:12.000000000","permitted_voting_range":{"min":2,"max":2},"_account_id":14250,"name":"Grzegorz Grasza","email":"xek@redhat.com","username":"xek"}],"values":{"-2":"Do not merge","-1":"This patch needs further work before it can be merged"," 0":"No score","+1":"Looks good to me, but someone else must approve","+2":"Looks good to me (core reviewer)"},"description":"","default_value":0,"optional":true},"Workflow":{"approved":{"_account_id":14250,"name":"Grzegorz Grasza","email":"xek@redhat.com","username":"xek"},"all":[{"value":0,"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},{"value":0,"_account_id":27900,"name":"Artem Goncharov","email":"artem.goncharov@gmail.com","username":"gtema"},{"value":1,"date":"2026-04-27 11:51:12.000000000","permitted_voting_range":{"min":1,"max":1},"_account_id":14250,"name":"Grzegorz Grasza","email":"xek@redhat.com","username":"xek"}],"values":{"-1":"Work in progress"," 0":"Ready for reviews","+1":"Approved"},"description":"","default_value":0,"optional":true}},"removable_reviewers":[{"_account_id":7414,"name":"David Wilde","email":"dwilde@redhat.com","username":"d34dh0r53"}],"reviewers":{"CC":[{"_account_id":13478,"name":"Boris Bobrov","email":"b.bobrov@sap.com","username":"bbobrov"}],"REVIEWER":[{"_account_id":7414,"name":"David Wilde","email":"dwilde@redhat.com","username":"d34dh0r53"},{"_account_id":14250,"name":"Grzegorz Grasza","email":"xek@redhat.com","username":"xek"},{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},{"_account_id":27900,"name":"Artem Goncharov","email":"artem.goncharov@gmail.com","username":"gtema"}]},"pending_reviewers":{},"reviewer_updates":[{"updated":"2026-04-23 07:48:43.000000000","updated_by":{"_account_id":37598,"name":"Ivan Anfimov","display_name":"Ivan Anfimov","email":"lazekteam@gmail.com","username":"anfimovir"},"reviewer":{"_account_id":13478,"name":"Boris Bobrov","email":"b.bobrov@sap.com","username":"bbobrov"},"state":"CC"},{"updated":"2026-04-23 09:28:48.000000000","updated_by":{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},"reviewer":{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},"state":"REVIEWER"},{"updated":"2026-04-24 10:45:57.000000000","updated_by":{"_account_id":27900,"name":"Artem Goncharov","email":"artem.goncharov@gmail.com","username":"gtema"},"reviewer":{"_account_id":27900,"name":"Artem Goncharov","email":"artem.goncharov@gmail.com","username":"gtema"},"state":"REVIEWER"},{"updated":"2026-04-24 14:02:17.000000000","updated_by":{"_account_id":37598,"name":"Ivan Anfimov","display_name":"Ivan Anfimov","email":"lazekteam@gmail.com","username":"anfimovir"},"reviewer":{"_account_id":7414,"name":"David Wilde","email":"dwilde@redhat.com","username":"d34dh0r53"},"state":"REVIEWER"},{"updated":"2026-04-24 14:02:17.000000000","updated_by":{"_account_id":37598,"name":"Ivan Anfimov","display_name":"Ivan Anfimov","email":"lazekteam@gmail.com","username":"anfimovir"},"reviewer":{"_account_id":14250,"name":"Grzegorz Grasza","email":"xek@redhat.com","username":"xek"},"state":"REVIEWER"}],"messages":[{"id":"68072e9550a2e16aedaf65eb3b75ed0fffd2d551","tag":"autogenerated:gerrit:newPatchSet","author":{"_account_id":37598,"name":"Ivan Anfimov","display_name":"Ivan Anfimov","email":"lazekteam@gmail.com","username":"anfimovir"},"date":"2026-04-23 07:48:43.000000000","message":"Patch Set 1: Cherry Picked from branch master.","accounts_in_message":[],"_revision_number":1},{"id":"ffa5a1a273266063f2fd434a3a7f667eec9d47b4","tag":"autogenerated:gerrit:newPatchSet","author":{"_account_id":37598,"name":"Ivan Anfimov","display_name":"Ivan Anfimov","email":"lazekteam@gmail.com","username":"anfimovir"},"date":"2026-04-23 07:53:01.000000000","message":"Patch Set 2: Patch Set 1 was rebased","accounts_in_message":[],"_revision_number":2},{"id":"bb508e0944070a178028e74c5046019091d3bbe2","tag":"autogenerated:zuul:check","author":{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},"date":"2026-04-23 09:28:48.000000000","message":"Patch Set 2: Verified+1\n\nBuild succeeded (check pipeline).\nhttps://zuul.opendev.org/t/openstack/buildset/5b8fc11a51094f95ab4f121d5e8aab97\n\n- openstack-tox-cover https://zuul.opendev.org/t/openstack/build/e0d767d65e0b455c9d60f3f3d4d2dd82 : SUCCESS in 19m 37s\n- openstack-tox-pep8 https://zuul.opendev.org/t/openstack/build/841bb7eafbd043a4a35143175cf7f9f8 : SUCCESS in 5m 25s\n- openstack-tox-py310 https://zuul.opendev.org/t/openstack/build/85d7c145d10046358145cad9ec9ee909 : SUCCESS in 11m 33s\n- openstack-tox-py313 https://zuul.opendev.org/t/openstack/build/8a4604133be1429fb513e4254a5a737c : SUCCESS in 11m 05s\n- openstack-tox-docs https://zuul.opendev.org/t/openstack/build/6b4b78c85f47407e815511c50f8d1170 : SUCCESS in 14m 05s\n- grenade https://zuul.opendev.org/t/openstack/build/7a05832670fa495c96cec44c118b1b8b : SUCCESS in 31m 16s\n- tempest-full-py3 https://zuul.opendev.org/t/openstack/build/9bf6e924976243498940f1b927adf2af : SUCCESS in 1h 33m 20s\n- keystoneclient-devstack-functional https://zuul.opendev.org/t/openstack/build/849a930775374125ac92c562bb426dea : SUCCESS in 17m 20s (non-voting)\n- keystone-tempest https://zuul.opendev.org/t/openstack/build/3a1f647536f84a1298da32d87190581d : SUCCESS in 15m 58s\n- keystone-tempest-fips https://zuul.opendev.org/t/openstack/build/67f80cd9bd3049d2a072d522d7e8f232 : FAILURE in 8m 19s (non-voting)\n- keystone-tempest-federation https://zuul.opendev.org/t/openstack/build/e46bf881be544999a3e73a36a5e071ae : FAILURE in 20m 38s (non-voting)\n- keystone-tempest-federation-k2k https://zuul.opendev.org/t/openstack/build/c6961a12b1aa4fe4bbe49fa166686d4e : SUCCESS in 29m 54s\n- keystone-tempest-oidc-federation https://zuul.opendev.org/t/openstack/build/ebf8eadd0b2a4bf0901ae5478441e60b : SUCCESS in 22m 53s\n- keystone-tempest-ldap-domain-specific-driver https://zuul.opendev.org/t/openstack/build/a4409369291a4cf4abe5bcfef8928b57 : SUCCESS in 22m 08s (non-voting)\n- tempest-ipv6-only https://zuul.opendev.org/t/openstack/build/c27b67a2b3bd4b239ceddfcb3dc7ab3e : SUCCESS in 1h 00m 33s\n- keystone-protection-functional https://zuul.opendev.org/t/openstack/build/4b03eb34f2c84c08bdc9438120ea506b : FAILURE in 21m 40s (non-voting)\n- codegenerator-openapi-identity-tips-with-api-ref https://zuul.opendev.org/t/openstack/build/efe3244620d84f0fb0879f90747c9974 : SUCCESS in 8m 22s (non-voting)","accounts_in_message":[],"_revision_number":2},{"id":"62b3a9fe5386e24ec944f640ab096c84f99311b9","author":{"_account_id":27900,"name":"Artem Goncharov","email":"artem.goncharov@gmail.com","username":"gtema"},"date":"2026-04-24 10:45:57.000000000","message":"Patch Set 2: Code-Review+2","accounts_in_message":[],"_revision_number":2},{"id":"7058f289caf8e0bf0be0965cf7d7118e7d5e1990","tag":"autogenerated:gerrit:newPatchSet","author":{"_account_id":14250,"name":"Grzegorz Grasza","email":"xek@redhat.com","username":"xek"},"date":"2026-04-27 11:48:58.000000000","message":"Patch Set 3: Cherry Picked from branch master.\n\nCopied Votes:\n* Code-Review+2 (copy condition: \"**changekind:TRIVIAL_REBASE** OR is:MIN\")\n\nOutdated Votes:\n* Verified+1 (copy condition: \"NEVER\")\n","accounts_in_message":[],"_revision_number":3},{"id":"cae0c345e2e5a5845895b4cf2854e0aae5f1c94a","author":{"_account_id":14250,"name":"Grzegorz Grasza","email":"xek@redhat.com","username":"xek"},"date":"2026-04-27 11:51:12.000000000","message":"Patch Set 3: Code-Review+2 Workflow+1","accounts_in_message":[],"_revision_number":3},{"id":"f637ae08f6b289e32f9a6933e9b02f9e2d9f23d1","tag":"autogenerated:zuul:check","author":{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},"date":"2026-04-27 13:16:23.000000000","message":"Patch Set 3: Verified+1\n\nBuild succeeded (check pipeline).\nhttps://zuul.opendev.org/t/openstack/buildset/3deb620d253b4578897f2a0be7c54283\n\n- openstack-tox-cover https://zuul.opendev.org/t/openstack/build/55089e6c44a848ab803b204ef677c524 : SUCCESS in 12m 50s\n- openstack-tox-pep8 https://zuul.opendev.org/t/openstack/build/e3719f5a6c2047fc87e6f8ec4a396a20 : SUCCESS in 4m 54s\n- openstack-tox-py310 https://zuul.opendev.org/t/openstack/build/76b85dc6826847ee8869972ea425705b : SUCCESS in 8m 38s\n- openstack-tox-py313 https://zuul.opendev.org/t/openstack/build/417fec3dea30413ab2d62962de8a606a : SUCCESS in 13m 56s\n- openstack-tox-docs https://zuul.opendev.org/t/openstack/build/238c3d727e534f5e9fcf2ef216e93764 : SUCCESS in 6m 43s\n- grenade https://zuul.opendev.org/t/openstack/build/7d9217aa62ec4cc78766e8a84d91923a : SUCCESS in 1h 01m 40s\n- tempest-full-py3 https://zuul.opendev.org/t/openstack/build/14dc18a16d6147eea038831179a0ef06 : SUCCESS in 1h 25m 40s\n- keystoneclient-devstack-functional https://zuul.opendev.org/t/openstack/build/6487e88239df45569d55ff6e20c7d00d : SUCCESS in 14m 47s (non-voting)\n- keystone-tempest https://zuul.opendev.org/t/openstack/build/ae7a344eccb8459e81d9ea11d277d84e : SUCCESS in 34m 26s\n- keystone-tempest-fips https://zuul.opendev.org/t/openstack/build/6e49998d3e984e5baad73ea2bdd0b4f3 : FAILURE in 17m 56s (non-voting)\n- keystone-tempest-federation https://zuul.opendev.org/t/openstack/build/fe1675ba07464db2b16abd2525127a0f : FAILURE in 20m 12s (non-voting)\n- keystone-tempest-federation-k2k https://zuul.opendev.org/t/openstack/build/3bb7d1f8f371451aa89a0045c6d71212 : SUCCESS in 31m 04s\n- keystone-tempest-oidc-federation https://zuul.opendev.org/t/openstack/build/88e19e61bf5e44ad8931272de333edd6 : SUCCESS in 15m 01s\n- keystone-tempest-ldap-domain-specific-driver https://zuul.opendev.org/t/openstack/build/6a8cc9f482004d34bc2613ceaddf4e5f : SUCCESS in 43m 25s (non-voting)\n- tempest-ipv6-only https://zuul.opendev.org/t/openstack/build/0c7aad6a6fb4452aa988489eeb248795 : SUCCESS in 1h 05m 45s\n- keystone-protection-functional https://zuul.opendev.org/t/openstack/build/6f895c00dd03455d8cc5faf36f18f5f9 : FAILURE in 39m 14s (non-voting)\n- codegenerator-openapi-identity-tips-with-api-ref https://zuul.opendev.org/t/openstack/build/eec5abc8f11b43218f477f48243d3759 : SUCCESS in 7m 08s (non-voting)","accounts_in_message":[],"_revision_number":3},{"id":"aeda5e1077250010e49330351c7e9e8bf5317dd8","tag":"autogenerated:zuul:gate","author":{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},"date":"2026-04-27 13:16:53.000000000","message":"Patch Set 3: -Verified\n\nStarting gate jobs.","accounts_in_message":[],"_revision_number":3},{"id":"419bf357f85bac8ee6d5501c99edc47691161117","tag":"autogenerated:zuul:gate","author":{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},"date":"2026-04-27 15:12:59.000000000","message":"Patch Set 3: Verified+2\n\nBuild succeeded (gate pipeline).\nhttps://zuul.opendev.org/t/openstack/buildset/88361625168a40ad8613d9287e1f332f\n\n- openstack-tox-pep8 https://zuul.opendev.org/t/openstack/build/5578489ee6c649979f81eb9c6ecc1a63 : SUCCESS in 4m 43s\n- openstack-tox-py310 https://zuul.opendev.org/t/openstack/build/b23bd3c530174895a8647d88cb244ba4 : SUCCESS in 11m 37s\n- openstack-tox-py313 https://zuul.opendev.org/t/openstack/build/bc1bd068ac354fcf9080bca47ba8fb54 : SUCCESS in 9m 06s\n- openstack-tox-docs https://zuul.opendev.org/t/openstack/build/e5c4ac85dbab462f8a14b76a4e6cdf54 : SUCCESS in 14m 19s\n- grenade https://zuul.opendev.org/t/openstack/build/605bb85a95414b9fb9c3c39354ec5549 : SUCCESS in 1h 05m 53s\n- tempest-full-py3 https://zuul.opendev.org/t/openstack/build/5c94b2c1668f4438908207c9adac0776 : SUCCESS in 1h 51m 21s\n- keystone-tempest https://zuul.opendev.org/t/openstack/build/38542a7c22a949e390239b29c3182287 : SUCCESS in 35m 03s\n- keystone-tempest-federation-k2k https://zuul.opendev.org/t/openstack/build/9ef0defe65dd4d52a2151662ee0dd889 : SUCCESS in 15m 26s\n- tempest-ipv6-only https://zuul.opendev.org/t/openstack/build/ebcaf635681646db9e2a2bb3113c4c61 : SUCCESS in 1h 00m 58s\n- keystone-protection-functional https://zuul.opendev.org/t/openstack/build/451a8c86f4834277b996621fd5a0af69 : FAILURE in 26m 28s (non-voting)","accounts_in_message":[],"_revision_number":3},{"id":"1b47140e9d1dee0de4ac8f33be7cf44ee97eebc6","tag":"autogenerated:gerrit:merged","author":{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},"date":"2026-04-27 15:12:59.000000000","message":"Change has been successfully merged","accounts_in_message":[],"_revision_number":3},{"id":"3ded55b177252300d359f8fd4d97b6a13a1a174c","tag":"autogenerated:zuul:promote","author":{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},"date":"2026-04-27 15:14:34.000000000","message":"Patch Set 3:\n\nBuild succeeded (promote pipeline).\nhttps://zuul.opendev.org/t/openstack/buildset/d98faa7ae7e848818ffc2d93bda096e7\n\n- promote-openstack-tox-docs https://zuul.opendev.org/t/openstack/build/ce724fc949724503803a32237b693110 : SUCCESS in 1m 05s","accounts_in_message":[],"_revision_number":3}],"current_revision_number":3,"current_revision":"4ec1f8a0120548da213d45e6f98712c6eb52ac0d","revisions":{"1e9e4ece2e142620ef5d00b876de3ce7ea5c206f":{"kind":"REWORK","_number":1,"created":"2026-04-23 07:48:43.000000000","uploader":{"_account_id":37598,"name":"Ivan Anfimov","display_name":"Ivan Anfimov","email":"lazekteam@gmail.com","username":"anfimovir"},"ref":"refs/changes/20/985920/1","fetch":{"anonymous http":{"url":"https://review.opendev.org/openstack/keystone","ref":"refs/changes/20/985920/1","commands":{"Checkout":"git fetch https://review.opendev.org/openstack/keystone refs/changes/20/985920/1 \u0026\u0026 git checkout FETCH_HEAD","Cherry Pick":"git fetch https://review.opendev.org/openstack/keystone refs/changes/20/985920/1 \u0026\u0026 git cherry-pick FETCH_HEAD","Format Patch":"git fetch https://review.opendev.org/openstack/keystone refs/changes/20/985920/1 \u0026\u0026 git format-patch -1 --stdout FETCH_HEAD","Pull":"git pull https://review.opendev.org/openstack/keystone refs/changes/20/985920/1"}}},"commit":{"parents":[{"commit":"5d5ae3aea3b90fd7fa4eaf3d3b918418db138b2e","subject":"Prevent unauthorized EC2 credential creation and deletion","web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/keystone/commit/5d5ae3aea3b90fd7fa4eaf3d3b918418db138b2e"}]}],"author":{"name":"Boris Bobrov","email":"b.bobrov@sap.com","date":"2026-04-07 21:45:15.000000000","tz":120},"committer":{"name":"Ivan Anfimov","email":"lazekteam@gmail.com","date":"2026-04-23 07:48:43.000000000","tz":0},"subject":"Block restricted app creds from creating EC2 credentials via /credentials","message":"Block restricted app creds from creating EC2 credentials via /credentials\n\nThe POST /v3/credentials endpoint accepted EC2 credential creation\nfrom restricted application credential tokens, bypassing the guard\non the dedicated OS-EC2 endpoint. Add the same unrestricted\napplication credential check to the generic credentials API for\nEC2-type credentials, and update the existing test to use an\nunrestricted application credential.\n\nRelated-Bug: #2142138\nGenerated-By: claude-opus-4-6 (OpenCode)\nSigned-off-by: Boris Bobrov \u003cb.bobrov@sap.com\u003e\nChange-Id: Idb192a2fd370fc26c7d76788e9ad1856483d3239\n(cherry picked from commit d6a3dc511057d6ac25bd2d75776a4233c5608684)\n","web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/keystone/commit/1e9e4ece2e142620ef5d00b876de3ce7ea5c206f"}],"resolve_conflicts_web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/keystone/commit/1e9e4ece2e142620ef5d00b876de3ce7ea5c206f"}]},"branch":"refs/heads/stable/2026.1","conflicts":{"ours":"5d5ae3aea3b90fd7fa4eaf3d3b918418db138b2e","theirs":"d6a3dc511057d6ac25bd2d75776a4233c5608684","contains_conflicts":false}},"ee1e8be2b132f5d8a782af303ebb27d0ec86ccdf":{"kind":"TRIVIAL_REBASE","_number":2,"created":"2026-04-23 07:53:01.000000000","uploader":{"_account_id":37598,"name":"Ivan Anfimov","display_name":"Ivan Anfimov","email":"lazekteam@gmail.com","username":"anfimovir"},"ref":"refs/changes/20/985920/2","fetch":{"anonymous http":{"url":"https://review.opendev.org/openstack/keystone","ref":"refs/changes/20/985920/2","commands":{"Checkout":"git fetch https://review.opendev.org/openstack/keystone refs/changes/20/985920/2 \u0026\u0026 git checkout FETCH_HEAD","Cherry Pick":"git fetch https://review.opendev.org/openstack/keystone refs/changes/20/985920/2 \u0026\u0026 git cherry-pick FETCH_HEAD","Format Patch":"git fetch https://review.opendev.org/openstack/keystone refs/changes/20/985920/2 \u0026\u0026 git format-patch -1 --stdout FETCH_HEAD","Pull":"git pull https://review.opendev.org/openstack/keystone refs/changes/20/985920/2"}}},"commit":{"parents":[{"commit":"8e1cba068e13cd340b3551645dc817cab10b0aa3","subject":"Add tests for restricted app cred guard","web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/keystone/commit/8e1cba068e13cd340b3551645dc817cab10b0aa3"}]}],"author":{"name":"Boris Bobrov","email":"b.bobrov@sap.com","date":"2026-04-07 21:45:15.000000000","tz":120},"committer":{"name":"Ivan Anfimov","email":"lazekteam@gmail.com","date":"2026-04-23 07:53:01.000000000","tz":0},"subject":"Block restricted app creds from creating EC2 credentials via /credentials","message":"Block restricted app creds from creating EC2 credentials via /credentials\n\nThe POST /v3/credentials endpoint accepted EC2 credential creation\nfrom restricted application credential tokens, bypassing the guard\non the dedicated OS-EC2 endpoint. Add the same unrestricted\napplication credential check to the generic credentials API for\nEC2-type credentials, and update the existing test to use an\nunrestricted application credential.\n\nRelated-Bug: #2142138\nGenerated-By: claude-opus-4-6 (OpenCode)\nSigned-off-by: Boris Bobrov \u003cb.bobrov@sap.com\u003e\nChange-Id: Idb192a2fd370fc26c7d76788e9ad1856483d3239\n(cherry picked from commit d6a3dc511057d6ac25bd2d75776a4233c5608684)\n","web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/keystone/commit/ee1e8be2b132f5d8a782af303ebb27d0ec86ccdf"}],"resolve_conflicts_web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/keystone/commit/ee1e8be2b132f5d8a782af303ebb27d0ec86ccdf"}]},"branch":"refs/heads/stable/2026.1","description":"Rebase","conflicts":{"ours":"1e9e4ece2e142620ef5d00b876de3ce7ea5c206f","theirs":"8e1cba068e13cd340b3551645dc817cab10b0aa3","contains_conflicts":false}},"4ec1f8a0120548da213d45e6f98712c6eb52ac0d":{"kind":"NO_CHANGE","_number":3,"created":"2026-04-27 11:48:58.000000000","uploader":{"_account_id":14250,"name":"Grzegorz Grasza","email":"xek@redhat.com","username":"xek"},"ref":"refs/changes/20/985920/3","fetch":{"anonymous http":{"url":"https://review.opendev.org/openstack/keystone","ref":"refs/changes/20/985920/3","commands":{"Checkout":"git fetch https://review.opendev.org/openstack/keystone refs/changes/20/985920/3 \u0026\u0026 git checkout FETCH_HEAD","Cherry Pick":"git fetch https://review.opendev.org/openstack/keystone refs/changes/20/985920/3 \u0026\u0026 git cherry-pick FETCH_HEAD","Format Patch":"git fetch https://review.opendev.org/openstack/keystone refs/changes/20/985920/3 \u0026\u0026 git format-patch -1 --stdout FETCH_HEAD","Pull":"git pull https://review.opendev.org/openstack/keystone refs/changes/20/985920/3"}}},"commit":{"parents":[{"commit":"8e1cba068e13cd340b3551645dc817cab10b0aa3","subject":"Add tests for restricted app cred guard","web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/keystone/commit/8e1cba068e13cd340b3551645dc817cab10b0aa3"}]}],"author":{"name":"Boris Bobrov","email":"b.bobrov@sap.com","date":"2026-04-07 21:45:15.000000000","tz":120},"committer":{"name":"Grzegorz Grasza","email":"xek@redhat.com","date":"2026-04-27 11:48:58.000000000","tz":0},"subject":"Block restricted app creds from creating EC2 credentials via /credentials","message":"Block restricted app creds from creating EC2 credentials via /credentials\n\nThe POST /v3/credentials endpoint accepted EC2 credential creation\nfrom restricted application credential tokens, bypassing the guard\non the dedicated OS-EC2 endpoint. Add the same unrestricted\napplication credential check to the generic credentials API for\nEC2-type credentials, and update the existing test to use an\nunrestricted application credential.\n\nRelated-Bug: #2142138\nGenerated-By: claude-opus-4-6 (OpenCode)\nSigned-off-by: Boris Bobrov \u003cb.bobrov@sap.com\u003e\nChange-Id: Idb192a2fd370fc26c7d76788e9ad1856483d3239\n(cherry picked from commit d6a3dc511057d6ac25bd2d75776a4233c5608684)\n","web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/keystone/commit/4ec1f8a0120548da213d45e6f98712c6eb52ac0d"}],"resolve_conflicts_web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/keystone/commit/4ec1f8a0120548da213d45e6f98712c6eb52ac0d"}]},"branch":"refs/heads/stable/2026.1","conflicts":{"ours":"8e1cba068e13cd340b3551645dc817cab10b0aa3","theirs":"d6a3dc511057d6ac25bd2d75776a4233c5608684","contains_conflicts":false}}},"requirements":[],"submit_records":[{"rule_name":"gerrit~DefaultSubmitRule","status":"CLOSED","labels":[{"label":"Verified","status":"MAY","applied_by":{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]}},{"label":"Code-Review","status":"MAY","applied_by":{"_account_id":14250,"name":"Grzegorz Grasza","email":"xek@redhat.com","username":"xek"}},{"label":"Workflow","status":"MAY","applied_by":{"_account_id":14250,"name":"Grzegorz Grasza","email":"xek@redhat.com","username":"xek"}}]}],"submit_requirements":[{"name":"Verified","description":"Verified in gate by CI","status":"SATISFIED","is_legacy":false,"submittability_expression_result":{"expression":"label:Verified\u003dMAX AND -label:Verified\u003dMIN","fulfilled":true,"status":"PASS","passing_atoms":["label:Verified\u003dMAX"],"failing_atoms":["label:Verified\u003dMIN"],"atom_explanations":{"label:Verified\u003dMAX":"","label:Verified\u003dMIN":""}}},{"name":"Code-Review","description":"Code reviewed by core reviewer","status":"SATISFIED","is_legacy":false,"submittability_expression_result":{"expression":"label:Code-Review\u003dMAX AND -label:Code-Review\u003dMIN","fulfilled":true,"status":"PASS","passing_atoms":["label:Code-Review\u003dMAX"],"failing_atoms":["label:Code-Review\u003dMIN"],"atom_explanations":{"label:Code-Review\u003dMAX":"","label:Code-Review\u003dMIN":""}}},{"name":"Workflow","description":"Approved for gate by core reviewer","status":"SATISFIED","is_legacy":false,"submittability_expression_result":{"expression":"label:Workflow\u003dMAX AND -label:Workflow\u003dMIN","fulfilled":true,"status":"PASS","passing_atoms":["label:Workflow\u003dMAX"],"failing_atoms":["label:Workflow\u003dMIN"],"atom_explanations":{"label:Workflow\u003dMAX":"","label:Workflow\u003dMIN":""}}}]}