)]}'
{"id":"openstack%2Fkeystone~985921","triplet_id":"openstack%2Fkeystone~stable%2F2025.2~Idb192a2fd370fc26c7d76788e9ad1856483d3239","project":"openstack/keystone","branch":"stable/2025.2","attention_set":{},"removed_from_attention_set":{"37598":{"account":{"_account_id":37598,"name":"Ivan Anfimov","display_name":"Ivan Anfimov","email":"lazekteam@gmail.com","username":"anfimovir"},"last_update":"2026-05-06 10:50:30.000000000","reason":"Change was submitted"},"14250":{"account":{"_account_id":14250,"name":"Grzegorz Grasza","email":"xek@redhat.com","username":"xek"},"last_update":"2026-05-06 10:50:30.000000000","reason":"Change was submitted"},"7414":{"account":{"_account_id":7414,"name":"David Wilde","email":"dwilde@redhat.com","username":"d34dh0r53"},"last_update":"2026-05-06 10:50:30.000000000","reason":"Change was submitted"}},"hashtags":[],"change_id":"Idb192a2fd370fc26c7d76788e9ad1856483d3239","subject":"Block restricted app creds from creating EC2 credentials via /credentials","status":"MERGED","created":"2026-04-23 07:49:07.000000000","updated":"2026-05-06 10:51:31.000000000","submitted":"2026-05-06 10:50:30.000000000","submitter":{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},"total_comment_count":0,"unresolved_comment_count":0,"has_review_started":true,"submission_id":"985921","cherry_pick_of_change":985920,"cherry_pick_of_patch_set":1,"meta_rev_id":"5dce8381f59be116d22c209f4af43375f4d30232","_number":985921,"virtual_id_number":985921,"owner":{"_account_id":37598,"name":"Ivan Anfimov","display_name":"Ivan Anfimov","email":"lazekteam@gmail.com","username":"anfimovir"},"actions":{},"labels":{"Verified":{"approved":{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},"all":[{"value":0,"_account_id":27900,"name":"Artem Goncharov","email":"artem.goncharov@gmail.com","username":"gtema"},{"tag":"autogenerated:zuul:gate","value":2,"date":"2026-05-06 10:50:30.000000000","permitted_voting_range":{"min":2,"max":2},"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]}],"values":{"-2":"Fails","-1":"Doesn\u0027t seem to work"," 0":"No score","+1":"Works for me","+2":"Verified"},"description":"","default_value":0,"optional":true},"Code-Review":{"approved":{"_account_id":27900,"name":"Artem Goncharov","email":"artem.goncharov@gmail.com","username":"gtema"},"all":[{"value":2,"date":"2026-04-24 10:46:02.000000000","permitted_voting_range":{"min":2,"max":2},"_account_id":27900,"name":"Artem Goncharov","email":"artem.goncharov@gmail.com","username":"gtema"},{"value":0,"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]}],"values":{"-2":"Do not merge","-1":"This patch needs further work before it can be merged"," 0":"No score","+1":"Looks good to me, but someone else must approve","+2":"Looks good to me (core reviewer)"},"description":"","default_value":0,"optional":true},"Workflow":{"approved":{"_account_id":27900,"name":"Artem Goncharov","email":"artem.goncharov@gmail.com","username":"gtema"},"all":[{"value":1,"date":"2026-05-06 08:47:29.000000000","permitted_voting_range":{"min":1,"max":1},"_account_id":27900,"name":"Artem Goncharov","email":"artem.goncharov@gmail.com","username":"gtema"},{"value":0,"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]}],"values":{"-1":"Work in progress"," 0":"Ready for reviews","+1":"Approved"},"description":"","default_value":0,"optional":true}},"removable_reviewers":[{"_account_id":14250,"name":"Grzegorz Grasza","email":"xek@redhat.com","username":"xek"},{"_account_id":7414,"name":"David Wilde","email":"dwilde@redhat.com","username":"d34dh0r53"}],"reviewers":{"CC":[{"_account_id":13478,"name":"Boris Bobrov","email":"b.bobrov@sap.com","username":"bbobrov"}],"REVIEWER":[{"_account_id":7414,"name":"David Wilde","email":"dwilde@redhat.com","username":"d34dh0r53"},{"_account_id":14250,"name":"Grzegorz Grasza","email":"xek@redhat.com","username":"xek"},{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},{"_account_id":27900,"name":"Artem Goncharov","email":"artem.goncharov@gmail.com","username":"gtema"}]},"pending_reviewers":{},"reviewer_updates":[{"updated":"2026-04-23 07:49:07.000000000","updated_by":{"_account_id":37598,"name":"Ivan Anfimov","display_name":"Ivan Anfimov","email":"lazekteam@gmail.com","username":"anfimovir"},"reviewer":{"_account_id":13478,"name":"Boris Bobrov","email":"b.bobrov@sap.com","username":"bbobrov"},"state":"CC"},{"updated":"2026-04-23 09:44:16.000000000","updated_by":{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},"reviewer":{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},"state":"REVIEWER"},{"updated":"2026-04-24 10:46:02.000000000","updated_by":{"_account_id":27900,"name":"Artem Goncharov","email":"artem.goncharov@gmail.com","username":"gtema"},"reviewer":{"_account_id":27900,"name":"Artem Goncharov","email":"artem.goncharov@gmail.com","username":"gtema"},"state":"REVIEWER"},{"updated":"2026-04-24 14:02:36.000000000","updated_by":{"_account_id":37598,"name":"Ivan Anfimov","display_name":"Ivan Anfimov","email":"lazekteam@gmail.com","username":"anfimovir"},"reviewer":{"_account_id":14250,"name":"Grzegorz Grasza","email":"xek@redhat.com","username":"xek"},"state":"REVIEWER"},{"updated":"2026-04-24 14:02:36.000000000","updated_by":{"_account_id":37598,"name":"Ivan Anfimov","display_name":"Ivan Anfimov","email":"lazekteam@gmail.com","username":"anfimovir"},"reviewer":{"_account_id":7414,"name":"David Wilde","email":"dwilde@redhat.com","username":"d34dh0r53"},"state":"REVIEWER"}],"messages":[{"id":"c900184f2d24969bf1138cfec481de3041ef006f","tag":"autogenerated:gerrit:newPatchSet","author":{"_account_id":37598,"name":"Ivan Anfimov","display_name":"Ivan Anfimov","email":"lazekteam@gmail.com","username":"anfimovir"},"date":"2026-04-23 07:49:07.000000000","message":"Patch Set 1: Cherry Picked from branch stable/2026.1.","accounts_in_message":[],"_revision_number":1},{"id":"60e52d4d7d3f554c4770a3bfc098786b6c7fcf87","tag":"autogenerated:gerrit:newPatchSet","author":{"_account_id":37598,"name":"Ivan Anfimov","display_name":"Ivan Anfimov","email":"lazekteam@gmail.com","username":"anfimovir"},"date":"2026-04-23 07:54:39.000000000","message":"Patch Set 2: Patch Set 1 was rebased","accounts_in_message":[],"_revision_number":2},{"id":"ddb40a4abb1585ded70b9fb91e316e88994036d1","tag":"autogenerated:zuul:check","author":{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},"date":"2026-04-23 09:44:16.000000000","message":"Patch Set 2: Verified+1\n\nBuild succeeded (check pipeline).\nhttps://zuul.opendev.org/t/openstack/buildset/9b081eac8f3248d78172cbff5fca3174\n\n- openstack-tox-cover https://zuul.opendev.org/t/openstack/build/46f5ad1717574258b8c77d2596eb8891 : SUCCESS in 19m 09s\n- openstack-tox-pep8 https://zuul.opendev.org/t/openstack/build/8c63f86a284042c3b50f7285734cff2a : SUCCESS in 5m 54s\n- openstack-tox-py310 https://zuul.opendev.org/t/openstack/build/7710f3f0d3414ba1bd222dd399970152 : SUCCESS in 12m 50s\n- openstack-tox-py312 https://zuul.opendev.org/t/openstack/build/43eb97362aa14292a6e889e3761a716c : SUCCESS in 12m 54s\n- openstack-tox-py313 https://zuul.opendev.org/t/openstack/build/1aac86eda89546139c99f2ef5cad1327 : SUCCESS in 14m 09s (non-voting)\n- openstack-tox-docs https://zuul.opendev.org/t/openstack/build/301b49e39c4c4f968af8591031dfcca3 : SUCCESS in 13m 16s\n- grenade https://zuul.opendev.org/t/openstack/build/0d5a7048ded5445986f7065fdb3c9c22 : SUCCESS in 56m 39s\n- tempest-full-py3 https://zuul.opendev.org/t/openstack/build/9036042778c94dd5afff56349025332c : SUCCESS in 1h 44m 51s\n- keystoneclient-devstack-functional https://zuul.opendev.org/t/openstack/build/dab80fdbc2d34708ac26de053f472898 : SUCCESS in 19m 06s (non-voting)\n- keystone-tempest https://zuul.opendev.org/t/openstack/build/32e48434bdf84f828b294a12dcb7ae72 : SUCCESS in 29m 53s\n- keystone-tempest-fips https://zuul.opendev.org/t/openstack/build/e4d5c248016e465ca6ae07baacc6faa8 : FAILURE in 20m 22s (non-voting)\n- keystone-tempest-federation https://zuul.opendev.org/t/openstack/build/9a8c1838cd2a4669b1dd09337cf65171 : FAILURE in 24m 48s (non-voting)\n- keystone-tempest-federation-k2k https://zuul.opendev.org/t/openstack/build/3b84b68f807c4e078a085592cb93af96 : SUCCESS in 29m 32s\n- keystone-tempest-oidc-federation https://zuul.opendev.org/t/openstack/build/8a5f435397e84502a4aa33942d6d517b : SUCCESS in 36m 01s\n- keystone-tempest-ldap-domain-specific-driver https://zuul.opendev.org/t/openstack/build/149a7397383d46a49cf446a0bdbbd2d3 : SUCCESS in 19m 07s (non-voting)\n- tempest-ipv6-only https://zuul.opendev.org/t/openstack/build/2a159a0d45ab45fc95f864c01457691d : SUCCESS in 58m 54s\n- keystone-protection-functional https://zuul.opendev.org/t/openstack/build/9c38724e59a14938a76df21e195d2105 : FAILURE in 43m 35s (non-voting)\n- codegenerator-openapi-identity-tips-with-api-ref https://zuul.opendev.org/t/openstack/build/faa069049af84681b22f69dc729c9ed8 : FAILURE in 8m 21s (non-voting)","accounts_in_message":[],"_revision_number":2},{"id":"d4a8556b47581291331abf1216852d46cb2313dd","author":{"_account_id":27900,"name":"Artem Goncharov","email":"artem.goncharov@gmail.com","username":"gtema"},"date":"2026-04-24 10:46:02.000000000","message":"Patch Set 2: Code-Review+2","accounts_in_message":[],"_revision_number":2},{"id":"95a6be1e8f4bb6c9a40cde855950c73af2dd8fa5","author":{"_account_id":27900,"name":"Artem Goncharov","email":"artem.goncharov@gmail.com","username":"gtema"},"date":"2026-05-06 08:47:29.000000000","message":"Patch Set 2: Workflow+1","accounts_in_message":[],"_revision_number":2},{"id":"2fb84d42c18dd414be020bf77f8a06e104c161af","tag":"autogenerated:zuul:gate","author":{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},"date":"2026-05-06 08:49:03.000000000","message":"Patch Set 2: -Verified\n\nStarting gate jobs.","accounts_in_message":[],"_revision_number":2},{"id":"1f878005ebcd15c43641b38a2b029c4e5edf311c","tag":"autogenerated:zuul:gate","author":{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},"date":"2026-05-06 10:50:30.000000000","message":"Patch Set 2: Verified+2\n\nBuild succeeded (gate pipeline).\nhttps://zuul.opendev.org/t/openstack/buildset/f9a1f42980c740fc80ff5cc688c7f3d0\n\n- openstack-tox-pep8 https://zuul.opendev.org/t/openstack/build/5535830898084a0aa3a1763726d9c40a : SUCCESS in 6m 38s\n- openstack-tox-py310 https://zuul.opendev.org/t/openstack/build/6d2f53dff94b4422b902608ca1ea5a9a : SUCCESS in 7m 19s\n- openstack-tox-py312 https://zuul.opendev.org/t/openstack/build/5582e5e1e8f84584a8515663a7ab3f29 : SUCCESS in 15m 28s\n- openstack-tox-docs https://zuul.opendev.org/t/openstack/build/cbaff9b1e286463e820878d4d65e3220 : SUCCESS in 9m 04s\n- grenade https://zuul.opendev.org/t/openstack/build/0ebe601fe77b4d2abd453a775ef6a002 : SUCCESS in 1h 06m 33s\n- tempest-full-py3 https://zuul.opendev.org/t/openstack/build/1e6d686023954e048396edc50e9120f8 : SUCCESS in 1h 55m 47s\n- keystone-tempest https://zuul.opendev.org/t/openstack/build/735e4d989c0c4b8583b2b5bfd3c5de30 : SUCCESS in 30m 58s\n- keystone-tempest-federation-k2k https://zuul.opendev.org/t/openstack/build/0dfbbc34d7934c5593a521db3add6eb0 : SUCCESS in 21m 45s\n- tempest-ipv6-only https://zuul.opendev.org/t/openstack/build/ced99f7e36474940b0d30dea74cb6f22 : SUCCESS in 39m 57s\n- keystone-protection-functional https://zuul.opendev.org/t/openstack/build/55aabd0f47514d99b5c7196900260efb : FAILURE in 16m 56s (non-voting)","accounts_in_message":[],"_revision_number":2},{"id":"4fe709dcba8e53efac1cbe554404968cfeeaa06a","tag":"autogenerated:gerrit:merged","author":{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},"date":"2026-05-06 10:50:30.000000000","message":"Change has been successfully merged","accounts_in_message":[],"_revision_number":2},{"id":"5dce8381f59be116d22c209f4af43375f4d30232","tag":"autogenerated:zuul:promote","author":{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},"date":"2026-05-06 10:51:31.000000000","message":"Patch Set 2:\n\nBuild succeeded (promote pipeline).\nhttps://zuul.opendev.org/t/openstack/buildset/89de44a0cf9340fd919d4af79dba4791\n\n- promote-openstack-tox-docs https://zuul.opendev.org/t/openstack/build/6ff00c14436745a48d2184c843648120 : SUCCESS in 48s","accounts_in_message":[],"_revision_number":2}],"current_revision_number":2,"current_revision":"5dedd4d8ad2cebec8506abda47402cd9d36321f7","revisions":{"d722bc50302242e37b291fa177c85e60e2408da2":{"kind":"REWORK","_number":1,"created":"2026-04-23 07:49:07.000000000","uploader":{"_account_id":37598,"name":"Ivan Anfimov","display_name":"Ivan Anfimov","email":"lazekteam@gmail.com","username":"anfimovir"},"ref":"refs/changes/21/985921/1","fetch":{"anonymous http":{"url":"https://review.opendev.org/openstack/keystone","ref":"refs/changes/21/985921/1","commands":{"Checkout":"git fetch https://review.opendev.org/openstack/keystone refs/changes/21/985921/1 \u0026\u0026 git checkout FETCH_HEAD","Cherry Pick":"git fetch https://review.opendev.org/openstack/keystone refs/changes/21/985921/1 \u0026\u0026 git cherry-pick FETCH_HEAD","Format Patch":"git fetch https://review.opendev.org/openstack/keystone refs/changes/21/985921/1 \u0026\u0026 git format-patch -1 --stdout FETCH_HEAD","Pull":"git pull https://review.opendev.org/openstack/keystone refs/changes/21/985921/1"}}},"commit":{"parents":[{"commit":"24b0e1190b04701614659a74d5a5b644902a77b8","subject":"Prevent unauthorized EC2 credential creation and deletion","web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/keystone/commit/24b0e1190b04701614659a74d5a5b644902a77b8"}]}],"author":{"name":"Boris Bobrov","email":"b.bobrov@sap.com","date":"2026-04-07 21:45:15.000000000","tz":120},"committer":{"name":"Ivan Anfimov","email":"lazekteam@gmail.com","date":"2026-04-23 07:49:07.000000000","tz":0},"subject":"Block restricted app creds from creating EC2 credentials via /credentials","message":"Block restricted app creds from creating EC2 credentials via /credentials\n\nThe POST /v3/credentials endpoint accepted EC2 credential creation\nfrom restricted application credential tokens, bypassing the guard\non the dedicated OS-EC2 endpoint. Add the same unrestricted\napplication credential check to the generic credentials API for\nEC2-type credentials, and update the existing test to use an\nunrestricted application credential.\n\nRelated-Bug: #2142138\nGenerated-By: claude-opus-4-6 (OpenCode)\nSigned-off-by: Boris Bobrov \u003cb.bobrov@sap.com\u003e\nChange-Id: Idb192a2fd370fc26c7d76788e9ad1856483d3239\n(cherry picked from commit d6a3dc511057d6ac25bd2d75776a4233c5608684)\n","web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/keystone/commit/d722bc50302242e37b291fa177c85e60e2408da2"}],"resolve_conflicts_web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/keystone/commit/d722bc50302242e37b291fa177c85e60e2408da2"}]},"branch":"refs/heads/stable/2025.2","conflicts":{"ours":"24b0e1190b04701614659a74d5a5b644902a77b8","theirs":"1e9e4ece2e142620ef5d00b876de3ce7ea5c206f","contains_conflicts":false}},"5dedd4d8ad2cebec8506abda47402cd9d36321f7":{"kind":"TRIVIAL_REBASE","_number":2,"created":"2026-04-23 07:54:39.000000000","uploader":{"_account_id":37598,"name":"Ivan Anfimov","display_name":"Ivan Anfimov","email":"lazekteam@gmail.com","username":"anfimovir"},"ref":"refs/changes/21/985921/2","fetch":{"anonymous http":{"url":"https://review.opendev.org/openstack/keystone","ref":"refs/changes/21/985921/2","commands":{"Checkout":"git fetch https://review.opendev.org/openstack/keystone refs/changes/21/985921/2 \u0026\u0026 git checkout FETCH_HEAD","Cherry Pick":"git fetch https://review.opendev.org/openstack/keystone refs/changes/21/985921/2 \u0026\u0026 git cherry-pick FETCH_HEAD","Format Patch":"git fetch https://review.opendev.org/openstack/keystone refs/changes/21/985921/2 \u0026\u0026 git format-patch -1 --stdout FETCH_HEAD","Pull":"git pull https://review.opendev.org/openstack/keystone refs/changes/21/985921/2"}}},"commit":{"parents":[{"commit":"ad8b17c7f2039ce03877fe6bd0465d5852ca578f","subject":"Add tests for restricted app cred guard","web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/keystone/commit/ad8b17c7f2039ce03877fe6bd0465d5852ca578f"}]}],"author":{"name":"Boris Bobrov","email":"b.bobrov@sap.com","date":"2026-04-07 21:45:15.000000000","tz":120},"committer":{"name":"Ivan Anfimov","email":"lazekteam@gmail.com","date":"2026-04-23 07:54:39.000000000","tz":0},"subject":"Block restricted app creds from creating EC2 credentials via /credentials","message":"Block restricted app creds from creating EC2 credentials via /credentials\n\nThe POST /v3/credentials endpoint accepted EC2 credential creation\nfrom restricted application credential tokens, bypassing the guard\non the dedicated OS-EC2 endpoint. Add the same unrestricted\napplication credential check to the generic credentials API for\nEC2-type credentials, and update the existing test to use an\nunrestricted application credential.\n\nRelated-Bug: #2142138\nGenerated-By: claude-opus-4-6 (OpenCode)\nSigned-off-by: Boris Bobrov \u003cb.bobrov@sap.com\u003e\nChange-Id: Idb192a2fd370fc26c7d76788e9ad1856483d3239\n(cherry picked from commit d6a3dc511057d6ac25bd2d75776a4233c5608684)\n","web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/keystone/commit/5dedd4d8ad2cebec8506abda47402cd9d36321f7"}],"resolve_conflicts_web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/keystone/commit/5dedd4d8ad2cebec8506abda47402cd9d36321f7"}]},"branch":"refs/heads/stable/2025.2","description":"Rebase","conflicts":{"ours":"d722bc50302242e37b291fa177c85e60e2408da2","theirs":"ad8b17c7f2039ce03877fe6bd0465d5852ca578f","contains_conflicts":false}}},"requirements":[],"submit_records":[{"rule_name":"gerrit~DefaultSubmitRule","status":"CLOSED","labels":[{"label":"Verified","status":"MAY","applied_by":{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]}},{"label":"Code-Review","status":"MAY","applied_by":{"_account_id":27900,"name":"Artem Goncharov","email":"artem.goncharov@gmail.com","username":"gtema"}},{"label":"Workflow","status":"MAY","applied_by":{"_account_id":27900,"name":"Artem Goncharov","email":"artem.goncharov@gmail.com","username":"gtema"}}]}],"submit_requirements":[{"name":"Verified","description":"Verified in gate by CI","status":"SATISFIED","is_legacy":false,"submittability_expression_result":{"expression":"label:Verified\u003dMAX AND -label:Verified\u003dMIN","fulfilled":true,"status":"PASS","passing_atoms":["label:Verified\u003dMAX"],"failing_atoms":["label:Verified\u003dMIN"],"atom_explanations":{"label:Verified\u003dMAX":"","label:Verified\u003dMIN":""}}},{"name":"Code-Review","description":"Code reviewed by core reviewer","status":"SATISFIED","is_legacy":false,"submittability_expression_result":{"expression":"label:Code-Review\u003dMAX AND -label:Code-Review\u003dMIN","fulfilled":true,"status":"PASS","passing_atoms":["label:Code-Review\u003dMAX"],"failing_atoms":["label:Code-Review\u003dMIN"],"atom_explanations":{"label:Code-Review\u003dMAX":"","label:Code-Review\u003dMIN":""}}},{"name":"Workflow","description":"Approved for gate by core reviewer","status":"SATISFIED","is_legacy":false,"submittability_expression_result":{"expression":"label:Workflow\u003dMAX AND -label:Workflow\u003dMIN","fulfilled":true,"status":"PASS","passing_atoms":["label:Workflow\u003dMAX"],"failing_atoms":["label:Workflow\u003dMIN"],"atom_explanations":{"label:Workflow\u003dMAX":"","label:Workflow\u003dMIN":""}}}]}