)]}'
{"id":"openstack%2Fkeystone~986498","triplet_id":"openstack%2Fkeystone~stable%2F2026.1~I1a9dc4e37f0d2e63c9edb5de7eb5fd3b37ca77ce","project":"openstack/keystone","branch":"stable/2026.1","attention_set":{},"removed_from_attention_set":{"14250":{"account":{"_account_id":14250,"name":"Grzegorz Grasza","email":"xek@redhat.com","username":"xek"},"last_update":"2026-05-06 12:38:37.000000000","reason":"Change was submitted"}},"hashtags":[],"change_id":"I1a9dc4e37f0d2e63c9edb5de7eb5fd3b37ca77ce","subject":"Block app credential token rescoping","status":"MERGED","created":"2026-04-28 08:41:16.000000000","updated":"2026-05-06 12:40:10.000000000","submitted":"2026-05-06 12:38:37.000000000","submitter":{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},"total_comment_count":0,"unresolved_comment_count":0,"has_review_started":true,"submission_id":"986498","cherry_pick_of_change":982171,"cherry_pick_of_patch_set":3,"meta_rev_id":"d1fcbe09eb74216edcd091e532e6af34cdcb03a6","_number":986498,"virtual_id_number":986498,"owner":{"_account_id":14250,"name":"Grzegorz Grasza","email":"xek@redhat.com","username":"xek"},"actions":{},"labels":{"Verified":{"approved":{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},"all":[{"value":0,"_account_id":27900,"name":"Artem Goncharov","email":"artem.goncharov@gmail.com","username":"gtema"},{"tag":"autogenerated:zuul:gate","value":2,"date":"2026-05-06 12:38:37.000000000","permitted_voting_range":{"min":2,"max":2},"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]}],"values":{"-2":"Fails","-1":"Doesn\u0027t seem to work"," 0":"No score","+1":"Works for me","+2":"Verified"},"description":"","default_value":0,"optional":true},"Code-Review":{"approved":{"_account_id":27900,"name":"Artem Goncharov","email":"artem.goncharov@gmail.com","username":"gtema"},"all":[{"value":2,"date":"2026-05-06 08:48:29.000000000","permitted_voting_range":{"min":2,"max":2},"_account_id":27900,"name":"Artem Goncharov","email":"artem.goncharov@gmail.com","username":"gtema"},{"value":0,"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]}],"values":{"-2":"Do not merge","-1":"This patch needs further work before it can be merged"," 0":"No score","+1":"Looks good to me, but someone else must approve","+2":"Looks good to me (core reviewer)"},"description":"","default_value":0,"optional":true},"Workflow":{"approved":{"_account_id":27900,"name":"Artem Goncharov","email":"artem.goncharov@gmail.com","username":"gtema"},"all":[{"value":1,"date":"2026-05-06 08:48:29.000000000","permitted_voting_range":{"min":1,"max":1},"_account_id":27900,"name":"Artem Goncharov","email":"artem.goncharov@gmail.com","username":"gtema"},{"value":0,"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]}],"values":{"-1":"Work in progress"," 0":"Ready for reviews","+1":"Approved"},"description":"","default_value":0,"optional":true}},"removable_reviewers":[],"reviewers":{"CC":[{"_account_id":13478,"name":"Boris Bobrov","email":"b.bobrov@sap.com","username":"bbobrov"}],"REVIEWER":[{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},{"_account_id":27900,"name":"Artem Goncharov","email":"artem.goncharov@gmail.com","username":"gtema"}]},"pending_reviewers":{},"reviewer_updates":[{"updated":"2026-04-28 08:41:16.000000000","updated_by":{"_account_id":14250,"name":"Grzegorz Grasza","email":"xek@redhat.com","username":"xek"},"reviewer":{"_account_id":13478,"name":"Boris Bobrov","email":"b.bobrov@sap.com","username":"bbobrov"},"state":"CC"},{"updated":"2026-04-28 10:01:14.000000000","updated_by":{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},"reviewer":{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},"state":"REVIEWER"},{"updated":"2026-05-06 08:48:29.000000000","updated_by":{"_account_id":27900,"name":"Artem Goncharov","email":"artem.goncharov@gmail.com","username":"gtema"},"reviewer":{"_account_id":27900,"name":"Artem Goncharov","email":"artem.goncharov@gmail.com","username":"gtema"},"state":"REVIEWER"}],"messages":[{"id":"aaf7d122d378e3ab21ff888579c0c766c3b9f51b","tag":"autogenerated:gerrit:newPatchSet","author":{"_account_id":14250,"name":"Grzegorz Grasza","email":"xek@redhat.com","username":"xek"},"date":"2026-04-28 08:41:16.000000000","message":"Patch Set 1: Cherry Picked from branch master.","accounts_in_message":[],"_revision_number":1},{"id":"c85f46636c4b5fd2ab6781d53a277efcaa068d0a","tag":"autogenerated:zuul:check","author":{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},"date":"2026-04-28 10:01:14.000000000","message":"Patch Set 1: Verified+1\n\nBuild succeeded (check pipeline).\nhttps://zuul.opendev.org/t/openstack/buildset/973d29d114704b43925c33aca32090b8\n\n- openstack-tox-cover https://zuul.opendev.org/t/openstack/build/f4102c81a5374a0e83b14154c3d65d84 : SUCCESS in 16m 30s\n- openstack-tox-pep8 https://zuul.opendev.org/t/openstack/build/077ea4e58fbd499a8949ecb8ae446382 : SUCCESS in 5m 57s\n- openstack-tox-py310 https://zuul.opendev.org/t/openstack/build/447122ed3e9f45d88b2b1a76e824d1a8 : SUCCESS in 10m 36s\n- openstack-tox-py313 https://zuul.opendev.org/t/openstack/build/897f76fcf30b4477b1a12aacb0353c05 : SUCCESS in 9m 22s\n- openstack-tox-docs https://zuul.opendev.org/t/openstack/build/82f1c9dd820d46ef9bb436e04a4bf9d3 : SUCCESS in 14m 06s\n- grenade https://zuul.opendev.org/t/openstack/build/d3e5c5b92e9349b68806a40e10e2b3ce : SUCCESS in 1h 13m 36s\n- tempest-full-py3 https://zuul.opendev.org/t/openstack/build/9c19ba1ff49741b1834925e93332df8f : SUCCESS in 1h 09m 17s\n- keystoneclient-devstack-functional https://zuul.opendev.org/t/openstack/build/25f4064101ae4f61a1ea93b377538b8c : SUCCESS in 11m 11s (non-voting)\n- keystone-tempest https://zuul.opendev.org/t/openstack/build/3d2f24c81d3e48f2b7f22ca17ece6d25 : SUCCESS in 30m 15s\n- keystone-tempest-fips https://zuul.opendev.org/t/openstack/build/49aa46bc487143afa4f2f9d36025603a : FAILURE in 11m 38s (non-voting)\n- keystone-tempest-federation https://zuul.opendev.org/t/openstack/build/4007ad519526450c8fa56d26b31bc3d1 : FAILURE in 25m 17s (non-voting)\n- keystone-tempest-federation-k2k https://zuul.opendev.org/t/openstack/build/68c147cff38749d9971bdb5ed324b983 : SUCCESS in 18m 00s\n- keystone-tempest-oidc-federation https://zuul.opendev.org/t/openstack/build/0679b4db7ce943a38848a71c39a36b9f : SUCCESS in 32m 07s\n- keystone-tempest-ldap-domain-specific-driver https://zuul.opendev.org/t/openstack/build/1877d82d1642430dbcf1bfbdb53b8bdd : SUCCESS in 42m 08s (non-voting)\n- tempest-ipv6-only https://zuul.opendev.org/t/openstack/build/844e7d4a2f8c4d8288ed17ce423ff7c8 : SUCCESS in 1h 09m 44s\n- keystone-protection-functional https://zuul.opendev.org/t/openstack/build/bc70dc679cb6439ea4ec5e1f49a00aaa : FAILURE in 41m 13s (non-voting)\n- codegenerator-openapi-identity-tips-with-api-ref https://zuul.opendev.org/t/openstack/build/1d940a2a4b624ea98b103b81690f1d9c : SUCCESS in 4m 16s (non-voting)","accounts_in_message":[],"_revision_number":1},{"id":"2bea57b00b5246312f4f97cd57acf5cbef0bc90e","author":{"_account_id":27900,"name":"Artem Goncharov","email":"artem.goncharov@gmail.com","username":"gtema"},"date":"2026-05-06 08:48:29.000000000","message":"Patch Set 1: Code-Review+2 Workflow+1","accounts_in_message":[],"_revision_number":1},{"id":"a292dc9850a62b70fe7c22250dd47cd93b49d28d","tag":"autogenerated:zuul:gate","author":{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},"date":"2026-05-06 08:49:27.000000000","message":"Patch Set 1: -Verified\n\nStarting gate jobs.","accounts_in_message":[],"_revision_number":1},{"id":"b90e8932f7ba94d95805d952c074ba1c858ab2d9","tag":"autogenerated:zuul:gate","author":{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},"date":"2026-05-06 12:38:37.000000000","message":"Patch Set 1: Verified+2\n\nBuild succeeded (gate pipeline).\nhttps://zuul.opendev.org/t/openstack/buildset/66f97ecc4dba40fbbb32264ad4c1dc42\n\n- openstack-tox-pep8 https://zuul.opendev.org/t/openstack/build/14f4a982ce8441dda56afef049dc2b9e : SUCCESS in 5m 46s\n- openstack-tox-py310 https://zuul.opendev.org/t/openstack/build/8fb1354b8dee4e52bee6d38e5b44b058 : SUCCESS in 11m 00s\n- openstack-tox-py313 https://zuul.opendev.org/t/openstack/build/5259e4fb41a14a9781c01145dd98e2ef : SUCCESS in 11m 49s\n- openstack-tox-docs https://zuul.opendev.org/t/openstack/build/98c586075104479ebb9fc7434bbe751e : SUCCESS in 7m 44s\n- grenade https://zuul.opendev.org/t/openstack/build/1a3eefededd940779a6f557b95da6339 : SUCCESS in 1h 09m 59s\n- tempest-full-py3 https://zuul.opendev.org/t/openstack/build/09dba1f197534159a741673abf49ec1c : SUCCESS in 1h 40m 17s\n- keystone-tempest https://zuul.opendev.org/t/openstack/build/879c066f279145e29b25291e49a541c4 : SUCCESS in 19m 23s\n- keystone-tempest-federation-k2k https://zuul.opendev.org/t/openstack/build/26da7f02dbbb457993a7aa8c9e4cc784 : SUCCESS in 30m 22s\n- tempest-ipv6-only https://zuul.opendev.org/t/openstack/build/2581efd627564422b8717d2661a41ef2 : SUCCESS in 31m 42s\n- keystone-protection-functional https://zuul.opendev.org/t/openstack/build/8883bc1deb4e41268dfb9aa584095df5 : FAILURE in 41m 12s (non-voting)","accounts_in_message":[],"_revision_number":1},{"id":"0d435215104c412c2ffa4a163b78e657af76c1cc","tag":"autogenerated:gerrit:merged","author":{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},"date":"2026-05-06 12:38:37.000000000","message":"Change has been successfully merged","accounts_in_message":[],"_revision_number":1},{"id":"d1fcbe09eb74216edcd091e532e6af34cdcb03a6","tag":"autogenerated:zuul:promote","author":{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},"date":"2026-05-06 12:40:10.000000000","message":"Patch Set 1:\n\nBuild succeeded (promote pipeline).\nhttps://zuul.opendev.org/t/openstack/buildset/4a35b8a699d94bc5b6bf6afde4aebb6d\n\n- promote-openstack-tox-docs https://zuul.opendev.org/t/openstack/build/9cfc6ced1bf341cfb102444f236f4225 : SUCCESS in 1m 04s","accounts_in_message":[],"_revision_number":1}],"current_revision_number":1,"current_revision":"88b5d90203900e3785321723d382ad84000a6aaa","revisions":{"88b5d90203900e3785321723d382ad84000a6aaa":{"kind":"REWORK","_number":1,"created":"2026-04-28 08:41:16.000000000","uploader":{"_account_id":14250,"name":"Grzegorz Grasza","email":"xek@redhat.com","username":"xek"},"ref":"refs/changes/98/986498/1","fetch":{"anonymous http":{"url":"https://review.opendev.org/openstack/keystone","ref":"refs/changes/98/986498/1","commands":{"Checkout":"git fetch https://review.opendev.org/openstack/keystone refs/changes/98/986498/1 \u0026\u0026 git checkout FETCH_HEAD","Cherry Pick":"git fetch https://review.opendev.org/openstack/keystone refs/changes/98/986498/1 \u0026\u0026 git cherry-pick FETCH_HEAD","Format Patch":"git fetch https://review.opendev.org/openstack/keystone refs/changes/98/986498/1 \u0026\u0026 git format-patch -1 --stdout FETCH_HEAD","Pull":"git pull https://review.opendev.org/openstack/keystone refs/changes/98/986498/1"}}},"commit":{"parents":[{"commit":"4ec1f8a0120548da213d45e6f98712c6eb52ac0d","subject":"Block restricted app creds from creating EC2 credentials via /credentials","web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/keystone/commit/4ec1f8a0120548da213d45e6f98712c6eb52ac0d"}]}],"author":{"name":"Boris Bobrov","email":"b.bobrov@sap.com","date":"2026-03-19 22:27:59.000000000","tz":60},"committer":{"name":"Grzegorz Grasza","email":"xek@redhat.com","date":"2026-04-28 08:41:16.000000000","tz":0},"subject":"Block app credential token rescoping","message":"Block app credential token rescoping\n\nApplication credential tokens could be rescoped to system scope\nvia token-from-token auth, bypassing the intended scope binding.\nThe check only blocked project and domain scope but not system,\nallowing escalation to full system-admin privileges.\n\nCheck for any requested scope rather than enumerating individual\nscope types.\n\nCloses-Bug: 2144966\nGenerated-By: claude-opus-4-6 (OpenCode)\nSigned-off-by: Boris Bobrov \u003cb.bobrov@sap.com\u003e\nChange-Id: I1a9dc4e37f0d2e63c9edb5de7eb5fd3b37ca77ce\n(cherry picked from commit 836f6b98648ee713c368a803eabe01a66f161372)\n","web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/keystone/commit/88b5d90203900e3785321723d382ad84000a6aaa"}],"resolve_conflicts_web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/keystone/commit/88b5d90203900e3785321723d382ad84000a6aaa"}]},"branch":"refs/heads/stable/2026.1","conflicts":{"ours":"4ec1f8a0120548da213d45e6f98712c6eb52ac0d","theirs":"836f6b98648ee713c368a803eabe01a66f161372","contains_conflicts":false}}},"requirements":[],"submit_records":[{"rule_name":"gerrit~DefaultSubmitRule","status":"CLOSED","labels":[{"label":"Verified","status":"MAY","applied_by":{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]}},{"label":"Code-Review","status":"MAY","applied_by":{"_account_id":27900,"name":"Artem Goncharov","email":"artem.goncharov@gmail.com","username":"gtema"}},{"label":"Workflow","status":"MAY","applied_by":{"_account_id":27900,"name":"Artem Goncharov","email":"artem.goncharov@gmail.com","username":"gtema"}}]}],"submit_requirements":[{"name":"Verified","description":"Verified in gate by CI","status":"SATISFIED","is_legacy":false,"submittability_expression_result":{"expression":"label:Verified\u003dMAX AND -label:Verified\u003dMIN","fulfilled":true,"status":"PASS","passing_atoms":["label:Verified\u003dMAX"],"failing_atoms":["label:Verified\u003dMIN"],"atom_explanations":{"label:Verified\u003dMAX":"","label:Verified\u003dMIN":""}}},{"name":"Code-Review","description":"Code reviewed by core reviewer","status":"SATISFIED","is_legacy":false,"submittability_expression_result":{"expression":"label:Code-Review\u003dMAX AND -label:Code-Review\u003dMIN","fulfilled":true,"status":"PASS","passing_atoms":["label:Code-Review\u003dMAX"],"failing_atoms":["label:Code-Review\u003dMIN"],"atom_explanations":{"label:Code-Review\u003dMAX":"","label:Code-Review\u003dMIN":""}}},{"name":"Workflow","description":"Approved for gate by core reviewer","status":"SATISFIED","is_legacy":false,"submittability_expression_result":{"expression":"label:Workflow\u003dMAX AND -label:Workflow\u003dMIN","fulfilled":true,"status":"PASS","passing_atoms":["label:Workflow\u003dMAX"],"failing_atoms":["label:Workflow\u003dMIN"],"atom_explanations":{"label:Workflow\u003dMAX":"","label:Workflow\u003dMIN":""}}}]}