)]}'
{"id":"openstack%2Fkeystone~987160","triplet_id":"openstack%2Fkeystone~master~I6e78a243dbb935b5d63d8d2a395fbef9b2c40ae1","project":"openstack/keystone","branch":"master","topic":"OSPRH-29644-federated-appcred-policy","attention_set":{"27900":{"account":{"_account_id":27900,"name":"Artem Goncharov","email":"artem.goncharov@gmail.com","username":"gtema"},"last_update":"2026-05-04 22:23:29.000000000","reason":"\u003cGERRIT_ACCOUNT_14250\u003e replied on the change","reason_account":{"_account_id":14250,"name":"Grzegorz Grasza","email":"xek@redhat.com","username":"xek"}},"7414":{"account":{"_account_id":7414,"name":"David Wilde","email":"dwilde@redhat.com","username":"d34dh0r53"},"last_update":"2026-05-04 22:23:29.000000000","reason":"\u003cGERRIT_ACCOUNT_14250\u003e replied on the change","reason_account":{"_account_id":14250,"name":"Grzegorz Grasza","email":"xek@redhat.com","username":"xek"}}},"removed_from_attention_set":{},"hashtags":[],"change_id":"I6e78a243dbb935b5d63d8d2a395fbef9b2c40ae1","subject":"application_credential: enforce policy for federated users","status":"NEW","created":"2026-05-04 12:20:26.000000000","updated":"2026-05-07 11:46:52.000000000","submit_type":"MERGE_IF_NECESSARY","mergeable":true,"submittable":false,"total_comment_count":3,"unresolved_comment_count":0,"has_review_started":true,"meta_rev_id":"31b346dbe28d50588c0d20ea2ccbc92d9de766d7","_number":987160,"virtual_id_number":987160,"owner":{"_account_id":14250,"name":"Grzegorz Grasza","email":"xek@redhat.com","username":"xek"},"actions":{},"labels":{"Verified":{"recommended":{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},"all":[{"tag":"autogenerated:zuul:check","value":1,"date":"2026-05-04 23:59:05.000000000","permitted_voting_range":{"min":-2,"max":2},"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},{"_account_id":27900,"name":"Artem Goncharov","email":"artem.goncharov@gmail.com","username":"gtema"},{"_account_id":7414,"name":"David Wilde","email":"dwilde@redhat.com","username":"d34dh0r53"}],"values":{"-2":"Fails","-1":"Doesn\u0027t seem to work"," 0":"No score","+1":"Works for me","+2":"Verified"},"description":"","value":1,"default_value":0,"optional":true},"Code-Review":{"all":[{"value":0,"permitted_voting_range":{"min":-1,"max":1},"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},{"value":0,"permitted_voting_range":{"min":-2,"max":2},"_account_id":27900,"name":"Artem Goncharov","email":"artem.goncharov@gmail.com","username":"gtema"},{"value":0,"permitted_voting_range":{"min":-2,"max":2},"_account_id":7414,"name":"David Wilde","email":"dwilde@redhat.com","username":"d34dh0r53"}],"values":{"-2":"Do not merge","-1":"This patch needs further work before it can be merged"," 0":"No score","+1":"Looks good to me, but someone else must approve","+2":"Looks good to me (core reviewer)"},"description":"","default_value":0,"optional":true},"Workflow":{"all":[{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},{"value":0,"permitted_voting_range":{"min":-1,"max":1},"_account_id":27900,"name":"Artem Goncharov","email":"artem.goncharov@gmail.com","username":"gtema"},{"value":0,"permitted_voting_range":{"min":-1,"max":1},"_account_id":7414,"name":"David Wilde","email":"dwilde@redhat.com","username":"d34dh0r53"}],"values":{"-1":"Work in progress"," 0":"Ready for reviews","+1":"Approved"},"description":"","default_value":0,"optional":true}},"removable_reviewers":[],"reviewers":{"CC":[{"_account_id":23084,"name":"Bartosz Bezak","email":"bartosz@stackhpc.com","username":"b.bezak"},{"_account_id":37598,"name":"Ivan Anfimov","display_name":"Ivan Anfimov","email":"lazekteam@gmail.com","username":"anfimovir"}],"REVIEWER":[{"_account_id":7414,"name":"David Wilde","email":"dwilde@redhat.com","username":"d34dh0r53"},{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},{"_account_id":27900,"name":"Artem Goncharov","email":"artem.goncharov@gmail.com","username":"gtema"}]},"pending_reviewers":{},"reviewer_updates":[{"updated":"2026-05-04 12:47:59.000000000","updated_by":{"_account_id":23084,"name":"Bartosz Bezak","email":"bartosz@stackhpc.com","username":"b.bezak"},"reviewer":{"_account_id":23084,"name":"Bartosz Bezak","email":"bartosz@stackhpc.com","username":"b.bezak"},"state":"CC"},{"updated":"2026-05-04 13:32:34.000000000","updated_by":{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},"reviewer":{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},"state":"CC"},{"updated":"2026-05-04 14:01:44.000000000","updated_by":{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},"reviewer":{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},"state":"REVIEWER"},{"updated":"2026-05-04 22:23:29.000000000","updated_by":{"_account_id":14250,"name":"Grzegorz Grasza","email":"xek@redhat.com","username":"xek"},"reviewer":{"_account_id":7414,"name":"David Wilde","email":"dwilde@redhat.com","username":"d34dh0r53"},"state":"REVIEWER"},{"updated":"2026-05-04 22:23:29.000000000","updated_by":{"_account_id":14250,"name":"Grzegorz Grasza","email":"xek@redhat.com","username":"xek"},"reviewer":{"_account_id":27900,"name":"Artem Goncharov","email":"artem.goncharov@gmail.com","username":"gtema"},"state":"REVIEWER"},{"updated":"2026-05-07 11:46:52.000000000","updated_by":{"_account_id":37598,"name":"Ivan Anfimov","display_name":"Ivan Anfimov","email":"lazekteam@gmail.com","username":"anfimovir"},"reviewer":{"_account_id":37598,"name":"Ivan Anfimov","display_name":"Ivan Anfimov","email":"lazekteam@gmail.com","username":"anfimovir"},"state":"CC"}],"messages":[{"id":"56f82b6a9bde5fbf9f2d7af3b410e98c05c98f22","tag":"autogenerated:gerrit:newWipPatchSet","author":{"_account_id":14250,"name":"Grzegorz Grasza","email":"xek@redhat.com","username":"xek"},"date":"2026-05-04 12:20:26.000000000","message":"Uploaded patch set 1.","accounts_in_message":[],"_revision_number":1},{"id":"1f994d077e448be64806e81c3b7c91d51ae0a8f8","tag":"autogenerated:gerrit:newWipPatchSet","author":{"_account_id":14250,"name":"Grzegorz Grasza","email":"xek@redhat.com","username":"xek"},"date":"2026-05-04 12:26:51.000000000","message":"Uploaded patch set 2.","accounts_in_message":[],"_revision_number":2},{"id":"d1fa399f4f14b28ec54082884d00df0764790891","tag":"autogenerated:gerrit:newWipPatchSet","author":{"_account_id":14250,"name":"Grzegorz Grasza","email":"xek@redhat.com","username":"xek"},"date":"2026-05-04 12:28:04.000000000","message":"Uploaded patch set 3.","accounts_in_message":[],"_revision_number":3},{"id":"33c57e50310868c22d749f9e06acd3df1dd0205b","tag":"autogenerated:gerrit:newWipPatchSet","author":{"_account_id":14250,"name":"Grzegorz Grasza","email":"xek@redhat.com","username":"xek"},"date":"2026-05-04 12:31:48.000000000","message":"Uploaded patch set 4.","accounts_in_message":[],"_revision_number":4},{"id":"dfcc12247a156fd3d61ba58c6a1e2f9693dc5dfc","tag":"autogenerated:gerrit:newWipPatchSet","author":{"_account_id":14250,"name":"Grzegorz Grasza","email":"xek@redhat.com","username":"xek"},"date":"2026-05-04 12:36:37.000000000","message":"Uploaded patch set 5.","accounts_in_message":[],"_revision_number":5},{"id":"3c48f28c36d5f9154fd39639877087a08638f795","tag":"autogenerated:gerrit:newWipPatchSet","author":{"_account_id":14250,"name":"Grzegorz Grasza","email":"xek@redhat.com","username":"xek"},"date":"2026-05-04 12:43:07.000000000","message":"Uploaded patch set 6.","accounts_in_message":[],"_revision_number":6},{"id":"5045b53b1425464450672ebdef1e837d8b6fb0d8","tag":"autogenerated:gerrit:newWipPatchSet","author":{"_account_id":14250,"name":"Grzegorz Grasza","email":"xek@redhat.com","username":"xek"},"date":"2026-05-04 12:48:27.000000000","message":"Uploaded patch set 7.","accounts_in_message":[],"_revision_number":7},{"id":"0f747e501698867c3b33bb496638d82b4c943ca4","tag":"autogenerated:gerrit:newWipPatchSet","author":{"_account_id":14250,"name":"Grzegorz Grasza","email":"xek@redhat.com","username":"xek"},"date":"2026-05-04 12:48:45.000000000","message":"Uploaded patch set 8.","accounts_in_message":[],"_revision_number":8},{"id":"8727b90ed5c6e6f13a26ed54dc9e74b94e1b338e","tag":"autogenerated:gerrit:newWipPatchSet","author":{"_account_id":14250,"name":"Grzegorz Grasza","email":"xek@redhat.com","username":"xek"},"date":"2026-05-04 12:50:06.000000000","message":"Uploaded patch set 9.","accounts_in_message":[],"_revision_number":9},{"id":"c8dfc1bc763629f161e97170093d139823a3a4c9","tag":"autogenerated:zuul:check-arm64","author":{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},"date":"2026-05-04 13:32:34.000000000","message":"Patch Set 9:\n\nBuild succeeded (ARM64 pipeline).\nhttps://zuul.opendev.org/t/openstack/buildset/e6d9861ce0d9450991ddadc3363c56b0\n\n- openstack-tox-py310-arm64 https://zuul.opendev.org/t/openstack/build/93901e91abb6489eb19419dbcbf8b253 : SUCCESS in 15m 24s (non-voting)\n- openstack-tox-py313-arm64 https://zuul.opendev.org/t/openstack/build/9c1cf6f172e547098cbd9b27df4729e6 : SUCCESS in 12m 03s (non-voting)\n- openstack-tox-py314-arm64 https://zuul.opendev.org/t/openstack/build/2ae738b08652449585737951514a5aef : SUCCESS in 18m 09s (non-voting)","accounts_in_message":[],"_revision_number":9},{"id":"20d6d865453fb2685b5c5b08459a33f935682c15","tag":"autogenerated:zuul:check","author":{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},"date":"2026-05-04 14:01:44.000000000","message":"Patch Set 9: Verified-1\n\n(2 comments)\n\nBuild failed (check pipeline).  For information on how to proceed, see\nhttps://docs.opendev.org/opendev/infra-manual/latest/developers.html#automated-testing\nand https://docs.openstack.org/project-team-guide/testing.html#how-to-handle-test-failures\n\nhttps://zuul.opendev.org/t/openstack/buildset/f9846c8fece54dc99da30de37c73331f\n\n- openstack-tox-cover https://zuul.opendev.org/t/openstack/build/572369ce816e47dbb7f9e7109091423d : SUCCESS in 13m 09s\n- openstack-tox-pep8 https://zuul.opendev.org/t/openstack/build/9d3e9e5ada5b4ec59ce909f8e581ac78 : FAILURE in 6m 38s\n- openstack-tox-py311 https://zuul.opendev.org/t/openstack/build/409dd2f308d94b98aedd8babe2b4b995 : SUCCESS in 6m 47s\n- openstack-tox-py313 https://zuul.opendev.org/t/openstack/build/19f9c0e2f36f47dba6a752bf27a84b3f : SUCCESS in 12m 59s\n- openstack-tox-py314 https://zuul.opendev.org/t/openstack/build/b90baf26912947df95a22e8c442b23ad : SUCCESS in 17m 39s (non-voting)\n- openstack-tox-docs https://zuul.opendev.org/t/openstack/build/544eeec604d2422c85b9568914093275 : SUCCESS in 14m 22s\n- grenade https://zuul.opendev.org/t/openstack/build/0ffc41140a664402a60d1abc3195dff9 : SUCCESS in 1h 07m 21s\n- tempest-full-py3 https://zuul.opendev.org/t/openstack/build/d88c5a0b509b481bbc8cd5e4c1cfe058 : SUCCESS in 53m 14s\n- build-openstack-releasenotes https://zuul.opendev.org/t/openstack/build/2b1b0a99b44645a98922de6cd009b099 : SUCCESS in 12m 04s\n- keystoneclient-devstack-functional https://zuul.opendev.org/t/openstack/build/b01e1de6cc094582b444bbc19059d739 : SUCCESS in 18m 19s (non-voting)\n- keystone-tempest https://zuul.opendev.org/t/openstack/build/3c0f1972ab5c4c149e5c3d992e52fbb2 : SUCCESS in 33m 40s\n- keystone-tempest-fips https://zuul.opendev.org/t/openstack/build/cbf2629860474247aa3982ff10cd6641 : FAILURE in 19m 24s (non-voting)\n- keystone-tempest-federation https://zuul.opendev.org/t/openstack/build/fca48ace22c74f958d3c439b38982993 : FAILURE in 12m 33s (non-voting)\n- keystone-tempest-federation-k2k https://zuul.opendev.org/t/openstack/build/ba9b0136d3f94a16b9da14b3ccd075ae : SUCCESS in 31m 08s\n- keystone-tempest-oidc-federation https://zuul.opendev.org/t/openstack/build/ec2e8ea7e654456491a09acafe276d6b : SUCCESS in 16m 59s\n- keystone-tempest-ldap-domain-specific-driver https://zuul.opendev.org/t/openstack/build/bafdcb5f844340859670887c498b465f : SUCCESS in 25m 50s (non-voting)\n- tempest-ipv6-only https://zuul.opendev.org/t/openstack/build/5512c93946014e7986cd4716eec4c326 : SUCCESS in 58m 06s\n- keystone-protection-functional https://zuul.opendev.org/t/openstack/build/fe6baaececae42a19e948cfe084369cf : FAILURE in 39m 35s (non-voting)\n- codegenerator-openapi-identity-tips-with-api-ref https://zuul.opendev.org/t/openstack/build/e41c0d06b94342db89359cb591441605 : SUCCESS in 6m 46s (non-voting)","accounts_in_message":[],"_revision_number":9},{"id":"3d3bc5f23302796834d442422775b9691dca2998","tag":"autogenerated:gerrit:newWipPatchSet","author":{"_account_id":14250,"name":"Grzegorz Grasza","email":"xek@redhat.com","username":"xek"},"date":"2026-05-04 14:10:32.000000000","message":"Uploaded patch set 10.\n\nOutdated Votes:\n* Verified-1 (copy condition: \"NEVER\")\n","accounts_in_message":[],"_revision_number":10},{"id":"96073f7698ecb1c273d31a41c7a04894a5dd2f2a","tag":"autogenerated:zuul:check-arm64","author":{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},"date":"2026-05-04 15:00:42.000000000","message":"Patch Set 10:\n\nBuild succeeded (ARM64 pipeline).\nhttps://zuul.opendev.org/t/openstack/buildset/e86dfdd825e24eb3bea3bea1ad3b9c82\n\n- openstack-tox-py310-arm64 https://zuul.opendev.org/t/openstack/build/07883141fb73487e95e37311134bb8aa : SUCCESS in 15m 49s (non-voting)\n- openstack-tox-py313-arm64 https://zuul.opendev.org/t/openstack/build/2128c1b64275488c94986d274f6cb45e : SUCCESS in 12m 53s (non-voting)\n- openstack-tox-py314-arm64 https://zuul.opendev.org/t/openstack/build/8372cd6ec5b84c379006993b75163896 : SUCCESS in 21m 35s (non-voting)","accounts_in_message":[],"_revision_number":10},{"id":"d28fcaea2935c377af8e7ff83685549a6e192bcd","tag":"autogenerated:zuul:check","author":{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},"date":"2026-05-04 16:31:20.000000000","message":"Patch Set 10: Verified-1\n\nBuild failed (check pipeline).  For information on how to proceed, see\nhttps://docs.opendev.org/opendev/infra-manual/latest/developers.html#automated-testing\nand https://docs.openstack.org/project-team-guide/testing.html#how-to-handle-test-failures\n\nhttps://zuul.opendev.org/t/openstack/buildset/9d8ad220e42c436c9ccbae815f6c5bf2\n\n- openstack-tox-cover https://zuul.opendev.org/t/openstack/build/c72485835758409e9d4bd367d87f5445 : SUCCESS in 17m 02s\n- openstack-tox-pep8 https://zuul.opendev.org/t/openstack/build/195ff3cce06c4c8ea86e573f8d54ce5e : FAILURE in 5m 27s\n- openstack-tox-py311 https://zuul.opendev.org/t/openstack/build/a916363bb86e4a7bb59fa84cfb70b4b9 : SUCCESS in 7m 47s\n- openstack-tox-py313 https://zuul.opendev.org/t/openstack/build/5b99dc54b141454095baf6e07425e49e : SUCCESS in 11m 45s\n- openstack-tox-py314 https://zuul.opendev.org/t/openstack/build/0fbd1930cdb14e24ab50c7cfe39f0b17 : SUCCESS in 8m 54s (non-voting)\n- openstack-tox-docs https://zuul.opendev.org/t/openstack/build/d5817a6f621748b492d3e290c2dec494 : SUCCESS in 13m 54s\n- grenade https://zuul.opendev.org/t/openstack/build/72e56eda565042e59e827d60220141c9 : SUCCESS in 1h 05m 03s\n- tempest-full-py3 https://zuul.opendev.org/t/openstack/build/84233e9128ea470cbe8656c8b0ead082 : SUCCESS in 2h 13m 25s\n- build-openstack-releasenotes https://zuul.opendev.org/t/openstack/build/75cd3a0f274447d6a2203ca5abdcd5dc : SUCCESS in 12m 03s\n- keystoneclient-devstack-functional https://zuul.opendev.org/t/openstack/build/27199924f2ee4faeab62bdab73f70c7c : SUCCESS in 20m 01s (non-voting)\n- keystone-tempest https://zuul.opendev.org/t/openstack/build/a2a2428ee6fc49ebaa7a0b9ba2ba2c75 : SUCCESS in 29m 45s\n- keystone-tempest-fips https://zuul.opendev.org/t/openstack/build/9a75b704a77b424ab6eddde855f47d41 : FAILURE in 19m 17s (non-voting)\n- keystone-tempest-federation https://zuul.opendev.org/t/openstack/build/b97d22c4e9ef4f3f9ef1352d5f2894a2 : FAILURE in 31m 26s (non-voting)\n- keystone-tempest-federation-k2k https://zuul.opendev.org/t/openstack/build/7fd50999c8fc41d5ba70383713d8a5e8 : SUCCESS in 32m 47s\n- keystone-tempest-oidc-federation https://zuul.opendev.org/t/openstack/build/cdaebd38f7fd4a8c86a2bad441a3cd77 : SUCCESS in 24m 57s\n- keystone-tempest-ldap-domain-specific-driver https://zuul.opendev.org/t/openstack/build/31824efd36434192a859006304f4df0c : SUCCESS in 36m 15s (non-voting)\n- tempest-ipv6-only https://zuul.opendev.org/t/openstack/build/4f3c64a0a5ef40529f50507902d41776 : SUCCESS in 58m 10s\n- keystone-protection-functional https://zuul.opendev.org/t/openstack/build/ea7cf784a2f445ef955ab63e3f94fa37 : FAILURE in 39m 27s (non-voting)\n- codegenerator-openapi-identity-tips-with-api-ref https://zuul.opendev.org/t/openstack/build/84e0f56005e6415ba18a3587b5e3b03e : SUCCESS in 7m 33s (non-voting)","accounts_in_message":[],"_revision_number":10},{"id":"0e7ecc6e0a4350372589d8aef9591e883fab271f","tag":"autogenerated:gerrit:newWipPatchSet","author":{"_account_id":14250,"name":"Grzegorz Grasza","email":"xek@redhat.com","username":"xek"},"date":"2026-05-04 21:43:23.000000000","message":"Uploaded patch set 11.\n\nOutdated Votes:\n* Verified-1 (copy condition: \"NEVER\")\n","accounts_in_message":[],"_revision_number":11},{"id":"735044ad93a19d810b7c406807da27702101f141","tag":"autogenerated:zuul:check-arm64","author":{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},"date":"2026-05-04 22:10:09.000000000","message":"Patch Set 11:\n\nBuild succeeded (ARM64 pipeline).\nhttps://zuul.opendev.org/t/openstack/buildset/1e90a3b0232f486890c8f989186ca340\n\n- openstack-tox-py310-arm64 https://zuul.opendev.org/t/openstack/build/b023ace6e3a0460f968e1fe9cbe11437 : SUCCESS in 23m 10s (non-voting)\n- openstack-tox-py313-arm64 https://zuul.opendev.org/t/openstack/build/008224c3a6ee4537847ecd00401189e0 : SUCCESS in 20m 03s (non-voting)\n- openstack-tox-py314-arm64 https://zuul.opendev.org/t/openstack/build/2062431654d645449ebf6d8797288ca6 : SUCCESS in 25m 09s (non-voting)","accounts_in_message":[],"_revision_number":11},{"id":"cdc55dee5e5ab672a827893944fc29970afd3c7b","tag":"autogenerated:gerrit:newWipPatchSet","author":{"_account_id":14250,"name":"Grzegorz Grasza","email":"xek@redhat.com","username":"xek"},"date":"2026-05-04 22:14:00.000000000","message":"Uploaded patch set 12.","accounts_in_message":[],"_revision_number":12},{"id":"e19c0c8301432c18c1ba9524926886f0a61d0082","tag":"autogenerated:gerrit:newWipPatchSet","author":{"_account_id":14250,"name":"Grzegorz Grasza","email":"xek@redhat.com","username":"xek"},"date":"2026-05-04 22:18:28.000000000","message":"Uploaded patch set 13.","accounts_in_message":[],"_revision_number":13},{"id":"10f157ed8b86255ae3920f4be199e3b09fb76124","author":{"_account_id":14250,"name":"Grzegorz Grasza","email":"xek@redhat.com","username":"xek"},"date":"2026-05-04 22:23:29.000000000","message":"Patch Set 11:\n\n(1 comment)\n\nThis change is ready for review.","accounts_in_message":[],"_revision_number":11},{"id":"401f12e40a1b54489ca40302dfb7fe5763daba0a","tag":"autogenerated:gerrit:setReadyForReview","author":{"_account_id":14250,"name":"Grzegorz Grasza","email":"xek@redhat.com","username":"xek"},"date":"2026-05-04 22:23:29.000000000","message":"Set Ready For Review","accounts_in_message":[],"_revision_number":13},{"id":"016289cf137b63a701db15bc77baaf48e20d49a7","tag":"autogenerated:zuul:check-arm64","author":{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},"date":"2026-05-04 22:53:41.000000000","message":"Patch Set 13:\n\nBuild succeeded (ARM64 pipeline).\nhttps://zuul.opendev.org/t/openstack/buildset/dce4ea458c474205969ecb1bea4b5497\n\n- openstack-tox-py310-arm64 https://zuul.opendev.org/t/openstack/build/03e1b58a4f2249e7a8795fe61d937994 : SUCCESS in 30m 42s (non-voting)\n- openstack-tox-py313-arm64 https://zuul.opendev.org/t/openstack/build/d73a21eb26ca488889415df88da38f42 : SUCCESS in 19m 45s (non-voting)\n- openstack-tox-py314-arm64 https://zuul.opendev.org/t/openstack/build/1c560cdb877546e88f839da0d503f88f : SUCCESS in 32m 42s (non-voting)","accounts_in_message":[],"_revision_number":13},{"id":"6246ab38079c231fd9c26d56dbc6cac9e2123d99","tag":"autogenerated:zuul:check","author":{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},"date":"2026-05-04 23:59:05.000000000","message":"Patch Set 13: Verified+1\n\nBuild succeeded (check pipeline).\nhttps://zuul.opendev.org/t/openstack/buildset/d4e9f0fe7ab646d5b716c19b1c43f324\n\n- openstack-tox-cover https://zuul.opendev.org/t/openstack/build/8c30b0db17ba4cfbb3d5512fc3904f5f : SUCCESS in 12m 26s\n- openstack-tox-pep8 https://zuul.opendev.org/t/openstack/build/6f00af94d53748f9987ceccc1ba78e43 : SUCCESS in 5m 11s\n- openstack-tox-py311 https://zuul.opendev.org/t/openstack/build/118dddc3f59e40928a33010b28f2aab5 : SUCCESS in 11m 38s\n- openstack-tox-py313 https://zuul.opendev.org/t/openstack/build/21d694375f52406a9f3980fba5c80466 : SUCCESS in 8m 51s\n- openstack-tox-py314 https://zuul.opendev.org/t/openstack/build/9941b35834d9488c9ce2136194c68cee : SUCCESS in 15m 08s (non-voting)\n- openstack-tox-docs https://zuul.opendev.org/t/openstack/build/6478dd4545f24b2896d8774b85ae6d15 : SUCCESS in 13m 03s\n- grenade https://zuul.opendev.org/t/openstack/build/1fa5203f78954b80bd2baa03114a87db : SUCCESS in 1h 00m 57s\n- tempest-full-py3 https://zuul.opendev.org/t/openstack/build/1bb6e614d757434b8b9e28123fae5a68 : SUCCESS in 1h 39m 39s\n- build-openstack-releasenotes https://zuul.opendev.org/t/openstack/build/e2258fdd30584167aad68567a6a5c87f : SUCCESS in 13m 11s\n- keystoneclient-devstack-functional https://zuul.opendev.org/t/openstack/build/2789dbff0eea4e83b862ab3bb13c74ea : SUCCESS in 17m 25s (non-voting)\n- keystone-tempest https://zuul.opendev.org/t/openstack/build/edb674dff9064a588e8412b76ce3095f : SUCCESS in 30m 53s\n- keystone-tempest-fips https://zuul.opendev.org/t/openstack/build/8ad1e5bc830d421087eb8d8b785b9fc1 : FAILURE in 19m 00s (non-voting)\n- keystone-tempest-federation https://zuul.opendev.org/t/openstack/build/8ea1719b64e744b1b8bab3f2b39b51fe : FAILURE in 27m 19s (non-voting)\n- keystone-tempest-federation-k2k https://zuul.opendev.org/t/openstack/build/0168e68472bc419db760f734ccc50da1 : SUCCESS in 32m 09s\n- keystone-tempest-oidc-federation https://zuul.opendev.org/t/openstack/build/52cdefb72f6e405c9eb443f7f31f3f00 : SUCCESS in 19m 18s\n- keystone-tempest-ldap-domain-specific-driver https://zuul.opendev.org/t/openstack/build/c3d1497bd6914b6c8e2fd4709d301065 : SUCCESS in 17m 47s (non-voting)\n- tempest-ipv6-only https://zuul.opendev.org/t/openstack/build/3a6821b481f449b996986859179769a8 : SUCCESS in 30m 58s\n- keystone-protection-functional https://zuul.opendev.org/t/openstack/build/95b09864c9404bb4a968e39a9d774983 : FAILURE in 42m 55s (non-voting)\n- codegenerator-openapi-identity-tips-with-api-ref https://zuul.opendev.org/t/openstack/build/8830cef4ec164575a11926cb22bf0451 : SUCCESS in 7m 37s (non-voting)","accounts_in_message":[],"_revision_number":13}],"current_revision_number":13,"current_revision":"8bf8264baa143fbb37dca5500822359d169ad834","revisions":{"1e52c1ec0a9f7c2888abb399eb452b04bbe4c529":{"kind":"REWORK","_number":1,"created":"2026-05-04 12:20:26.000000000","uploader":{"_account_id":14250,"name":"Grzegorz Grasza","email":"xek@redhat.com","username":"xek"},"ref":"refs/changes/60/987160/1","fetch":{"anonymous http":{"url":"https://review.opendev.org/openstack/keystone","ref":"refs/changes/60/987160/1","commands":{"Checkout":"git fetch https://review.opendev.org/openstack/keystone refs/changes/60/987160/1 \u0026\u0026 git checkout FETCH_HEAD","Cherry Pick":"git fetch https://review.opendev.org/openstack/keystone refs/changes/60/987160/1 \u0026\u0026 git cherry-pick FETCH_HEAD","Format Patch":"git fetch https://review.opendev.org/openstack/keystone refs/changes/60/987160/1 \u0026\u0026 git format-patch -1 --stdout FETCH_HEAD","Pull":"git pull https://review.opendev.org/openstack/keystone refs/changes/60/987160/1"}}},"commit":{"parents":[{"commit":"b6fd80996b882890a51f3e2aab41d952d7ff68ae","subject":"Enforce app cred project boundary on EC2 credential paths","web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/keystone/commit/b6fd80996b882890a51f3e2aab41d952d7ff68ae"}]}],"author":{"name":"Grzegorz Grasza","email":"xek@redhat.com","date":"2026-05-04 12:17:34.000000000","tz":120},"committer":{"name":"Grzegorz Grasza","email":"xek@redhat.com","date":"2026-05-04 12:20:19.000000000","tz":120},"subject":"application_credential: enforce policy for federated users","message":"application_credential: enforce policy for federated users\n\nApplication credentials created by federated users can outlive the\nupstream IdP session lifetime. When a user is disabled at the IdP,\ntheir Keystone shadow user is not immediately updated, so application\ncredentials remain valid until they expire or are manually revoked.\n\nAdd three new [application_credential] config options that apply only\nto tokens issued via federation (token.is_federated):\n\n  federated_enabled (default: True)\n    Set to False to block federated users from creating application\n    credentials entirely.\n\n  federated_max_duration_days (default: 30)\n    Maximum lifetime in days. If expires_at is omitted at creation\n    time it is automatically set to now + this value. If the requested\n    expires_at exceeds the maximum, the request is rejected (HTTP 400).\n    Set to 0 to allow unlimited duration (operator opt-in).\n\n  federated_allow_unrestricted (default: False)\n    Set to True to allow federated users to create unrestricted\n    application credentials. Unrestricted credentials can manage other\n    application credentials and trusts, representing a significant\n    privilege escalation risk for long-lived federated credentials.\n\nLocal (SQL) and LDAP users are unaffected. LDAP users are already\nprotected because token validation calls identity_api.get_user() which\nqueries LDAP live on every validation (see LP #2122615).\n\nThe enforcement is applied at POST /v3/users/{user_id}/application_credentials\nvia a new _enforce_federated_app_cred_policy() helper, consistent with\nthe existing _check_unrestricted_application_credential() pattern.\n\nPartial-Bug: #2129010\nAssisted-by: Claude Sonnet 4.6 \u003cnoreply@anthropic.com\u003e\nChange-Id: I6e78a243dbb935b5d63d8d2a395fbef9b2c40ae1\nSigned-off-by: Grzegorz Grasza \u003cxek@redhat.com\u003e\n","web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/keystone/commit/1e52c1ec0a9f7c2888abb399eb452b04bbe4c529"}],"resolve_conflicts_web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/keystone/commit/1e52c1ec0a9f7c2888abb399eb452b04bbe4c529"}]},"branch":"refs/heads/master"},"219edbc4896609e8754951d86e214e2171dfd630":{"kind":"REWORK","_number":2,"created":"2026-05-04 12:26:51.000000000","uploader":{"_account_id":14250,"name":"Grzegorz Grasza","email":"xek@redhat.com","username":"xek"},"ref":"refs/changes/60/987160/2","fetch":{"anonymous http":{"url":"https://review.opendev.org/openstack/keystone","ref":"refs/changes/60/987160/2","commands":{"Checkout":"git fetch https://review.opendev.org/openstack/keystone refs/changes/60/987160/2 \u0026\u0026 git checkout FETCH_HEAD","Cherry Pick":"git fetch https://review.opendev.org/openstack/keystone refs/changes/60/987160/2 \u0026\u0026 git cherry-pick FETCH_HEAD","Format Patch":"git fetch https://review.opendev.org/openstack/keystone refs/changes/60/987160/2 \u0026\u0026 git format-patch -1 --stdout FETCH_HEAD","Pull":"git pull https://review.opendev.org/openstack/keystone refs/changes/60/987160/2"}}},"commit":{"parents":[{"commit":"b6fd80996b882890a51f3e2aab41d952d7ff68ae","subject":"Enforce app cred project boundary on EC2 credential paths","web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/keystone/commit/b6fd80996b882890a51f3e2aab41d952d7ff68ae"}]}],"author":{"name":"Grzegorz Grasza","email":"xek@redhat.com","date":"2026-05-04 12:17:34.000000000","tz":120},"committer":{"name":"Grzegorz Grasza","email":"xek@redhat.com","date":"2026-05-04 12:26:44.000000000","tz":120},"subject":"application_credential: enforce policy for federated users","message":"application_credential: enforce policy for federated users\n\nApplication credentials created by federated users can outlive the\nupstream IdP session lifetime. When a user is disabled at the IdP,\ntheir Keystone shadow user is not immediately updated, so application\ncredentials remain valid until they expire or are manually revoked.\n\nAdd three new [application_credential] config options that apply only\nto tokens issued via federation (token.is_federated):\n\n  federated_enabled (default: True)\n    Set to False to block federated users from creating application\n    credentials entirely.\n\n  federated_max_duration_days (default: 30)\n    Maximum lifetime in days. If expires_at is omitted at creation\n    time it is automatically set to now + this value. If the requested\n    expires_at exceeds the maximum, the request is rejected (HTTP 400).\n    Set to 0 to allow unlimited duration (operator opt-in).\n\n  federated_allow_unrestricted (default: False)\n    Set to True to allow federated users to create unrestricted\n    application credentials. Unrestricted credentials can manage other\n    application credentials and trusts, representing a significant\n    privilege escalation risk for long-lived federated credentials.\n\nLocal (SQL) and LDAP users are unaffected. LDAP users are already\nprotected because token validation calls identity_api.get_user() which\nqueries LDAP live on every validation (see LP #2122615).\n\nThe enforcement is applied at POST /v3/users/{user_id}/application_credentials\nvia a new _enforce_federated_app_cred_policy() helper, consistent with\nthe existing _check_unrestricted_application_credential() pattern.\n\nPartial-Bug: #2129010\nAssisted-by: Claude Sonnet 4.6 \u003cnoreply@anthropic.com\u003e\nChange-Id: I6e78a243dbb935b5d63d8d2a395fbef9b2c40ae1\nSigned-off-by: Grzegorz Grasza \u003cxek@redhat.com\u003e\n","web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/keystone/commit/219edbc4896609e8754951d86e214e2171dfd630"}],"resolve_conflicts_web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/keystone/commit/219edbc4896609e8754951d86e214e2171dfd630"}]},"branch":"refs/heads/master"},"a21751e24d2ac087a043428504b93a106f10dd6e":{"kind":"REWORK","_number":3,"created":"2026-05-04 12:28:04.000000000","uploader":{"_account_id":14250,"name":"Grzegorz Grasza","email":"xek@redhat.com","username":"xek"},"ref":"refs/changes/60/987160/3","fetch":{"anonymous http":{"url":"https://review.opendev.org/openstack/keystone","ref":"refs/changes/60/987160/3","commands":{"Checkout":"git fetch https://review.opendev.org/openstack/keystone refs/changes/60/987160/3 \u0026\u0026 git checkout FETCH_HEAD","Cherry Pick":"git fetch https://review.opendev.org/openstack/keystone refs/changes/60/987160/3 \u0026\u0026 git cherry-pick FETCH_HEAD","Format Patch":"git fetch https://review.opendev.org/openstack/keystone refs/changes/60/987160/3 \u0026\u0026 git format-patch -1 --stdout FETCH_HEAD","Pull":"git pull https://review.opendev.org/openstack/keystone refs/changes/60/987160/3"}}},"commit":{"parents":[{"commit":"b6fd80996b882890a51f3e2aab41d952d7ff68ae","subject":"Enforce app cred project boundary on EC2 credential paths","web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/keystone/commit/b6fd80996b882890a51f3e2aab41d952d7ff68ae"}]}],"author":{"name":"Grzegorz Grasza","email":"xek@redhat.com","date":"2026-05-04 12:17:34.000000000","tz":120},"committer":{"name":"Grzegorz Grasza","email":"xek@redhat.com","date":"2026-05-04 12:27:57.000000000","tz":120},"subject":"application_credential: enforce policy for federated users","message":"application_credential: enforce policy for federated users\n\nApplication credentials created by federated users can outlive the\nupstream IdP session lifetime. When a user is disabled at the IdP,\ntheir Keystone shadow user is not immediately updated, so application\ncredentials remain valid until they expire or are manually revoked.\n\nAdd three new [application_credential] config options that apply only\nto tokens issued via federation (token.is_federated):\n\n  federated_enabled (default: True)\n    Set to False to block federated users from creating application\n    credentials entirely.\n\n  federated_max_duration_days (default: 30)\n    Maximum lifetime in days. If expires_at is omitted at creation\n    time it is automatically set to now + this value. If the requested\n    expires_at exceeds the maximum, the request is rejected (HTTP 400).\n    Set to 0 to allow unlimited duration (operator opt-in).\n\n  federated_allow_unrestricted (default: False)\n    Set to True to allow federated users to create unrestricted\n    application credentials. Unrestricted credentials can manage other\n    application credentials and trusts, representing a significant\n    privilege escalation risk for long-lived federated credentials.\n\nLocal (SQL) and LDAP users are unaffected. LDAP users are already\nprotected because token validation calls identity_api.get_user() which\nqueries LDAP live on every validation (see LP #2122615).\n\nThe enforcement is applied at POST /v3/users/{user_id}/application_credentials\nvia a new _enforce_federated_app_cred_policy() helper, consistent with\nthe existing _check_unrestricted_application_credential() pattern.\n\nPartial-Bug: #2129010\nAssisted-by: Claude Sonnet 4.6 \u003cnoreply@anthropic.com\u003e\nChange-Id: I6e78a243dbb935b5d63d8d2a395fbef9b2c40ae1\nSigned-off-by: Grzegorz Grasza \u003cxek@redhat.com\u003e\n","web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/keystone/commit/a21751e24d2ac087a043428504b93a106f10dd6e"}],"resolve_conflicts_web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/keystone/commit/a21751e24d2ac087a043428504b93a106f10dd6e"}]},"branch":"refs/heads/master"},"beee80b4cae24bce49a15b254f3d23682d187b2f":{"kind":"REWORK","_number":4,"created":"2026-05-04 12:31:48.000000000","uploader":{"_account_id":14250,"name":"Grzegorz Grasza","email":"xek@redhat.com","username":"xek"},"ref":"refs/changes/60/987160/4","fetch":{"anonymous http":{"url":"https://review.opendev.org/openstack/keystone","ref":"refs/changes/60/987160/4","commands":{"Checkout":"git fetch https://review.opendev.org/openstack/keystone refs/changes/60/987160/4 \u0026\u0026 git checkout FETCH_HEAD","Cherry Pick":"git fetch https://review.opendev.org/openstack/keystone refs/changes/60/987160/4 \u0026\u0026 git cherry-pick FETCH_HEAD","Format Patch":"git fetch https://review.opendev.org/openstack/keystone refs/changes/60/987160/4 \u0026\u0026 git format-patch -1 --stdout FETCH_HEAD","Pull":"git pull https://review.opendev.org/openstack/keystone refs/changes/60/987160/4"}}},"commit":{"parents":[{"commit":"b6fd80996b882890a51f3e2aab41d952d7ff68ae","subject":"Enforce app cred project boundary on EC2 credential paths","web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/keystone/commit/b6fd80996b882890a51f3e2aab41d952d7ff68ae"}]}],"author":{"name":"Grzegorz Grasza","email":"xek@redhat.com","date":"2026-05-04 12:17:34.000000000","tz":120},"committer":{"name":"Grzegorz Grasza","email":"xek@redhat.com","date":"2026-05-04 12:31:42.000000000","tz":120},"subject":"application_credential: enforce policy for federated users","message":"application_credential: enforce policy for federated users\n\nApplication credentials created by federated users can outlive the\nupstream IdP session lifetime. When a user is disabled at the IdP,\ntheir Keystone shadow user is not immediately updated, so application\ncredentials remain valid until they expire or are manually revoked.\n\nAdd three new [application_credential] config options that apply only\nto tokens issued via federation (token.is_federated):\n\n  federated_enabled (default: True)\n    Set to False to block federated users from creating application\n    credentials entirely.\n\n  federated_max_duration_days (default: 30)\n    Maximum lifetime in days. If expires_at is omitted at creation\n    time it is automatically set to now + this value. If the requested\n    expires_at exceeds the maximum, the request is rejected (HTTP 400).\n    Set to 0 to allow unlimited duration (operator opt-in).\n\n  federated_allow_unrestricted (default: False)\n    Set to True to allow federated users to create unrestricted\n    application credentials. Unrestricted credentials can manage other\n    application credentials and trusts, representing a significant\n    privilege escalation risk for long-lived federated credentials.\n\nLocal (SQL) and LDAP users are unaffected. LDAP users are already\nprotected because token validation calls identity_api.get_user() which\nqueries LDAP live on every validation (see LP #2122615).\n\nThe enforcement is applied at POST /v3/users/{user_id}/application_credentials\nvia a new _enforce_federated_app_cred_policy() helper, consistent with\nthe existing _check_unrestricted_application_credential() pattern.\n\nPartial-Bug: #2129010\nAssisted-by: Claude Sonnet 4.6 \u003cnoreply@anthropic.com\u003e\nChange-Id: I6e78a243dbb935b5d63d8d2a395fbef9b2c40ae1\nSigned-off-by: Grzegorz Grasza \u003cxek@redhat.com\u003e\n","web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/keystone/commit/beee80b4cae24bce49a15b254f3d23682d187b2f"}],"resolve_conflicts_web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/keystone/commit/beee80b4cae24bce49a15b254f3d23682d187b2f"}]},"branch":"refs/heads/master"},"4df46784531d8f44b536b440d2dca349bf92bbb7":{"kind":"REWORK","_number":5,"created":"2026-05-04 12:36:37.000000000","uploader":{"_account_id":14250,"name":"Grzegorz Grasza","email":"xek@redhat.com","username":"xek"},"ref":"refs/changes/60/987160/5","fetch":{"anonymous http":{"url":"https://review.opendev.org/openstack/keystone","ref":"refs/changes/60/987160/5","commands":{"Checkout":"git fetch https://review.opendev.org/openstack/keystone refs/changes/60/987160/5 \u0026\u0026 git checkout FETCH_HEAD","Cherry Pick":"git fetch https://review.opendev.org/openstack/keystone refs/changes/60/987160/5 \u0026\u0026 git cherry-pick FETCH_HEAD","Format Patch":"git fetch https://review.opendev.org/openstack/keystone refs/changes/60/987160/5 \u0026\u0026 git format-patch -1 --stdout FETCH_HEAD","Pull":"git pull https://review.opendev.org/openstack/keystone refs/changes/60/987160/5"}}},"commit":{"parents":[{"commit":"b6fd80996b882890a51f3e2aab41d952d7ff68ae","subject":"Enforce app cred project boundary on EC2 credential paths","web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/keystone/commit/b6fd80996b882890a51f3e2aab41d952d7ff68ae"}]}],"author":{"name":"Grzegorz Grasza","email":"xek@redhat.com","date":"2026-05-04 12:17:34.000000000","tz":120},"committer":{"name":"Grzegorz Grasza","email":"xek@redhat.com","date":"2026-05-04 12:36:34.000000000","tz":120},"subject":"application_credential: enforce policy for federated users","message":"application_credential: enforce policy for federated users\n\nApplication credentials created by federated users can outlive the\nupstream IdP session lifetime. When a user is disabled at the IdP,\ntheir Keystone shadow user is not immediately updated, so application\ncredentials remain valid until they expire or are manually revoked.\n\nAdd three new [application_credential] config options that apply only\nto tokens issued via federation (token.is_federated):\n\n  federated_enabled (default: True)\n    Set to False to block federated users from creating application\n    credentials entirely.\n\n  federated_max_duration_days (default: 30)\n    Maximum lifetime in days. If expires_at is omitted at creation\n    time it is automatically set to now + this value. If the requested\n    expires_at exceeds the maximum, the request is rejected (HTTP 400).\n    Set to 0 to allow unlimited duration (operator opt-in).\n\n  federated_allow_unrestricted (default: False)\n    Set to True to allow federated users to create unrestricted\n    application credentials. Unrestricted credentials can manage other\n    application credentials and trusts, representing a significant\n    privilege escalation risk for long-lived federated credentials.\n\nLocal (SQL) and LDAP users are unaffected. LDAP users are already\nprotected because token validation calls identity_api.get_user() which\nqueries LDAP live on every validation (see LP #2122615).\n\nThe enforcement is applied at POST /v3/users/{user_id}/application_credentials\nvia a new _enforce_federated_app_cred_policy() helper, consistent with\nthe existing _check_unrestricted_application_credential() pattern.\n\nPartial-Bug: #2129010\nAssisted-by: Claude Sonnet 4.6 \u003cnoreply@anthropic.com\u003e\nChange-Id: I6e78a243dbb935b5d63d8d2a395fbef9b2c40ae1\nSigned-off-by: Grzegorz Grasza \u003cxek@redhat.com\u003e\n","web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/keystone/commit/4df46784531d8f44b536b440d2dca349bf92bbb7"}],"resolve_conflicts_web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/keystone/commit/4df46784531d8f44b536b440d2dca349bf92bbb7"}]},"branch":"refs/heads/master"},"7bf154b043a51afb2561ed0d1de289c334a3f704":{"kind":"REWORK","_number":6,"created":"2026-05-04 12:43:07.000000000","uploader":{"_account_id":14250,"name":"Grzegorz Grasza","email":"xek@redhat.com","username":"xek"},"ref":"refs/changes/60/987160/6","fetch":{"anonymous http":{"url":"https://review.opendev.org/openstack/keystone","ref":"refs/changes/60/987160/6","commands":{"Checkout":"git fetch https://review.opendev.org/openstack/keystone refs/changes/60/987160/6 \u0026\u0026 git checkout FETCH_HEAD","Cherry Pick":"git fetch https://review.opendev.org/openstack/keystone refs/changes/60/987160/6 \u0026\u0026 git cherry-pick FETCH_HEAD","Format Patch":"git fetch https://review.opendev.org/openstack/keystone refs/changes/60/987160/6 \u0026\u0026 git format-patch -1 --stdout FETCH_HEAD","Pull":"git pull https://review.opendev.org/openstack/keystone refs/changes/60/987160/6"}}},"commit":{"parents":[{"commit":"b6fd80996b882890a51f3e2aab41d952d7ff68ae","subject":"Enforce app cred project boundary on EC2 credential paths","web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/keystone/commit/b6fd80996b882890a51f3e2aab41d952d7ff68ae"}]}],"author":{"name":"Grzegorz Grasza","email":"xek@redhat.com","date":"2026-05-04 12:17:34.000000000","tz":120},"committer":{"name":"Grzegorz Grasza","email":"xek@redhat.com","date":"2026-05-04 12:43:04.000000000","tz":120},"subject":"application_credential: enforce policy for federated users","message":"application_credential: enforce policy for federated users\n\nApplication credentials created by federated users can outlive the\nupstream IdP session lifetime. When a user is disabled at the IdP,\ntheir Keystone shadow user is not immediately updated, so application\ncredentials remain valid until they expire or are manually revoked.\n\nAdd three new [application_credential] config options that apply only\nto tokens issued via federation (token.is_federated):\n\n  federated_enabled (default: True)\n    Set to False to block federated users from creating application\n    credentials entirely.\n\n  federated_max_duration_days (default: 30)\n    Maximum lifetime in days. If expires_at is omitted at creation\n    time it is automatically set to now + this value. If the requested\n    expires_at exceeds the maximum, the request is rejected (HTTP 400).\n    Set to 0 to allow unlimited duration (operator opt-in).\n\n  federated_allow_unrestricted (default: False)\n    Set to True to allow federated users to create unrestricted\n    application credentials. Unrestricted credentials can manage other\n    application credentials and trusts, representing a significant\n    privilege escalation risk for long-lived federated credentials.\n\nLocal (SQL) and LDAP users are unaffected. LDAP users are already\nprotected because token validation calls identity_api.get_user() which\nqueries LDAP live on every validation (see LP #2122615).\n\nThe enforcement is applied at POST /v3/users/{user_id}/application_credentials\nvia a new _enforce_federated_app_cred_policy() helper, consistent with\nthe existing _check_unrestricted_application_credential() pattern.\n\nPartial-Bug: #2129010\nAssisted-by: Claude Sonnet 4.6 \u003cnoreply@anthropic.com\u003e\nChange-Id: I6e78a243dbb935b5d63d8d2a395fbef9b2c40ae1\nSigned-off-by: Grzegorz Grasza \u003cxek@redhat.com\u003e\n","web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/keystone/commit/7bf154b043a51afb2561ed0d1de289c334a3f704"}],"resolve_conflicts_web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/keystone/commit/7bf154b043a51afb2561ed0d1de289c334a3f704"}]},"branch":"refs/heads/master"},"5910eb649c64381e1a8e9152c1fad243342f1f9e":{"kind":"REWORK","_number":7,"created":"2026-05-04 12:48:27.000000000","uploader":{"_account_id":14250,"name":"Grzegorz Grasza","email":"xek@redhat.com","username":"xek"},"ref":"refs/changes/60/987160/7","fetch":{"anonymous http":{"url":"https://review.opendev.org/openstack/keystone","ref":"refs/changes/60/987160/7","commands":{"Checkout":"git fetch https://review.opendev.org/openstack/keystone refs/changes/60/987160/7 \u0026\u0026 git checkout FETCH_HEAD","Cherry Pick":"git fetch https://review.opendev.org/openstack/keystone refs/changes/60/987160/7 \u0026\u0026 git cherry-pick FETCH_HEAD","Format Patch":"git fetch https://review.opendev.org/openstack/keystone refs/changes/60/987160/7 \u0026\u0026 git format-patch -1 --stdout FETCH_HEAD","Pull":"git pull https://review.opendev.org/openstack/keystone refs/changes/60/987160/7"}}},"commit":{"parents":[{"commit":"b6fd80996b882890a51f3e2aab41d952d7ff68ae","subject":"Enforce app cred project boundary on EC2 credential paths","web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/keystone/commit/b6fd80996b882890a51f3e2aab41d952d7ff68ae"}]}],"author":{"name":"Grzegorz Grasza","email":"xek@redhat.com","date":"2026-05-04 12:17:34.000000000","tz":120},"committer":{"name":"Grzegorz Grasza","email":"xek@redhat.com","date":"2026-05-04 12:48:24.000000000","tz":120},"subject":"application_credential: enforce policy for federated users","message":"application_credential: enforce policy for federated users\n\nApplication credentials created by federated users can outlive the\nupstream IdP session lifetime. When a user is disabled at the IdP,\ntheir Keystone shadow user is not immediately updated, so application\ncredentials remain valid until they expire or are manually revoked.\n\nAdd three new [application_credential] config options that apply only\nto tokens issued via federation (token.is_federated):\n\n  federated_enabled (default: True)\n    Set to False to block federated users from creating application\n    credentials entirely.\n\n  federated_max_duration_days (default: 30)\n    Maximum lifetime in days. If expires_at is omitted at creation\n    time it is automatically set to now + this value. If the requested\n    expires_at exceeds the maximum, the request is rejected (HTTP 400).\n    Set to 0 to allow unlimited duration (operator opt-in).\n\n  federated_allow_unrestricted (default: False)\n    Set to True to allow federated users to create unrestricted\n    application credentials. Unrestricted credentials can manage other\n    application credentials and trusts, representing a significant\n    privilege escalation risk for long-lived federated credentials.\n\nLocal (SQL) and LDAP users are unaffected. LDAP users are already\nprotected because token validation calls identity_api.get_user() which\nqueries LDAP live on every validation (see LP #2122615).\n\nThe enforcement is applied at POST /v3/users/{user_id}/application_credentials\nvia a new _enforce_federated_app_cred_policy() helper, consistent with\nthe existing _check_unrestricted_application_credential() pattern.\n\nPartial-Bug: #2129010\nAssisted-by: Claude Sonnet 4.6 \u003cnoreply@anthropic.com\u003e\nChange-Id: I6e78a243dbb935b5d63d8d2a395fbef9b2c40ae1\nSigned-off-by: Grzegorz Grasza \u003cxek@redhat.com\u003e\n","web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/keystone/commit/5910eb649c64381e1a8e9152c1fad243342f1f9e"}],"resolve_conflicts_web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/keystone/commit/5910eb649c64381e1a8e9152c1fad243342f1f9e"}]},"branch":"refs/heads/master"},"f9f60d52eb3bfa509705dccff014763096319f10":{"kind":"REWORK","_number":8,"created":"2026-05-04 12:48:45.000000000","uploader":{"_account_id":14250,"name":"Grzegorz Grasza","email":"xek@redhat.com","username":"xek"},"ref":"refs/changes/60/987160/8","fetch":{"anonymous http":{"url":"https://review.opendev.org/openstack/keystone","ref":"refs/changes/60/987160/8","commands":{"Checkout":"git fetch https://review.opendev.org/openstack/keystone refs/changes/60/987160/8 \u0026\u0026 git checkout FETCH_HEAD","Cherry Pick":"git fetch https://review.opendev.org/openstack/keystone refs/changes/60/987160/8 \u0026\u0026 git cherry-pick FETCH_HEAD","Format Patch":"git fetch https://review.opendev.org/openstack/keystone refs/changes/60/987160/8 \u0026\u0026 git format-patch -1 --stdout FETCH_HEAD","Pull":"git pull https://review.opendev.org/openstack/keystone refs/changes/60/987160/8"}}},"commit":{"parents":[{"commit":"b6fd80996b882890a51f3e2aab41d952d7ff68ae","subject":"Enforce app cred project boundary on EC2 credential paths","web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/keystone/commit/b6fd80996b882890a51f3e2aab41d952d7ff68ae"}]}],"author":{"name":"Grzegorz Grasza","email":"xek@redhat.com","date":"2026-05-04 12:17:34.000000000","tz":120},"committer":{"name":"Grzegorz Grasza","email":"xek@redhat.com","date":"2026-05-04 12:48:38.000000000","tz":120},"subject":"application_credential: enforce policy for federated users","message":"application_credential: enforce policy for federated users\n\nApplication credentials created by federated users can outlive the\nupstream IdP session lifetime. When a user is disabled at the IdP,\ntheir Keystone shadow user is not immediately updated, so application\ncredentials remain valid until they expire or are manually revoked.\n\nAdd three new [application_credential] config options that apply only\nto tokens issued via federation (token.is_federated):\n\n  federated_enabled (default: True)\n    Set to False to block federated users from creating application\n    credentials entirely.\n\n  federated_max_duration_days (default: 30)\n    Maximum lifetime in days. If expires_at is omitted at creation\n    time it is automatically set to now + this value. If the requested\n    expires_at exceeds the maximum, the request is rejected (HTTP 400).\n    Set to 0 to allow unlimited duration (operator opt-in).\n\n  federated_allow_unrestricted (default: False)\n    Set to True to allow federated users to create unrestricted\n    application credentials. Unrestricted credentials can manage other\n    application credentials and trusts, representing a significant\n    privilege escalation risk for long-lived federated credentials.\n\nLocal (SQL) and LDAP users are unaffected. LDAP users are already\nprotected because token validation calls identity_api.get_user() which\nqueries LDAP live on every validation (see LP #2122615).\n\nThe enforcement is applied at POST /v3/users/{user_id}/application_credentials\nvia a new _enforce_federated_app_cred_policy() helper, consistent with\nthe existing _check_unrestricted_application_credential() pattern.\n\nPartial-Bug: #2129010\nAssisted-by: Claude Sonnet 4.6 \u003cnoreply@anthropic.com\u003e\nChange-Id: I6e78a243dbb935b5d63d8d2a395fbef9b2c40ae1\nSigned-off-by: Grzegorz Grasza \u003cxek@redhat.com\u003e\n","web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/keystone/commit/f9f60d52eb3bfa509705dccff014763096319f10"}],"resolve_conflicts_web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/keystone/commit/f9f60d52eb3bfa509705dccff014763096319f10"}]},"branch":"refs/heads/master"},"ec4dd9ceed8e16915a81a9eec7044adf805b5cb7":{"kind":"REWORK","_number":9,"created":"2026-05-04 12:50:06.000000000","uploader":{"_account_id":14250,"name":"Grzegorz Grasza","email":"xek@redhat.com","username":"xek"},"ref":"refs/changes/60/987160/9","fetch":{"anonymous http":{"url":"https://review.opendev.org/openstack/keystone","ref":"refs/changes/60/987160/9","commands":{"Checkout":"git fetch https://review.opendev.org/openstack/keystone refs/changes/60/987160/9 \u0026\u0026 git checkout FETCH_HEAD","Cherry Pick":"git fetch https://review.opendev.org/openstack/keystone refs/changes/60/987160/9 \u0026\u0026 git cherry-pick FETCH_HEAD","Format Patch":"git fetch https://review.opendev.org/openstack/keystone refs/changes/60/987160/9 \u0026\u0026 git format-patch -1 --stdout FETCH_HEAD","Pull":"git pull https://review.opendev.org/openstack/keystone refs/changes/60/987160/9"}}},"commit":{"parents":[{"commit":"b6fd80996b882890a51f3e2aab41d952d7ff68ae","subject":"Enforce app cred project boundary on EC2 credential paths","web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/keystone/commit/b6fd80996b882890a51f3e2aab41d952d7ff68ae"}]}],"author":{"name":"Grzegorz Grasza","email":"xek@redhat.com","date":"2026-05-04 12:17:34.000000000","tz":120},"committer":{"name":"Grzegorz Grasza","email":"xek@redhat.com","date":"2026-05-04 12:50:03.000000000","tz":120},"subject":"application_credential: enforce policy for federated users","message":"application_credential: enforce policy for federated users\n\nApplication credentials created by federated users can outlive the\nupstream IdP session lifetime. When a user is disabled at the IdP,\ntheir Keystone shadow user is not immediately updated, so application\ncredentials remain valid until they expire or are manually revoked.\n\nAdd three new [application_credential] config options that apply only\nto tokens issued via federation (token.is_federated):\n\n  federated_enabled (default: True)\n    Set to False to block federated users from creating application\n    credentials entirely.\n\n  federated_max_duration_days (default: 30)\n    Maximum lifetime in days. If expires_at is omitted at creation\n    time it is automatically set to now + this value. If the requested\n    expires_at exceeds the maximum, the request is rejected (HTTP 400).\n    Set to 0 to allow unlimited duration (operator opt-in).\n\n  federated_allow_unrestricted (default: False)\n    Set to True to allow federated users to create unrestricted\n    application credentials. Unrestricted credentials can manage other\n    application credentials and trusts, representing a significant\n    privilege escalation risk for long-lived federated credentials.\n\nLocal (SQL) and LDAP users are unaffected. LDAP users are already\nprotected because token validation calls identity_api.get_user() which\nqueries LDAP live on every validation (see LP #2122615).\n\nThe enforcement is applied at POST /v3/users/{user_id}/application_credentials\nvia a new _enforce_federated_app_cred_policy() helper, consistent with\nthe existing _check_unrestricted_application_credential() pattern.\n\nPartial-Bug: #2129010\nAssisted-by: Claude Sonnet 4.6 \u003cnoreply@anthropic.com\u003e\nChange-Id: I6e78a243dbb935b5d63d8d2a395fbef9b2c40ae1\nSigned-off-by: Grzegorz Grasza \u003cxek@redhat.com\u003e\n","web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/keystone/commit/ec4dd9ceed8e16915a81a9eec7044adf805b5cb7"}],"resolve_conflicts_web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/keystone/commit/ec4dd9ceed8e16915a81a9eec7044adf805b5cb7"}]},"branch":"refs/heads/master"},"b00f75c29192d8f1a2a3ff36507855eadba99701":{"kind":"REWORK","_number":10,"created":"2026-05-04 14:10:32.000000000","uploader":{"_account_id":14250,"name":"Grzegorz Grasza","email":"xek@redhat.com","username":"xek"},"ref":"refs/changes/60/987160/10","fetch":{"anonymous http":{"url":"https://review.opendev.org/openstack/keystone","ref":"refs/changes/60/987160/10","commands":{"Checkout":"git fetch https://review.opendev.org/openstack/keystone refs/changes/60/987160/10 \u0026\u0026 git checkout FETCH_HEAD","Cherry Pick":"git fetch https://review.opendev.org/openstack/keystone refs/changes/60/987160/10 \u0026\u0026 git cherry-pick FETCH_HEAD","Format Patch":"git fetch https://review.opendev.org/openstack/keystone refs/changes/60/987160/10 \u0026\u0026 git format-patch -1 --stdout FETCH_HEAD","Pull":"git pull https://review.opendev.org/openstack/keystone refs/changes/60/987160/10"}}},"commit":{"parents":[{"commit":"b6fd80996b882890a51f3e2aab41d952d7ff68ae","subject":"Enforce app cred project boundary on EC2 credential paths","web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/keystone/commit/b6fd80996b882890a51f3e2aab41d952d7ff68ae"}]}],"author":{"name":"Grzegorz Grasza","email":"xek@redhat.com","date":"2026-05-04 12:17:34.000000000","tz":120},"committer":{"name":"Grzegorz Grasza","email":"xek@redhat.com","date":"2026-05-04 14:07:15.000000000","tz":120},"subject":"application_credential: enforce policy for federated users","message":"application_credential: enforce policy for federated users\n\nApplication credentials created by federated users can outlive the\nupstream IdP session lifetime. When a user is disabled at the IdP,\ntheir Keystone shadow user is not immediately updated, so application\ncredentials remain valid until they expire or are manually revoked.\n\nAdd three new [application_credential] config options that apply only\nto tokens issued via federation (token.is_federated):\n\n  federated_enabled (default: True)\n    Set to False to block federated users from creating application\n    credentials entirely.\n\n  federated_max_duration_days (default: 30)\n    Maximum lifetime in days. If expires_at is omitted at creation\n    time it is automatically set to now + this value. If the requested\n    expires_at exceeds the maximum, the request is rejected (HTTP 400).\n    Set to 0 to allow unlimited duration (operator opt-in).\n\n  federated_allow_unrestricted (default: False)\n    Set to True to allow federated users to create unrestricted\n    application credentials. Unrestricted credentials can manage other\n    application credentials and trusts, representing a significant\n    privilege escalation risk for long-lived federated credentials.\n\nLocal (SQL) and LDAP users are unaffected. LDAP users are already\nprotected because token validation calls identity_api.get_user() which\nqueries LDAP live on every validation (see LP #2122615).\n\nThe enforcement is applied at POST /v3/users/{user_id}/application_credentials\nvia a new _enforce_federated_app_cred_policy() helper, consistent with\nthe existing _check_unrestricted_application_credential() pattern.\n\nPartial-Bug: #2129010\nAssisted-by: Claude Sonnet 4.6 \u003cnoreply@anthropic.com\u003e\nChange-Id: I6e78a243dbb935b5d63d8d2a395fbef9b2c40ae1\nSigned-off-by: Grzegorz Grasza \u003cxek@redhat.com\u003e\n","web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/keystone/commit/b00f75c29192d8f1a2a3ff36507855eadba99701"}],"resolve_conflicts_web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/keystone/commit/b00f75c29192d8f1a2a3ff36507855eadba99701"}]},"branch":"refs/heads/master"},"d92795d4b8d838575819d1a9ea4dd4e7ba631619":{"kind":"REWORK","_number":11,"created":"2026-05-04 21:43:23.000000000","uploader":{"_account_id":14250,"name":"Grzegorz Grasza","email":"xek@redhat.com","username":"xek"},"ref":"refs/changes/60/987160/11","fetch":{"anonymous http":{"url":"https://review.opendev.org/openstack/keystone","ref":"refs/changes/60/987160/11","commands":{"Checkout":"git fetch https://review.opendev.org/openstack/keystone refs/changes/60/987160/11 \u0026\u0026 git checkout FETCH_HEAD","Cherry Pick":"git fetch https://review.opendev.org/openstack/keystone refs/changes/60/987160/11 \u0026\u0026 git cherry-pick FETCH_HEAD","Format Patch":"git fetch https://review.opendev.org/openstack/keystone refs/changes/60/987160/11 \u0026\u0026 git format-patch -1 --stdout FETCH_HEAD","Pull":"git pull https://review.opendev.org/openstack/keystone refs/changes/60/987160/11"}}},"commit":{"parents":[{"commit":"b6fd80996b882890a51f3e2aab41d952d7ff68ae","subject":"Enforce app cred project boundary on EC2 credential paths","web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/keystone/commit/b6fd80996b882890a51f3e2aab41d952d7ff68ae"}]}],"author":{"name":"Grzegorz Grasza","email":"xek@redhat.com","date":"2026-05-04 12:17:34.000000000","tz":120},"committer":{"name":"Grzegorz Grasza","email":"xek@redhat.com","date":"2026-05-04 21:43:17.000000000","tz":120},"subject":"application_credential: enforce policy for federated users","message":"application_credential: enforce policy for federated users\n\nApplication credentials created by federated users can outlive the\nupstream IdP session lifetime. When a user is disabled at the IdP,\ntheir Keystone shadow user is not immediately updated, so application\ncredentials remain valid until they expire or are manually revoked.\n\nAdd three new [application_credential] config options that apply only\nto tokens issued via federation (token.is_federated):\n\n  federated_enabled (default: True)\n    Set to False to block federated users from creating application\n    credentials entirely.\n\n  federated_max_duration_days (default: 30)\n    Maximum lifetime in days. If expires_at is omitted at creation\n    time it is automatically set to now + this value. If the requested\n    expires_at exceeds the maximum, the request is rejected (HTTP 400).\n    Set to 0 to allow unlimited duration (operator opt-in).\n\n  federated_allow_unrestricted (default: False)\n    Set to True to allow federated users to create unrestricted\n    application credentials. Unrestricted credentials can manage other\n    application credentials and trusts, representing a significant\n    privilege escalation risk for long-lived federated credentials.\n\nLocal (SQL) and LDAP users are unaffected. LDAP users are already\nprotected because token validation calls identity_api.get_user() which\nqueries LDAP live on every validation (see LP #2122615).\n\nThe enforcement is applied at POST /v3/users/{user_id}/application_credentials\nvia a new _enforce_federated_app_cred_policy() helper, consistent with\nthe existing _check_unrestricted_application_credential() pattern.\n\nPartial-Bug: #2129010\nAssisted-by: Claude Sonnet 4.6 \u003cnoreply@anthropic.com\u003e\nChange-Id: I6e78a243dbb935b5d63d8d2a395fbef9b2c40ae1\nSigned-off-by: Grzegorz Grasza \u003cxek@redhat.com\u003e\n","web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/keystone/commit/d92795d4b8d838575819d1a9ea4dd4e7ba631619"}],"resolve_conflicts_web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/keystone/commit/d92795d4b8d838575819d1a9ea4dd4e7ba631619"}]},"branch":"refs/heads/master"},"aea233e28bbed1c7200098449c9ad8f9edffcc1f":{"kind":"REWORK","_number":12,"created":"2026-05-04 22:14:00.000000000","uploader":{"_account_id":14250,"name":"Grzegorz Grasza","email":"xek@redhat.com","username":"xek"},"ref":"refs/changes/60/987160/12","fetch":{"anonymous http":{"url":"https://review.opendev.org/openstack/keystone","ref":"refs/changes/60/987160/12","commands":{"Checkout":"git fetch https://review.opendev.org/openstack/keystone refs/changes/60/987160/12 \u0026\u0026 git checkout FETCH_HEAD","Cherry Pick":"git fetch https://review.opendev.org/openstack/keystone refs/changes/60/987160/12 \u0026\u0026 git cherry-pick FETCH_HEAD","Format Patch":"git fetch https://review.opendev.org/openstack/keystone refs/changes/60/987160/12 \u0026\u0026 git format-patch -1 --stdout FETCH_HEAD","Pull":"git pull https://review.opendev.org/openstack/keystone refs/changes/60/987160/12"}}},"commit":{"parents":[{"commit":"b6fd80996b882890a51f3e2aab41d952d7ff68ae","subject":"Enforce app cred project boundary on EC2 credential paths","web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/keystone/commit/b6fd80996b882890a51f3e2aab41d952d7ff68ae"}]}],"author":{"name":"Grzegorz Grasza","email":"xek@redhat.com","date":"2026-05-04 12:17:34.000000000","tz":120},"committer":{"name":"Grzegorz Grasza","email":"xek@redhat.com","date":"2026-05-04 22:13:53.000000000","tz":120},"subject":"application_credential: enforce policy for federated users","message":"application_credential: enforce policy for federated users\n\nApplication credentials created by federated users can outlive the\nupstream IdP session lifetime. When a user is disabled at the IdP,\ntheir Keystone shadow user is not immediately updated, so application\ncredentials remain valid until they expire or are manually revoked.\n\nAdd six new [application_credential] config options. Three apply to\nlocal and LDAP users (defaults preserve historical behaviour):\n\n  enabled (default: True)\n  max_duration_days (default: 0 \u003d unlimited)\n  allow_unrestricted (default: True)\n\nThree apply to tokens issued via federation (token.is_federated):\n\n  federated_enabled (default: False)\n    Federated users cannot create application credentials by default.\n    This is a deliberate secure default: there is no mechanism for\n    Keystone to learn of upstream IdP account revocation, so\n    federated application credentials can outlive the user\u0027s IdP\n    session. Operators who want to allow federated app creds must\n    opt-in by setting this to True and configuring a max duration.\n\n  federated_max_duration_days (default: 0)\n    Maximum lifetime in days. Must be a positive integer when\n    federated_enabled \u003d True; Keystone refuses to start otherwise.\n    If expires_at is omitted at creation time it is automatically\n    set to now + this value. If the requested expires_at exceeds the\n    maximum, the request is rejected (HTTP 400).\n\n  federated_allow_unrestricted (default: False)\n    Unrestricted credentials can manage other application credentials\n    and trusts, representing a significant privilege escalation risk\n    for long-lived federated credentials.\n\nStartup validation in keystone/server/__init__.py refuses to start\nif federated_enabled\u003dTrue and federated_max_duration_days\u003d0, since\nthat combination would allow unlimited-lifetime federated app creds.\n\nPartial-Bug: #2129010\nAssisted-by: Claude Sonnet 4.6 \u003cnoreply@anthropic.com\u003e\nChange-Id: I6e78a243dbb935b5d63d8d2a395fbef9b2c40ae1\nSigned-off-by: Grzegorz Grasza \u003cxek@redhat.com\u003e\n","web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/keystone/commit/aea233e28bbed1c7200098449c9ad8f9edffcc1f"}],"resolve_conflicts_web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/keystone/commit/aea233e28bbed1c7200098449c9ad8f9edffcc1f"}]},"branch":"refs/heads/master"},"8bf8264baa143fbb37dca5500822359d169ad834":{"kind":"REWORK","_number":13,"created":"2026-05-04 22:18:28.000000000","uploader":{"_account_id":14250,"name":"Grzegorz Grasza","email":"xek@redhat.com","username":"xek"},"ref":"refs/changes/60/987160/13","fetch":{"anonymous http":{"url":"https://review.opendev.org/openstack/keystone","ref":"refs/changes/60/987160/13","commands":{"Checkout":"git fetch https://review.opendev.org/openstack/keystone refs/changes/60/987160/13 \u0026\u0026 git checkout FETCH_HEAD","Cherry Pick":"git fetch https://review.opendev.org/openstack/keystone refs/changes/60/987160/13 \u0026\u0026 git cherry-pick FETCH_HEAD","Format Patch":"git fetch https://review.opendev.org/openstack/keystone refs/changes/60/987160/13 \u0026\u0026 git format-patch -1 --stdout FETCH_HEAD","Pull":"git pull https://review.opendev.org/openstack/keystone refs/changes/60/987160/13"}}},"commit":{"parents":[{"commit":"b6fd80996b882890a51f3e2aab41d952d7ff68ae","subject":"Enforce app cred project boundary on EC2 credential paths","web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/keystone/commit/b6fd80996b882890a51f3e2aab41d952d7ff68ae"}]}],"author":{"name":"Grzegorz Grasza","email":"xek@redhat.com","date":"2026-05-04 12:17:34.000000000","tz":120},"committer":{"name":"Grzegorz Grasza","email":"xek@redhat.com","date":"2026-05-04 22:18:18.000000000","tz":120},"subject":"application_credential: enforce policy for federated users","message":"application_credential: enforce policy for federated users\n\nApplication credentials created by federated users can outlive the\nupstream IdP session lifetime. When a user is disabled at the IdP,\ntheir Keystone shadow user is not immediately updated, so application\ncredentials remain valid until they expire or are manually revoked.\n\nAdd six new [application_credential] config options. Three apply to\nlocal and LDAP users (defaults preserve historical behaviour):\n\n  enabled (default: True)\n  max_duration_days (default: 0 \u003d unlimited)\n  allow_unrestricted (default: True)\n\nThree apply to tokens issued via federation (token.is_federated):\n\n  federated_enabled (default: False)\n    Federated users cannot create application credentials by default.\n    This is a deliberate secure default: there is no mechanism for\n    Keystone to learn of upstream IdP account revocation, so\n    federated application credentials can outlive the user\u0027s IdP\n    session. Operators who want to allow federated app creds must\n    opt-in by setting federated_enabled \u003d True.\n\n  federated_max_duration_days (default: 0 \u003d no Keystone-enforced limit)\n    Maximum lifetime in days. When set to a positive integer,\n    expires_at is automatically set to now + this value if omitted at\n    creation time, and requests that exceed the maximum are rejected\n    (HTTP 400). A value of 0 disables Keystone-side enforcement;\n    operators may rely on external expiry mechanisms in that case.\n\n  federated_allow_unrestricted (default: False)\n    Unrestricted credentials can manage other application credentials\n    and trusts, representing a significant privilege escalation risk\n    for long-lived federated credentials.\n\nPartial-Bug: #2129010\nAssisted-by: Claude Sonnet 4.6 \u003cnoreply@anthropic.com\u003e\nChange-Id: I6e78a243dbb935b5d63d8d2a395fbef9b2c40ae1\nSigned-off-by: Grzegorz Grasza \u003cxek@redhat.com\u003e\n","web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/keystone/commit/8bf8264baa143fbb37dca5500822359d169ad834"}],"resolve_conflicts_web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/keystone/commit/8bf8264baa143fbb37dca5500822359d169ad834"}]},"branch":"refs/heads/master"}},"requirements":[],"submit_records":[{"rule_name":"gerrit~DefaultSubmitRule","status":"OK","labels":[{"label":"Verified","status":"MAY","applied_by":{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]}},{"label":"Code-Review","status":"MAY"},{"label":"Workflow","status":"MAY"}]}],"submit_requirements":[{"name":"Verified","description":"Verified in gate by CI","status":"UNSATISFIED","is_legacy":false,"submittability_expression_result":{"expression":"label:Verified\u003dMAX AND -label:Verified\u003dMIN","fulfilled":false,"status":"FAIL","passing_atoms":[],"failing_atoms":["label:Verified\u003dMAX","label:Verified\u003dMIN"],"atom_explanations":{"label:Verified\u003dMAX":"","label:Verified\u003dMIN":""}}},{"name":"Code-Review","description":"Code reviewed by core reviewer","status":"UNSATISFIED","is_legacy":false,"submittability_expression_result":{"expression":"label:Code-Review\u003dMAX AND -label:Code-Review\u003dMIN","fulfilled":false,"status":"FAIL","passing_atoms":[],"failing_atoms":["label:Code-Review\u003dMAX","label:Code-Review\u003dMIN"],"atom_explanations":{"label:Code-Review\u003dMAX":"","label:Code-Review\u003dMIN":""}}},{"name":"Workflow","description":"Approved for gate by core reviewer","status":"UNSATISFIED","is_legacy":false,"submittability_expression_result":{"expression":"label:Workflow\u003dMAX AND -label:Workflow\u003dMIN","fulfilled":false,"status":"FAIL","passing_atoms":[],"failing_atoms":["label:Workflow\u003dMAX","label:Workflow\u003dMIN"],"atom_explanations":{"label:Workflow\u003dMAX":"","label:Workflow\u003dMIN":""}}}]}