Enable Application Credentials as authentication method

Users can create Application Credentials to allow their applications to authenticate to Keystone. Users can delegate a subset of their role assignments on a project to an application credential, granting the application the same or restricted authorization to a project. With application credentials, applications authenticate with the application credential ID and a secret string which is not the user’s password.

Enabling Application Credentials in Keystone

Since the Queens release, OpenStack Keystone supports application credentials, which allow applications to authenticate to Keystone.

  1. Log in to the Keystone unit and, as root, edit the Keystone configuration file:

    /etc/keystone/keystone.conf
    
  2. In the [auth] section, add application_credential to methods, as shown in the example below:

    ...
    
    [auth]
    methods = external,password,token,oauth1,application_credential
    
    ...
    
  3. Restart the Apache service:

    $ sudo service apache2 restart
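
The edit in step 2 can be made idempotent and checked before the restart. The following is an added example, not code from the original page or from the Keystone project; the function name enable_auth_method and the sample file contents are constructed for illustration. It appends the method to an explicit [auth] methods line without touching comments, and deliberately changes nothing when no explicit line exists.

```python
import re

SECTION = re.compile(r"^\s*\[(?P<name>[^\]]+)\]\s*$")
METHODS = re.compile(r"^(?P<key>\s*methods\s*[=:]\s*)(?P<val>.*?)\s*$")


def enable_auth_method(conf_text, method="application_credential"):
    """Return (new_text, status) for a keystone.conf body.

    status is "present" (nothing to do), "added" (method appended to the
    explicit list) or "unset" (no explicit [auth] methods line was found).
    """
    lines = conf_text.splitlines()
    section = None
    for i, line in enumerate(lines):
        header = SECTION.match(line)
        if header:
            section = header.group("name").strip()
            continue
        found = METHODS.match(line) if section == "auth" else None
        if not found:
            continue  # comments (# methods = ...) and other keys are skipped
        current = [m.strip() for m in found.group("val").split(",") if m.strip()]
        if method in current:
            return conf_text, "present"
        lines[i] = found.group("key") + ",".join(current + [method])
        return "\n".join(lines) + "\n", "added"
    # Writing a fresh methods line here would replace the default list and
    # could switch off password or token auth, so leave the file alone.
    return conf_text, "unset"


# Constructed sample, not a real deployment's file.
SAMPLE = """\
[DEFAULT]
debug = false

[auth]
# methods = external,password,token
methods = external,password,token,oauth1

[token]
provider = fernet
"""

if __name__ == "__main__":
    text, status = enable_auth_method(SAMPLE)
    print(status)
    print(text)
```

A status of "unset" means the operator should decide the full method list by hand instead of having a script write one.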
    

Enabling application credentials creation from the Horizon dashboard

Since the Rocky release, the OpenStack Horizon dashboard supports creating and managing application credentials.

Administrator users can manage application credentials both via the CLI and via the dashboard. Also enabling normal Member users to access the Create Application Credentials tab on the Horizon dashboard requires the following steps.

OpenStack enforces RBAC through the policy.json file of each service. The Horizon dashboard unit keeps a local copy of all these policy files. By default the directory is /usr/share/openstack-dashboard/openstack_dashboard/conf, but it can be changed using the POLICY_FILE_PATH variable in the file local_settings.py. So you only have to copy the Keystone configuration file /etc/keystone/policy.json to the policy file for Keystone in the Horizon dashboard units, that is, /etc/identity/keystonev3_policy.json.