[openstack-dev] [keystone][heat] Question re deleting trusts via trust token

Dolph Mathews dolph.mathews at gmail.com
Wed Sep 4 13:58:47 UTC 2013


On Wed, Sep 4, 2013 at 5:45 AM, Steven Hardy <shardy at redhat.com> wrote:

> On Wed, Sep 04, 2013 at 09:49:48AM +0100, Steven Hardy wrote:
> > This final step is the problematic step - atm (unless I'm making a
> > mistake, which as previously proven is entirely possible! ;) it seems
> > that it's impossible for anyone except the trustor to delete the trust,
> > even if we impersonate the trustor.
>
> Ok, apologies, after further testing, it appears I made a mistake and you
> *can* delete the trust by impersonating the user.
>

No worries! I was going to say, I couldn't think of a reason to explicitly
deny the behavior.


>
> The reason for the confusion is there's an odd issue when authenticating
> the client using a trust_id.  If (and only if) the trust has
> impersonation=True, you *must* specify the endpoint when initialising the
> client, otherwise we do not get a token, we get a 401.
>
> So I misinterpreted the authentication failure as a 401 on delete, because
> I'd copied some code and changed impersonate from False to True, which
> changes the required arguments when consuming the trust.  Seems like a bug?
>

That definitely sounds like a bug (in keystoneclient?)


>
> I've created a gist containing an example which demonstrates the problem:
>
> https://gist.github.com/hardys/6435299
>
>
You shouldn't have to specify auth_url and endpoint together, ever... so
something here is probably a bug on the client side:

  https://gist.github.com/hardys/6435299#file-trust_delete_test-py-L55-L56

I also find it odd that you're specifying a project redundantly... given
that the trust already specifies a project:

  https://gist.github.com/hardys/6435299#file-trust_delete_test-py-L45

You shouldn't have to specify one here:

  https://gist.github.com/hardys/6435299#file-trust_delete_test-py-L54

> I'm not sure if the bug is that the authenticate works without the endpoint
> when impersonate=False, or that it doesn't when impersonate=True.
>
> Thanks!
>
> Steve
>



-- 

-Dolph
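The behaviour Steve confirmed above (the trustee can delete the trust only when the trust was consumed with impersonation=True, because the resulting token presents as the trustor) can be modelled in a few lines. The following is an added illustration, not Keystone's or Heat's code and not the gist linked above: the Trust/Token structures, the issue_trust_token and can_delete_trust functions and the sample user and project ids are assumptions, and real Keystone adds expiry, role validation, redelegation and admin overrides that are left out here.

```python
"""Simplified model of Keystone trust scoping and of the rule that only the
trustor may delete a trust.  Added illustration, not Keystone code: the
structures and policy functions below are assumptions that capture only the
behaviour discussed in the thread."""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Trust:
    id: str
    trustor_user_id: str
    trustee_user_id: str
    project_id: str          # the trust already fixes the project
    impersonation: bool
    role_names: List[str] = field(default_factory=list)


@dataclass
class Token:
    user_id: str             # identity the token carries
    project_id: str
    roles: List[str]
    trust_id: Optional[str] = None


class Forbidden(Exception):
    """Stands in for keystone's 401/403 in this model."""


def issue_trust_token(trust: Trust, authenticating_user_id: str) -> Token:
    """Consume a trust: only the trustee may authenticate with its trust_id.

    The project is taken from the trust itself, which is why a client should
    not need a separate project argument when consuming a trust."""
    if authenticating_user_id != trust.trustee_user_id:
        raise Forbidden("only the trustee may consume trust %s" % trust.id)
    # impersonation=True: the token presents as the trustor.
    # impersonation=False: the token keeps the trustee's own identity.
    if trust.impersonation:
        user_id = trust.trustor_user_id
    else:
        user_id = trust.trustee_user_id
    return Token(user_id=user_id, project_id=trust.project_id,
                 roles=list(trust.role_names), trust_id=trust.id)


def can_delete_trust(token: Token, trust: Trust) -> bool:
    """Model of the delete rule from the thread: the token's user must be the
    trustor.  A trust-scoped token therefore passes only under impersonation."""
    return token.user_id == trust.trustor_user_id


def cleanup_outcome(trust: Trust, trustee_user_id: str) -> str:
    """Outcome of a trustee (e.g. the heat service user) trying to remove the
    trust it was given, using a token obtained from that trust."""
    try:
        token = issue_trust_token(trust, trustee_user_id)
    except Forbidden:
        return "not-trustee"
    return "deleted" if can_delete_trust(token, trust) else "forbidden"


if __name__ == "__main__":
    # Constructed sample ids, not real Keystone identifiers.
    for flag in (True, False):
        t = Trust("trust-1", "stack-owner", "heat-svc", "proj-1", flag,
                  ["heat_stack_owner"])
        print("impersonation=%s -> %s" % (flag, cleanup_outcome(t, "heat-svc")))
```

The point for an operator is that impersonation does not just widen what the trustee can do in the project; it also lets the trustee revoke the delegation it was given, which is exactly what Heat needs for stack cleanup but is worth knowing when handing out impersonating trusts to other services.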