[openstack-dev] [keystone] [nova]

Adam Young ayoung at redhat.com
Wed Feb 11 16:55:53 UTC 2015


On 02/11/2015 10:52 AM, Nikolay Makhotkin wrote:
> Hi !
>
> I investigated trust's use cases and encountered the problem: When I 
> use auth_token obtained from keystoneclient using trust, I get *403* 
> Forbidden error: *You are not authorized to perform the requested action.*
>
> Steps to reproduce:
>
> - Import v3 keystoneclient (used keystone and keystoneclient from 
> master, tried also to use stable/icehouse)
> - Import v3 novaclient
> - initialize the keystoneclient:
>  keystone = keystoneclient.Client(username=username, 
> password=password, tenant_name=tenant_name, auth_url=auth_url)
>
> - create a trust:
>   trust = keystone.trusts.create(
> keystone.user_id,
> keystone.user_id,
> impersonation=True,
> role_names=['admin'],
> project=keystone.project_id
>   )
>
> - initialize new keystoneclient:
>   client_from_trust = keystoneclient.Client(
>     username=username, password=password,
>     trust_id=trust.id, auth_url=auth_url,
>   )
>
> - create nova client using new token from new client:
>   nova = novaclient.Client(
>     auth_token=client_from_trust.auth_token,
>     auth_url=auth_url_v2,
>     project_id=client_from_trust.project_id,
>     service_type='compute',
>     username=None,
>     api_key=None
>   )
>
> - do simple request to nova:
> nova.servers.list()
>
> - get the error described above.
>
>
> Maybe I misunderstood something but what is wrong? I supposed I just 
> can work with nova like it was initialized using direct token.

From what you wrote here it should work, but since Heat has been doing 
stuff like this for a while, I'm pretty sure it is your setup and not a 
fundamental problem.

I'd take a look at what is going back and forth on the wire and make 
sure the right token is being sent to Nova.  If it is the original user's 
token and not the trust token, then you would see that error.

>
> -- 
> Best Regards,
> Nikolay
>
>

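One way to carry out the check suggested in the reply, as an added example that is not part of the original thread: given the JSON body Keystone v3 returns when the token actually sent to Nova is validated, tell a trust token from an ordinary user token. The function names and all sample ids are constructed for illustration; the `OS-TRUST:trust` section is the marker Keystone v3 puts in trust-scoped token bodies.

```python
# Constructed sample bodies in the Keystone v3 token format; every id is made up.
def sample_token(trust_id=None, project_id="proj-1111", roles=("admin",)):
    token = {"methods": ["password"], "user": {"id": "user-aaaa"},
             "roles": [{"name": r} for r in roles]}
    if project_id:
        token["project"] = {"id": project_id}
    if trust_id:
        # Trustor and trustee are the same user, as in the reproduction steps.
        token["OS-TRUST:trust"] = {"id": trust_id, "impersonation": True,
                                   "trustor_user": {"id": "user-aaaa"},
                                   "trustee_user": {"id": "user-aaaa"}}
    return {"token": token}


def check_trust_token(body, trust_id, project_id, role_names=("admin",)):
    """Return a list of problems; an empty list means this is the expected trust token."""
    token = body.get("token", {})
    problems = []
    trust = token.get("OS-TRUST:trust")
    if trust is None:
        problems.append("no OS-TRUST:trust section: this is an ordinary user token")
    elif trust.get("id") != trust_id:
        problems.append("token belongs to a different trust: %s" % trust.get("id"))
    scoped_to = token.get("project", {}).get("id")
    if scoped_to != project_id:
        problems.append("project scope is %r, expected %r" % (scoped_to, project_id))
    have = {role.get("name") for role in token.get("roles", [])}
    missing = sorted(set(role_names) - have)
    if missing:
        problems.append("delegated roles missing: " + ", ".join(missing))
    return problems


if __name__ == "__main__":
    cases = {
        "trust token": sample_token(trust_id="trust-9999"),
        "original user token": sample_token(),
        "unscoped token from another trust": sample_token("trust-0000", None, ()),
    }
    for name, body in cases.items():
        found = check_trust_token(body, "trust-9999", "proj-1111")
        print(name, "->", found or "OK")
```
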