[openstack-dev] [keystone] [nova]

Nikolay Makhotkin nmakhotkin at mirantis.com
Wed Feb 11 17:16:09 UTC 2015


No, I just checked it. Nova receives the trust token and raises this error.

In my script, I see:

http://paste.openstack.org/show/171452/

And as you can see, the token from the trust differs from the direct user's token.

On Wed, Feb 11, 2015 at 7:55 PM, Adam Young <ayoung at redhat.com> wrote:

>  On 02/11/2015 10:52 AM, Nikolay Makhotkin wrote:
>
> Hi!
>
>  I investigated trust's use cases and encountered a problem: when I use
> the auth_token obtained from keystoneclient using a trust, I get a *403*
> Forbidden error:  *You are not authorized to perform the requested
> action.*
>
>  Steps to reproduce:
>
>  - Import v3 keystoneclient (used keystone and keystoneclient from
> master, tried also to use stable/icehouse)
> - Import v3 novaclient
> - initialize the keystoneclient:
>   keystone = keystoneclient.Client(username=username, password=password,
> tenant_name=tenant_name, auth_url=auth_url)
>
>  - create a trust:
>   trust = keystone.trusts.create(
>     keystone.user_id,
>     keystone.user_id,
>     impersonation=True,
>     role_names=['admin'],
>     project=keystone.project_id
>   )
>
>  - initialize new keystoneclient:
>    client_from_trust = keystoneclient.Client(
>     username=username, password=password,
>     trust_id=trust.id, auth_url=auth_url,
>   )
>
>  - create nova client using new token from new client:
>    nova = novaclient.Client(
>     auth_token=client_from_trust.auth_token,
>     auth_url=auth_url_v2,
>     project_id=client_from_trust.project_id,
>     service_type='compute',
>     username=None,
>     api_key=None
>   )
>
>  - do a simple request to nova:
>   nova.servers.list()
>
>  - get the error described above.
>
>
> Maybe I misunderstood something, but what is wrong? I supposed I could just
> work with nova as if it was initialized using a direct token.
>
>
> From what you wrote here it should work, but since Heat has been doing
> stuff like this for a while, I'm pretty sure it is your setup and not a
> fundamental problem.
>
> I'd take a look at what is going back and forth on the wire and make sure
> the right token is being sent to Nova.  If it is the original user's token
> and not the trust token, then you would see that error.
>
>
>  --
>  Best Regards,
> Nikolay
>
>


-- 
Best Regards,
Nikolay
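
An added example, not part of the original message or of any OpenStack project's code: one way to confirm which token is actually being sent to Nova is to inspect the body Keystone returns when that token is validated (v3 `GET /v3/auth/tokens`) and look for the `OS-TRUST:trust` section, the project scope and the delegated roles. The two token bodies and all IDs below are constructed samples, and the function names are hypothetical.

```python
import json

# Constructed sample: v3 validation body for a token obtained with trust_id.
TRUST_TOKEN = json.loads("""
{"token": {"methods": ["password"],
           "user": {"id": "u-1", "name": "demo"},
           "project": {"id": "p-1", "name": "demo"},
           "roles": [{"id": "r-1", "name": "admin"}],
           "OS-TRUST:trust": {"id": "t-1", "impersonation": true,
                              "trustor_user": {"id": "u-1"},
                              "trustee_user": {"id": "u-1"}}}}
""")

# Constructed sample: the same user's direct project-scoped token.
DIRECT_TOKEN = json.loads("""
{"token": {"methods": ["password"],
           "user": {"id": "u-1", "name": "demo"},
           "project": {"id": "p-1", "name": "demo"},
           "roles": [{"id": "r-1", "name": "admin"},
                     {"id": "r-2", "name": "_member_"}]}}
""")


def describe_token(body):
    """Summarise the scope and delegation data carried by a v3 token body."""
    tok = body["token"]
    trust = tok.get("OS-TRUST:trust")  # present only on trust-scoped tokens
    return {
        "trust_scoped": trust is not None,
        "trust_id": trust["id"] if trust else None,
        "impersonation": trust["impersonation"] if trust else None,
        "project_id": tok.get("project", {}).get("id"),
        "roles": sorted(r["name"] for r in tok.get("roles", [])),
    }


def check_sent_token(body, trust_id, project_id, needed_role):
    """Return a list of mismatches between the token and what was intended."""
    info = describe_token(body)
    problems = []
    if not info["trust_scoped"]:
        problems.append("token is not trust-scoped")
    elif info["trust_id"] != trust_id:
        problems.append("token belongs to a different trust")
    if info["project_id"] != project_id:
        problems.append("token is scoped to another project (or unscoped)")
    if needed_role not in info["roles"]:
        problems.append("delegated roles do not include " + needed_role)
    return problems
```

An empty list from `check_sent_token` means the token matches the intended trust, project and role, so a 403 from Nova would then point at something other than the token's contents.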