<div dir="ltr"><br><div class="gmail_extra"><div class="gmail_quote">On Wed, Sep 4, 2013 at 5:45 AM, Steven Hardy <span dir="ltr">&lt;<a href="mailto:shardy@redhat.com" target="_blank">shardy@redhat.com</a>&gt;</span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><div class="im">On Wed, Sep 04, 2013 at 09:49:48AM +0100, Steven Hardy wrote:<br>

> This final step is the problematic step - atm (unless I'm making a mistake,<br>
> which as previously proven is entirely possible! ;) it seems that it's<br>
> impossible for anyone except the trustor to delete the trust, even if we<br>
> impersonate the trustor.<br>
<br>
</div>Ok, apologies, after further testing, it appears I made a mistake and you<br>
*can* delete the trust by impersonating the user.<br></blockquote><div><br></div><div>No worries! I was going to say, I couldn't think of a reason to explicitly deny the behavior.</div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">

<br>
The reason for the confusion is there's an odd issue when authenticating<br>
the client using a trust_id.  If (and only if) the trust has<br>
impersonation=True, you *must* specify the endpoint when initialising the<br>
client, otherwise we do not get a token, we get a 401.</blockquote><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">

<br>
So I misinterpreted the authentication failure as a 401 on delete, because<br>
I'd copied some code and changed impersonate from False to True, which<br>
changes the required arguments when consuming the trust.  Seems like a bug?<br></blockquote><div><br class="">That definitely sounds like a bug (in keystoneclient?)<br></div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">

<br>
I've created a gist containing an example which demonstrates the problem:<br>
<br>
<a href="https://gist.github.com/hardys/6435299" target="_blank">https://gist.github.com/hardys/6435299</a><br>
<br></blockquote><div><br></div><div>You shouldn't have to specify auth_url and endpoint together, ever... so something here is probably a bug on the client side:</div><div><br></div><div>  <a href="https://gist.github.com/hardys/6435299#file-trust_delete_test-py-L55-L56">https://gist.github.com/hardys/6435299#file-trust_delete_test-py-L55-L56</a><br>
</div><div><br></div><div>I also find it odd that you're specifying a project redundantly... given that the trust already specifies a project:</div><div><br></div><div>  <a href="https://gist.github.com/hardys/6435299#file-trust_delete_test-py-L45">https://gist.github.com/hardys/6435299#file-trust_delete_test-py-L45</a><br>
</div><div><br></div><div>You shouldn't have to specify one here:</div><div><br></div><div>  <a href="https://gist.github.com/hardys/6435299#file-trust_delete_test-py-L54">https://gist.github.com/hardys/6435299#file-trust_delete_test-py-L54</a></div>
<div><br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
I'm not sure if the bug is that the authenticate works without the endpoint<br>
when impersonate=False, or that it doesn't when impersonate=True.<br>
<br>
Thanks!<br>
<div class=""><div class="h5"><br>
Steve<br>
<br>
_______________________________________________<br>
OpenStack-dev mailing list<br>
<a href="mailto:OpenStack-dev@lists.openstack.org">OpenStack-dev@lists.openstack.org</a><br>
<a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a><br>
</div></div></blockquote></div><br><br clear="all"><div><br></div>-- <br><div><br></div>-Dolph
</div></div>