<div dir="ltr">No, I just checked it. Nova receives the trust token and raises this error.<div><br></div><div>In my script, I see: <br><br></div><div><a href="http://paste.openstack.org/show/171452/">http://paste.openstack.org/show/171452/</a><br></div><div><br></div><div>And as you can see, the token from the trust differs from the direct user's token. </div></div><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Feb 11, 2015 at 7:55 PM, Adam Young <span dir="ltr"><<a href="mailto:ayoung@redhat.com" target="_blank">ayoung@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
  
    
  
  <div bgcolor="#FFFFFF" text="#000000"><div><div class="h5">
    <div>On 02/11/2015 10:52 AM, Nikolay
      Makhotkin wrote:<br>
    </div>
    <blockquote type="cite">
      <div dir="ltr">Hi!
        <div><br>
        </div>
        <div>I investigated the trust use cases and encountered a
          problem: when I use an auth_token obtained from keystoneclient
          using a trust, I get a <b>403</b> Forbidden error: <b>You are
            not authorized to perform the requested action.</b></div>
        <div><br>
        </div>
        <div>Steps to reproduce: </div>
        <div><br>
        </div>
        <div>- Import v3 keystoneclient (used keystone and
          keystoneclient from master, tried also to use stable/icehouse)</div>
        <div>- Import v3 novaclient<br>
          - initialize the keystoneclient:</div>
        <pre>from keystoneclient.v3 import client as keystoneclient
from novaclient.v3 import client as novaclient

# username, password, tenant_name, auth_url and auth_url_v2 are set
# elsewhere in the script
keystone = keystoneclient.Client(username=username, password=password,
                                 tenant_name=tenant_name, auth_url=auth_url)</pre>
        <div>- create a trust:</div>
        <pre># trustee and trustor are the same user in this test; the trust
# delegates the admin role on the current project with impersonation
trust = keystone.trusts.create(
    keystone.user_id,
    keystone.user_id,
    impersonation=True,
    role_names=['admin'],
    project=keystone.project_id
)</pre>
        <div>- initialize new keystoneclient:</div>
        <pre># authenticate again, this time scoped to the trust
client_from_trust = keystoneclient.Client(
    username=username, password=password,
    trust_id=trust.id, auth_url=auth_url,
)</pre>
        <div>- create nova client using new token from new client:</div>
        <pre>nova = novaclient.Client(
    auth_token=client_from_trust.auth_token,   # the trust-scoped token
    auth_url=auth_url_v2,
    project_id=client_from_trust.project_id,   # project the trust is scoped to
    service_type='compute',
    username=None,
    api_key=None
)</pre>
        <div>- do simple request to nova:</div>
        <pre>nova.servers.list()</pre>
        <div>- get the error described above.</div>
        <div><br>
        </div>
        <div>Maybe I misunderstood something but what is wrong? I
          supposed I could just work with nova as if it had been initialized
          using a direct token.</div>
      </div>
    </blockquote>
    <br></div></div>
    From what you wrote here it should work, but since Heat has been
    doing stuff like this for a while, I'm pretty sure it is your setup
    and not a fundamental problem.<br>
    <br>
    I'd take a look at what is going back and forth on the wire and make
    sure the right token is being sent to Nova.  If it is the original
    user's token and not the trust token, then you would see that error.<span class="HOEnZb"><font color="#888888"><br>
    <br>
    <blockquote type="cite">
      <div dir="ltr">
        <div>
          <div><br>
          </div>
          -- <br>
          <div>
            <div dir="ltr">
              <div><font>Best Regards,</font></div>
              <div><font>Nikolay</font></div>
            </div>
          </div>
        </div>
      </div>
      <br>
      <fieldset></fieldset>
      <br>
      <pre>__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: <a href="mailto:OpenStack-dev-request@lists.openstack.org?subject:unsubscribe" target="_blank">OpenStack-dev-request@lists.openstack.org?subject:unsubscribe</a>
<a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a>
</pre>
    </blockquote>
    <br>
  </font></span></div>

<br></blockquote></div><br><br clear="all"><div><br></div>-- <br><div class="gmail_signature"><div dir="ltr"><div><font>Best Regards,</font></div><div><font>Nikolay</font></div></div></div>
</div>
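<p>An added check that is not part of this thread (example code, not Nikolay's script and not any OpenStack client code): it builds the Keystone v3 token-validation request Adam's "look at the wire" advice calls for, decodes the validation response, and reports whether the token nova actually receives is the trust-scoped one with the expected trust id, project and roles rather than the user's direct token. The endpoint URL, token strings, ids and the two sample responses are constructed placeholders.</p>

```python
import json

# Constructed sample of what GET /v3/auth/tokens (with X-Subject-Token set
# to the token under test) returns for a token issued via a trust; ids are made up.
TRUST_TOKEN_JSON = json.dumps({"token": {
    "user": {"id": "u-111", "name": "nikolay"},
    "project": {"id": "p-222", "name": "demo"},
    "roles": [{"id": "r-1", "name": "admin"}],
    "OS-TRUST:trust": {"id": "t-333", "impersonation": True,
                       "trustor_user": {"id": "u-111"},
                       "trustee_user": {"id": "u-111"}},
}})
# Constructed sample of the same user's direct (non-trust) project token.
DIRECT_TOKEN_JSON = json.dumps({"token": {
    "user": {"id": "u-111", "name": "nikolay"},
    "project": {"id": "p-222", "name": "demo"},
    "roles": [{"id": "r-2", "name": "Member"}],
}})

def validation_request(auth_url, admin_token, subject_token):
    """URL and headers for the Keystone v3 token-validation call."""
    return (auth_url.rstrip("/") + "/auth/tokens",
            {"X-Auth-Token": admin_token, "X-Subject-Token": subject_token})

def describe_token(body):
    """Summarize a validation response: scope kind, trust id, project, roles."""
    tok = json.loads(body)["token"]
    trust = tok.get("OS-TRUST:trust")
    return {
        "scope": "trust" if trust else ("project" if "project" in tok else "unscoped"),
        "trust_id": trust["id"] if trust else None,
        "user_id": tok["user"]["id"],
        "project_id": tok.get("project", {}).get("id"),
        "roles": sorted(r["name"] for r in tok.get("roles", [])),
    }

def check_trust_token(body, trust_id, project_id, role_names):
    """Mismatches against the trust's parameters; empty means nova got the right token."""
    info = describe_token(body)
    problems = []
    if info["scope"] != "trust":
        problems.append("not a trust-scoped token (scope=%s)" % info["scope"])
    elif info["trust_id"] != trust_id:
        problems.append("trust id %s != %s" % (info["trust_id"], trust_id))
    if info["project_id"] != project_id:
        problems.append("project %s != %s" % (info["project_id"], project_id))
    missing = sorted(set(role_names) - set(info["roles"]))
    if missing:
        problems.append("missing roles: %s" % ", ".join(missing))
    return problems
```

Feed it the JSON body returned for the token found in nova's X-Auth-Token header; a non-empty list pinpoints why nova's policy check rejects the request.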