
<html>

  <head>

    <meta content="text/html; charset=windows-1252"

      http-equiv="Content-Type">

  </head>

  <body bgcolor="#FFFFFF" text="#000000">

    <div class="moz-cite-prefix">On 02/11/2015 10:52 AM, Nikolay

      Makhotkin wrote:<br>

    </div>

    <blockquote

cite="mid:CACarOJZU8mJyeUu-6LxdLr1AfqhsJiucGtF2uehsGLn-vY4KRQ@mail.gmail.com"

      type="cite">

      <div dir="ltr">Hi !

        <div><br>

        </div>

        <div>I investigated trust's use cases and encountered the

          problem: When I use auth_token obtained from keystoneclient

          using trust, I get <b>403</b> Forbidden error:  <b>You are

            not authorized to perform the requested action.</b></div>

        <div><br>

        </div>

        <div>Steps to reproduce: </div>

        <div><br>

        </div>

        <div>- Import v3 keystoneclient (used keystone and

          keystoneclient from master, tried also to use stable/icehouse)</div>

        <div>- Import v3 novaclient<br>

          - initialize the keystoneclient:</div>

        <div> <font face="monospace, monospace"> keystone =

            keystoneclient.Client(username=username, password=password,

            tenant_name=tenant_name, auth_url=auth_url)</font></div>

        <div><font face="monospace, monospace"><br>

          </font></div>

        <div><font face="arial, helvetica, sans-serif">- create a trust:</font></div>

        <div><font face="monospace, monospace">  trust =

            keystone.trusts.create(</font>

          <div style="font-family:monospace,monospace">   

            keystone.user_id,</div>

          <div style="font-family:monospace,monospace">   

            keystone.user_id,</div>

          <div style="font-family:monospace,monospace">   

            impersonation=True,</div>

          <div style="font-family:monospace,monospace">   

            role_names=['admin'],</div>

          <div style="font-family:monospace,monospace">   

            project=keystone.project_id</div>

          <div style="font-family:monospace,monospace">  )</div>

          <div style="font-family:monospace,monospace"><br>

          </div>

          <div><font face="arial, helvetica, sans-serif">- initialize

              new keystoneclient:</font></div>

          <div style="font-family:monospace,monospace">

            <div>  client_from_trust = keystoneclient.Client(</div>

            <div>    username=username, password=password,</div>

            <div>    trust_id=<a moz-do-not-send="true"

                href="http://trust.id">trust.id</a>, auth_url=auth_url,</div>

            <div>  )</div>

          </div>

          <div style="font-family:monospace,monospace"><br>

          </div>

          <div><font face="arial, helvetica, sans-serif">- create nova

              client using new token from new client:</font></div>

          <div style="font-family:monospace,monospace">

            <div>  nova = novaclient.Client(</div>

            <div>    auth_token=client_from_trust.auth_token,</div>

            <div>    auth_url=auth_url_v2,</div>

            <div>    project_id=from_trust.project_id,</div>

            <div>    service_type='compute',</div>

            <div>    username=None,</div>

            <div>    api_key=None</div>

            <div>  )</div>

          </div>

          <div style="font-family:monospace,monospace"><br>

          </div>

          <div><font face="arial, helvetica, sans-serif">- do simple

              request to nova:</font></div>

          <div>  <font face="monospace, monospace">nova.servers.list()</font><br>

          </div>

          <div><font face="monospace, monospace"><br>

            </font></div>

          <div><font face="arial, helvetica, sans-serif">- get the error

              described above.</font></div>

          <div><font face="arial, helvetica, sans-serif"><br>

            </font></div>

          <div><font face="arial, helvetica, sans-serif"><br>

              Maybe I misunderstood something but what is wrong? I

              supposed I just can work with nova like it was initialized

              using direct token.</font></div>

        </div>

      </div>

    </blockquote>

    <br>

    From what you wrote here it should work, but since Heat has been

    doing stuff like this for a while, I'm pretty sure it is your setup

    and not a fundamental problem.<br>

    <br>

    I'd take a look at what is going back and forth on the wire and make

    sure the right token is being sent to Nova.  If it is the original

    users token and not the trust token, then you would see that error.<br>

    <br>

    <blockquote

cite="mid:CACarOJZU8mJyeUu-6LxdLr1AfqhsJiucGtF2uehsGLn-vY4KRQ@mail.gmail.com"

      type="cite">

      <div dir="ltr">

        <div>

          <div><br>

          </div>

          -- <br>

          <div class="gmail_signature">

            <div dir="ltr">

              <div><font>Best Regards,</font></div>

              <div><font>Nikolay</font></div>

            </div>

          </div>

        </div>

      </div>

      <br>

      <fieldset class="mimeAttachmentHeader"></fieldset>

      <br>

      <pre wrap="">__________________________________________________________________________

OpenStack Development Mailing List (not for usage questions)

Unsubscribe: <a class="moz-txt-link-abbreviated" href="mailto:OpenStack-dev-request@lists.openstack.org?subject:unsubscribe">OpenStack-dev-request@lists.openstack.org?subject:unsubscribe</a>

<a class="moz-txt-link-freetext" href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a>

</pre>

    </blockquote>

    <br>

  </body>

</html>