<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">On 02/11/2015 10:52 AM, Nikolay
Makhotkin wrote:<br>
</div>
<blockquote
cite="mid:CACarOJZU8mJyeUu-6LxdLr1AfqhsJiucGtF2uehsGLn-vY4KRQ@mail.gmail.com"
type="cite">
<div dir="ltr">Hi !
<div><br>
</div>
<div>I investigated trust's use cases and encountered the
problem: When I use auth_token obtained from keystoneclient
using trust, I get <b>403</b> Forbidden error: <b>You are
not authorized to perform the requested action.</b></div>
<div><br>
</div>
<div>Steps to reproduce: </div>
<div><br>
</div>
<div>- Import v3 keystoneclient (used keystone and
keystoneclient from master, tried also to use stable/icehouse)</div>
<div>- Import v3 novaclient<br>
- initialize the keystoneclient:</div>
<div> <font face="monospace, monospace"> keystone =
keystoneclient.Client(username=username, password=password,
tenant_name=tenant_name, auth_url=auth_url)</font></div>
<div><font face="monospace, monospace"><br>
</font></div>
<div><font face="arial, helvetica, sans-serif">- create a trust:</font></div>
<div><font face="monospace, monospace"> trust =
keystone.trusts.create(</font>
<div style="font-family:monospace,monospace">
keystone.user_id,</div>
<div style="font-family:monospace,monospace">
keystone.user_id,</div>
<div style="font-family:monospace,monospace">
impersonation=True,</div>
<div style="font-family:monospace,monospace">
role_names=['admin'],</div>
<div style="font-family:monospace,monospace">
project=keystone.project_id</div>
<div style="font-family:monospace,monospace"> )</div>
<div style="font-family:monospace,monospace"><br>
</div>
<div><font face="arial, helvetica, sans-serif">- initialize
new keystoneclient:</font></div>
<div style="font-family:monospace,monospace">
<div> client_from_trust = keystoneclient.Client(</div>
<div> username=username, password=password,</div>
<div> trust_id=<a moz-do-not-send="true"
href="http://trust.id">trust.id</a>, auth_url=auth_url,</div>
<div> )</div>
</div>
<div style="font-family:monospace,monospace"><br>
</div>
<div><font face="arial, helvetica, sans-serif">- create nova
client using new token from new client:</font></div>
<div style="font-family:monospace,monospace">
<div> nova = novaclient.Client(</div>
<div> auth_token=client_from_trust.auth_token,</div>
<div> auth_url=auth_url_v2,</div>
<div> project_id=from_trust.project_id,</div>
<div> service_type='compute',</div>
<div> username=None,</div>
<div> api_key=None</div>
<div> )</div>
</div>
<div style="font-family:monospace,monospace"><br>
</div>
<div><font face="arial, helvetica, sans-serif">- do simple
request to nova:</font></div>
<div> <font face="monospace, monospace">nova.servers.list()</font><br>
</div>
<div><font face="monospace, monospace"><br>
</font></div>
<div><font face="arial, helvetica, sans-serif">- get the error
described above.</font></div>
<div><font face="arial, helvetica, sans-serif"><br>
</font></div>
<div><font face="arial, helvetica, sans-serif"><br>
Maybe I misunderstood something but what is wrong? I
supposed I just can work with nova like it was initialized
using direct token.</font></div>
</div>
</div>
</blockquote>
<br>
From what you wrote here it should work, but since Heat has been
doing stuff like this for a while, I'm pretty sure it is your setup
and not a fundamental problem.<br>
<br>
I'd take a look at what is going back and forth on the wire and make
sure the right token is being sent to Nova. If it is the original
users token and not the trust token, then you would see that error.<br>
<br>
<blockquote
cite="mid:CACarOJZU8mJyeUu-6LxdLr1AfqhsJiucGtF2uehsGLn-vY4KRQ@mail.gmail.com"
type="cite">
<div dir="ltr">
<div>
<div><br>
</div>
-- <br>
<div class="gmail_signature">
<div dir="ltr">
<div><font>Best Regards,</font></div>
<div><font>Nikolay</font></div>
</div>
</div>
</div>
</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: <a class="moz-txt-link-abbreviated" href="mailto:OpenStack-dev-request@lists.openstack.org?subject:unsubscribe">OpenStack-dev-request@lists.openstack.org?subject:unsubscribe</a>
<a class="moz-txt-link-freetext" href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a>
</pre>
</blockquote>
<br>
</body>
</html>