<div dir="ltr">A trust token cannot be used to get another token:<div><a href="https://github.com/openstack/keystone/blob/master/keystone/token/controllers.py#L154-L156">https://github.com/openstack/keystone/blob/master/keystone/token/controllers.py#L154-L156</a><br><div>You have to make your Nova client use the very same trust scoped token obtained from authentication using trust without trying to authenticate with it one more time.</div></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Feb 11, 2015 at 9:10 PM, Adam Young <span dir="ltr"><<a href="mailto:ayoung@redhat.com" target="_blank">ayoung@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
  
    
  
  <div bgcolor="#FFFFFF" text="#000000"><span class="">
    <div>On 02/11/2015 12:16 PM, Nikolay
      Makhotkin wrote:<br>
    </div>
    <blockquote type="cite">
      <div dir="ltr">No, I just checked it. Nova receives the trust token
        and raises this error.
        <div><br>
        </div>
        <div>In my script, I see: <br>
          <br>
        </div>
        <div><a href="http://paste.openstack.org/show/171452/" target="_blank">http://paste.openstack.org/show/171452/</a><br>
        </div>
        <div><br>
        </div>
        <div>And as you can see, token from trust differs from direct
          user's token. <br>
        </div>
      </div>
    </blockquote>
    <br></span>
    The original user needs to have the appropriate role to perform the
    operation on the specified project.  I see the admin role is created
    on the trust. If the trustor did not have that role, the trustee
    would not be able to execute the trust and get a token.  It looks
    like you were able to execute the trust and get a token,  but I
    would like you to confirm that, and not just trust the keystone
    client:  either put debug statements in Keystone or call the POST to
    tokens from curl with the appropriate options to get a trust token. 
    In short, make sure you have not fooled yourself.  You can also look
    in the token table inside Keystone to see the data for the trust
    token, or validate the token  via curl to see the data in it.  In
    all cases, there should be an OS-TRUST stanza in the token data.<br>
    <br>
    <br>
    If it is still failing, there might be some issue on the Policy
    side.  I have been assuming that you are running with the default
    policy for Nova. <br>
    <br>
<a href="http://git.openstack.org/cgit/openstack/nova/tree/etc/nova/policy.json" target="_blank">http://git.openstack.org/cgit/openstack/nova/tree/etc/nova/policy.json</a><br>
    <br>
    I'm not sure which rule matches for list servers (Nova developer
    input would be appreciated)  but I'm guessing it is executing the
    rule <br>
    <code><font face="sans-serif"><br>
        "admin_or_owner": "is_admin:True or project_id:%(project_id)s",<br>
    </font></code><br>
    Since that is the default. I am guessing that the project_id in
    question comes from the token here, as that seems to be common,
    but if not, it might be that the two values are mismatched.
    Perhaps the Project ID value from the client env var is sent,
    and matches what the trustor normally works as, not the project
    in question.  If these two values don't match, then, yes, the
    rule would fail.<br>
    <div><div class="h5"><br>
    <br>
    <br>
    <blockquote type="cite">
      <div class="gmail_extra"><br>
        <div class="gmail_quote">On Wed, Feb 11, 2015 at 7:55 PM, Adam
          Young <span dir="ltr"><<a href="mailto:ayoung@redhat.com" target="_blank">ayoung@redhat.com</a>></span>
          wrote:<br>
          <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
            <div bgcolor="#FFFFFF" text="#000000">
              <div>
                <div>
                  <div>On 02/11/2015 10:52 AM, Nikolay Makhotkin wrote:<br>
                  </div>
                  <blockquote type="cite">
                    <div dir="ltr">Hi!
                      <div><br>
                      </div>
                      <div>I investigated trust's use cases and
                        encountered the problem: When I use auth_token
                        obtained from keystoneclient using trust, I get
                        <b>403</b> Forbidden error:  <b>You are not
                          authorized to perform the requested action.</b></div>
                      <div><br>
                      </div>
                      <div>Steps to reproduce: </div>
                      <div><br>
                      </div>
                      <div>- Import v3 keystoneclient (used keystone and
                        keystoneclient from master, tried also to use
                        stable/icehouse)</div>
                      <div>- Import v3 novaclient<br>
                        - initialize the keystoneclient:</div>
                      <div> <font face="monospace, monospace"> keystone
                          = keystoneclient.Client(username=username,
                          password=password, tenant_name=tenant_name,
                          auth_url=auth_url)</font></div>
                      <div><font face="monospace, monospace"><br>
                        </font></div>
                      <div><font face="arial, helvetica, sans-serif">-
                          create a trust:</font></div>
                      <div><font face="monospace, monospace">  trust =
                          keystone.trusts.create(</font>
                        <div style="font-family:monospace,monospace">   
                          keystone.user_id,</div>
                        <div style="font-family:monospace,monospace">   
                          keystone.user_id,</div>
                        <div style="font-family:monospace,monospace">   
                          impersonation=True,</div>
                        <div style="font-family:monospace,monospace">   
                          role_names=['admin'],</div>
                        <div style="font-family:monospace,monospace">   
                          project=keystone.project_id</div>
                        <div style="font-family:monospace,monospace">  )</div>
                        <div style="font-family:monospace,monospace"><br>
                        </div>
                        <div><font face="arial, helvetica, sans-serif">-
                            initialize new keystoneclient:</font></div>
                        <div style="font-family:monospace,monospace">
                          <div>  client_from_trust =
                            keystoneclient.Client(</div>
                          <div>    username=username, password=password,</div>
                          <div>    trust_id=trust.id,
                            auth_url=auth_url,</div>
                          <div>  )</div>
                        </div>
                        <div style="font-family:monospace,monospace"><br>
                        </div>
                        <div><font face="arial, helvetica, sans-serif">-
                            create nova client using new token from new
                            client:</font></div>
                        <div style="font-family:monospace,monospace">
                          <div>  nova = novaclient.Client(</div>
                          <div>   
                            auth_token=client_from_trust.auth_token,</div>
                          <div>    auth_url=auth_url_v2,</div>
                          <div>    project_id=client_from_trust.project_id,</div>
                          <div>    service_type='compute',</div>
                          <div>    username=None,</div>
                          <div>    api_key=None</div>
                          <div>  )</div>
                        </div>
                        <div style="font-family:monospace,monospace"><br>
                        </div>
                        <div><font face="arial, helvetica, sans-serif">-
                            do simple request to nova:</font></div>
                        <div>  <font face="monospace, monospace">nova.servers.list()</font><br>
                        </div>
                        <div><font face="monospace, monospace"><br>
                          </font></div>
                        <div><font face="arial, helvetica, sans-serif">-
                            get the error described above.</font></div>
                        <div><font face="arial, helvetica, sans-serif"><br>
                          </font></div>
                        <div><font face="arial, helvetica, sans-serif"><br>
                            Maybe I misunderstood something but what is
                            wrong? I supposed I just can work with nova
                            like it was initialized using direct token.</font></div>
                      </div>
                    </div>
                  </blockquote>
                  <br>
                </div>
              </div>
              From what you wrote here it should work, but since Heat
              has been doing stuff like this for a while, I'm pretty
              sure it is your setup and not a fundamental problem.<br>
              <br>
              I'd take a look at what is going back and forth on the
              wire and make sure the right token is being sent to Nova. 
              If it is the original user's token and not the trust token,
              then you would see that error.<span><font color="#888888"><br>
                  <br>
                  <blockquote type="cite">
                    <div dir="ltr">
                      <div>
                        <div><br>
                        </div>
                        -- <br>
                        <div>
                          <div dir="ltr">
                            <div><font>Best Regards,</font></div>
                            <div><font>Nikolay</font></div>
                          </div>
                        </div>
                      </div>
                    </div>
                    <br>
                    <fieldset></fieldset>
                    <br>
                    <pre>__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: <a href="mailto:OpenStack-dev-request@lists.openstack.org?subject:unsubscribe" target="_blank">OpenStack-dev-request@lists.openstack.org?subject:unsubscribe</a>
<a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a>
</pre>
                  </blockquote>
                  <br>
                </font></span></div>
            <br>
          </blockquote>
        </div>
        <br>
        <br clear="all">
        <div><br>
        </div>
        -- <br>
        <div>
          <div dir="ltr">
            <div><font>Best Regards,</font></div>
            <div><font>Nikolay</font></div>
          </div>
        </div>
      </div>
      <br>
      <fieldset></fieldset>
      <br>
    </blockquote>
    <br>
  </div></div></div>

<br></blockquote></div><br><br clear="all"><div><br></div>-- <br><div class="gmail_signature"><div dir="ltr"><font color="#000000" style="color:rgb(0,0,0);font-family:Cantarell;font-size:15px">Kind Regards,</font><br style="color:rgb(0,0,0);font-family:Cantarell;font-size:15px"><font color="#000000" style="color:rgb(0,0,0);font-family:Cantarell;font-size:15px">Alexander Makarov,</font><br style="color:rgb(0,0,0);font-family:Cantarell;font-size:15px"><font color="#000000" style="color:rgb(0,0,0);font-family:Cantarell;font-size:15px">Senior Software Developer,</font><br style="color:rgb(0,0,0);font-family:Cantarell;font-size:15px"><br style="color:rgb(0,0,0);font-family:Cantarell;font-size:15px"><font color="#000000" style="color:rgb(0,0,0);font-family:Cantarell;font-size:15px">Mirantis, Inc.</font><br style="color:rgb(0,0,0);font-family:Cantarell;font-size:15px"><font color="#000000" style="color:rgb(0,0,0);font-family:Cantarell;font-size:15px">35b/3, Vorontsovskaya St., 109147, Moscow, Russia</font><br style="color:rgb(0,0,0);font-family:Cantarell;font-size:15px"><br style="color:rgb(0,0,0);font-family:Cantarell;font-size:15px"><font color="#000000" style="color:rgb(0,0,0);font-family:Cantarell;font-size:15px">Tel.: +7 (495) 640-49-04</font><br style="color:rgb(0,0,0);font-family:Cantarell;font-size:15px"><font color="#000000" style="color:rgb(0,0,0);font-family:Cantarell;font-size:15px">Tel.: +7 (926) 204-50-60</font><br style="color:rgb(0,0,0);font-family:Cantarell;font-size:15px"><br style="color:rgb(0,0,0);font-family:Cantarell;font-size:15px"><font color="#000000" style="color:rgb(0,0,0);font-family:Cantarell;font-size:15px">Skype: MAKAPOB.AJIEKCAHDP</font><br></div></div>
</div>
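As an added example (not code from the thread, nor from Keystone or Nova), the two checks Adam describes in the thread, run offline against a constructed token-validation response: confirm the token handed to Nova really is a trust token by looking for the OS-TRUST stanza, then evaluate Nova's default admin_or_owner rule against the project the client targets. The JSON body, all IDs in it, and the mapping of the admin role to is_admin are assumptions made here for illustration.

```python
import json

# Constructed sample of what GET /v3/auth/tokens returns for a trust-scoped
# token (all IDs are placeholders, not values from the thread).
TRUST_TOKEN_RESPONSE = json.dumps({
    "token": {
        "project": {"id": "PROJECT_ID_PLACEHOLDER", "name": "demo"},
        "user": {"id": "TRUSTEE_USER_ID_PLACEHOLDER", "name": "trustee"},
        "roles": [{"id": "ROLE_ID_PLACEHOLDER", "name": "admin"}],
        "OS-TRUST:trust": {
            "id": "TRUST_ID_PLACEHOLDER",
            "impersonation": True,
            "trustor_user": {"id": "TRUSTOR_USER_ID_PLACEHOLDER"},
            "trustee_user": {"id": "TRUSTEE_USER_ID_PLACEHOLDER"},
        },
    }
})


def describe_token(body):
    """Return (is_trust_scoped, project_id, role_names) from a validation
    response; the OS-TRUST:trust stanza is what Adam says must be present."""
    token = json.loads(body)["token"]
    project_id = token.get("project", {}).get("id")
    roles = [r["name"] for r in token.get("roles", [])]
    return "OS-TRUST:trust" in token, project_id, roles


def admin_or_owner(token_project_id, token_roles, target_project_id):
    """Mirror of Nova's default rule
    "admin_or_owner": "is_admin:True or project_id:%(project_id)s".
    Assumption: is_admin is set when the token carries the 'admin' role,
    as Nova's default context_is_admin rule does."""
    is_admin = "admin" in token_roles
    return is_admin or token_project_id == target_project_id


def check_trust_request(body, client_project_id):
    """Diagnose the thread's 403: the token sent to Nova must be the trust
    token (OS-TRUST stanza present), and the project the client targets
    must satisfy admin_or_owner against the token's project."""
    is_trust, project_id, roles = describe_token(body)
    if not is_trust:
        return "not a trust token: the original user token was sent"
    if not admin_or_owner(project_id, roles, client_project_id):
        return "policy mismatch: client project %s != token project %s" % (
            client_project_id, project_id)
    return "ok"
```

Feed it the body returned by validating the token with curl (X-Auth-Token plus X-Subject-Token) and the project_id the Nova client was built with; a mismatch message points at the policy side, a missing stanza at the client sending the wrong token.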