<div dir="ltr">A trust token cannot be used to get another token:<div><a href="https://github.com/openstack/keystone/blob/master/keystone/token/controllers.py#L154-L156">https://github.com/openstack/keystone/blob/master/keystone/token/controllers.py#L154-L156</a><br><div>You have to make your Nova client use the very same trust scoped token obtained from authentication using trust without trying to authenticate with it one more time.</div></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Feb 11, 2015 at 9:10 PM, Adam Young <span dir="ltr"><<a href="mailto:ayoung@redhat.com" target="_blank">ayoung@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000"><span class="">
<div>On 02/11/2015 12:16 PM, Nikolay
Makhotkin wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">No, I just checked it. Nova receives the trust token
and raises this error.
<div><br>
</div>
<div>In my script, I see: <br>
<br>
</div>
<div><a href="http://paste.openstack.org/show/171452/" target="_blank">http://paste.openstack.org/show/171452/</a><br>
</div>
<div><br>
</div>
<div>And as you can see, the token from the trust differs from the direct
user's token. <br>
</div>
</div>
</blockquote>
<br></span>
The original user needs to have the appropriate role to perform the
operation on the specified project. I see the admin role is created
on the trust. If the trustor did not have that role, the trustee
would not be able to execute the trust and get a token. It looks
like you were able to execute the trust and get a token, but I
would like you to confirm that, and not just trust the keystone
client: either put debug statements in Keystone or call the POST to
tokens from curl with the appropriate options to get a trust token.
In short, make sure you have not fooled yourself. You can also look
in the token table inside Keystone to see the data for the trust
token, or validate the token via curl to see the data in it. In
all cases, there should be an OS-TRUST stanza in the token data.<br>
<br>
<br>
If it is still failing, there might be some issue on the Policy
side. I have been assuming that you are running with the default
policy for Nova. <br>
<br>
<a href="http://git.openstack.org/cgit/openstack/nova/tree/etc/nova/policy.json" target="_blank">http://git.openstack.org/cgit/openstack/nova/tree/etc/nova/policy.json</a><br>
<br>
I'm not sure which rule matches for list servers (Nova developer
input would be appreciated) but I'm guessing it is executing the
rule<br>
<br>
<code>"admin_or_owner": "is_admin:True or project_id:%(project_id)s",</code><br>
<br>
since that is the default. I am guessing that the project_id in
question comes from the token here, as that seems to be common,
but if not, it might be that the two values are mismatched.
Perhaps the Project ID value from the client env var is sent,
and matches what the trustor normally works as, not the project
in question. If these two values don't match, then, yes, the
rule would fail.<br>
<div><div class="h5"><br>
<br>
<br>
<blockquote type="cite">
<div class="gmail_extra"><br>
<div class="gmail_quote">On Wed, Feb 11, 2015 at 7:55 PM, Adam
Young <span dir="ltr"><<a href="mailto:ayoung@redhat.com" target="_blank">ayoung@redhat.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<div>
<div>
<div>On 02/11/2015 10:52 AM, Nikolay Makhotkin wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">Hi !
<div><br>
</div>
<div>I investigated trust use cases and
encountered a problem: when I use an auth_token
obtained from keystoneclient using a trust, I get a
<b>403</b> Forbidden error: <b>You are not
authorized to perform the requested action.</b></div>
<div><br>
</div>
<div>Steps to reproduce: </div>
<div><br>
</div>
<div>- Import v3 keystoneclient (used keystone and
keystoneclient from master, tried also to use
stable/icehouse)</div>
<div>- Import v3 novaclient<br>
- initialize the keystoneclient:</div>
<div><pre>keystone = keystoneclient.Client(username=username,
                                 password=password,
                                 tenant_name=tenant_name,
                                 auth_url=auth_url)</pre></div>
<div><font face="monospace, monospace"><br>
</font></div>
<div><font face="arial, helvetica, sans-serif">-
create a trust:</font></div>
<div><pre>trust = keystone.trusts.create(
    keystone.user_id,
    keystone.user_id,
    impersonation=True,
    role_names=['admin'],
    project=keystone.project_id
)</pre>
<div style="font-family:monospace,monospace"><br>
</div>
<div><font face="arial, helvetica, sans-serif">-
initialize new keystoneclient:</font></div>
<div><pre>client_from_trust = keystoneclient.Client(
    username=username, password=password,
    trust_id=trust.id,
    auth_url=auth_url,
)</pre></div>
<div style="font-family:monospace,monospace"><br>
</div>
<div><font face="arial, helvetica, sans-serif">-
create nova client using new token from new
client:</font></div>
<div><pre>nova = novaclient.Client(
    auth_token=client_from_trust.auth_token,
    auth_url=auth_url_v2,
    project_id=client_from_trust.project_id,
    service_type='compute',
    username=None,
    api_key=None
)</pre></div>
<div style="font-family:monospace,monospace"><br>
</div>
<div><font face="arial, helvetica, sans-serif">-
do simple request to nova:</font></div>
<div><pre>nova.servers.list()</pre></div>
<div><font face="monospace, monospace"><br>
</font></div>
<div><font face="arial, helvetica, sans-serif">-
get the error described above.</font></div>
<div><font face="arial, helvetica, sans-serif"><br>
</font></div>
<div><font face="arial, helvetica, sans-serif"><br>
Maybe I misunderstood something, but what is
wrong? I supposed I could just work with nova
as if it had been initialized using a direct token.</font></div>
</div>
</div>
</blockquote>
<br>
</div>
</div>
From what you wrote here it should work, but since Heat
has been doing stuff like this for a while, I'm pretty
sure it is your setup and not a fundamental problem.<br>
<br>
I'd take a look at what is going back and forth on the
wire and make sure the right token is being sent to Nova.
If it is the original user's token and not the trust token,
then you would see that error.<span><font color="#888888"><br>
<br>
<blockquote type="cite">
<div dir="ltr">
<div>
<div><br>
</div>
-- <br>
<div>
<div dir="ltr">
<div><font>Best Regards,</font></div>
<div><font>Nikolay</font></div>
</div>
</div>
</div>
</div>
<br>
<fieldset></fieldset>
<br>
<pre>__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: <a href="mailto:OpenStack-dev-request@lists.openstack.org?subject:unsubscribe" target="_blank">OpenStack-dev-request@lists.openstack.org?subject:unsubscribe</a>
<a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a>
</pre>
</blockquote>
<br>
</font></span></div>
<br>
</blockquote>
</div>
<br>
<br clear="all">
<div><br>
</div>
-- <br>
<div>
<div dir="ltr">
<div><font>Best Regards,</font></div>
<div><font>Nikolay</font></div>
</div>
</div>
</div>
<br>
</blockquote>
<br>
</div></div></div>
<br></blockquote></div><br><br clear="all"><div><br></div>-- <br><div class="gmail_signature"><div dir="ltr"><font color="#000000" style="color:rgb(0,0,0);font-family:Cantarell;font-size:15px">Kind Regards,</font><br style="color:rgb(0,0,0);font-family:Cantarell;font-size:15px"><font color="#000000" style="color:rgb(0,0,0);font-family:Cantarell;font-size:15px">Alexander Makarov,</font><br style="color:rgb(0,0,0);font-family:Cantarell;font-size:15px"><font color="#000000" style="color:rgb(0,0,0);font-family:Cantarell;font-size:15px">Senoir Software Developer,</font><br style="color:rgb(0,0,0);font-family:Cantarell;font-size:15px"><br style="color:rgb(0,0,0);font-family:Cantarell;font-size:15px"><font color="#000000" style="color:rgb(0,0,0);font-family:Cantarell;font-size:15px">Mirantis, Inc.</font><br style="color:rgb(0,0,0);font-family:Cantarell;font-size:15px"><font color="#000000" style="color:rgb(0,0,0);font-family:Cantarell;font-size:15px">35b/3, Vorontsovskaya St., 109147, Moscow, Russia</font><br style="color:rgb(0,0,0);font-family:Cantarell;font-size:15px"><br style="color:rgb(0,0,0);font-family:Cantarell;font-size:15px"><font color="#000000" style="color:rgb(0,0,0);font-family:Cantarell;font-size:15px">Tel.: +7 (495) 640-49-04</font><br style="color:rgb(0,0,0);font-family:Cantarell;font-size:15px"><font color="#000000" style="color:rgb(0,0,0);font-family:Cantarell;font-size:15px">Tel.: +7 (926) 204-50-60</font><br style="color:rgb(0,0,0);font-family:Cantarell;font-size:15px"><br style="color:rgb(0,0,0);font-family:Cantarell;font-size:15px"><font color="#000000" style="color:rgb(0,0,0);font-family:Cantarell;font-size:15px">Skype: MAKAPOB.AJIEKCAHDP</font><br></div></div>
</div>
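<div>The checks discussed in this thread, as an added example that is not code from Keystone, Nova or any of the posters: it shows what distinguishes a trust-scoped token (the OS-TRUST stanza Adam says to look for), models the rule the top reply cites (a trust token cannot be used to obtain another token), and evaluates Nova's default <code>admin_or_owner</code> rule against a request whose project comes either from the token or from a client environment variable. The token bodies, all IDs, the <code>is_admin</code> input and the rule evaluator itself are constructed assumptions; only the rule string is Nova's default.</div>

```python
"""Added example (not Keystone's or Nova's code): the checks suggested in this
thread, run on constructed data. Token bodies, IDs and the rule evaluator are
assumptions; the rule string is Nova's default "admin_or_owner"."""
import ast

# Constructed v3 token body as returned by token validation. The
# "OS-TRUST:trust" stanza is what marks a trust-scoped token; all IDs are
# placeholders.
TRUST_TOKEN = {
    "token": {
        "user": {"id": "trustee-user-id"},
        "project": {"id": "trust-project-id"},
        "roles": [{"name": "admin"}],
        "OS-TRUST:trust": {
            "id": "trust-id-placeholder",
            "trustor_user_id": "trustor-user-id",
            "trustee_user_id": "trustee-user-id",
            "impersonation": True,
        },
    }
}

# Constructed plain (password-scoped) token for the trustor: no OS-TRUST stanza.
PLAIN_TOKEN = {
    "token": {
        "user": {"id": "trustor-user-id"},
        "project": {"id": "env-project-id"},
        "roles": [{"name": "admin"}],
    }
}

# Nova's default rule as quoted in the thread.
ADMIN_OR_OWNER = "is_admin:True or project_id:%(project_id)s"


def is_trust_scoped(token_body):
    """'Make sure you have not fooled yourself': a token obtained through a
    trust carries an OS-TRUST stanza in its validated data."""
    return "OS-TRUST:trust" in token_body["token"]


def may_issue_new_token(token_body):
    """Models the rule the top reply cites: Keystone refuses to mint a
    further token from a trust-scoped token, so the client must reuse it."""
    return not is_trust_scoped(token_body)


def credentials_from_token(token_body, is_admin=False):
    """Policy credentials the way a service builds them from the validated
    token: project_id comes from the token. How a service decides is_admin
    is not modelled here; it is passed in explicitly."""
    t = token_body["token"]
    return {
        "user_id": t["user"]["id"],
        "project_id": t.get("project", {}).get("id"),
        "roles": [r["name"] for r in t.get("roles", [])],
        "is_admin": is_admin,
    }


def check_rule(rule, target, creds):
    """Simplified evaluator for rules written as 'kind:match or kind:match'
    (generic-check semantics only; the real engine is Nova's policy module).
    %(key)s in the match part is filled from the request target."""
    for clause in rule.split(" or "):
        kind, match = clause.split(":", 1)
        try:
            match = match % target            # %(project_id)s -> target id
        except KeyError:
            continue                          # target lacks the key: clause fails
        try:
            match = ast.literal_eval(match)   # "True" -> True; IDs stay strings
        except (ValueError, SyntaxError):
            pass
        if creds.get(kind) == match:
            return True
    return False


def list_servers_allowed(token_body, requested_project_id, is_admin=False):
    """Decide admin_or_owner for a servers-list call against a project."""
    creds = credentials_from_token(token_body, is_admin=is_admin)
    target = {"project_id": requested_project_id}
    return check_rule(ADMIN_OR_OWNER, target, creds)


if __name__ == "__main__":
    print("trust token has OS-TRUST stanza:", is_trust_scoped(TRUST_TOKEN))
    print("can re-auth with trust token:", may_issue_new_token(TRUST_TOKEN))
    # Project taken from the trust token itself: the owner check passes.
    print("project from token:", list_servers_allowed(TRUST_TOKEN, "trust-project-id"))
    # Adam's hypothesis: the client sends the project from its env var, which
    # is the trustor's usual project rather than the one in the trust: fails.
    print("project from env var:", list_servers_allowed(TRUST_TOKEN, "env-project-id"))
```

The mismatch case is the one to look for when debugging: validate the token you actually sent, confirm the OS-TRUST stanza is present, and compare the project in that token with the project the client puts in the request.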