<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">On 02/12/2015 10:40 AM, Alexander
Makarov wrote:<br>
</div>
<blockquote
cite="mid:CAKb2=120bR4KJfQRbUm_T3mxxoCw32t4QewYAmN6gt8CkvAH+Q@mail.gmail.com"
type="cite">
<div dir="ltr">A trust token cannot be used to get another token:
<div><a moz-do-not-send="true"
href="https://github.com/openstack/keystone/blob/master/keystone/token/controllers.py#L154-L156">https://github.com/openstack/keystone/blob/master/keystone/token/controllers.py#L154-L156</a><br>
<div>You have to make your Nova client use the very same trust
scoped token obtained from authentication using trust
without trying to authenticate with it one more time.</div>
</div>
</div>
</blockquote>
<br>
<br>
Actually, there have been some recent changes to allow re-delegation
of Trusts, but for older deployments, you are correct. I hadn't
seen anywhere here that he was trying to use a trust token to get
another token, though.<br>
<br>
<blockquote
cite="mid:CAKb2=120bR4KJfQRbUm_T3mxxoCw32t4QewYAmN6gt8CkvAH+Q@mail.gmail.com"
type="cite">
<div class="gmail_extra"><br>
<div class="gmail_quote">On Wed, Feb 11, 2015 at 9:10 PM, Adam
Young <span dir="ltr"><<a moz-do-not-send="true"
href="mailto:ayoung@redhat.com" target="_blank">ayoung@redhat.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000"><span class="">
<div>On 02/11/2015 12:16 PM, Nikolay Makhotkin wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">No, I just checked it. Nova receives
trust token and raise this error.
<div><br>
</div>
<div>In my script, I see: <br>
<br>
</div>
<div><a moz-do-not-send="true"
href="http://paste.openstack.org/show/171452/"
target="_blank">http://paste.openstack.org/show/171452/</a><br>
</div>
<div><br>
</div>
<div>And as you can see, token from trust differs
from direct user's token. <br>
</div>
</div>
</blockquote>
<br>
</span> The original user needs to have the appropriate
role to perform the operation on the specified project. I
see the admin role is created on the trust. If the trustor
did not have that role, the trustee would not be able to
exececute the trust and get a token. It looks like you
were able to execute the trust and get a token, but I
would like you to confirm that, and not just trust the
keystone client: either put debug statements in Keystone
or call the POST to tokens from curl with the appropriate
options to get a trust token. In short, make sure you
have not fooled yourself. You can also look in the token
table inside Keystone to see the data for the trust token,
or validate the token via curl to see the data in it. In
all cases, there should be an OS-TRUST stanza in the token
data.<br>
<br>
<br>
If it is still failing, there might be some issue on the
Policy side. I have been assuming that you are running
with the default policy for Nova. <br>
<br>
<a moz-do-not-send="true"
href="http://git.openstack.org/cgit/openstack/nova/tree/etc/nova/policy.json"
target="_blank">http://git.openstack.org/cgit/openstack/nova/tree/etc/nova/policy.json</a><br>
<br>
I'm not sure which rule matches for list servers (Nova
developer input would be appreciated) but I'm guessing it
is executing the rule <br>
<code><font face="sans-serif"><br>
"admin_or_owner": "is_admin:True or
project_id:%(project_id)s",<br>
<br>
Since that is the default. I am guessing that the
project_id in question comes from the token here, as
that seems to be common, but if not, it might be that
the two values are mismatched. Perhaps there Proejct
ID value from the client env var is sent, and matches
what the trustor normally works as, not the project in
question. If these two values don't match, then, yes,
the rule would fail.</font><br>
</code>
<div>
<div class="h5"><br>
<br>
<br>
<blockquote type="cite">
<div class="gmail_extra"><br>
<div class="gmail_quote">On Wed, Feb 11, 2015 at
7:55 PM, Adam Young <span dir="ltr"><<a
moz-do-not-send="true"
href="mailto:ayoung@redhat.com"
target="_blank">ayoung@redhat.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0
0 0 .8ex;border-left:1px #ccc
solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<div>
<div>
<div>On 02/11/2015 10:52 AM, Nikolay
Makhotkin wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">Hi !
<div><br>
</div>
<div>I investigated trust's use
cases and encountered the problem:
When I use auth_token obtained
from keystoneclient using trust, I
get <b>403</b> Forbidden error: <b>You
are not authorized to perform
the requested action.</b></div>
<div><br>
</div>
<div>Steps to reproduce: </div>
<div><br>
</div>
<div>- Import v3 keystoneclient
(used keystone and keystoneclient
from master, tried also to use
stable/icehouse)</div>
<div>- Import v3 novaclient<br>
- initialize the keystoneclient:</div>
<div> <font face="monospace,
monospace"> keystone =
keystoneclient.Client(username=username,
password=password,
tenant_name=tenant_name,
auth_url=auth_url)</font></div>
<div><font face="monospace,
monospace"><br>
</font></div>
<div><font face="arial, helvetica,
sans-serif">- create a trust:</font></div>
<div><font face="monospace,
monospace"> trust =
keystone.trusts.create(</font>
<div
style="font-family:monospace,monospace">
keystone.user_id,</div>
<div
style="font-family:monospace,monospace">
keystone.user_id,</div>
<div
style="font-family:monospace,monospace">
impersonation=True,</div>
<div
style="font-family:monospace,monospace">
role_names=['admin'],</div>
<div
style="font-family:monospace,monospace">
project=keystone.project_id</div>
<div
style="font-family:monospace,monospace">
)</div>
<div
style="font-family:monospace,monospace"><br>
</div>
<div><font face="arial, helvetica,
sans-serif">- initialize new
keystoneclient:</font></div>
<div
style="font-family:monospace,monospace">
<div> client_from_trust =
keystoneclient.Client(</div>
<div> username=username,
password=password,</div>
<div> trust_id=<a
moz-do-not-send="true"
href="http://trust.id"
target="_blank">trust.id</a>,
auth_url=auth_url,</div>
<div> )</div>
</div>
<div
style="font-family:monospace,monospace"><br>
</div>
<div><font face="arial, helvetica,
sans-serif">- create nova
client using new token from
new client:</font></div>
<div
style="font-family:monospace,monospace">
<div> nova = novaclient.Client(</div>
<div>
auth_token=client_from_trust.auth_token,</div>
<div> auth_url=auth_url_v2,</div>
<div>
project_id=from_trust.project_id,</div>
<div> service_type='compute',</div>
<div> username=None,</div>
<div> api_key=None</div>
<div> )</div>
</div>
<div
style="font-family:monospace,monospace"><br>
</div>
<div><font face="arial, helvetica,
sans-serif">- do simple
request to nova:</font></div>
<div> <font face="monospace,
monospace">nova.servers.list()</font><br>
</div>
<div><font face="monospace,
monospace"><br>
</font></div>
<div><font face="arial, helvetica,
sans-serif">- get the error
described above.</font></div>
<div><font face="arial, helvetica,
sans-serif"><br>
</font></div>
<div><font face="arial, helvetica,
sans-serif"><br>
Maybe I misunderstood
something but what is wrong? I
supposed I just can work with
nova like it was initialized
using direct token.</font></div>
</div>
</div>
</blockquote>
<br>
</div>
</div>
From what you wrote here it should work, but
since Heat has been doing stuff like this
for a while, I'm pretty sure it is your
setup and not a fundamental problem.<br>
<br>
I'd take a look at what is going back and
forth on the wire and make sure the right
token is being sent to Nova. If it is the
original users token and not the trust
token, then you would see that error.<span><font
color="#888888"><br>
<br>
<blockquote type="cite">
<div dir="ltr">
<div>
<div><br>
</div>
-- <br>
<div>
<div dir="ltr">
<div><font>Best Regards,</font></div>
<div><font>Nikolay</font></div>
</div>
</div>
</div>
</div>
<br>
<fieldset></fieldset>
<br>
<pre>__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: <a moz-do-not-send="true" href="mailto:OpenStack-dev-request@lists.openstack.org?subject:unsubscribe" target="_blank">OpenStack-dev-request@lists.openstack.org?subject:unsubscribe</a>
<a moz-do-not-send="true" href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a>
</pre>
</blockquote>
<br>
</font></span></div>
<br>
__________________________________________________________________________<br>
OpenStack Development Mailing List (not for
usage questions)<br>
Unsubscribe: <a moz-do-not-send="true"
href="http://OpenStack-dev-request@lists.openstack.org?subject:unsubscribe"
target="_blank">OpenStack-dev-request@lists.openstack.org?subject:unsubscribe</a><br>
<a moz-do-not-send="true"
href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev"
target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a><br>
</blockquote>
</div>
<br>
<br clear="all">
<div><br>
</div>
-- <br>
<div>
<div dir="ltr">
<div><font>Best Regards,</font></div>
<div><font>Nikolay</font></div>
</div>
</div>
</div>
<br>
<fieldset></fieldset>
<br>
<pre>__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: <a moz-do-not-send="true" href="mailto:OpenStack-dev-request@lists.openstack.org?subject:unsubscribe" target="_blank">OpenStack-dev-request@lists.openstack.org?subject:unsubscribe</a>
<a moz-do-not-send="true" href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a>
</pre>
</blockquote>
<br>
</div>
</div>
</div>
<br>
__________________________________________________________________________<br>
OpenStack Development Mailing List (not for usage questions)<br>
Unsubscribe: <a moz-do-not-send="true"
href="http://OpenStack-dev-request@lists.openstack.org?subject:unsubscribe"
target="_blank">OpenStack-dev-request@lists.openstack.org?subject:unsubscribe</a><br>
<a moz-do-not-send="true"
href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev"
target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a><br>
<br>
</blockquote>
</div>
<br>
<br clear="all">
<div><br>
</div>
-- <br>
<div class="gmail_signature">
<div dir="ltr"><font
style="color:rgb(0,0,0);font-family:Cantarell;font-size:15px"
color="#000000">Kind Regards,</font><br
style="color:rgb(0,0,0);font-family:Cantarell;font-size:15px">
<font
style="color:rgb(0,0,0);font-family:Cantarell;font-size:15px"
color="#000000">Alexander Makarov,</font><br
style="color:rgb(0,0,0);font-family:Cantarell;font-size:15px">
<font
style="color:rgb(0,0,0);font-family:Cantarell;font-size:15px"
color="#000000">Senoir Software Developer,</font><br
style="color:rgb(0,0,0);font-family:Cantarell;font-size:15px">
<br
style="color:rgb(0,0,0);font-family:Cantarell;font-size:15px">
<font
style="color:rgb(0,0,0);font-family:Cantarell;font-size:15px"
color="#000000">Mirantis, Inc.</font><br
style="color:rgb(0,0,0);font-family:Cantarell;font-size:15px">
<font
style="color:rgb(0,0,0);font-family:Cantarell;font-size:15px"
color="#000000">35b/3, Vorontsovskaya St., 109147, Moscow,
Russia</font><br
style="color:rgb(0,0,0);font-family:Cantarell;font-size:15px">
<br
style="color:rgb(0,0,0);font-family:Cantarell;font-size:15px">
<font
style="color:rgb(0,0,0);font-family:Cantarell;font-size:15px"
color="#000000">Tel.: +7 (495) 640-49-04</font><br
style="color:rgb(0,0,0);font-family:Cantarell;font-size:15px">
<font
style="color:rgb(0,0,0);font-family:Cantarell;font-size:15px"
color="#000000">Tel.: +7 (926) 204-50-60</font><br
style="color:rgb(0,0,0);font-family:Cantarell;font-size:15px">
<br
style="color:rgb(0,0,0);font-family:Cantarell;font-size:15px">
<font
style="color:rgb(0,0,0);font-family:Cantarell;font-size:15px"
color="#000000">Skype: MAKAPOB.AJIEKCAHDP</font><br>
</div>
</div>
</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: <a class="moz-txt-link-abbreviated" href="mailto:OpenStack-dev-request@lists.openstack.org?subject:unsubscribe">OpenStack-dev-request@lists.openstack.org?subject:unsubscribe</a>
<a class="moz-txt-link-freetext" href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a>
</pre>
</blockquote>
<br>
</body>
</html>