<html>
  <head>
    <meta content="text/html; charset=windows-1252"
      http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    <div class="moz-cite-prefix">On 02/12/2015 10:40 AM, Alexander
      Makarov wrote:<br>
    </div>
    <blockquote
cite="mid:CAKb2=120bR4KJfQRbUm_T3mxxoCw32t4QewYAmN6gt8CkvAH+Q@mail.gmail.com"
      type="cite">
      <div dir="ltr">A trust token cannot be used to get another token:
        <div><a moz-do-not-send="true"
href="https://github.com/openstack/keystone/blob/master/keystone/token/controllers.py#L154-L156">https://github.com/openstack/keystone/blob/master/keystone/token/controllers.py#L154-L156</a><br>
          <div>You have to make your Nova client use the very same trust
            scoped token obtained from authentication using trust
            without trying to authenticate with it one more time.</div>
        </div>
      </div>
    </blockquote>
    <br>
    <br>
    Actually, there have been some recent changes to allow re-delegation
    of Trusts, but for older deployments, you are correct.  I hadn't
    seen anywhere here that he was trying to use a trust token to get
    another token, though.<br>
    <br>
    <blockquote
cite="mid:CAKb2=120bR4KJfQRbUm_T3mxxoCw32t4QewYAmN6gt8CkvAH+Q@mail.gmail.com"
      type="cite">
      <div class="gmail_extra"><br>
        <div class="gmail_quote">On Wed, Feb 11, 2015 at 9:10 PM, Adam
          Young <span dir="ltr"><<a moz-do-not-send="true"
              href="mailto:ayoung@redhat.com" target="_blank">ayoung@redhat.com</a>></span>
          wrote:<br>
          <blockquote class="gmail_quote" style="margin:0 0 0
            .8ex;border-left:1px #ccc solid;padding-left:1ex">
            <div bgcolor="#FFFFFF" text="#000000"><span class="">
                <div>On 02/11/2015 12:16 PM, Nikolay Makhotkin wrote:<br>
                </div>
                <blockquote type="cite">
                  <div dir="ltr">No, I just checked it. Nova receives the
                    trust token and raises this error.
                    <div><br>
                    </div>
                    <div>In my script, I see: <br>
                      <br>
                    </div>
                    <div><a moz-do-not-send="true"
                        href="http://paste.openstack.org/show/171452/"
                        target="_blank">http://paste.openstack.org/show/171452/</a><br>
                    </div>
                    <div><br>
                    </div>
                    <div>And as you can see, the token from the trust differs
                      from the direct user's token. <br>
                    </div>
                  </div>
                </blockquote>
                <br>
              </span> The original user needs to have the appropriate
              role to perform the operation on the specified project.  I
              see the admin role is created on the trust. If the trustor
              did not have that role, the trustee would not be able to
              execute the trust and get a token.  It looks like you
              were able to execute the trust and get a token,  but I
              would like you to confirm that, and not just trust the
              keystone client:  either put debug statements in Keystone
              or call the POST to tokens from curl with the appropriate
              options to get a trust token.  In short, make sure you
              have not fooled yourself.  You can also look in the token
              table inside Keystone to see the data for the trust token,
              or validate the token  via curl to see the data in it.  In
              all cases, there should be an OS-TRUST stanza in the token
              data.<br>
              <br>
              <br>
              If it is still failing, there might be some issue on the
              Policy side.  I have been assuming that you are running
              with the default policy for Nova. <br>
              <br>
              <a moz-do-not-send="true"
href="http://git.openstack.org/cgit/openstack/nova/tree/etc/nova/policy.json"
                target="_blank">http://git.openstack.org/cgit/openstack/nova/tree/etc/nova/policy.json</a><br>
              <br>
              I'm not sure which rule matches for list servers (Nova
              developer input would be appreciated)  but I'm guessing it
              is executing the rule <br>
              <code><font face="sans-serif"><br>
                  "admin_or_owner": "is_admin:True or
                  project_id:%(project_id)s",<br>
              </font></code><br>
              <br>
              Since that is the default, I am guessing that the
              project_id in question comes from the token here, as
              that seems to be common, but if not, it might be that
              the two values are mismatched. Perhaps the Project
              ID value from the client env var is sent, and matches
              what the trustor normally works as, not the project in
              question.  If these two values don't match, then, yes,
              the rule would fail.<br>
              <div>
                <div class="h5"><br>
                  <br>
                  <br>
                  <blockquote type="cite">
                    <div class="gmail_extra"><br>
                      <div class="gmail_quote">On Wed, Feb 11, 2015 at
                        7:55 PM, Adam Young <span dir="ltr"><<a
                            moz-do-not-send="true"
                            href="mailto:ayoung@redhat.com"
                            target="_blank">ayoung@redhat.com</a>></span>
                        wrote:<br>
                        <blockquote class="gmail_quote" style="margin:0
                          0 0 .8ex;border-left:1px #ccc
                          solid;padding-left:1ex">
                          <div bgcolor="#FFFFFF" text="#000000">
                            <div>
                              <div>
                                <div>On 02/11/2015 10:52 AM, Nikolay
                                  Makhotkin wrote:<br>
                                </div>
                                <blockquote type="cite">
                                  <div dir="ltr">Hi!
                                    <div><br>
                                    </div>
                                    <div>I investigated trust's use
                                      cases and encountered the problem:
                                      When I use auth_token obtained
                                      from keystoneclient using trust, I
                                      get <b>403</b> Forbidden error:  <b>You
                                        are not authorized to perform
                                        the requested action.</b></div>
                                    <div><br>
                                    </div>
                                    <div>Steps to reproduce: </div>
                                    <div><br>
                                    </div>
                                    <div>- Import v3 keystoneclient
                                      (used keystone and keystoneclient
                                      from master, tried also to use
                                      stable/icehouse)</div>
                                    <div>- Import v3 novaclient<br>
                                      - initialize the keystoneclient:</div>
                                    <div><pre>keystone = keystoneclient.Client(username=username,
                                 password=password,
                                 tenant_name=tenant_name,
                                 auth_url=auth_url)</pre></div>
                                    <div><font face="arial, helvetica,
                                        sans-serif">- create a trust:</font></div>
                                    <div><pre>trust = keystone.trusts.create(
    keystone.user_id,          # trustee
    keystone.user_id,          # trustor (same user in this test)
    impersonation=True,
    role_names=['admin'],
    project=keystone.project_id
)</pre></div>
                                    <div><font face="arial, helvetica,
                                        sans-serif">- initialize new
                                        keystoneclient:</font></div>
                                    <div><pre>client_from_trust = keystoneclient.Client(
    username=username,
    password=password,
    trust_id=trust.id,
    auth_url=auth_url,
)</pre></div>
                                    <div><font face="arial, helvetica,
                                        sans-serif">- create nova
                                        client using new token from
                                        new client:</font></div>
                                    <div><pre>nova = novaclient.Client(
    auth_token=client_from_trust.auth_token,
    auth_url=auth_url_v2,
    # posted as from_trust.project_id; assumed to mean the trust-scoped client
    project_id=client_from_trust.project_id,
    service_type='compute',
    username=None,
    api_key=None
)</pre></div>
                                    <div><font face="arial, helvetica,
                                        sans-serif">- do simple
                                        request to nova:</font></div>
                                    <div><pre>nova.servers.list()</pre></div>
                                    <div><br>
                                    </div>
                                    <div><font face="arial, helvetica,
                                        sans-serif">- get the error
                                        described above.</font></div>
                                    <div><br>
                                    </div>
                                    <div><font face="arial, helvetica,
                                        sans-serif">Maybe I misunderstood
                                        something, but what is wrong? I
                                        supposed I could just work with
                                        nova as if it had been initialized
                                        using a direct token.</font></div>
                                  </div>
                                </blockquote>
                                <br>
                              </div>
                            </div>
                            From what you wrote here it should work, but
                            since Heat has been doing stuff like this
                            for a while, I'm pretty sure it is your
                            setup and not a fundamental problem.<br>
                            <br>
                            I'd take a look at what is going back and
                            forth on the wire and make sure the right
                            token is being sent to Nova.  If it is the
                            original users token and not the trust
                            token, then you would see that error.<span><font
                                color="#888888"><br>
                                <br>
                                <blockquote type="cite">
                                  <div dir="ltr">
                                    <div>
                                      <div><br>
                                      </div>
                                      -- <br>
                                      <div>
                                        <div dir="ltr">
                                          <div><font>Best Regards,</font></div>
                                          <div><font>Nikolay</font></div>
                                        </div>
                                      </div>
                                    </div>
                                  </div>
                                  <br>
                                  <fieldset></fieldset>
                                  <br>
                                  <pre>__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: <a moz-do-not-send="true" href="mailto:OpenStack-dev-request@lists.openstack.org?subject:unsubscribe" target="_blank">OpenStack-dev-request@lists.openstack.org?subject:unsubscribe</a>
<a moz-do-not-send="true" href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a>
</pre>
                                </blockquote>
                                <br>
                              </font></span></div>
                        </blockquote>
                      </div>
                      <br>
                      <br clear="all">
                      <div><br>
                      </div>
                      -- <br>
                      <div>
                        <div dir="ltr">
                          <div><font>Best Regards,</font></div>
                          <div><font>Nikolay</font></div>
                        </div>
                      </div>
                    </div>
                  </blockquote>
                  <br>
                </div>
              </div>
            </div>
          </blockquote>
        </div>
        <br>
        <br clear="all">
        <div><br>
        </div>
        -- <br>
        <div class="gmail_signature">
          <div dir="ltr"><font
              style="color:rgb(0,0,0);font-family:Cantarell;font-size:15px"
              color="#000000">Kind Regards,</font><br
              style="color:rgb(0,0,0);font-family:Cantarell;font-size:15px">
            <font
              style="color:rgb(0,0,0);font-family:Cantarell;font-size:15px"
              color="#000000">Alexander Makarov,</font><br
              style="color:rgb(0,0,0);font-family:Cantarell;font-size:15px">
            <font
              style="color:rgb(0,0,0);font-family:Cantarell;font-size:15px"
              color="#000000">Senior Software Developer,</font><br
              style="color:rgb(0,0,0);font-family:Cantarell;font-size:15px">
            <br
              style="color:rgb(0,0,0);font-family:Cantarell;font-size:15px">
            <font
              style="color:rgb(0,0,0);font-family:Cantarell;font-size:15px"
              color="#000000">Mirantis, Inc.</font><br
              style="color:rgb(0,0,0);font-family:Cantarell;font-size:15px">
            <font
              style="color:rgb(0,0,0);font-family:Cantarell;font-size:15px"
              color="#000000">35b/3, Vorontsovskaya St., 109147, Moscow,
              Russia</font><br
              style="color:rgb(0,0,0);font-family:Cantarell;font-size:15px">
            <br
              style="color:rgb(0,0,0);font-family:Cantarell;font-size:15px">
            <font
              style="color:rgb(0,0,0);font-family:Cantarell;font-size:15px"
              color="#000000">Tel.: +7 (495) 640-49-04</font><br
              style="color:rgb(0,0,0);font-family:Cantarell;font-size:15px">
            <font
              style="color:rgb(0,0,0);font-family:Cantarell;font-size:15px"
              color="#000000">Tel.: +7 (926) 204-50-60</font><br
              style="color:rgb(0,0,0);font-family:Cantarell;font-size:15px">
            <br
              style="color:rgb(0,0,0);font-family:Cantarell;font-size:15px">
            <font
              style="color:rgb(0,0,0);font-family:Cantarell;font-size:15px"
              color="#000000">Skype: MAKAPOB.AJIEKCAHDP</font><br>
          </div>
        </div>
      </div>
    </blockquote>
    <br>
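    <p>The checks Adam suggests in the thread (confirm the token really is the trust token by looking for an OS-TRUST stanza, confirm the project it is scoped to matches what the Nova client sends, and see whether Nova's default <code>admin_or_owner</code> rule would pass) can be run offline against a token-validation response. The script below is an added example, not code from the thread or from Keystone, Nova or their clients. It assumes the caller has already fetched the body of a Keystone v3 <code>GET /v3/auth/tokens</code> call with the trust token in <code>X-Subject-Token</code>; the two token bodies embedded here are constructed samples in that layout, not captured output. <code>evaluate_rule()</code> is a simplified stand-in for oslo.policy that only understands <code>key:value</code> clauses joined by <code>or</code>, and <code>is_admin</code> is derived on the assumption of Nova's default <code>"context_is_admin": "role:admin"</code>. Following the thread's hypothesis, the target project for the rule is the one the client sends rather than the one inside the token.</p>

```python
"""Offline sanity checks for a trust-scoped Keystone v3 token before it is
handed to Nova: OS-TRUST stanza present, token project matches the client's
project, and Nova's default admin_or_owner rule passes.

Token bodies are constructed samples in the layout of a Keystone v3
GET /v3/auth/tokens response. evaluate_rule() is a simplified stand-in for
oslo.policy, not the real engine.
"""
import json
import re

# Nova's default rule as quoted in the thread.
DEFAULT_RULE = "is_admin:True or project_id:%(project_id)s"

# Constructed sample: a trust-scoped, impersonating token delegating admin.
SAMPLE_TRUST_TOKEN_BODY = json.loads("""
{"token": {
   "methods": ["password"],
   "roles": [{"id": "r-admin", "name": "admin"}],
   "project": {"id": "proj-aaaa", "name": "demo"},
   "user": {"id": "user-trustor", "name": "trustor"},
   "OS-TRUST:trust": {
       "id": "trust-1234", "impersonation": true,
       "trustor_user": {"id": "user-trustor"},
       "trustee_user": {"id": "user-trustee"}}}}
""")

# Constructed sample: the user's own (direct) token, no trust, member role only.
SAMPLE_USER_TOKEN_BODY = json.loads("""
{"token": {
   "methods": ["password"],
   "roles": [{"id": "r-member", "name": "_member_"}],
   "project": {"id": "proj-aaaa", "name": "demo"},
   "user": {"id": "user-trustee", "name": "trustee"}}}
""")


def is_trust_scoped(body):
    """True when the validated token carries the OS-TRUST stanza."""
    return "OS-TRUST:trust" in body["token"]


def creds_from_token(body):
    """Derive the credential dict a policy check would see from a token body.
    Assumption: is_admin is True when the token carries the 'admin' role,
    matching Nova's default "context_is_admin": "role:admin"."""
    tok = body["token"]
    roles = [r["name"] for r in tok.get("roles", [])]
    return {
        "user_id": tok["user"]["id"],
        "project_id": tok.get("project", {}).get("id"),
        "roles": roles,
        "is_admin": "admin" in roles,
        "trust_id": tok.get("OS-TRUST:trust", {}).get("id"),
    }


def evaluate_rule(rule, target, creds):
    """Evaluate 'key:value or key:value ...'. A value written %(name)s is
    substituted from the target dict; anything else is a literal. Values are
    compared as strings, so is_admin:True matches a Python True."""
    for clause in rule.split(" or "):
        key, _, value = clause.strip().partition(":")
        subst = re.fullmatch(r"%\((\w+)\)s", value)
        expected = target.get(subst.group(1)) if subst else value
        if str(creds.get(key)) == str(expected):
            return True
    return False


def check_nova_request(body, client_project_id, rule=DEFAULT_RULE):
    """Return findings explaining why servers.list() could be refused with
    this token when the client sends client_project_id as its project.
    An empty list means every check passed."""
    findings = []
    if not is_trust_scoped(body):
        findings.append("no OS-TRUST stanza: this is the user's own token, "
                        "not the trust token")
    creds = creds_from_token(body)
    if creds["project_id"] != client_project_id:
        findings.append("project mismatch: token is scoped to %s but the "
                        "client sends %s" % (creds["project_id"], client_project_id))
    # Per the thread's hypothesis the rule's target project is what the
    # client sends (e.g. from an env var), not what is inside the token.
    if not evaluate_rule(rule, {"project_id": client_project_id}, creds):
        findings.append("rule %r denies the request" % rule)
    return findings


if __name__ == "__main__":
    cases = (("trust token, matching project", SAMPLE_TRUST_TOKEN_BODY, "proj-aaaa"),
             ("direct token, env-var project", SAMPLE_USER_TOKEN_BODY, "proj-bbbb"))
    for label, body, proj in cases:
        print(label, "->", check_nova_request(body, proj) or "OK")
```

    <p>In practice the body passed to <code>check_nova_request()</code> comes from validating the exact token string the Nova client is about to send, which is the point of the thread's advice: a direct user token and a trust token differ, and only the latter carries the OS-TRUST stanza.</p>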
  </body>
</html>