<div dir="ltr"><a href="https://blueprints.launchpad.net/keystone/+spec/trust-scoped-re-authentication">https://blueprints.launchpad.net/keystone/+spec/trust-scoped-re-authentication</a><br></div><div class="gmail_extra"><br><div class="gmail_quote">On Mon, Feb 16, 2015 at 7:57 PM, Alexander Makarov <span dir="ltr"><<a href="mailto:amakarov@mirantis.com" target="_blank">amakarov@mirantis.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">We could soften this limitation a little by returning token client tries to authenticate with.<div>I think we need to discuss it in community.</div></div><div class="gmail_extra"><div><div class="h5"><br><div class="gmail_quote">On Mon, Feb 16, 2015 at 6:47 PM, Steven Hardy <span dir="ltr"><<a href="mailto:shardy@redhat.com" target="_blank">shardy@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span>On Mon, Feb 16, 2015 at 09:02:01PM +0600, Renat Akhmerov wrote:<br>
> Yeah, clarification from keystone folks would be really helpful.<br>
</span>> If Nikolaya**s info is correct (I believe it is) then I actually dona**t<br>
<span>> understand why trusts are needed at all, they seem to be useless. My<br>
> assumption is that they can be used only if we send requests directly to<br>
> OpenStack services (w/o using clients) with trust scoped token included in<br>
</span>> headers, that might work although I didna**t checked that yet myself.<br>
<span>> So please help us understand which one of my following assumptions is<br>
> correct?<br>
</span>> 1. We dona**t understand what trusts are.<br>
> 2. We use them in a wrong way. (If yes, then whata**s the correct usage?)<br>
<br>
One or both of these seems likely, possibly combined with bugs in the<br>
clients where they try to get a new token instead of using the one you<br>
provide (this is a common pattern in the shell case, as the token is<br>
re-requested to get a service catalog).<br>
<br>
This provides some (heat specific) information which may help somewhat:<br>
<br>
<a href="http://hardysteven.blogspot.co.uk/2014/04/heat-auth-model-updates-part-1-trusts.html" target="_blank">http://hardysteven.blogspot.co.uk/2014/04/heat-auth-model-updates-part-1-trusts.html</a><br>
<br>
> 3. Trust mechanism itself is in development and cana**t be used at this<br>
> point.<br>
<br>
IME trusts work fine, Heat has been using them since Havana with few<br>
problems.<br>
<br>
> 4. OpenStack clients need to be changed in some way to somehow bypass<br>
> this keystone limitation?<br>
<br>
AFAICS it's not a keystone limitation, the behavior you're seeing is<br>
expected, and the 403 mentioned by Nikolay is just trusts working as<br>
designed.<br>
<br>
The key thing from a client perspective is:<br>
<br>
1. If you pass a trust-scoped token into the client, you must not request<br>
another token, normally this means you must provide an endpoint as you<br>
can't run the normal auth code which retrieves the service catalog.<br>
<br>
2. If you could pass a trust ID in, with a non-trust-scoped token, or<br>
username/password, the above limitation is removed, but AFAIK none of the<br>
CLI interfaces support a trust ID yet.<br>
<br>
3. If you're using a trust scoped token, you cannot create another trust<br>
(unless you've enabled chained delegation, which only landed recently in<br>
keystone). This means, for example, that you can't create a heat stack<br>
with a trust scoped token (when heat is configured to use trusts), unless<br>
you use chained delegation, because we create a trust internally.<br>
<br>
When you understand these constraints, it's definitely possible to create a<br>
trust and use it for requests to other services, for example, here's how<br>
you could use a trust-scoped token to call heat:<br>
<br>
heat --os-auth-token <trust-scoped-token> --os-no-client-auth<br>
--heat-url <a href="http://192.168.0.4:8004/v1/" target="_blank">http://192.168.0.4:8004/v1/</a><project-id> stack-list<br>
<br>
The pattern heat uses internally to work with trusts is:<br>
<br>
1. Use a trust_id and service user credentials to get a trust scoped token<br>
2. Pass the trust-scoped token into python clients for other projects,<br>
using the endpoint obtained during (1)<br>
<br>
This works fine, what you can't do is pass the trust scoped token in<br>
without explicitly defining the endpoint, because this triggers<br>
reauthentication, which as you've discovered, won't work.<br>
<br>
Hope that helps!<br>
<br>
Steve<br>
<div><div><br>
__________________________________________________________________________<br>
OpenStack Development Mailing List (not for usage questions)<br>
Unsubscribe: <a href="http://OpenStack-dev-request@lists.openstack.org?subject:unsubscribe" target="_blank">OpenStack-dev-request@lists.openstack.org?subject:unsubscribe</a><br>
<a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a><br>
</div></div></blockquote></div><br><br clear="all"><div><br></div></div></div><span class="HOEnZb"><font color="#888888">-- <br><div><div dir="ltr"><font color="#000000" style="color:rgb(0,0,0);font-family:Cantarell;font-size:15px">Kind Regards,</font><br style="color:rgb(0,0,0);font-family:Cantarell;font-size:15px"><font color="#000000" style="color:rgb(0,0,0);font-family:Cantarell;font-size:15px">Alexander Makarov,</font><br style="color:rgb(0,0,0);font-family:Cantarell;font-size:15px"><font color="#000000" style="color:rgb(0,0,0);font-family:Cantarell;font-size:15px">Senoir Software Developer,</font><br style="color:rgb(0,0,0);font-family:Cantarell;font-size:15px"><br style="color:rgb(0,0,0);font-family:Cantarell;font-size:15px"><font color="#000000" style="color:rgb(0,0,0);font-family:Cantarell;font-size:15px">Mirantis, Inc.</font><br style="color:rgb(0,0,0);font-family:Cantarell;font-size:15px"><font color="#000000" style="color:rgb(0,0,0);font-family:Cantarell;font-size:15px">35b/3, Vorontsovskaya St., 109147, Moscow, Russia</font><br style="color:rgb(0,0,0);font-family:Cantarell;font-size:15px"><br style="color:rgb(0,0,0);font-family:Cantarell;font-size:15px"><font color="#000000" style="color:rgb(0,0,0);font-family:Cantarell;font-size:15px">Tel.: +7 (495) 640-49-04</font><br style="color:rgb(0,0,0);font-family:Cantarell;font-size:15px"><font color="#000000" style="color:rgb(0,0,0);font-family:Cantarell;font-size:15px">Tel.: +7 (926) 204-50-60</font><br style="color:rgb(0,0,0);font-family:Cantarell;font-size:15px"><br style="color:rgb(0,0,0);font-family:Cantarell;font-size:15px"><font color="#000000" style="color:rgb(0,0,0);font-family:Cantarell;font-size:15px">Skype: MAKAPOB.AJIEKCAHDP</font><br></div></div>
</font></span></div>
</blockquote></div><br><br clear="all"><div><br></div>-- <br><div class="gmail_signature"><div dir="ltr"><font color="#000000" style="color:rgb(0,0,0);font-family:Cantarell;font-size:15px">Kind Regards,</font><br style="color:rgb(0,0,0);font-family:Cantarell;font-size:15px"><font color="#000000" style="color:rgb(0,0,0);font-family:Cantarell;font-size:15px">Alexander Makarov,</font><br style="color:rgb(0,0,0);font-family:Cantarell;font-size:15px"><font color="#000000" style="color:rgb(0,0,0);font-family:Cantarell;font-size:15px">Senoir Software Developer,</font><br style="color:rgb(0,0,0);font-family:Cantarell;font-size:15px"><br style="color:rgb(0,0,0);font-family:Cantarell;font-size:15px"><font color="#000000" style="color:rgb(0,0,0);font-family:Cantarell;font-size:15px">Mirantis, Inc.</font><br style="color:rgb(0,0,0);font-family:Cantarell;font-size:15px"><font color="#000000" style="color:rgb(0,0,0);font-family:Cantarell;font-size:15px">35b/3, Vorontsovskaya St., 109147, Moscow, Russia</font><br style="color:rgb(0,0,0);font-family:Cantarell;font-size:15px"><br style="color:rgb(0,0,0);font-family:Cantarell;font-size:15px"><font color="#000000" style="color:rgb(0,0,0);font-family:Cantarell;font-size:15px">Tel.: +7 (495) 640-49-04</font><br style="color:rgb(0,0,0);font-family:Cantarell;font-size:15px"><font color="#000000" style="color:rgb(0,0,0);font-family:Cantarell;font-size:15px">Tel.: +7 (926) 204-50-60</font><br style="color:rgb(0,0,0);font-family:Cantarell;font-size:15px"><br style="color:rgb(0,0,0);font-family:Cantarell;font-size:15px"><font color="#000000" style="color:rgb(0,0,0);font-family:Cantarell;font-size:15px">Skype: MAKAPOB.AJIEKCAHDP</font><br></div></div>
</div>