<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">On 02/16/2015 05:00 AM, Nikolay
Makhotkin wrote:<br>
</div>
<blockquote
cite="mid:CACarOJZxvcD3WSgRhnzXTUtHcYW7jxtQtCkXPqCxhXVxZZZhRg@mail.gmail.com"
type="cite">
<div dir="ltr">Well, if we use trust-scoped token for getting
server-list from nova (simply use nova.servers.list() ),
<div><br>
</div>
<div>Novaclient somehow tries to get another token: <a
moz-do-not-send="true"
href="https://github.com/openstack/python-novaclient/blob/master/novaclient/client.py#L690-L724">https://github.com/openstack/python-novaclient/blob/master/novaclient/client.py#L690-L724</a><br>
<br>
Actually, novaclient does this request: (found from debug of
novaclient)<br>
</div>
</div>
</blockquote>
So this sounds like a bug in Nova client. Jamie Lennox has been
working with the various client teams to get them using the Auth
plugin architecture and session management from Keystone client to
try and make the usage consistent.<br>
<br>
<br>
<br>
<blockquote
cite="mid:CACarOJZxvcD3WSgRhnzXTUtHcYW7jxtQtCkXPqCxhXVxZZZhRg@mail.gmail.com"
type="cite">
<div dir="ltr">
<div><br>
<font face="monospace, monospace">REQ: curl -i 'http://&lt;my_host&gt;:5000/v2.0/tokens' -X POST -H "Accept: application/json" -H "Content-Type: application/json" -H "User-Agent: python-novaclient" -d '{"auth": {"token": {"id": "78c71fb549244075b3a5d994baa326b3"}, "tenantName": "b0c9bbb541d541b098c3c0a92412720d"}}'</font></div>
<div><br>
</div>
<div>I.e., this is the request for another auth token from
keystone. Keystone here returns 403 because the token in the request
is trust-scoped.</div>
<div><br>
</div>
<div>Why can't I do this simple command using a trust-scoped
token?<br>
<br>
Note: Doing the <font face="monospace, monospace">keystone
--os-token 5483086d91094a3886ccce1442b538a0 --os-endpoint
http://&lt;my_host&gt;:5000/v2.0 tenant-list, </font><font
face="arial, helvetica, sans-serif">it returns tenant-list
(not 403).</font><br>
<font face="arial, helvetica, sans-serif">Note2: Doing the
server-list request directly to the API with the trust-scoped token,
it returns 200, not 403: </font><br>
<br>
<font face="monospace, monospace">curl -H "X-Auth-Token:
5483086d91094a3886ccce1442b538a0" <a moz-do-not-send="true"
href="http://192.168.0.2:8774/v3/servers">http://192.168.0.2:8774/v3/servers</a><br>
<br>
</font>
<div><font face="monospace, monospace">{</font></div>
<div><font face="monospace, monospace"> "servers": [
&lt;list_of_servers&gt; ]</font></div>
<div><font face="monospace, monospace">}</font></div>
</div>
<div><font face="monospace, monospace"><br>
</font></div>
<div><font face="arial, helvetica, sans-serif">How can I use the
trust-scoped token via the client? </font></div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Fri, Feb 13, 2015 at 9:16 PM,
Alexander Makarov <span dir="ltr"><<a
moz-do-not-send="true" href="mailto:amakarov@mirantis.com"
target="_blank">amakarov@mirantis.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr">Adam, Nova client does it for some reason
during a call to <span
style="font-family:monospace,monospace;font-size:13px">nova.servers.list()</span>
<div><span
style="font-family:monospace,monospace;font-size:13px"><br>
</span></div>
</div>
<div class="HOEnZb">
<div class="h5">
<div class="gmail_extra"><br>
<div class="gmail_quote">On Thu, Feb 12, 2015 at 10:03
PM, Adam Young <span dir="ltr"><<a
moz-do-not-send="true"
href="mailto:ayoung@redhat.com" target="_blank">ayoung@redhat.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000"><span>
<div>On 02/12/2015 10:40 AM, Alexander Makarov
wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">A trust token cannot be used
to get another token:
<div><a moz-do-not-send="true"
href="https://github.com/openstack/keystone/blob/master/keystone/token/controllers.py#L154-L156"
target="_blank">https://github.com/openstack/keystone/blob/master/keystone/token/controllers.py#L154-L156</a><br>
<div>You have to make your Nova client
use the very same trust scoped token
obtained from authentication using
trust without trying to authenticate
with it one more time.</div>
</div>
</div>
</blockquote>
<br>
<br>
</span> Actually, there have been some recent
changes to allow re-delegation of Trusts, but
for older deployments, you are correct. I
hadn't seen anywhere here that he was trying to
use a trust token to get another token, though.
<div>
<div><br>
<br>
<blockquote type="cite">
<div class="gmail_extra"><br>
<div class="gmail_quote">On Wed, Feb 11,
2015 at 9:10 PM, Adam Young <span
dir="ltr"><<a
moz-do-not-send="true"
href="mailto:ayoung@redhat.com"
target="_blank">ayoung@redhat.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote"
style="margin:0 0 0
.8ex;border-left:1px #ccc
solid;padding-left:1ex">
<div bgcolor="#FFFFFF"
text="#000000"><span>
<div>On 02/11/2015 12:16 PM,
Nikolay Makhotkin wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">No, I just
checked it. Nova receives
the trust token and raises this
error.
<div><br>
</div>
<div>In my script, I see: <br>
<br>
</div>
<div><a
moz-do-not-send="true"
href="http://paste.openstack.org/show/171452/"
target="_blank">http://paste.openstack.org/show/171452/</a><br>
</div>
<div><br>
</div>
<div>And as you can see,
the token from the trust differs
from the direct user's token.
<br>
</div>
</div>
</blockquote>
<br>
</span> The original user needs to
have the appropriate role to
perform the operation on the
specified project. I see the
admin role is created on the
trust. If the trustor did not have
that role, the trustee would not
be able to execute the trust and
get a token. It looks like you
were able to execute the trust and
get a token, but I would like you
to confirm that, and not just
trust the keystone client: either
put debug statements in Keystone
or call the POST to tokens from
curl with the appropriate options
to get a trust token. In short,
make sure you have not fooled
yourself. You can also look in
the token table inside Keystone to
see the data for the trust token,
or validate the token via curl to
see the data in it. In all cases,
there should be an OS-TRUST stanza
in the token data.<br>
<br>
<br>
If it is still failing, there
might be some issue on the Policy
side. I have been assuming that
you are running with the default
policy for Nova. <br>
<br>
<a moz-do-not-send="true"
href="http://git.openstack.org/cgit/openstack/nova/tree/etc/nova/policy.json"
target="_blank">http://git.openstack.org/cgit/openstack/nova/tree/etc/nova/policy.json</a><br>
<br>
I'm not sure which rule matches
for list servers (Nova developer
input would be appreciated) but
I'm guessing it is executing the
rule <br>
<code>"admin_or_owner": "is_admin:True or project_id:%(project_id)s",</code><br>
<br>
Since that is the default. I
am guessing that the
project_id in question comes
from the token here, as that
seems to be common, but if
not, it might be that the two
values are mismatched. Perhaps
the Project ID value from
the client env var is sent,
and matches what the trustor
normally works as, not the
project in question. If these
two values don't match, then,
yes, the rule would fail.<br>
<div>
<div><br>
<br>
<br>
<blockquote type="cite">
<div class="gmail_extra"><br>
<div class="gmail_quote">On
Wed, Feb 11, 2015 at
7:55 PM, Adam Young <span
dir="ltr"><<a
moz-do-not-send="true"
href="mailto:ayoung@redhat.com" target="_blank">ayoung@redhat.com</a>></span>
wrote:<br>
<blockquote
class="gmail_quote"
style="margin:0 0 0
.8ex;border-left:1px
#ccc
solid;padding-left:1ex">
<div bgcolor="#FFFFFF"
text="#000000">
<div>
<div>
<div>On
02/11/2015
10:52 AM,
Nikolay
Makhotkin
wrote:<br>
</div>
<blockquote
type="cite">
<div dir="ltr">Hi
!
<div><br>
</div>
<div>I
investigated
trust's use
cases and
encountered
the problem:
When I use
auth_token
obtained from
keystoneclient
using trust, I
get <b>403</b>
Forbidden
error: <b>You
are not
authorized to
perform the
requested
action.</b></div>
<div><br>
</div>
<div>Steps to
reproduce: </div>
<div><br>
</div>
<div>- Import
v3
keystoneclient
(used keystone
and
keystoneclient
from master,
tried also to
use
stable/icehouse)</div>
<div>- Import
v3 novaclient<br>
- initialize
the
keystoneclient:</div>
<pre>keystone = keystoneclient.Client(username=username,
                                 password=password,
                                 tenant_name=tenant_name,
                                 auth_url=auth_url)</pre>
<div><font face="arial, helvetica, sans-serif">- create a trust:</font></div>
<pre>trust = keystone.trusts.create(
    keystone.user_id,
    keystone.user_id,
    impersonation=True,
    role_names=['admin'],
    project=keystone.project_id
)</pre>
<div><font face="arial, helvetica, sans-serif">- initialize new keystoneclient:</font></div>
<pre>client_from_trust = keystoneclient.Client(
    username=username,
    password=password,
    trust_id=trust.id,
    auth_url=auth_url,
)</pre>
<div><font face="arial, helvetica, sans-serif">- create nova client using new token from new client:</font></div>
<pre>nova = novaclient.Client(
    auth_token=client_from_trust.auth_token,
    auth_url=auth_url_v2,
    project_id=client_from_trust.project_id,  # project of the trust-scoped client
    service_type='compute',
    username=None,
    api_key=None
)</pre>
<div><font face="arial, helvetica, sans-serif">- do simple request to nova:</font></div>
<pre>nova.servers.list()</pre>
<div><font face="arial, helvetica, sans-serif">- get the error described above.</font></div>
<div><br>
</div>
<div><font face="arial, helvetica, sans-serif">Maybe I misunderstood something, but what is wrong? I supposed I could just work with nova as if it had been initialized using a direct token.</font></div>
</div>
</blockquote>
<br>
</div>
</div>
From what you wrote
here it should work,
but since Heat has
been doing stuff
like this for a
while, I'm pretty
sure it is your
setup and not a
fundamental problem.<br>
<br>
I'd take a look at
what is going back
and forth on the
wire and make sure
the right token is
being sent to Nova.
If it is the
original user's token
and not the trust
token, then you
would see that
error.<span><font
color="#888888"><br>
<br>
<blockquote
type="cite">
<div dir="ltr">
<div>
<div><br>
</div>
-- <br>
<div>
<div dir="ltr">
<div><font>Best
Regards,</font></div>
<div><font>Nikolay</font></div>
</div>
</div>
</div>
</div>
<br>
<fieldset></fieldset>
<br>
<pre>__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: <a moz-do-not-send="true" href="mailto:OpenStack-dev-request@lists.openstack.org?subject:unsubscribe" target="_blank">OpenStack-dev-request@lists.openstack.org?subject:unsubscribe</a>
<a moz-do-not-send="true" href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a>
</pre>
</blockquote>
<br>
</font></span></div>
<br>
</blockquote>
</div>
<br>
<br clear="all">
<div><br>
</div>
-- <br>
<div>
<div dir="ltr">
<div><font>Best
Regards,</font></div>
<div><font>Nikolay</font></div>
</div>
</div>
</div>
<br>
</blockquote>
<br>
</div>
</div>
</div>
<br>
<br>
</blockquote>
</div>
<br>
<br clear="all">
<div><br>
</div>
-- <br>
<div>
<div dir="ltr"><font
style="color:rgb(0,0,0);font-family:Cantarell;font-size:15px"
color="#000000">Kind Regards,</font><br
style="color:rgb(0,0,0);font-family:Cantarell;font-size:15px">
<font
style="color:rgb(0,0,0);font-family:Cantarell;font-size:15px"
color="#000000">Alexander Makarov,</font><br
style="color:rgb(0,0,0);font-family:Cantarell;font-size:15px">
<font
style="color:rgb(0,0,0);font-family:Cantarell;font-size:15px"
color="#000000">Senior Software
Developer,</font><br
style="color:rgb(0,0,0);font-family:Cantarell;font-size:15px">
<br
style="color:rgb(0,0,0);font-family:Cantarell;font-size:15px">
<font
style="color:rgb(0,0,0);font-family:Cantarell;font-size:15px"
color="#000000">Mirantis, Inc.</font><br
style="color:rgb(0,0,0);font-family:Cantarell;font-size:15px">
<font
style="color:rgb(0,0,0);font-family:Cantarell;font-size:15px"
color="#000000">35b/3, Vorontsovskaya
St., 109147, Moscow, Russia</font><br
style="color:rgb(0,0,0);font-family:Cantarell;font-size:15px">
<br
style="color:rgb(0,0,0);font-family:Cantarell;font-size:15px">
<font
style="color:rgb(0,0,0);font-family:Cantarell;font-size:15px"
color="#000000">Tel.: +7 (495)
640-49-04</font><br
style="color:rgb(0,0,0);font-family:Cantarell;font-size:15px">
<font
style="color:rgb(0,0,0);font-family:Cantarell;font-size:15px"
color="#000000">Tel.: +7 (926)
204-50-60</font><br
style="color:rgb(0,0,0);font-family:Cantarell;font-size:15px">
<br
style="color:rgb(0,0,0);font-family:Cantarell;font-size:15px">
<font
style="color:rgb(0,0,0);font-family:Cantarell;font-size:15px"
color="#000000">Skype:
MAKAPOB.AJIEKCAHDP</font><br>
</div>
</div>
</div>
<br>
</blockquote>
<br>
</div>
</div>
</div>
<br>
<br>
</blockquote>
</div>
<br>
<br clear="all">
<div><br>
</div>
-- <br>
<div>
<div dir="ltr"><font
style="color:rgb(0,0,0);font-family:Cantarell;font-size:15px"
color="#000000">Kind Regards,</font><br
style="color:rgb(0,0,0);font-family:Cantarell;font-size:15px">
<font
style="color:rgb(0,0,0);font-family:Cantarell;font-size:15px"
color="#000000">Alexander Makarov,</font><br
style="color:rgb(0,0,0);font-family:Cantarell;font-size:15px">
<font
style="color:rgb(0,0,0);font-family:Cantarell;font-size:15px"
color="#000000">Senior Software Developer,</font><br
style="color:rgb(0,0,0);font-family:Cantarell;font-size:15px">
<br
style="color:rgb(0,0,0);font-family:Cantarell;font-size:15px">
<font
style="color:rgb(0,0,0);font-family:Cantarell;font-size:15px"
color="#000000">Mirantis, Inc.</font><br
style="color:rgb(0,0,0);font-family:Cantarell;font-size:15px">
<font
style="color:rgb(0,0,0);font-family:Cantarell;font-size:15px"
color="#000000">35b/3, Vorontsovskaya St.,
109147, Moscow, Russia</font><br
style="color:rgb(0,0,0);font-family:Cantarell;font-size:15px">
<br
style="color:rgb(0,0,0);font-family:Cantarell;font-size:15px">
<font
style="color:rgb(0,0,0);font-family:Cantarell;font-size:15px"
color="#000000">Tel.: +7 (495) 640-49-04</font><br
style="color:rgb(0,0,0);font-family:Cantarell;font-size:15px">
<font
style="color:rgb(0,0,0);font-family:Cantarell;font-size:15px"
color="#000000">Tel.: +7 (926) 204-50-60</font><br
style="color:rgb(0,0,0);font-family:Cantarell;font-size:15px">
<br
style="color:rgb(0,0,0);font-family:Cantarell;font-size:15px">
<font
style="color:rgb(0,0,0);font-family:Cantarell;font-size:15px"
color="#000000">Skype: MAKAPOB.AJIEKCAHDP</font><br>
</div>
</div>
</div>
</div>
</div>
<br>
<br>
</blockquote>
</div>
<br>
<br clear="all">
<div><br>
</div>
-- <br>
<div class="gmail_signature">
<div dir="ltr">
<div><font>Best Regards,</font></div>
<div><font>Nikolay</font></div>
</div>
</div>
</div>
<br>
</blockquote>
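<div>Added example, not code from the thread or from any OpenStack project: a small script that does the two checks Adam describes in the quoted replies above, inspecting the validated token data for the OS-TRUST stanza and for the project it is scoped to, and then evaluating Nova's default <code>"admin_or_owner": "is_admin:True or project_id:%(project_id)s"</code> rule against that token the way a policy check would, so a project mismatch shows up before the 403 does. It assumes the token body is the JSON a Keystone v3 validation returns (trust data under the <code>"OS-TRUST:trust"</code> key) and derives <code>is_admin</code> from the <code>admin</code> role, mirroring Nova's default <code>"context_is_admin": "role:admin"</code>; the token ids and project ids in the samples are constructed. The rule evaluator is a deliberately flat one (leaf checks joined by <code>and</code>/<code>or</code>, no parentheses or <code>rule:</code> references), not oslo.policy itself.</div>

```python
"""Check a validated Keystone token for trust scope and evaluate a Nova-style
policy rule against it (added example, not code from the mailing-list thread).

Assumptions: the token body is the JSON Keystone v3 returns when a token is
validated (trust data under "OS-TRUST:trust"); is_admin is derived from the
"admin" role, mirroring Nova's default "context_is_admin": "role:admin".
All ids below are constructed sample values.
"""
import json

# Rule quoted in the thread from Nova's default policy.json.
ADMIN_OR_OWNER = "is_admin:True or project_id:%(project_id)s"

# Constructed sample: a trust-scoped token as Keystone v3 would return it.
SAMPLE_TRUST_TOKEN = json.dumps({"token": {
    "expires_at": "2015-02-17T10:00:00.000000Z",
    "project": {"id": "project-from-trust", "name": "demo"},
    "user": {"id": "trustee-user-id", "name": "trustee"},
    "roles": [{"id": "role-1", "name": "admin"}],
    "OS-TRUST:trust": {
        "id": "trust-id-example",
        "trustor_user": {"id": "trustor-user-id"},
        "trustee_user": {"id": "trustee-user-id"},
        "impersonation": True,
    },
}})

# Constructed sample: the trustee's own (non-trust) token on another project,
# the kind of token the thread suspects is reaching Nova by mistake.
SAMPLE_PLAIN_TOKEN = json.dumps({"token": {
    "expires_at": "2015-02-17T10:00:00.000000Z",
    "project": {"id": "trustee-home-project", "name": "trustee-home"},
    "user": {"id": "trustee-user-id", "name": "trustee"},
    "roles": [{"id": "role-2", "name": "Member"}],
}})


def credentials_from_token(body):
    """Turn a validated token body into the credential dict a policy check sees."""
    tok = json.loads(body)["token"]
    roles = [r["name"] for r in tok.get("roles", [])]
    return {
        "user_id": tok.get("user", {}).get("id"),
        "project_id": (tok.get("project") or {}).get("id"),
        "roles": roles,
        "is_admin": any(r.lower() == "admin" for r in roles),
        "trust": tok.get("OS-TRUST:trust"),  # None when the token is not trust-scoped
    }


def check_rule(rule, creds, target):
    """Evaluate a flat oslo-style rule string.

    Leaves are "kind:match"; "and" binds tighter than "or"; "%(key)s" in the
    match part is filled from the request target. "role:x" tests role
    membership; any other kind compares the string form of creds[kind].
    Parentheses and "rule:..." references are not supported (simplification).
    """
    def leaf(expr):
        kind, match = expr.split(":", 1)
        match = match % target
        if kind == "role":
            return match.lower() in [r.lower() for r in creds.get("roles", [])]
        return kind in creds and match == str(creds[kind])

    return any(all(leaf(term.strip()) for term in conj.split(" and "))
               for conj in rule.split(" or "))


def diagnose(body, requested_project_id, rule=ADMIN_OR_OWNER):
    """Return (allowed, findings) for a token used against a given project."""
    creds = credentials_from_token(body)
    findings = []
    if creds["trust"] is None:
        findings.append("no OS-TRUST stanza: this is a plain user token, not the trust token")
    if creds["project_id"] != requested_project_id:
        findings.append("token scoped to project %s, request targets %s"
                        % (creds["project_id"], requested_project_id))
    allowed = check_rule(rule, creds, {"project_id": requested_project_id})
    return allowed, findings


if __name__ == "__main__":
    for name, body in (("trust token", SAMPLE_TRUST_TOKEN),
                       ("plain token", SAMPLE_PLAIN_TOKEN)):
        allowed, findings = diagnose(body, "project-from-trust")
        print("%s: allowed=%s %s" % (name, allowed, "; ".join(findings) or "OK"))
```

<div>Run against a real deployment, the body would come from validating the token the client is actually sending (the wire-level check Adam asks for), and the findings list distinguishes the two failure modes the thread discusses: the client silently swapped in the user's own token (no OS-TRUST stanza), or the token is fine but scoped to a different project than the one the request names, which is exactly the case where <code>project_id:%(project_id)s</code> does not match and a non-admin trust falls through to 403.</div>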
<br>
</body>
</html>