<html><body>
<p><font size="2" face="sans-serif">I think this is happening because the last "session" created was based off of trustee_auth. Try creating 2 sessions, one for each user (trustor and trustee). Maybe Jamie will chime in.</font><br>
<font size="2" face="sans-serif"><br>
Thanks,<br>
<br>
Steve Martinelli<br>
OpenStack Keystone Core</font><br>
<br>
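<p><font size="2" face="sans-serif">Added example (not code from either message or from keystoneclient): a minimal stand-in for the server-side policy check behind the 403, using keystone's default rule <tt>"identity:create_trust": "user_id:%(trust.trustor_user_id)s"</tt>. It assumes, as Steve's reply suggests, that a shared Session ends up authenticating as the trustee, and uses constructed user ids rather than the ones in the thread.</font></p>

```python
import re

# Constructed sample ids (the real ids from the thread are not reused here).
TRUSTOR_ID = "demo-user-id"     # hypothetical user id for 'demo'
TRUSTEE_ID = "admin-user-id"    # hypothetical user id for 'admin'

# Keystone's default rule for the action that returned 403 in the thread.
POLICY = {"identity:create_trust": "user_id:%(trust.trustor_user_id)s"}

def _lookup(target, dotted):
    """Resolve 'trust.trustor_user_id' against a nested dict target."""
    cur = target
    for part in dotted.split("."):
        cur = cur[part]
    return cur

def check(action, creds, target):
    """Evaluate one 'credkey:%(target.path)s' rule the way oslo.policy's
    GenericCheck does: the credential attribute must equal the target value."""
    rule = POLICY[action]
    m = re.fullmatch(r"(\w+):%\((.+)\)s", rule)
    key, path = m.group(1), m.group(2)
    return str(creds.get(key)) == str(_lookup(target, path))

def create_trust(token_user_id, trustor_user_id, trustee_user_id):
    """Server side: authorise against the caller's token, then build the trust."""
    creds = {"user_id": token_user_id}
    target = {"trust": {"trustor_user_id": trustor_user_id,
                        "trustee_user_id": trustee_user_id}}
    if not check("identity:create_trust", creds, target):
        raise PermissionError("You are not authorized to perform the requested "
                              "action: identity:create_trust (HTTP 403)")
    return {"trustor_user_id": trustor_user_id, "trustee_user_id": trustee_user_id}

def shared_session_case():
    """Both Clients share one Session whose auth ended up as trustee_auth
    (Steve's reading), so the request is authorised as the trustee."""
    try:
        create_trust(TRUSTEE_ID, TRUSTOR_ID, TRUSTEE_ID)
        return "created"
    except PermissionError:
        return "forbidden"

def separate_session_case():
    """One Session per auth plugin: the trustor's own token signs the request."""
    create_trust(TRUSTOR_ID, TRUSTOR_ID, TRUSTEE_ID)
    return "created"
```

<p><font size="2" face="sans-serif">The policy only ever compares the token's user id with the trustor id in the request body, so the cheapest client-side guard is to confirm, before calling trusts.create, that the identity the Session will authenticate with is the same user as trustor.user_id.</font></p>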
<tt><font size="2">michael mccune <msm@redhat.com> wrote on 2015/08/03 07:11:34 PM:<br>
<br>
> From: michael mccune <msm@redhat.com></font></tt><br>
<tt><font size="2">> To: "OpenStack Development Mailing List (not for usage questions)" <br>
> <openstack-dev@lists.openstack.org></font></tt><br>
<tt><font size="2">> Date: 2015/08/03 07:12 PM</font></tt><br>
<tt><font size="2">> Subject: [openstack-dev] [keystone] policy issues when generating <br>
> trusts with different clients</font></tt><br>
<tt><font size="2">> <br>
> hi all,<br>
> <br>
> i am doing some work to change sahara to make greater use of <br>
> keystoneclient.session.Session objects and i am running into a strange <br>
> error when issuing the trusts.<br>
> <br>
> the crux of this issue is that when i create Client objects by passing <br>
> all the parameters directly to the client, the trust is created as <br>
> normal. But, if i create a Password based auth plugin object, using the <br>
> same parameters, and then instantiate a Client by using the auth and a <br>
> Session object, then i fail to create the trust with an error about not <br>
> having sufficient permission.<br>
> <br>
> i have put together a few python repl samples to show what is happening, <br>
> these are also available on github[1].<br>
> <br>
> the following code shows how we've been doing this, using the generic <br>
> Client object we authenticate using the named parameters.<br>
> <br>
>      >>> from keystoneclient.v3 import client<br>
>      >>> trustor = client.Client(<br>
>              auth_url='http://192.168.122.2:5000/v3',<br>
>              username='demo',<br>
>              password='openstack',<br>
>              project_name='demo',<br>
>              user_domain_name='Default',<br>
>              project_domain_name='Default')<br>
>      >>> trustee = client.Client(<br>
>              auth_url='http://192.168.122.2:5000/v3',<br>
>              username='admin',<br>
>              password='openstack',<br>
>              project_name='admin',<br>
>              user_domain_name='Default',<br>
>              project_domain_name='Default')<br>
>      >>> trustor.trusts.create(<br>
>              trustor_user=trustor.user_id,<br>
>              trustee_user=trustee.user_id,<br>
>              project=trustor.project_id,<br>
>              role_names=['Member'],<br>
>              impersonation=True,<br>
>              expires_at=None)<br>
>      <Trust deleted_at=None, expires_at=None, <br>
> id=ac0d8f3b9e7443c2bdb0f855c2a3b9b5, impersonation=True, links={u'self': <br>
> u'http://192.168.122.2:35357/v3/OS-TRUST/trusts/<br>
> ac0d8f3b9e7443c2bdb0f855c2a3b9b5'}, <br>
> project_id=416290f342e04a34acccafe79bb399c7, redelegation_count=0, <br>
> remaining_uses=None, roles=[{u'id': u'433c86b705ef4656b90514ea5401469e', <br>
> u'links': {u'self': <br>
> u'http://192.168.122.2:35357/v3/roles/<br>
> 433c86b705ef4656b90514ea5401469e'}, u'name': <br>
> u'Member'}], roles_links={u'self': <br>
> u'http://192.168.122.2:35357/v3/OS-TRUST/trusts/<br>
> ac0d8f3b9e7443c2bdb0f855c2a3b9b5/roles', <br>
> u'next': None, u'previous': None}, <br>
> trustee_user_id=cf45da134c76460e89b5837e07cc4b82, <br>
> trustor_user_id=863b972dbbfd44b7bbde1b988e2b5098><br>
> <br>
> the trust is created with no issues.<br>
> <br>
> next, i try to create a Client using a Session and a Password auth <br>
> plugin object.<br>
> <br>
>      >>> from keystoneclient.auth.identity import v3<br>
>      >>> from keystoneclient import session<br>
>      >>> sess = session.Session()<br>
>      >>> trustor_auth = v3.Password(<br>
>              auth_url='http://192.168.122.2:5000/v3',<br>
>              username='demo',<br>
>              password='openstack',<br>
>              project_name='demo',<br>
>              user_domain_name='Default',<br>
>              project_domain_name='Default')<br>
>      >>> trustee_auth = v3.Password(<br>
>              auth_url='http://192.168.122.2:5000/v3',<br>
>              username='admin',<br>
>              password='openstack',<br>
>              project_name='admin',<br>
>              user_domain_name='Default',<br>
>              project_domain_name='Default')<br>
>      >>> trustor = client.Client(session=sess, auth=trustor_auth)<br>
>      >>> trustee = client.Client(session=sess, auth=trustee_auth)<br>
>      >>> trustor.trusts.create(<br>
>              trustor_user=trustor.user_id,<br>
>              trustee_user=trustee.user_id,<br>
>              project=trustor.project_id,<br>
>              role_names=['Member'],<br>
>              impersonation=True,<br>
>              expires_at=None)<br>
>      Traceback (most recent call last):<br>
>        File "<stdin>", line 1, in <module><br>
>        File <br>
> "/home/mike/.venvs/openstack/lib/python2.7/site-packages/<br>
> keystoneclient/v3/contrib/trusts.py", <br>
> line 76, in create<br>
>          **kwargs)<br>
>        File <br>
> "/home/mike/.venvs/openstack/lib/python2.7/site-packages/<br>
> keystoneclient/base.py", <br>
> line 73, in func<br>
>          return f(*args, **new_kwargs)<br>
>        File <br>
> "/home/mike/.venvs/openstack/lib/python2.7/site-packages/<br>
> keystoneclient/base.py", <br>
> line 333, in create<br>
>          self.key)<br>
>        File <br>
> "/home/mike/.venvs/openstack/lib/python2.7/site-packages/<br>
> keystoneclient/base.py", <br>
> line 151, in _create<br>
>          return self._post(url, body, response_key, return_raw, **kwargs)<br>
>        File <br>
> "/home/mike/.venvs/openstack/lib/python2.7/site-packages/<br>
> keystoneclient/base.py", <br>
> line 165, in _post<br>
>          resp, body = self.client.post(url, body=body, **kwargs)<br>
>        File <br>
> "/home/mike/.venvs/openstack/lib/python2.7/site-packages/<br>
> keystoneclient/adapter.py", <br>
> line 176, in post<br>
>          return self.request(url, 'POST', **kwargs)<br>
>        File <br>
> "/home/mike/.venvs/openstack/lib/python2.7/site-packages/<br>
> keystoneclient/adapter.py", <br>
> line 206, in request<br>
>          resp = super(LegacyJsonAdapter, self).request(*args, **kwargs)<br>
>        File <br>
> "/home/mike/.venvs/openstack/lib/python2.7/site-packages/<br>
> keystoneclient/adapter.py", <br>
> line 95, in request<br>
>          return self.session.request(url, method, **kwargs)<br>
>        File <br>
> "/home/mike/.venvs/openstack/lib/python2.7/site-packages/<br>
> keystoneclient/utils.py", <br>
> line 336, in inner<br>
>          return func(*args, **kwargs)<br>
>        File <br>
> "/home/mike/.venvs/openstack/lib/python2.7/site-packages/<br>
> keystoneclient/session.py", <br>
> line 397, in request<br>
>          raise exceptions.from_response(resp, method, url)<br>
>      keystoneclient.openstack.common.apiclient.exceptions.Forbidden: You <br>
> are not authorized to perform the requested action: <br>
> identity:create_trust (Disable debug mode to suppress these details.) <br>
> (HTTP 403) (Request-ID: req-c67aee46-2baf-4bc3-9bd5-b82ff31057a7)<br>
> <br>
> this time, not so much...<br>
> <br>
> the same authentication parameters are used as for the previous Client <br>
> method but this time i am denied the trust based on the authorization.<br>
> <br>
> i am wondering if i have done something wrong when creating the Session <br>
> based Client, or is this an issue with keystone treating the users <br>
> differently depending on the client type, or perhaps something is going <br>
> on with the policy stuff within keystone?<br>
> <br>
> thanks for taking a look,<br>
> mike<br>
> <br>
> [1]: <a href="https://gist.github.com/elmiko/d3df44f6910660f680b6">https://gist.github.com/elmiko/d3df44f6910660f680b6</a><br>
> <br>
> __________________________________________________________________________<br>
> OpenStack Development Mailing List (not for usage questions)<br>
> Unsubscribe: OpenStack-dev-request@lists.openstack.org?subject:unsubscribe<br>
> <a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a><br>
> <br>
</font></tt></body></html>