[heystone][nova][cinder] netapp queens trust scoped token
Ignazio Cassano
ignaziocassano at gmail.com
Mon Jan 21 15:39:58 UTC 2019
Many thanks
Ignazio
Il giorno lun 21 gen 2019 alle ore 15:39 Lance Bragstad <lbragstad at gmail.com>
ha scritto:
> Yes, they were originally implemented during the Queens release [0].
>
> [0]
> http://specs.openstack.org/openstack/keystone-specs/specs/keystone/queens/application-credentials.html
>
> On Sat, Jan 19, 2019 at 1:45 AM Ignazio Cassano <ignaziocassano at gmail.com>
> wrote:
>
>> Hello Lance, application credential are also supported in queens?
>> Thanks
>> Ignazio
>>
>>
>> Il giorno Ven 18 Gen 2019 16:04 Lance Bragstad <lbragstad at gmail.com> ha
>> scritto:
>>
>>>
>>>
>>> On Fri, Jan 18, 2019 at 6:49 AM Ignazio Cassano <
>>> ignaziocassano at gmail.com> wrote:
>>>
>>>> Hello Everyone,
>>>> I am using a client for backupping openstack virtual machine.
>>>> The crux of the problem is the client uses trust based authentication
>>>> for scheduling backup jobs on behalf of user. When a trust scoped token is
>>>> passed to cinder client to take a snapshot, I expect the client use the
>>>> token to authenticate and perform the operation which cinder client does.
>>>> However cinder volume service invokes novaclient as part of cinder nfs
>>>> backend snapshot operation and novaclient tries to re-authenticate. Since
>>>> keystone does not allow re-authentication using trust based tokens, cinder
>>>> snapshot operation fails.
>>>>
>>>>
>>> Keystone allows authorization by allowing users to scope tokens to
>>> trusts, but once a trust-token is scoped, it can't be rescoped. Instead,
>>> keystone requires that you build another authentication request for a new
>>> trust-scoped token using the trust [0][1].
>>>
>>> [0]
>>> https://developer.openstack.org/api-ref/identity/v3-ext/index.html?expanded=consuming-a-trust-detail#id121
>>> [1]
>>> https://git.openstack.org/cgit/openstack/keystone/tree/keystone/auth/plugins/token.py#n84
>>>
>>>
>>>> So I get the following error:
>>>>
>>>> 2018-12-12 04:07:14.759 2859 ERROR cinder.volume.drivers. remotefs [req-61d977c1-eef3-4309-ac02-aaa0eb880925
>>>> ab1bdb5dadc54312891f3a6410fef04d 6d1bffb04e3b4cdda30dc17aa96bfffc - default
>>>> default] Call to Nova to create snapshot failed: Forbidden: You are not
>>>> authorized to perform the requested action: Using trust-scoped token to
>>>> create another token. Create a new trust-scoped token instead. (HTTP 403)
>>>> (Request-ID: req-f55b682a-001b-4952-bfb1-abf4dd6bf459)
>>>>
>>>> > 2018-12-12 04:07:14.759 2859 ERROR cinder.volume.drivers. remotefs Traceback
>>>> (most recent call last):
>>>>
>>>> > 2018-12-12 04:07:14.759 2859 ERROR cinder.volume.drivers. remotefs
>>>> File "/usr/lib/python2.7/site-packages/cinder/volume/drivers/ remotefs.py",
>>>> line 1452, in _create_snapshot_online
>>>>
>>>> > 2018-12-12 04:07:14.759 2859 ERROR cinder.volume.drivers. remotefs
>>>> connection_info)
>>>>
>>>> > 2018-12-12 04:07:14.759 2859 ERROR cinder.volume.drivers. remotefs
>>>> File "/usr/lib/python2.7/site-packages/cinder/compute/nova.py", line 188,
>>>> in create_volume_snapshot
>>>>
>>>> > 2018-12-12 04:07:14.759 2859 ERROR cinder.volume.drivers. remotefs
>>>> create_info=create_info)
>>>>
>>>> > 2018-12-12 04:07:14.759 2859 ERROR cinder.volume.drivers. remotefs
>>>> File
>>>> "/usr/lib/python2.7/site-packages/novaclient/v2/assisted_volume_snapshots.py",
>>>> line 43, in create
>>>>
>>>> > 2018-12-12 04:07:14.759 2859 ERROR cinder.volume.drivers. remotefs
>>>> return self._create('/os-assisted-volume-snapshots', body, 'snapshot')
>>>>
>>>> > 2018-12-12 04:07:14.759 2859 ERROR cinder.volume.drivers. remotefs
>>>> File "/usr/lib/python2.7/site-packages/novaclient/base.py", line 361, in
>>>> _create
>>>>
>>>> > 2018-12-12 04:07:14.759 2859 ERROR cinder.volume.drivers. remotefs
>>>> resp, body = self.api.client.post(url, body=body)
>>>>
>>>> > 2018-12-12 04:07:14.759 2859 ERROR cinder.volume.drivers. remotefs
>>>> File "/usr/lib/python2.7/site-packages/keystoneauth1/adapter.py", line 310,
>>>> in post
>>>>
>>>> > 2018-12-12 04:07:14.759 2859 ERROR cinder.volume.drivers. remotefs
>>>> return self.request(url, 'POST', **kwargs)
>>>>
>>>>
>>>> My cinder volume are non netapp fas8040 via nfs.
>>>>
>>>> Anyone can help me ?
>>>>
>>>
>>> There is another feature in keystone that sounds like a better fit for
>>> what you're trying to do, called application credentials [2]. Application
>>> credentials were written as a way for users to grant authorization to
>>> services and scripts (e.g., the scipt asking cinder for a snapshot in your
>>> case.)
>>>
>>> Application credentials aren't tokens, but your scripts can use them to
>>> authenticate for a token [3]. The keystoneauth library already supports
>>> application credentials, so if you use that for building a session you
>>> should be able to use it in other clients that already support keystoneauth
>>> [4].
>>>
>>> [2]
>>> https://docs.openstack.org/keystone/latest/user/application_credentials.html
>>> [3]
>>> https://docs.openstack.org/keystone/latest/user/application_credentials.html#using-application-credentials
>>> [4]
>>> https://docs.openstack.org/keystoneauth/latest/authentication-plugins.html#application-credentials
>>>
>>>>
>>>> Regards
>>>>
>>>> Ignazio
>>>>
>>>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-discuss/attachments/20190121/ceacc6fd/attachment-0001.html>
More information about the openstack-discuss
mailing list