<div dir="ltr"><div dir="ltr">Yes, they were originally implemented during the Queens release [0].<br><div><br></div><div>[0] <a href="http://specs.openstack.org/openstack/keystone-specs/specs/keystone/queens/application-credentials.html">http://specs.openstack.org/openstack/keystone-specs/specs/keystone/queens/application-credentials.html</a></div></div></div><br><div class="gmail_quote"><div dir="ltr">On Sat, Jan 19, 2019 at 1:45 AM Ignazio Cassano <<a href="mailto:ignaziocassano@gmail.com">ignaziocassano@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="auto">Hello Lance, application credential are also supported in queens?<div dir="auto">Thanks </div><div dir="auto">Ignazio</div><div dir="auto"><div dir="auto"><br></div></div></div><br><div class="gmail_quote"><div dir="ltr">Il giorno Ven 18 Gen 2019 16:04 Lance Bragstad <<a href="mailto:lbragstad@gmail.com" rel="noreferrer" target="_blank">lbragstad@gmail.com</a>> ha scritto:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><br></div><br><div class="gmail_quote"><div dir="ltr">On Fri, Jan 18, 2019 at 6:49 AM Ignazio Cassano <<a href="mailto:ignaziocassano@gmail.com" rel="noreferrer noreferrer" target="_blank">ignaziocassano@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div>Hello Everyone,</div><div>I am using a client for backupping openstack virtual machine.</div><div><span>The crux of the problem is the client uses trust based
authentication for scheduling backup jobs on behalf of user. When a
trust scoped token is passed to cinder client to take a snapshot, I
expect the client use the token to authenticate and perform the
operation which cinder client does. However cinder volume service
invokes novaclient as part of cinder nfs backend snapshot operation and
novaclient tries to re-authenticate. Since keystone does not allow
re-authentication using trust based tokens, cinder snapshot operation
fails.</span></div><div><span><br></span></div></div></blockquote><div><br></div><div>Keystone allows authorization by allowing users to scope tokens to trusts, but once a trust-token is scoped, it can't be rescoped. Instead, keystone requires that you build another authentication request for a new trust-scoped token using the trust [0][1].</div><div><br></div><div>[0] <a href="https://developer.openstack.org/api-ref/identity/v3-ext/index.html?expanded=consuming-a-trust-detail#id121" rel="noreferrer noreferrer" target="_blank">https://developer.openstack.org/api-ref/identity/v3-ext/index.html?expanded=consuming-a-trust-detail#id121</a></div><div>[1] <a href="https://git.openstack.org/cgit/openstack/keystone/tree/keystone/auth/plugins/token.py#n84" rel="noreferrer noreferrer" target="_blank">https://git.openstack.org/cgit/openstack/keystone/tree/keystone/auth/plugins/token.py#n84</a></div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div><span></span></div><div><span>So I get the following error:</span></div><div><span><br></span></div><div><span>2018-12-12 04:07:14.759 2859 ERROR cinder.volume.drivers.
<span class="gmail-m_-235892556977283451m_-4246534312852061982m_-534595307303230180gmail-m_-7494382634227499130gmail-m_2216109017703456300gmail-m_-209326966715589170gmail-m_-7809194808105151010gmail-m_3596618912615674995gmail-il">remotefs</span> [req-61d977c1-eef3-4309-ac02-aaa0eb880925
ab1bdb5dadc54312891f3a6410fef04d 6d1bffb04e3b4cdda30dc17aa96bfffc -
default default] Call to Nova to create snapshot failed: Forbidden: You
are not authorized to perform the requested action: Using trust-scoped
token to create another token. Create a new trust-scoped token instead.
(HTTP 403) (Request-ID: req-f55b682a-001b-4952-bfb1-abf4dd6bf459)
</span><p style="margin:0px"> <span style="opacity:0">></span> 2018-12-12 04:07:14.759 2859 ERROR cinder.volume.drivers. <span class="gmail-m_-235892556977283451m_-4246534312852061982m_-534595307303230180gmail-m_-7494382634227499130gmail-m_2216109017703456300gmail-m_-209326966715589170gmail-m_-7809194808105151010gmail-m_3596618912615674995gmail-il">remotefs</span> Traceback (most recent call last):</p>
<p style="margin:0px"> <span style="opacity:0">></span> 2018-12-12 04:07:14.759 2859 ERROR cinder.volume.drivers. <span class="gmail-m_-235892556977283451m_-4246534312852061982m_-534595307303230180gmail-m_-7494382634227499130gmail-m_2216109017703456300gmail-m_-209326966715589170gmail-m_-7809194808105151010gmail-m_3596618912615674995gmail-il">remotefs</span> File "/usr/lib/python2.7/site-packages/cinder/volume/drivers/ <span class="gmail-m_-235892556977283451m_-4246534312852061982m_-534595307303230180gmail-m_-7494382634227499130gmail-m_2216109017703456300gmail-m_-209326966715589170gmail-m_-7809194808105151010gmail-m_3596618912615674995gmail-il">remotefs</span>.py", line 1452, in _create_snapshot_online</p>
<p style="margin:0px"> <span style="opacity:0">></span> 2018-12-12 04:07:14.759 2859 ERROR cinder.volume.drivers. <span class="gmail-m_-235892556977283451m_-4246534312852061982m_-534595307303230180gmail-m_-7494382634227499130gmail-m_2216109017703456300gmail-m_-209326966715589170gmail-m_-7809194808105151010gmail-m_3596618912615674995gmail-il">remotefs</span> connection_info)</p>
<p style="margin:0px"> <span style="opacity:0">></span> 2018-12-12 04:07:14.759 2859 ERROR cinder.volume.drivers. <span class="gmail-m_-235892556977283451m_-4246534312852061982m_-534595307303230180gmail-m_-7494382634227499130gmail-m_2216109017703456300gmail-m_-209326966715589170gmail-m_-7809194808105151010gmail-m_3596618912615674995gmail-il">remotefs</span> File "/usr/lib/python2.7/site-packages/cinder/compute/nova.py", line 188, in create_volume_snapshot</p>
<p style="margin:0px"> <span style="opacity:0">></span> 2018-12-12 04:07:14.759 2859 ERROR cinder.volume.drivers. <span class="gmail-m_-235892556977283451m_-4246534312852061982m_-534595307303230180gmail-m_-7494382634227499130gmail-m_2216109017703456300gmail-m_-209326966715589170gmail-m_-7809194808105151010gmail-m_3596618912615674995gmail-il">remotefs</span> create_info=create_info)</p>
<p style="margin:0px"> <span style="opacity:0">></span> 2018-12-12 04:07:14.759 2859 ERROR cinder.volume.drivers. <span class="gmail-m_-235892556977283451m_-4246534312852061982m_-534595307303230180gmail-m_-7494382634227499130gmail-m_2216109017703456300gmail-m_-209326966715589170gmail-m_-7809194808105151010gmail-m_3596618912615674995gmail-il">remotefs</span> File "/usr/lib/python2.7/site-packages/novaclient/v2/assisted_volume_snapshots.py", line 43, in create</p>
<p style="margin:0px"> <span style="opacity:0">></span> 2018-12-12 04:07:14.759 2859 ERROR cinder.volume.drivers. <span class="gmail-m_-235892556977283451m_-4246534312852061982m_-534595307303230180gmail-m_-7494382634227499130gmail-m_2216109017703456300gmail-m_-209326966715589170gmail-m_-7809194808105151010gmail-m_3596618912615674995gmail-il">remotefs</span> return self._create('/os-assisted-volume-snapshots', body, 'snapshot')</p>
<p style="margin:0px"> <span style="opacity:0">></span> 2018-12-12 04:07:14.759 2859 ERROR cinder.volume.drivers. <span class="gmail-m_-235892556977283451m_-4246534312852061982m_-534595307303230180gmail-m_-7494382634227499130gmail-m_2216109017703456300gmail-m_-209326966715589170gmail-m_-7809194808105151010gmail-m_3596618912615674995gmail-il">remotefs</span> File "/usr/lib/python2.7/site-packages/novaclient/base.py", line 361, in _create</p>
<p style="margin:0px"> <span style="opacity:0">></span> 2018-12-12 04:07:14.759 2859 ERROR cinder.volume.drivers. <span class="gmail-m_-235892556977283451m_-4246534312852061982m_-534595307303230180gmail-m_-7494382634227499130gmail-m_2216109017703456300gmail-m_-209326966715589170gmail-m_-7809194808105151010gmail-m_3596618912615674995gmail-il">remotefs</span> resp, body = self.api.client.post(url, body=body)</p>
<p style="margin:0px"> <span style="opacity:0">></span> 2018-12-12 04:07:14.759 2859 ERROR cinder.volume.drivers. <span class="gmail-m_-235892556977283451m_-4246534312852061982m_-534595307303230180gmail-m_-7494382634227499130gmail-m_2216109017703456300gmail-m_-209326966715589170gmail-m_-7809194808105151010gmail-m_3596618912615674995gmail-il">remotefs</span> File "/usr/lib/python2.7/site-packages/keystoneauth1/adapter.py", line 310, in post</p>
<p style="margin:0px"> <span style="opacity:0">></span> 2018-12-12 04:07:14.759 2859 ERROR cinder.volume.drivers. <span class="gmail-m_-235892556977283451m_-4246534312852061982m_-534595307303230180gmail-m_-7494382634227499130gmail-m_2216109017703456300gmail-m_-209326966715589170gmail-m_-7809194808105151010gmail-m_3596618912615674995gmail-il">remotefs</span> return self.request(url, 'POST', **kwargs)</p><p style="margin:0px"><br></p><p style="margin:0px">My cinder volume are non netapp fas8040 via nfs.<br></p><p style="margin:0px">Anyone can help me ?</p></div></div></blockquote><div><br></div><div>There is another feature in keystone that sounds like a better fit for what you're trying to do, called application credentials [2]. Application credentials were written as a way for users to grant authorization to services and scripts (e.g., the scipt asking cinder for a snapshot in your case.)</div><div><br></div><div>Application credentials aren't tokens, but your scripts can use them to authenticate for a token [3]. The keystoneauth library already supports application credentials, so if you use that for building a session you should be able to use it in other clients that already support keystoneauth [4].</div><div><br></div><div>[2] <a href="https://docs.openstack.org/keystone/latest/user/application_credentials.html" rel="noreferrer noreferrer" target="_blank">https://docs.openstack.org/keystone/latest/user/application_credentials.html</a></div><div>[3] <a href="https://docs.openstack.org/keystone/latest/user/application_credentials.html#using-application-credentials" rel="noreferrer noreferrer" target="_blank">https://docs.openstack.org/keystone/latest/user/application_credentials.html#using-application-credentials</a></div><div>[4] <a href="https://docs.openstack.org/keystoneauth/latest/authentication-plugins.html#application-credentials" rel="noreferrer noreferrer" target="_blank">https://docs.openstack.org/keystoneauth/latest/authentication-plugins.html#application-credentials</a></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div><p style="margin:0px"><br></p><p style="margin:0px">Regards</p><p style="margin:0px">Ignazio<br></p></div></div>
</blockquote></div></div></div></div></div></div></div>
</blockquote></div>
</blockquote></div>