Yes, they were originally implemented during the Queens release [0]. [0] http://specs.openstack.org/openstack/keystone-specs/specs/keystone/queens/ap... On Sat, Jan 19, 2019 at 1:45 AM Ignazio Cassano <ignaziocassano@gmail.com> wrote:
Hello Lance, application credential are also supported in queens? Thanks Ignazio
Il giorno Ven 18 Gen 2019 16:04 Lance Bragstad <lbragstad@gmail.com> ha scritto:
On Fri, Jan 18, 2019 at 6:49 AM Ignazio Cassano <ignaziocassano@gmail.com> wrote:
Hello Everyone, I am using a client for backupping openstack virtual machine. The crux of the problem is the client uses trust based authentication for scheduling backup jobs on behalf of user. When a trust scoped token is passed to cinder client to take a snapshot, I expect the client use the token to authenticate and perform the operation which cinder client does. However cinder volume service invokes novaclient as part of cinder nfs backend snapshot operation and novaclient tries to re-authenticate. Since keystone does not allow re-authentication using trust based tokens, cinder snapshot operation fails.
Keystone allows authorization by allowing users to scope tokens to trusts, but once a trust-token is scoped, it can't be rescoped. Instead, keystone requires that you build another authentication request for a new trust-scoped token using the trust [0][1].
[0] https://developer.openstack.org/api-ref/identity/v3-ext/index.html?expanded=... [1] https://git.openstack.org/cgit/openstack/keystone/tree/keystone/auth/plugins...
So I get the following error:
2018-12-12 04:07:14.759 2859 ERROR cinder.volume.drivers. remotefs [req-61d977c1-eef3-4309-ac02-aaa0eb880925 ab1bdb5dadc54312891f3a6410fef04d 6d1bffb04e3b4cdda30dc17aa96bfffc - default default] Call to Nova to create snapshot failed: Forbidden: You are not authorized to perform the requested action: Using trust-scoped token to create another token. Create a new trust-scoped token instead. (HTTP 403) (Request-ID: req-f55b682a-001b-4952-bfb1-abf4dd6bf459)
2018-12-12 04:07:14.759 2859 ERROR cinder.volume.drivers. remotefs Traceback (most recent call last):
2018-12-12 04:07:14.759 2859 ERROR cinder.volume.drivers. remotefs File "/usr/lib/python2.7/site-packages/cinder/volume/drivers/ remotefs.py", line 1452, in _create_snapshot_online
2018-12-12 04:07:14.759 2859 ERROR cinder.volume.drivers. remotefs connection_info)
2018-12-12 04:07:14.759 2859 ERROR cinder.volume.drivers. remotefs File "/usr/lib/python2.7/site-packages/cinder/compute/nova.py", line 188, in create_volume_snapshot
2018-12-12 04:07:14.759 2859 ERROR cinder.volume.drivers. remotefs create_info=create_info)
2018-12-12 04:07:14.759 2859 ERROR cinder.volume.drivers. remotefs File "/usr/lib/python2.7/site-packages/novaclient/v2/assisted_volume_snapshots.py", line 43, in create
2018-12-12 04:07:14.759 2859 ERROR cinder.volume.drivers. remotefs return self._create('/os-assisted-volume-snapshots', body, 'snapshot')
2018-12-12 04:07:14.759 2859 ERROR cinder.volume.drivers. remotefs File "/usr/lib/python2.7/site-packages/novaclient/base.py", line 361, in _create
2018-12-12 04:07:14.759 2859 ERROR cinder.volume.drivers. remotefs resp, body = self.api.client.post(url, body=body)
2018-12-12 04:07:14.759 2859 ERROR cinder.volume.drivers. remotefs File "/usr/lib/python2.7/site-packages/keystoneauth1/adapter.py", line 310, in post
2018-12-12 04:07:14.759 2859 ERROR cinder.volume.drivers. remotefs return self.request(url, 'POST', **kwargs)
My cinder volume are non netapp fas8040 via nfs.
Anyone can help me ?
There is another feature in keystone that sounds like a better fit for what you're trying to do, called application credentials [2]. Application credentials were written as a way for users to grant authorization to services and scripts (e.g., the scipt asking cinder for a snapshot in your case.)
Application credentials aren't tokens, but your scripts can use them to authenticate for a token [3]. The keystoneauth library already supports application credentials, so if you use that for building a session you should be able to use it in other clients that already support keystoneauth [4].
[2] https://docs.openstack.org/keystone/latest/user/application_credentials.html [3] https://docs.openstack.org/keystone/latest/user/application_credentials.html... [4] https://docs.openstack.org/keystoneauth/latest/authentication-plugins.html#a...
Regards
Ignazio