[openstack-dev] [keystone] Help consuming trusts

Steven Hardy shardy at redhat.com
Sat Aug 17 12:18:30 UTC 2013


On Fri, Aug 16, 2013 at 11:42:52AM -0400, Steve Martinelli wrote:
> 
> Hi Steven,
> 
> You can look at the unit tests being run.
> https://github.com/openstack/keystone/blob/master/keystone/tests/test_v3_auth.py#L1782
> 
> It looks like you need to provide the trustee uname/password and the trust
> id. Keep digging into 'build_authentication_request" to see how it's
> structured, then it's just a call to /auth/tokens.

Thanks for the pointers, I've looked at the tests, and it seems like most
of them are error path tests, I'm not sure which one demonstrates a
successful response from the v3 /auth/tokens with a trust ID specified in
the scope section of the request?

I've raised two bugs related to this issue:

https://bugs.launchpad.net/keystone/+bug/1213340
https://bugs.launchpad.net/keystone/+bug/1212778

The latter was discussed on IRC yesterday and I've tested the fix and the
500 error is fixed, but now I get the same 401 response for both token and
username/password requests.  If I don't specify a trust ID in the request,
I get a token back without any problem.

It may be that there is an issue with my keystoneclient patch:

https://review.openstack.org/#/c/39899/

However, despite looking carefully at the requests generated, I can't spot
any problem, the requests appear to match the required format in the API
docs AFAICS:

https://github.com/openstack/identity-api/blob/master/openstack-identity-api/v3/src/markdown/identity-api-v3-os-trust-ext.md#consuming-a-trust-with-post-authtokens

There are reproducers on each of the bugs above, showing the failure in
both token and password methods, if anyone has time to take a look and help
me figure out the next step, that would be much appreciated as atm I'm a
bit stumped!

Thanks!

Steve



More information about the OpenStack-dev mailing list