[openstack-dev] [keystone][heat] Question re deleting trusts via trust token

Steven Hardy shardy at redhat.com
Wed Sep 4 10:45:09 UTC 2013


On Wed, Sep 04, 2013 at 09:49:48AM +0100, Steven Hardy wrote:
> This final step is the problematic step - atm (unless I'm making a mistake,
> which as previously proven is entirely possible! ;) it seems that it's
> impossible for anyone except the trustor to delete the trust, even if we
> impersonate the trustor.

Ok, apologies, after further testing, it appears I made a mistake and you
*can* delete the trust by impersonating the user.

The reason for the confusion is there's an odd issue when authenticating
the client using a trust_id.  If (and only if) the trust has
impersonation=True, you *must* specify the endpoint when initialising the
client, otherwise we do not get a token, we get a 401.

So I misinterpreted the authentication failure as a 401 on delete, because
I'd copied some code and changed impersonate from False to True, which
changes the required arguments when consuming the trust.  Seems like a bug?

I've created a gist containing an example which demonstrates the problem:

https://gist.github.com/hardys/6435299

I'm not sure if the bug is that the authenticate works without the endpoint
when impersonate=False, or that it doesn't when impersonate=True.

Thanks!

Steve


