[openstack-dev] [keystone] policy issues when generating trusts with different clients
michael mccune
msm at redhat.com
Mon Aug 3 23:11:34 UTC 2015
hi all,
i am doing some work to change sahara to make greater use of
keystoneclient.session.Session objects and i am running into a strange
error when issuing the trusts.
the crux of this issue is that when i create Client objects by passing
all the parameters directly to the client, the trust is created as
normal. But, if i create a Password based auth plugin object, using the
same parameters, and then instantiate a Client by using the auth and a
Session object, then i fail to create the trust with an error about not
having sufficient permission.
i have put together a few python repl samples to show what is happening;
these are also available on github[1].
the following code shows how we've been doing this: using the generic
Client object, we authenticate using the named parameters.
>>> from keystoneclient.v3 import client
>>> trustor = client.Client(
...     auth_url='http://192.168.122.2:5000/v3',
...     username='demo',
...     password='openstack',
...     project_name='demo',
...     user_domain_name='Default',
...     project_domain_name='Default')
>>> trustee = client.Client(
...     auth_url='http://192.168.122.2:5000/v3',
...     username='admin',
...     password='openstack',
...     project_name='admin',
...     user_domain_name='Default',
...     project_domain_name='Default')
>>> trustor.trusts.create(
...     trustor_user=trustor.user_id,
...     trustee_user=trustee.user_id,
...     project=trustor.project_id,
...     role_names=['Member'],
...     impersonation=True,
...     expires_at=None)
<Trust deleted_at=None, expires_at=None,
id=ac0d8f3b9e7443c2bdb0f855c2a3b9b5, impersonation=True, links={u'self':
u'http://192.168.122.2:35357/v3/OS-TRUST/trusts/ac0d8f3b9e7443c2bdb0f855c2a3b9b5'},
project_id=416290f342e04a34acccafe79bb399c7, redelegation_count=0,
remaining_uses=None, roles=[{u'id': u'433c86b705ef4656b90514ea5401469e',
u'links': {u'self':
u'http://192.168.122.2:35357/v3/roles/433c86b705ef4656b90514ea5401469e'}, u'name':
u'Member'}], roles_links={u'self':
u'http://192.168.122.2:35357/v3/OS-TRUST/trusts/ac0d8f3b9e7443c2bdb0f855c2a3b9b5/roles',
u'next': None, u'previous': None},
trustee_user_id=cf45da134c76460e89b5837e07cc4b82,
trustor_user_id=863b972dbbfd44b7bbde1b988e2b5098>
the trust is created with no issues.
next, i try to create a Client using a Session and a Password auth
plugin object.
>>> from keystoneclient.auth.identity import v3
>>> from keystoneclient import session
>>> sess = session.Session()
>>> trustor_auth = v3.Password(
...     auth_url='http://192.168.122.2:5000/v3',
...     username='demo',
...     password='openstack',
...     project_name='demo',
...     user_domain_name='Default',
...     project_domain_name='Default')
>>> trustee_auth = v3.Password(
...     auth_url='http://192.168.122.2:5000/v3',
...     username='admin',
...     password='openstack',
...     project_name='admin',
...     user_domain_name='Default',
...     project_domain_name='Default')
>>> trustor = client.Client(session=sess, auth=trustor_auth)
>>> trustee = client.Client(session=sess, auth=trustee_auth)
>>> trustor.trusts.create(
...     trustor_user=trustor.user_id,
...     trustee_user=trustee.user_id,
...     project=trustor.project_id,
...     role_names=['Member'],
...     impersonation=True,
...     expires_at=None)
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/home/mike/.venvs/openstack/lib/python2.7/site-packages/keystoneclient/v3/contrib/trusts.py", line 76, in create
    **kwargs)
  File "/home/mike/.venvs/openstack/lib/python2.7/site-packages/keystoneclient/base.py", line 73, in func
    return f(*args, **new_kwargs)
  File "/home/mike/.venvs/openstack/lib/python2.7/site-packages/keystoneclient/base.py", line 333, in create
    self.key)
  File "/home/mike/.venvs/openstack/lib/python2.7/site-packages/keystoneclient/base.py", line 151, in _create
    return self._post(url, body, response_key, return_raw, **kwargs)
  File "/home/mike/.venvs/openstack/lib/python2.7/site-packages/keystoneclient/base.py", line 165, in _post
    resp, body = self.client.post(url, body=body, **kwargs)
  File "/home/mike/.venvs/openstack/lib/python2.7/site-packages/keystoneclient/adapter.py", line 176, in post
    return self.request(url, 'POST', **kwargs)
  File "/home/mike/.venvs/openstack/lib/python2.7/site-packages/keystoneclient/adapter.py", line 206, in request
    resp = super(LegacyJsonAdapter, self).request(*args, **kwargs)
  File "/home/mike/.venvs/openstack/lib/python2.7/site-packages/keystoneclient/adapter.py", line 95, in request
    return self.session.request(url, method, **kwargs)
  File "/home/mike/.venvs/openstack/lib/python2.7/site-packages/keystoneclient/utils.py", line 336, in inner
    return func(*args, **kwargs)
  File "/home/mike/.venvs/openstack/lib/python2.7/site-packages/keystoneclient/session.py", line 397, in request
    raise exceptions.from_response(resp, method, url)
keystoneclient.openstack.common.apiclient.exceptions.Forbidden: You are not authorized to perform the requested action: identity:create_trust (Disable debug mode to suppress these details.) (HTTP 403) (Request-ID: req-c67aee46-2baf-4bc3-9bd5-b82ff31057a7)
this time, not so much...
the same authentication parameters are used as for the previous Client
method but this time i am denied the trust based on the authorization.
i am wondering if i have done something wrong when creating the Session
based Client, or is this an issue with keystone treating the users
differently depending on the client type, or perhaps something is going
on with the policy stuff within keystone?
thanks for taking a look,
mike
[1]: https://gist.github.com/elmiko/d3df44f6910660f680b6
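One way to reason about the 403 above, added here as an example that is not part of mike's post and not keystone or keystoneclient code: keystone's default policy for identity:create_trust is assumed to be the rule `user_id:%(trust.trustor_user_id)s`, a generic check that compares the token's user id with the trustor_user_id in the request body, so a body whose trustor_user_id resolved to None fails the check and is refused as Forbidden rather than rejected as invalid input. The script re-implements that matching logic locally (a simplified stand-in for oslo.policy, an assumption) and runs it over two constructed request bodies.

```python
"""Minimal re-implementation of how a keystone policy rule of the form
"user_id:%(trust.trustor_user_id)s" is evaluated.  Assumption: that is the
default rule for identity:create_trust; this is not keystone/oslo.policy."""
import re

CREATE_TRUST_RULE = "user_id:%(trust.trustor_user_id)s"


def _lookup(target, dotted):
    """Resolve a dotted path such as 'trust.trustor_user_id' in a nested dict."""
    cur = target
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def generic_check(rule, target, creds):
    """Evaluate a 'key:%(target.field)s' rule like a GenericCheck does:
    the credential named by key must equal the substituted target value."""
    key, _, match = rule.partition(":")
    m = re.fullmatch(r"%\((.+)\)s", match)
    expected = _lookup(target, m.group(1)) if m else match
    actual = creds.get(key)
    # A target field that is absent or None never equals a real user id,
    # so the request is refused with 403 rather than a validation error.
    return actual is not None and expected is not None and str(actual) == str(expected)


def create_trust_allowed(trust_body, token_user_id):
    """True if a token belonging to token_user_id may POST this trust body."""
    return generic_check(CREATE_TRUST_RULE,
                         {"trust": trust_body}, {"user_id": token_user_id})


DEMO_USER_ID = "863b972dbbfd44b7bbde1b988e2b5098"   # trustor id from the post
ADMIN_USER_ID = "cf45da134c76460e89b5837e07cc4b82"  # trustee id from the post

# Constructed request bodies: the first carries the trustor id; the second
# is what the client would send if its user_id attribute resolved to None.
GOOD_BODY = {"trustor_user_id": DEMO_USER_ID,
             "trustee_user_id": ADMIN_USER_ID, "impersonation": True}
BAD_BODY = {"trustor_user_id": None,
            "trustee_user_id": ADMIN_USER_ID, "impersonation": True}

if __name__ == "__main__":
    print(create_trust_allowed(GOOD_BODY, DEMO_USER_ID))  # True
    print(create_trust_allowed(BAD_BODY, DEMO_USER_ID))   # False -> HTTP 403
```

A cheap check before calling trusts.create is to assert that the ids passed in are not None; with a session-based client, `sess.get_user_id(auth=trustor_auth)` (assumption: available in the keystoneclient release in use) returns the id the plugin authenticated as.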