[openstack-dev] [keystone] policy issues when generating trusts with different clients

michael mccune msm at redhat.com
Mon Aug 3 23:11:34 UTC 2015


hi all,

i am doing some work to change sahara to make greater use of 
keystoneclient.session.Session objects and i am running into a strange 
error when issuing the trusts.

the crux of this issue is that when i create Client objects by passing 
all the parameters directly to the client, the trust is created as 
normal. But if i create a Password based auth plugin object, using the 
same parameters, and then instantiate a Client by using the auth and a 
Session object, then i fail to create the trust with an error about not 
having sufficient permission.

i have put together a few python repl samples to show what is happening; 
these are also available on github[1].

the following code shows how we've been doing this: using the generic 
Client object, we authenticate with the named parameters.

     >>> from keystoneclient.v3 import client
     >>> trustor = client.Client(
             auth_url='http://192.168.122.2:5000/v3',
             username='demo',
             password='openstack',
             project_name='demo',
             user_domain_name='Default',
             project_domain_name='Default')
     >>> trustee = client.Client(
             auth_url='http://192.168.122.2:5000/v3',
             username='admin',
             password='openstack',
             project_name='admin',
             user_domain_name='Default',
             project_domain_name='Default')
     >>> trustor.trusts.create(
             trustor_user=trustor.user_id,
             trustee_user=trustee.user_id,
             project=trustor.project_id,
             role_names=['Member'],
             impersonation=True,
             expires_at=None)
     <Trust deleted_at=None, expires_at=None, 
id=ac0d8f3b9e7443c2bdb0f855c2a3b9b5, impersonation=True, links={u'self': 
u'http://192.168.122.2:35357/v3/OS-TRUST/trusts/ac0d8f3b9e7443c2bdb0f855c2a3b9b5'}, 
project_id=416290f342e04a34acccafe79bb399c7, redelegation_count=0, 
remaining_uses=None, roles=[{u'id': u'433c86b705ef4656b90514ea5401469e', 
u'links': {u'self': 
u'http://192.168.122.2:35357/v3/roles/433c86b705ef4656b90514ea5401469e'}, u'name': 
u'Member'}], roles_links={u'self': 
u'http://192.168.122.2:35357/v3/OS-TRUST/trusts/ac0d8f3b9e7443c2bdb0f855c2a3b9b5/roles', 
u'next': None, u'previous': None}, 
trustee_user_id=cf45da134c76460e89b5837e07cc4b82, 
trustor_user_id=863b972dbbfd44b7bbde1b988e2b5098>

the trust is created with no issues.

next, i try to create a Client using a Session and a Password auth 
plugin object.

     >>> from keystoneclient.auth.identity import v3
     >>> from keystoneclient import session
     >>> sess = session.Session()
     >>> trustor_auth = v3.Password(
             auth_url='http://192.168.122.2:5000/v3',
             username='demo',
             password='openstack',
             project_name='demo',
             user_domain_name='Default',
             project_domain_name='Default')
     >>> trustee_auth = v3.Password(
             auth_url='http://192.168.122.2:5000/v3',
             username='admin',
             password='openstack',
             project_name='admin',
             user_domain_name='Default',
             project_domain_name='Default')
     >>> trustor = client.Client(session=sess, auth=trustor_auth)
     >>> trustee = client.Client(session=sess, auth=trustee_auth)
     >>> trustor.trusts.create(
             trustor_user=trustor.user_id,
             trustee_user=trustee.user_id,
             project=trustor.project_id,
             role_names=['Member'],
             impersonation=True,
             expires_at=None)
     Traceback (most recent call last):
       File "<stdin>", line 1, in <module>
       File "/home/mike/.venvs/openstack/lib/python2.7/site-packages/keystoneclient/v3/contrib/trusts.py", line 76, in create
         **kwargs)
       File "/home/mike/.venvs/openstack/lib/python2.7/site-packages/keystoneclient/base.py", line 73, in func
         return f(*args, **new_kwargs)
       File "/home/mike/.venvs/openstack/lib/python2.7/site-packages/keystoneclient/base.py", line 333, in create
         self.key)
       File "/home/mike/.venvs/openstack/lib/python2.7/site-packages/keystoneclient/base.py", line 151, in _create
         return self._post(url, body, response_key, return_raw, **kwargs)
       File "/home/mike/.venvs/openstack/lib/python2.7/site-packages/keystoneclient/base.py", line 165, in _post
         resp, body = self.client.post(url, body=body, **kwargs)
       File "/home/mike/.venvs/openstack/lib/python2.7/site-packages/keystoneclient/adapter.py", line 176, in post
         return self.request(url, 'POST', **kwargs)
       File "/home/mike/.venvs/openstack/lib/python2.7/site-packages/keystoneclient/adapter.py", line 206, in request
         resp = super(LegacyJsonAdapter, self).request(*args, **kwargs)
       File "/home/mike/.venvs/openstack/lib/python2.7/site-packages/keystoneclient/adapter.py", line 95, in request
         return self.session.request(url, method, **kwargs)
       File "/home/mike/.venvs/openstack/lib/python2.7/site-packages/keystoneclient/utils.py", line 336, in inner
         return func(*args, **kwargs)
       File "/home/mike/.venvs/openstack/lib/python2.7/site-packages/keystoneclient/session.py", line 397, in request
         raise exceptions.from_response(resp, method, url)
     keystoneclient.openstack.common.apiclient.exceptions.Forbidden: You are not authorized to perform the requested action: identity:create_trust (Disable debug mode to suppress these details.) (HTTP 403) (Request-ID: req-c67aee46-2baf-4bc3-9bd5-b82ff31057a7)

this time, not so much...

the same authentication parameters are used as for the previous Client 
method, but this time i am denied the trust based on the authorization.

i am wondering if i have done something wrong when creating the Session 
based Client, or is this an issue with keystone treating the users 
differently depending on the client type, or perhaps something is going 
on with the policy stuff within keystone?

thanks for taking a look,
mike

[1]: https://gist.github.com/elmiko/d3df44f6910660f680b6
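
Added example, not part of the post above and not keystone's or keystoneclient's own code. The 403 names the policy action `identity:create_trust`; keystone's default `policy.json` entry for that action is `"user_id:%(trust.trustor_user_id)s"`, i.e. the user_id in the caller's token must equal the `trustor_user_id` in the trust being created. The block below evaluates that rule locally with a simplified stand-in for oslo.policy's generic check, and adds a pre-flight that refuses to build a trust body when any of the ids is unresolved, which is the failure a client hits when `user_id` or `project_id` on a Client object is `None`. The post does not show the request body the session-based Client actually sent, so that None case is an assumption used for illustration; the ids are the ones from the successful trust in the post, and the body shape approximates what `trusts.create()` sends.

```python
import re

# keystone's default policy.json entry for creating a trust (Kilo/Liberty era):
# the user_id in the caller's token must equal trust.trustor_user_id in the request.
CREATE_TRUST_RULE = "user_id:%(trust.trustor_user_id)s"

# ids taken from the trust shown in the post (demo user, admin user, demo project)
TRUSTOR_USER_ID = "863b972dbbfd44b7bbde1b988e2b5098"
TRUSTEE_USER_ID = "cf45da134c76460e89b5837e07cc4b82"
PROJECT_ID = "416290f342e04a34acccafe79bb399c7"

# generic check syntax: <credential key>:%(<dotted key into the target>)s
_GENERIC_CHECK = re.compile(r"^(?P<key>[\w.]+):%\((?P<target>[\w.]+)\)s$")


def lookup(mapping, dotted_key):
    """Resolve 'trust.trustor_user_id' against {'trust': {'trustor_user_id': ...}}."""
    value = mapping
    for part in dotted_key.split("."):
        if not isinstance(value, dict):
            return None
        value = value.get(part)
    return value


def evaluate_generic_check(rule, creds, target):
    """Simplified stand-in for oslo.policy's GenericCheck (not keystone's code).

    Passes only when the credential value and the target value both exist and
    are equal, so an unresolved (None) trustor id fails exactly like a
    mismatched one does."""
    match = _GENERIC_CHECK.match(rule)
    if match is None:
        raise ValueError("unsupported rule syntax: %r" % rule)
    expected = lookup(target, match.group("target"))
    actual = creds.get(match.group("key"))
    return expected is not None and actual is not None and actual == expected


def build_trust_body(trustor_user_id, trustee_user_id, project_id,
                     role_names, impersonation=True, expires_at=None):
    """Approximate the JSON body trusts.create() sends, refusing to build it when
    any id is unresolved so a request with trustor_user_id=None is never sent."""
    ids = {"trustor_user_id": trustor_user_id,
           "trustee_user_id": trustee_user_id,
           "project_id": project_id}
    missing = sorted(name for name, value in ids.items() if not value)
    if missing:
        raise ValueError("unresolved ids, refusing to send: %s" % ", ".join(missing))
    return {"trust": {
        "trustor_user_id": trustor_user_id,
        "trustee_user_id": trustee_user_id,
        "project_id": project_id,
        "impersonation": impersonation,
        "expires_at": expires_at,
        "roles": [{"name": name} for name in role_names],
    }}


def preflight_create_trust(token_user_id, body):
    """Evaluate identity:create_trust locally before calling keystone.
    True when the token's user is the trustor named in the body, else False."""
    return evaluate_generic_check(CREATE_TRUST_RULE, {"user_id": token_user_id}, body)


if __name__ == "__main__":
    body = build_trust_body(TRUSTOR_USER_ID, TRUSTEE_USER_ID, PROJECT_ID, ["Member"])
    # demo's token, demo as trustor: allowed
    print(preflight_create_trust(TRUSTOR_USER_ID, body))        # True
    # admin's token naming demo as trustor: denied, the 403 seen above
    print(preflight_create_trust(TRUSTEE_USER_ID, body))        # False
    # a body whose trustor id was never resolved is denied as well
    print(preflight_create_trust(TRUSTOR_USER_ID, {"trust": {"trustor_user_id": None}}))  # False
```

When working from a Session plus auth plugin, keystoneclient's `Session` exposes `get_user_id(auth=...)` and `get_project_id(auth=...)`, which resolve the ids through the plugin itself; feeding those into a check like `build_trust_body()` makes an unresolved id fail loudly on the client side instead of surfacing as a generic policy 403 from keystone.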



More information about the OpenStack-dev mailing list