[openstack-dev] [keystone] policy issues when generating trusts with different clients
Steve Martinelli
stevemar at ca.ibm.com
Wed Aug 5 06:34:56 UTC 2015
I think this is happening because the last "session" created was based off
of trustee_auth. Try creating 2 sessions, one for each user (trustor and
trustee). Maybe Jamie will chime in.
Thanks,
Steve Martinelli
OpenStack Keystone Core
michael mccune <msm at redhat.com> wrote on 2015/08/03 07:11:34 PM:
> From: michael mccune <msm at redhat.com>
> To: "OpenStack Development Mailing List (not for usage questions)"
> <openstack-dev at lists.openstack.org>
> Date: 2015/08/03 07:12 PM
> Subject: [openstack-dev] [keystone] policy issues when generating
> trusts with different clients
>
> hi all,
>
> i am doing some work to change sahara to make greater use of
> keystoneclient.session.Session objects and i am running into a strange
> error when issuing the trusts.
>
> the crux of this issue is that when i create Client objects by passing
> all the parameters directly to the client, the trust is created as
> normal. But, if i create a Password based auth plugin object, using the
> same parameters, and then instantiate a Client by using the auth and a
> Session object, then i fail to create the trust with an error about not
> having sufficient permission.
>
> i have put together a few python repl samples to show what is happening,
> these are also available on github[1].
>
> the following code shows how we've been doing this, using the generic
> Client object we authenticate using the named parameters.
>
> >>> from keystoneclient.v3 import client
> >>> trustor = client.Client(
>     auth_url='http://192.168.122.2:5000/v3',
>     username='demo',
>     password='openstack',
>     project_name='demo',
>     user_domain_name='Default',
>     project_domain_name='Default')
> >>> trustee = client.Client(
>     auth_url='http://192.168.122.2:5000/v3',
>     username='admin',
>     password='openstack',
>     project_name='admin',
>     user_domain_name='Default',
>     project_domain_name='Default')
> >>> trustor.trusts.create(
>     trustor_user=trustor.user_id,
>     trustee_user=trustee.user_id,
>     project=trustor.project_id,
>     role_names=['Member'],
>     impersonation=True,
>     expires_at=None)
> <Trust deleted_at=None, expires_at=None, id=ac0d8f3b9e7443c2bdb0f855c2a3b9b5, impersonation=True,
> links={u'self': u'http://192.168.122.2:35357/v3/OS-TRUST/trusts/ac0d8f3b9e7443c2bdb0f855c2a3b9b5'},
> project_id=416290f342e04a34acccafe79bb399c7, redelegation_count=0, remaining_uses=None,
> roles=[{u'id': u'433c86b705ef4656b90514ea5401469e', u'links': {u'self': u'http://192.168.122.2:35357/v3/roles/433c86b705ef4656b90514ea5401469e'}, u'name': u'Member'}],
> roles_links={u'self': u'http://192.168.122.2:35357/v3/OS-TRUST/trusts/ac0d8f3b9e7443c2bdb0f855c2a3b9b5/roles', u'next': None, u'previous': None},
> trustee_user_id=cf45da134c76460e89b5837e07cc4b82, trustor_user_id=863b972dbbfd44b7bbde1b988e2b5098>
>
> the trust is created with no issues.
>
> next, i try to create a Client using a Session and a Password auth
> plugin object.
>
> >>> from keystoneclient.auth.identity import v3
> >>> from keystoneclient import session
> >>> sess = session.Session()
> >>> trustor_auth = v3.Password(
>     auth_url='http://192.168.122.2:5000/v3',
>     username='demo',
>     password='openstack',
>     project_name='demo',
>     user_domain_name='Default',
>     project_domain_name='Default')
> >>> trustee_auth = v3.Password(
>     auth_url='http://192.168.122.2:5000/v3',
>     username='admin',
>     password='openstack',
>     project_name='admin',
>     user_domain_name='Default',
>     project_domain_name='Default')
> >>> trustor = client.Client(session=sess, auth=trustor_auth)
> >>> trustee = client.Client(session=sess, auth=trustee_auth)
> >>> trustor.trusts.create(
>     trustor_user=trustor.user_id,
>     trustee_user=trustee.user_id,
>     project=trustor.project_id,
>     role_names=['Member'],
>     impersonation=True,
>     expires_at=None)
> Traceback (most recent call last):
>   File "<stdin>", line 1, in <module>
>   File "/home/mike/.venvs/openstack/lib/python2.7/site-packages/keystoneclient/v3/contrib/trusts.py", line 76, in create
>     **kwargs)
>   File "/home/mike/.venvs/openstack/lib/python2.7/site-packages/keystoneclient/base.py", line 73, in func
>     return f(*args, **new_kwargs)
>   File "/home/mike/.venvs/openstack/lib/python2.7/site-packages/keystoneclient/base.py", line 333, in create
>     self.key)
>   File "/home/mike/.venvs/openstack/lib/python2.7/site-packages/keystoneclient/base.py", line 151, in _create
>     return self._post(url, body, response_key, return_raw, **kwargs)
>   File "/home/mike/.venvs/openstack/lib/python2.7/site-packages/keystoneclient/base.py", line 165, in _post
>     resp, body = self.client.post(url, body=body, **kwargs)
>   File "/home/mike/.venvs/openstack/lib/python2.7/site-packages/keystoneclient/adapter.py", line 176, in post
>     return self.request(url, 'POST', **kwargs)
>   File "/home/mike/.venvs/openstack/lib/python2.7/site-packages/keystoneclient/adapter.py", line 206, in request
>     resp = super(LegacyJsonAdapter, self).request(*args, **kwargs)
>   File "/home/mike/.venvs/openstack/lib/python2.7/site-packages/keystoneclient/adapter.py", line 95, in request
>     return self.session.request(url, method, **kwargs)
>   File "/home/mike/.venvs/openstack/lib/python2.7/site-packages/keystoneclient/utils.py", line 336, in inner
>     return func(*args, **kwargs)
>   File "/home/mike/.venvs/openstack/lib/python2.7/site-packages/keystoneclient/session.py", line 397, in request
>     raise exceptions.from_response(resp, method, url)
> keystoneclient.openstack.common.apiclient.exceptions.Forbidden: You are not authorized to perform the requested action: identity:create_trust (Disable debug mode to suppress these details.) (HTTP 403) (Request-ID: req-c67aee46-2baf-4bc3-9bd5-b82ff31057a7)
>
> this time, not so much...
>
> the same authentication parameters are used as for the previous Client
> method but this time i am denied the trust based on the authorization.
>
> i am wondering if i have done something wrong when creating the Session
> based Client, or is this an issue with keystone treating the users
> differently depending on the client type, or perhaps something is going
> on with the policy stuff within keystone?
>
> thanks for taking a look,
> mike
>
> [1]: https://gist.github.com/elmiko/d3df44f6910660f680b6
>
>
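The shared-Session explanation in the reply, modelled as an added example that is not code from the thread or from keystoneclient: Session, Password and Client below are constructed stand-ins that reproduce only the hypothesised behaviour (the last Client built on a shared Session replaces that Session's auth plugin). The policy check assumes keystone's default identity:create_trust rule, which compares the requesting token's user_id with the trustor_user_id in the request; with one shared Session the model returns the same 403 as the quoted traceback, with one Session per plugin the trust is created.

```python
# Added illustration, not keystoneclient code: stand-ins for Session, the
# Password plugin and Client that model only the behaviour hypothesised in
# the reply (building a second Client on a shared Session replaces that
# Session's auth plugin). The policy rule is assumed to be keystone's default:
#   "identity:create_trust": "user_id:%(trust.trustor_user_id)s"
USERS = {"demo": "demo-user-id", "admin": "admin-user-id"}  # constructed ids

class Password:
    """Stand-in auth plugin: knows which user its token belongs to."""
    def __init__(self, username):
        self.user_id = USERS[username]

class Session:
    """Stand-in session: every request is sent with self.auth's token."""
    def __init__(self):
        self.auth = None

class Client:
    def __init__(self, session, auth):
        self.session, self.auth = session, auth
        session.auth = auth  # modelled: the last Client built on a Session wins

    @property
    def user_id(self):
        return self.auth.user_id  # answers with its own plugin's identity...

    def create_trust(self, trustor_user, trustee_user):
        # ...but the request carries the token of whatever the Session holds.
        return create_trust_policy(self.session.auth.user_id,
                                   trustor_user, trustee_user)

def create_trust_policy(token_user_id, trustor_user_id, trustee_user_id):
    """Evaluate the assumed default rule; return the trust or raise a 403."""
    if token_user_id != trustor_user_id:
        raise PermissionError("403 identity:create_trust: token user %s is not "
                              "trustor %s" % (token_user_id, trustor_user_id))
    return {"trustor_user_id": trustor_user_id, "trustee_user_id": trustee_user_id}

def build_trust(shared_session):
    """Create the demo->admin trust with one shared Session or one per plugin."""
    sess = Session()
    trustor = Client(sess if shared_session else Session(), Password("demo"))
    trustee = Client(sess if shared_session else Session(), Password("admin"))
    try:
        return trustor.create_trust(trustor.user_id, trustee.user_id)
    except PermissionError as exc:
        return str(exc)
```

The check that matters before any real trusts.create call is the one the model makes explicit: the user_id passed as trustor must be the identity the request will actually be authenticated as.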