[openstack-dev] what permission is required to create a Keystone trust

Alexander Makarov amakarov at mirantis.com
Thu Sep 1 14:21:23 UTC 2016


Hi, Matt!

The issue is most probably in the absence of roles being trusted, which 
are required to create a trust.



On 01.09.2016 06:54, Matt Jia wrote:
> Hi,
>
> I am experimenting with the Keystone Trusts feature with a script which 
> creates a trust between two users.
>
> import keystoneclient.v3 as keystoneclient
> #import swiftclient.client as swiftclient
>
>
> auth_url_v3 = 'http://xxxt.com:5000/v3/'
>
>
> demo = keystoneclient.Client(auth_url=auth_url_v3,
>                              username='demo',
>                              password='openstack',
>                              project='demo')
> import pdb; pdb.set_trace()
> alt_demo = keystoneclient.Client(auth_url=auth_url_v3,
>                                  username='alt_demo',
>                                  password='openstack',
>                                  project='alt_demo')
>
> trust = demo.trusts.create(trustor_user=demo.user_id,
>                            trustee_user=alt_demo.user_id,
>                            project=demo.tenant_id)
>
> When I run this script, I get this error:
>
> Traceback (most recent call last):
>   File "test_os_trust_1.py", line 20, in <module>
>     project=demo.tenant_id)
>   File "/usr/lib/python2.7/site-packages/keystoneclient/v3/contrib/trusts.py", line 75, in create
>     **kwargs)
>   File "/usr/lib/python2.7/site-packages/keystoneclient/base.py", line 72, in func
>     return f(*args, **new_kwargs)
>   File "/usr/lib/python2.7/site-packages/keystoneclient/base.py", line 328, in create
>     self.key)
>   File "/usr/lib/python2.7/site-packages/keystoneclient/base.py", line 151, in _create
>     return self._post(url, body, response_key, return_raw, **kwargs)
>   File "/usr/lib/python2.7/site-packages/keystoneclient/base.py", line 165, in _post
>     resp, body = self.client.post(url, body=body, **kwargs)
>   File "/usr/lib/python2.7/site-packages/keystoneclient/httpclient.py", line 635, in post
>     return self._cs_request(url, 'POST', **kwargs)
>   File "/usr/lib/python2.7/site-packages/keystoneclient/httpclient.py", line 621, in _cs_request
>     return self.request(url, method, **kwargs)
>   File "/usr/lib/python2.7/site-packages/keystoneclient/httpclient.py", line 596, in request
>     resp = super(HTTPClient, self).request(url, method, **kwargs)
>   File "/usr/lib/python2.7/site-packages/keystoneclient/baseclient.py", line 21, in request
>     return self.session.request(url, method, **kwargs)
>   File "/usr/lib/python2.7/site-packages/keystoneclient/utils.py", line 318, in inner
>     return func(*args, **kwargs)
>   File "/usr/lib/python2.7/site-packages/keystoneclient/session.py", line 354, in request
>     raise exceptions.from_response(resp, method, url)
> keystoneclient.openstack.common.apiclient.exceptions.Forbidden: You are not authorized to perform the requested action. (HTTP 403) (Request-ID: req-6898b073-d467-4f2a-acc0-c4c0ca15970a)
>
> Can anyone explain what sort of permission is required for the demo 
> user to create a trust?
>
> Cheers, Matt
>
>

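Added example, not part of the thread and not Keystone's or keystoneclient's own code: an offline pre-flight check for a trust request that names the roles to delegate, the point made in the reply above, together with the body sent to POST /v3/OS-TRUST/trusts. The function names and sample IDs are hypothetical, and the two checks marked "assumed" are assumptions about Keystone's server-side rules.

```python
# Added example: offline pre-flight check for a Keystone v3 trust request.
# Function names and sample IDs are hypothetical and constructed.
from datetime import datetime, timedelta, timezone


def preflight_trust(token_user_id, trustor_roles, trustor_user_id,
                    project_id, role_names):
    """Return reasons the trust request would likely be refused (403)."""
    problems = []
    # Assumed rule: only the trustor may create a trust on its own behalf.
    if token_user_id != trustor_user_id:
        problems.append("token user is not the trustor")
    if project_id is None:
        return problems  # no project, so no roles are delegated
    # The reply's point: a project-scoped trust must name roles to delegate.
    if not role_names:
        problems.append("no roles delegated for the project")
    # Assumed rule: the trustor can only delegate roles it holds itself.
    missing = sorted(set(role_names or []) - set(trustor_roles))
    if missing:
        problems.append("trustor lacks roles: " + ", ".join(missing))
    return problems


def build_trust_body(trustor_user_id, trustee_user_id, project_id,
                     role_names, lifetime_hours=1, impersonation=False):
    """Build the JSON body for POST /v3/OS-TRUST/trusts."""
    # Least privilege: short expiry and no impersonation unless requested.
    expires = datetime.now(timezone.utc) + timedelta(hours=lifetime_hours)
    return {"trust": {
        "trustor_user_id": trustor_user_id,
        "trustee_user_id": trustee_user_id,
        "project_id": project_id,
        "impersonation": impersonation,
        "roles": [{"name": name} for name in role_names],
        "expires_at": expires.strftime("%Y-%m-%dT%H:%M:%S.%fZ"),
    }}


# Constructed sample values, not taken from the thread.
DEMO, ALT_DEMO, PROJECT = "demo-user-id", "alt-demo-user-id", "demo-project-id"
DEMO_ROLES = ["Member"]

if __name__ == "__main__":
    for roles in (None, ["admin"], ["Member"]):
        issues = preflight_trust(DEMO, DEMO_ROLES, DEMO, PROJECT, roles)
        print(roles, "->",
              issues or build_trust_body(DEMO, ALT_DEMO, PROJECT, roles))
```

With python-keystoneclient the same delegation is expressed by passing `role_names=[...]` to `trusts.create()`.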