[heystone][nova][cinder] netapp queens trust scoped token

Lance Bragstad lbragstad at gmail.com
Mon Jan 21 14:34:08 UTC 2019


Yes, they were originally implemented during the Queens release [0].

[0]
http://specs.openstack.org/openstack/keystone-specs/specs/keystone/queens/application-credentials.html

On Sat, Jan 19, 2019 at 1:45 AM Ignazio Cassano <ignaziocassano at gmail.com>
wrote:

> Hello Lance, application credential are also supported in queens?
> Thanks
> Ignazio
>
>
> Il giorno Ven 18 Gen 2019 16:04 Lance Bragstad <lbragstad at gmail.com> ha
> scritto:
>
>>
>>
>> On Fri, Jan 18, 2019 at 6:49 AM Ignazio Cassano <ignaziocassano at gmail.com>
>> wrote:
>>
>>> Hello Everyone,
>>> I am using a client for backupping openstack virtual machine.
>>> The crux of the problem is the client uses trust based authentication
>>> for scheduling backup jobs on behalf of user.  When a trust scoped token is
>>> passed to cinder client to take a snapshot, I expect the client use the
>>> token to authenticate and perform the operation which cinder client does.
>>> However cinder volume service invokes novaclient as part of cinder nfs
>>> backend snapshot operation and novaclient tries to re-authenticate. Since
>>> keystone does not allow re-authentication using trust based tokens, cinder
>>> snapshot operation fails.
>>>
>>>
>> Keystone allows authorization by allowing users to scope tokens to
>> trusts, but once a trust-token is scoped, it can't be rescoped. Instead,
>> keystone requires that you build another authentication request for a new
>> trust-scoped token using the trust [0][1].
>>
>> [0]
>> https://developer.openstack.org/api-ref/identity/v3-ext/index.html?expanded=consuming-a-trust-detail#id121
>> [1]
>> https://git.openstack.org/cgit/openstack/keystone/tree/keystone/auth/plugins/token.py#n84
>>
>>
>>> So I get the following error:
>>>
>>> 2018-12-12 04:07:14.759 2859 ERROR cinder.volume.drivers. remotefs [req-61d977c1-eef3-4309-ac02-aaa0eb880925
>>> ab1bdb5dadc54312891f3a6410fef04d 6d1bffb04e3b4cdda30dc17aa96bfffc - default
>>> default] Call to Nova to create snapshot failed: Forbidden: You are not
>>> authorized to perform the requested action: Using trust-scoped token to
>>> create another token. Create a new trust-scoped token instead. (HTTP 403)
>>> (Request-ID: req-f55b682a-001b-4952-bfb1-abf4dd6bf459)
>>>
>>>  >  2018-12-12 04:07:14.759 2859 ERROR cinder.volume.drivers. remotefs Traceback
>>> (most recent call last):
>>>
>>>  >  2018-12-12 04:07:14.759 2859 ERROR cinder.volume.drivers. remotefs
>>> File "/usr/lib/python2.7/site-packages/cinder/volume/drivers/ remotefs.py",
>>> line 1452, in _create_snapshot_online
>>>
>>>  >  2018-12-12 04:07:14.759 2859 ERROR cinder.volume.drivers. remotefs
>>>   connection_info)
>>>
>>>  >  2018-12-12 04:07:14.759 2859 ERROR cinder.volume.drivers. remotefs
>>> File "/usr/lib/python2.7/site-packages/cinder/compute/nova.py", line 188,
>>> in create_volume_snapshot
>>>
>>>  >  2018-12-12 04:07:14.759 2859 ERROR cinder.volume.drivers. remotefs
>>>   create_info=create_info)
>>>
>>>  >  2018-12-12 04:07:14.759 2859 ERROR cinder.volume.drivers. remotefs
>>> File
>>> "/usr/lib/python2.7/site-packages/novaclient/v2/assisted_volume_snapshots.py",
>>> line 43, in create
>>>
>>>  >  2018-12-12 04:07:14.759 2859 ERROR cinder.volume.drivers. remotefs
>>>   return self._create('/os-assisted-volume-snapshots', body, 'snapshot')
>>>
>>>  >  2018-12-12 04:07:14.759 2859 ERROR cinder.volume.drivers. remotefs
>>> File "/usr/lib/python2.7/site-packages/novaclient/base.py", line 361, in
>>> _create
>>>
>>>  >  2018-12-12 04:07:14.759 2859 ERROR cinder.volume.drivers. remotefs
>>>   resp, body = self.api.client.post(url, body=body)
>>>
>>>  >  2018-12-12 04:07:14.759 2859 ERROR cinder.volume.drivers. remotefs
>>> File "/usr/lib/python2.7/site-packages/keystoneauth1/adapter.py", line 310,
>>> in post
>>>
>>>  >  2018-12-12 04:07:14.759 2859 ERROR cinder.volume.drivers. remotefs
>>>   return self.request(url, 'POST', **kwargs)
>>>
>>>
>>> My cinder volume are non netapp fas8040 via nfs.
>>>
>>> Anyone can help me ?
>>>
>>
>> There is another feature in keystone that sounds like a better fit for
>> what you're trying to do, called application credentials [2]. Application
>> credentials were written as a way for users to grant authorization to
>> services and scripts (e.g., the scipt asking cinder for a snapshot in your
>> case.)
>>
>> Application credentials aren't tokens, but your scripts can use them to
>> authenticate for a token [3]. The keystoneauth library already supports
>> application credentials, so if you use that for building a session you
>> should be able to use it in other clients that already support keystoneauth
>> [4].
>>
>> [2]
>> https://docs.openstack.org/keystone/latest/user/application_credentials.html
>> [3]
>> https://docs.openstack.org/keystone/latest/user/application_credentials.html#using-application-credentials
>> [4]
>> https://docs.openstack.org/keystoneauth/latest/authentication-plugins.html#application-credentials
>>
>>>
>>> Regards
>>>
>>> Ignazio
>>>
>>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-discuss/attachments/20190121/5c62a930/attachment.html>


More information about the openstack-discuss mailing list