[Openstack] creating trust failing

Steven Hardy shardy at redhat.com
Fri Jul 11 19:33:46 UTC 2014


On Thu, Jul 10, 2014 at 04:48:02PM +0100, Michael Hearn wrote:
>    Want to use Trusts but when creating I am being told I do not have the
>    correct authorization e.g
>    You are not authorized to perform the requested action.", "code": 403,
>    "title": "Forbidden
> 
>    Distro: Icehouse
>    Token: scoped at project level, and using admin user/pass
>    Policy File Rule: (opened it up) "identity:create_trust": ""
>    Keystone.conf: trust enabled
>    Command (quoting of the headers and the JSON body restored so the
>    command runs as written):
>    curl -s -H "X-Auth-Token: $TOKEN" -H "Content-Type: application/json" -d '{
>      "trust": {
>        "expires_at": "2014-12-30T23:59:59.999999Z",
>        "impersonation": false,
>        "project_id": "470de03ce1e84009936151a91de19044",
>        "roles": [
>          { "name": "399c7033b0944fcbb471b474f5625c22" }
>        ],
>        "trustee_user_id": "7d59da760f844f7fbf31f7a5b8f6b9e2",
>        "trustor_user_id": "4b132cedccb145a182f996225dde6af6"
>      }
>    }' http://xxxxxxxxxxxx:5000/v3/OS-TRUST/trusts
> 
>    Keystone log file suggests the policy rule is fine but the endpoint access
>    is being denied on the PUT. Get on /V3/OS-TRUST/trusts is not denied.
>    2014-07-10 10:23:51.506 17888 DEBUG keystone.openstack.common.policy [-]
>    Rule identity:create_trust will be now enforced enforce
>    /usr/lib/python2.6/site-packages/keystone/openstack/common/policy.py:258
>    2014-07-10 10:23:51.506 17888 DEBUG keystone.common.controller [-] RBAC:
>    Authorization granted inner
>    /usr/lib/python2.6/site-packages/keystone/common/controller.py:151
>    2014-07-10 10:23:51.514 17888 WARNING keystone.common.wsgi [-] You are not
>    authorized to perform the requested action.
>    2014-07-10 10:23:51.515 17888 INFO eventlet.wsgi.server [-] - -
>    [10/Jul/2014 10:23:51] "POST /v3/OS-TRUST/trusts HTTP/1.1" 403 252
>    0.020884
> 
>    Any suggestions what is amiss?

There are some hard-coded checks in the trusts code (in addition to what is
in the policy), so it's likely you're hitting one of those:

https://github.com/openstack/keystone/blob/master/keystone/trust/controllers.py#L142

From your description, it sounds like the most likely thing is you're
creating the trust with credentials of someone other than the trustor user?

E.g., is 4b132cedccb145a182f996225dde6af6 the ID of the admin user whose
credentials you are using?

Note that you don't need to be admin to create a trust, but you can only
create a trust as the trustor user (even with the admin role, you can't
create a trust between two third parties).

Hope that helps.

Steve
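Added illustration (not Keystone's own code): a Python model of the two-stage authorization the reply describes, the policy rule followed by the controller's hard-coded trustor check, run against the request body from the thread. The second admin user ID and the returned trust ID are assumed placeholders.

```python
import json


class Forbidden(Exception):
    """Stands in for the HTTP 403 the POST /v3/OS-TRUST/trusts call returned."""


def policy_allows(rule_value):
    """Policy stage. Only the opened-up rule from the thread,
    "identity:create_trust": "", is modelled: an empty rule always passes."""
    return rule_value == ""


def create_trust(token, body, create_trust_rule=""):
    """Emulate the checks a trust creation goes through, in order.

    token: dict with the caller's user_id and roles (constructed here).
    body:  the JSON string sent with curl -d.
    Raises Forbidden at the first failing check, like Keystone's 403.
    """
    trust = json.loads(body)["trust"]
    # 1. policy.json rule; with the rule opened up this is granted, matching
    #    the "RBAC: Authorization granted" debug line in the Keystone log.
    if not policy_allows(create_trust_rule):
        raise Forbidden("policy identity:create_trust denied")
    # 2. hard-coded check in the trust controller: the caller must be the
    #    trustor. token["roles"] is deliberately not consulted: the admin
    #    role does not let you create a trust between two third parties.
    if trust["trustor_user_id"] != token["user_id"]:
        raise Forbidden("You are not authorized to perform the requested action.")
    return {"id": "TRUST_ID_PLACEHOLDER", **trust}  # assumed response shape


# Constructed request reusing the IDs from the thread's curl body.
REQUEST_BODY = json.dumps({"trust": {
    "expires_at": "2014-12-30T23:59:59.999999Z",
    "impersonation": False,
    "project_id": "470de03ce1e84009936151a91de19044",
    "roles": [{"name": "399c7033b0944fcbb471b474f5625c22"}],
    "trustee_user_id": "7d59da760f844f7fbf31f7a5b8f6b9e2",
    "trustor_user_id": "4b132cedccb145a182f996225dde6af6",
}})
TRUSTOR_ID = "4b132cedccb145a182f996225dde6af6"
OTHER_ADMIN_ID = "0" * 32  # assumed: an admin user who is not the trustor


def diagnose(token, body):
    """Return a short verdict so the two outcomes can be told apart."""
    try:
        create_trust(token, body)
        return "created"
    except Forbidden as exc:
        return "403: " + str(exc)
```

Running `diagnose` with a token belonging to `OTHER_ADMIN_ID` reproduces the 403 from the thread, while the same body submitted with the trustor's own token (admin role or not) succeeds.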
