
[openstack-dev] what permission is required to create a Keystone trust

0 votes

Hi,

I am experimenting with the Keystone Trusts feature with a script which creates
a trust between two users.

import keystoneclient.v3 as keystoneclient
import swiftclient.client as swiftclient

authurlv3 = 'http://xxxt.com:5000/v3/'

demo = keystoneclient.Client(auth_url=authurlv3,
                             username='demo',
                             password='openstack',
                             project='demo')
import pdb; pdb.set_trace()
altdemo = keystoneclient.Client(auth_url=authurlv3,
                                username='altdemo',
                                password='openstack',
                                project='alt_demo')

trust = demo.trusts.create(trustor_user=demo.user_id,
                           trustee_user=altdemo.user_id,
                           project=demo.tenant_id)

When I run this script, I get this error:

Traceback (most recent call last):
  File "testostrust1.py", line 20, in <module>
    project=demo.tenant_id)
  File "/usr/lib/python2.7/site-packages/keystoneclient/v3/contrib/trusts.py", line 75, in create
    **kwargs)
  File "/usr/lib/python2.7/site-packages/keystoneclient/base.py", line 72, in func
    return f(*args, **new_kwargs)
  File "/usr/lib/python2.7/site-packages/keystoneclient/base.py", line 328, in create
    self.key)
  File "/usr/lib/python2.7/site-packages/keystoneclient/base.py", line 151, in _create
    return self._post(url, body, response_key, return_raw, **kwargs)
  File "/usr/lib/python2.7/site-packages/keystoneclient/base.py", line 165, in _post
    resp, body = self.client.post(url, body=body, **kwargs)
  File "/usr/lib/python2.7/site-packages/keystoneclient/httpclient.py", line 635, in post
    return self._cs_request(url, 'POST', **kwargs)
  File "/usr/lib/python2.7/site-packages/keystoneclient/httpclient.py", line 621, in _cs_request
    return self.request(url, method, **kwargs)
  File "/usr/lib/python2.7/site-packages/keystoneclient/httpclient.py", line 596, in request
    resp = super(HTTPClient, self).request(url, method, **kwargs)
  File "/usr/lib/python2.7/site-packages/keystoneclient/baseclient.py", line 21, in request
    return self.session.request(url, method, **kwargs)
  File "/usr/lib/python2.7/site-packages/keystoneclient/utils.py", line 318, in inner
    return func(*args, **kwargs)
  File "/usr/lib/python2.7/site-packages/keystoneclient/session.py", line 354, in request
    raise exceptions.from_response(resp, method, url)
keystoneclient.openstack.common.apiclient.exceptions.Forbidden: You are not authorized to perform the requested action. (HTTP 403) (Request-ID: req-6898b073-d467-4f2a-acc0-c4c0ca15970a)

Can anyone explain what sort of permission is required for the demo user to
create a trust?

Cheers, Matt


OpenStack Development Mailing List (not for usage questions)
Unsubscribe: OpenStack-dev-request@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
asked Sep 1, 2016 in openstack-dev by Matt_Jia (160 points)  
retagged Jan 26, 2017 by admin

3 Responses

0 votes

On Thu, Sep 1, 2016 at 5:54 AM, Matt Jia <mjia@redhat.com> wrote:
> Hi,
>
> I am experimenting with the Keystone Trusts feature with a script which creates a
> trust between two users.
>
> import keystoneclient.v3 as keystoneclient
> import swiftclient.client as swiftclient
>
> authurlv3 = 'http://xxxt.com:5000/v3/'
>
> demo = keystoneclient.Client(auth_url=authurlv3,
>                              username='demo',
>                              password='openstack',
>                              project='demo')
> import pdb; pdb.set_trace()
> altdemo = keystoneclient.Client(auth_url=authurlv3,
>                                 username='altdemo',
>                                 password='openstack',
>                                 project='alt_demo')
>
> trust = demo.trusts.create(trustor_user=demo.user_id,
>                            trustee_user=altdemo.user_id,
>                            project=demo.tenant_id)

I believe you need to at least specify one role to be able to create a
trust. You can't delegate all of the user's roles if you pass in a project.

--
Thomas


responded Sep 1, 2016 by therve_at_redhat.com (2,620 points)   1 2
0 votes

Hi, Matt!

The issue is most probably in the absence of roles being trusted, which
are required to create a trust.

responded Sep 1, 2016 by Alexander_V_Makarov (900 points)   1 2
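
Both replies above give the same cause: the request names a project but delegates no role. As an added example (not code from the thread or from keystoneclient), the following builds the Keystone v3 `POST /v3/OS-TRUST/trusts` body and rejects a request that names no role, or a role the trustor does not hold on the project; `build_trust_body`, `TrustRequestError` and the sample IDs and role names are hypothetical.

```python
# Added example: pre-flight check and request body for a Keystone v3 trust.
import json


class TrustRequestError(ValueError):
    """Raised when a trust request would delegate nothing or too much."""


def build_trust_body(trustor_id, trustee_id, project_id, role_names,
                     trustor_roles, impersonation=False, expires_at=None):
    """Return the JSON body for POST /v3/OS-TRUST/trusts.

    trustor_roles: role names the trustor holds on project_id (constructed
    input here; in practice read from the trustor's role assignments).
    """
    wanted = list(dict.fromkeys(role_names or []))  # de-duplicate, keep order
    if project_id and not wanted:
        # The case in the thread: a project is given but no role is named.
        raise TrustRequestError("at least one role must be delegated")
    held = set(trustor_roles)
    missing = [r for r in wanted if r not in held]
    if missing:
        # A trustor can only delegate roles it actually holds.
        raise TrustRequestError("trustor does not hold: " + ", ".join(missing))
    trust = {
        "trustor_user_id": trustor_id,
        "trustee_user_id": trustee_id,
        "project_id": project_id,
        "impersonation": impersonation,
        "roles": [{"name": r} for r in wanted],  # only the named subset
    }
    if expires_at is not None:
        trust["expires_at"] = expires_at  # ISO 8601 timestamp string
    return {"trust": trust}


if __name__ == "__main__":
    # Constructed IDs and role names, for illustration only.
    body = build_trust_body("demo-user-id", "alt-demo-user-id",
                            "demo-project-id", ["Member"],
                            trustor_roles=["Member", "anotherrole"])
    print(json.dumps(body, indent=2))
```

With python-keystoneclient the same delegation is expressed by passing `role_names=[...]` to `trusts.create()` alongside `trustor_user`, `trustee_user` and `project`.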
0 votes

Yes, thanks.


responded Sep 9, 2016 by Matt_Jia (160 points)  