No, I just checked it. Nova receives the trust token and raises this error.

In my script, I see:
http://paste.openstack.org/show/171452/

And as you can see, the token from the trust differs from the direct user's token.

On Wed, Feb 11, 2015 at 7:55 PM, Adam Young <ayo...@redhat.com> wrote:

> On 02/11/2015 10:52 AM, Nikolay Makhotkin wrote:
>
> > Hi !
> >
> > I investigated trust's use cases and encountered the problem: When I use
> > auth_token obtained from keystoneclient using trust, I get *403*
> > Forbidden error: *You are not authorized to perform the requested
> > action.*
> >
> > Steps to reproduce:
> >
> > - Import v3 keystoneclient (used keystone and keystoneclient from
> >   master, tried also to use stable/icehouse)
> > - Import v3 novaclient
> > - initialize the keystoneclient:
> >
> >     keystone = keystoneclient.Client(username=username, password=password,
> >                                      tenant_name=tenant_name, auth_url=auth_url)
> >
> > - create a trust:
> >
> >     trust = keystone.trusts.create(
> >         keystone.user_id,
> >         keystone.user_id,
> >         impersonation=True,
> >         role_names=['admin'],
> >         project=keystone.project_id
> >     )
> >
> > - initialize new keystoneclient:
> >
> >     client_from_trust = keystoneclient.Client(
> >         username=username, password=password,
> >         trust_id=trust.id, auth_url=auth_url,
> >     )
> >
> > - create nova client using new token from new client:
> >
> >     nova = novaclient.Client(
> >         auth_token=client_from_trust.auth_token,
> >         auth_url=auth_url_v2,
> >         project_id=client_from_trust.project_id,
> >         service_type='compute',
> >         username=None,
> >         api_key=None
> >     )
> >
> > - do a simple request to nova:
> >
> >     nova.servers.list()
> >
> > - get the error described above.
> >
> > Maybe I misunderstood something, but what is wrong? I supposed I could just
> > work with nova as if it was initialized using a direct token.
>
> From what you wrote here it should work, but since Heat has been doing
> stuff like this for a while, I'm pretty sure it is your setup and not a
> fundamental problem.
>
> I'd take a look at what is going back and forth on the wire and make sure
> the right token is being sent to Nova. If it is the original user's token
> and not the trust token, then you would see that error.
>
> > --
> > Best Regards,
> > Nikolay
> >
> > __________________________________________________________________________
> > OpenStack Development Mailing List (not for usage questions)
> > Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
> > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

--
Best Regards,
Nikolay
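The check suggested in the thread (confirm that the token in play is the trust token and not the user's direct token) can be done on the token body Keystone returned when the token was issued. This is an added example, not code from the thread or from OpenStack; it assumes the Keystone v3 token body layout, where a trust-scoped token carries an `OS-TRUST:trust` section, and the function names and sample bodies are constructed for illustration.

```python
# Added example: decide whether a Keystone v3 token body is the expected
# trust-scoped token. All IDs and names below are constructed placeholders.

def describe_token(body):
    """Summarise the fields of a v3 token body that matter for trust debugging."""
    tok = body["token"]
    trust = tok.get("OS-TRUST:trust")  # present only on trust-scoped tokens
    return {
        "trust_id": trust["id"] if trust else None,
        "impersonation": trust.get("impersonation") if trust else None,
        "user_id": tok["user"]["id"],
        "project_id": tok.get("project", {}).get("id"),
        "roles": sorted(r["name"] for r in tok.get("roles", [])),
    }

def trust_token_problems(body, trust_id, project_id, role_names):
    """Return the reasons why this token is not the expected trust token."""
    info = describe_token(body)
    problems = []
    if info["trust_id"] is None:
        problems.append("no OS-TRUST:trust section: this is a direct user token")
    elif info["trust_id"] != trust_id:
        problems.append("token belongs to a different trust")
    if info["project_id"] != project_id:
        problems.append("token is not scoped to the trust's project")
    missing = sorted(set(role_names) - set(info["roles"]))
    if missing:
        problems.append("missing delegated roles: " + ", ".join(missing))
    return problems

# Constructed sample bodies: a direct project-scoped token and a trust token.
DIRECT = {"token": {"user": {"id": "user-1"}, "project": {"id": "proj-1"},
                    "roles": [{"name": "admin"}, {"name": "_member_"}]}}
TRUSTED = {"token": {"user": {"id": "user-1"}, "project": {"id": "proj-1"},
                     "roles": [{"name": "admin"}],
                     "OS-TRUST:trust": {"id": "trust-1", "impersonation": True,
                                        "trustor_user": {"id": "user-1"},
                                        "trustee_user": {"id": "user-1"}}}}

if __name__ == "__main__":
    for name, body in (("direct", DIRECT), ("trust", TRUSTED)):
        print(name, trust_token_problems(body, "trust-1", "proj-1", ["admin"]))
```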