yahoo-eng-team team mailing list archive

Thread
Date

[Bug 1213340] Re: v3 token requests always 401 with scope OS-TRUST:trust

To: yahoo-eng-team@xxxxxxxxxxxxxxxxxxx
From: Steven Hardy <shardy@xxxxxxxxxx>
Date: Mon, 19 Aug 2013 10:56:21 -0000
Reply-to: Bug 1213340 <1213340@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

Ok, looks like this is invalid, curl examples posted here work OK:

http://lists.openstack.org/pipermail/openstack-
dev/2013-August/013837.html

So my issues have been due to a combination of:

- Confusion between project/tenant terminology leading to a project/tenant mismatch in my test code
- Trying to create a trust with the admin user which doesn't have a tenantId
- Trying to use a trust created with an empty roles list

On the last point, it's interesting to note that, as mentioned in the
docs:

"A project_id may not be specified without at least one role, and vice
versa."

https://github.com/openstack/identity-api/blob/master/openstack-
identity-api/v3/src/markdown/identity-api-v3-os-trust-ext.md

However it appears it is possible to create a trust specifying a
project_id with an empty roles list.  Trying to consume that trust will
always fail with 401, which IMHO is a lot less obvious than just failing
at trust-creation time - surely creating the trust is pointless since it
can never be consumed?

Anyway, maybe a bug to be discussed on the comment above, but this can
be closed invalid - thanks!

** Changed in: keystone
       Status: New => Invalid

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1213340

Title:
  v3 token requests always 401 with scope OS-TRUST:trust

Status in OpenStack Identity (Keystone):
  Invalid

Bug description:
  Whenever a request to get a token contains the OS-TRUST:trust scope,
  the request always returns a 401 response.

  The exact same request without the OS-TRUST:trust scope always works.

  Attempting to consume a trust as per:

  https://github.com/openstack/identity-api/blob/master/openstack-
  identity-api/v3/src/markdown/identity-api-v3-os-trust-
  ext.md#consuming-a-trust-with-post-authtokens

  I've tried with methods:['token'] and methods:['password'] and the
  results are the same, whenever the request contains a trust id in the
  scope section, the request gets 401'd

  The token case can be reproduced as described in bug #1212778 (which
  returns 401 with the proposed patch fixing the 500 error)

  The username/password can be reproduced with the reproducer attached.

  In both cases you need the keystone client patch from
  https://review.openstack.org/#/c/39899/ to add the trusts interfaces.

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1213340/+subscriptions