yahoo-eng-team team mailing list archive
Message #14778
[Bug 1324023] [NEW] Can't create trusts on projects, and can't consume trusts on domains
Public bug reported:
When trying to create a trust on a project, I always get a "forbidden"
error. When creating a trust on a domain, the trust is created
successfully but then I get this error when trying to use it:
"Expecting to find id or name in project. The server could not comply
with the request since it is either malformed or otherwise incorrect.
The client is assumed to be in error."
To recreate:
1) Create a domain called dom1:
curl -X POST -H "X-Auth-Token:$MYTOKEN" -H "Content-type:application/json" http://localhost:35357/v3/domains -d '{"domain": {"name": "dom1", "enabled": true}}'
2) Create a user called dom1admin:
curl -X POST -H "X-Auth-Token:$MYTOKEN" -H "Content-type:application/json" http://localhost:35357/v3/users -d '{"user": {"name": "dom1admin", "password": "dom1admin", "domain_id": "53f39ebfa9b44f4ab2543a151ac29d3f", "enabled": true}}'
3) Give dom1admin the "admin" role on the domain:
curl -X PUT -H "X-Auth-Token:$MYTOKEN" http://localhost:35357/v3/domains/53f39ebfa9b44f4ab2543a151ac29d3f/users/09d1e1931f564952abb7a4f515a28f35/roles/d43cb0756e2848ee800bbd5d90e207d1
4) With a token of dom1admin, create a project called dom1proj1:
curl -X POST -H "X-Auth-Token:$TOKEN" -H "Content-type:application/json" http://localhost:35357/v3/projects -d '{"project": {"name": "dom1proj1", "domain_id": "53f39ebfa9b44f4ab2543a151ac29d3f", "enabled": true}}'
5) Create a user called dom1proj1admin:
curl -X POST -H "X-Auth-Token:$TOKEN" -H "Content-type:application/json" http://localhost:35357/v3/users -d '{"user": {"name": "dom1proj1admin", "password": "dom1proj1admin", "domain_id": "53f39ebfa9b44f4ab2543a151ac29d3f", "enabled": true}}'
6) Grant admin rights to dom1proj1admin:
curl -X PUT -H "X-Auth-Token:$MYTOKEN" http://localhost:35357/v3/projects/8ec21ac3aa2c4d0f961ea3df6e77514a/users/308402875e10487dbf59941b20abc84c/roles/d43cb0756e2848ee800bbd5d90e207d1
7) Repeat steps 4-6 to create dom1proj2, dom1proj2admin, and role
granting.
8) With a token of dom1proj1admin, create a trust to give admin rights to dom1proj2admin:
curl -X POST -H "X-Auth-Token:$TOKEN" -H "Content-type:application/json" http://localhost:35357/v3/OS-TRUST/trusts -d '{"trust": {"expires_at": "2015-02-27T18:30:59.999999Z", "impersonation": true, "project_id": "8ec21ac3aa2c4d0f961ea3df6e77514a", "role": [{"name": "admin"}], "trustee_user_id": "3e919ca95be540ffb3e132be5fc367f2", "trustor_user_id": "308402875e10487dbf59941b20abc84c"}}'
You get:
{
    "error": {
        "code": 403,
        "message": "You are not authorized to perform the requested action.",
        "title": "Forbidden"
    }
}
I tried different rules in the policy file but couldn't get this to
work.
9) With a token of dom1admin, give a trust on the domain to user dom1proj1admin:
curl -X POST -H "X-Auth-Token:$TOKEN" -H "Content-type:application/json" http://localhost:35357/v3/OS-TRUST/trusts -d '{"trust": {"expires_at": "2015-02-27T18:30:59.999999Z", "impersonation": true, "domain_id": "3e919ca95be540ffb3e132be5fc367f2", "role": [{"name": "admin"}], "trustee_user_id": "3e919ca95be540ffb3e132be5fc367f2", "trustor_user_id": "09d1e1931f564952abb7a4f515a28f35"}}'
Trust is created:
{
    "trust": {
        "domain_id": "3e919ca95be540ffb3e132be5fc367f2",
        "expires_at": "2015-02-27T18:30:59.999999Z",
        "id": "6c6b7e4067d64df2acb9a9e33579fbc9",
        "impersonation": true,
        "links": {
            "self": "http://localhost:35357/v3/OS-TRUST/trusts/6c6b7e4067d64df2acb9a9e33579fbc9"
        },
        "project_id": null,
        "remaining_uses": null,
        "role": [
            {
                "name": "admin"
            }
        ],
        "roles": [],
        "roles_links": {
            "next": null,
            "previous": null,
            "self": "http://localhost:35357/v3/OS-TRUST/trusts/6c6b7e4067d64df2acb9a9e33579fbc9/roles"
        },
        "trustee_user_id": "3e919ca95be540ffb3e132be5fc367f2",
        "trustor_user_id": "09d1e1931f564952abb7a4f515a28f35"
    }
}
10) With a token of dom1proj1admin, try to consume the trust:
{
    "auth": {
        "identity": {
            "methods": [
                "token"
            ],
            "token": {
                "id": "$TOKEN2"
            }
        },
        "scope": {
            "OS-TRUST:trust": {
                "id": "6c6b7e4067d64df2acb9a9e33579fbc9"
            }
        }
    }
}
You get:
{"error": {"message": "Expecting to find id or name in project. The server could not comply with the request since it is either malformed or otherwise incorrect. The client is assumed to be in error.", "code": 400, "title": "Bad Request"}}
** Affects: keystone
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1324023
Title:
Can't create trusts on projects, and can't consume trusts on domains
Status in OpenStack Identity (Keystone):
New
To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1324023/+subscriptions
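
Added example, not part of the original bug report and not Keystone's own code: a pre-flight check run over the trust request bodies from steps 8 and 9. It flags attributes outside the trust attribute set, a missing roles list and a missing project scope, the last two being what the step 9 response shows as "roles": [] and "project_id": null. The names lint_trust_request and TRUST_FIELDS are hypothetical; the attribute set and the caller check are assumptions stated in the comments.

```python
import json

# Assumption: attributes a trust create request may carry (Keystone v3
# OS-TRUST API); each one also appears in the step 9 response on this page.
TRUST_FIELDS = {"trustor_user_id", "trustee_user_id", "project_id",
                "impersonation", "roles", "expires_at", "remaining_uses"}

# Request bodies copied from steps 8 and 9 of the report.
STEP8 = ('{"trust": {"expires_at": "2015-02-27T18:30:59.999999Z", '
         '"impersonation": true, '
         '"project_id": "8ec21ac3aa2c4d0f961ea3df6e77514a", '
         '"role": [{"name": "admin"}], '
         '"trustee_user_id": "3e919ca95be540ffb3e132be5fc367f2", '
         '"trustor_user_id": "308402875e10487dbf59941b20abc84c"}}')
STEP9 = ('{"trust": {"expires_at": "2015-02-27T18:30:59.999999Z", '
         '"impersonation": true, '
         '"domain_id": "3e919ca95be540ffb3e132be5fc367f2", '
         '"role": [{"name": "admin"}], '
         '"trustee_user_id": "3e919ca95be540ffb3e132be5fc367f2", '
         '"trustor_user_id": "09d1e1931f564952abb7a4f515a28f35"}}')


def lint_trust_request(body, caller_user_id=None):
    """Return findings for a POST /v3/OS-TRUST/trusts body (hypothetical helper)."""
    doc = json.loads(body)
    trust = doc.get("trust") if isinstance(doc, dict) else None
    if not isinstance(trust, dict):
        return ["body has no 'trust' object"]
    findings = [f"unrecognized attribute '{k}'"
                for k in sorted(set(trust) - TRUST_FIELDS)]
    roles = trust.get("roles")
    if not isinstance(roles, list) or not roles:
        findings.append("no 'roles' list: the trust would delegate no roles")
    elif not all(isinstance(r, dict) and (r.get("id") or r.get("name"))
                 for r in roles):
        findings.append("every 'roles' entry needs an id or a name")
    if not trust.get("project_id"):
        findings.append("no 'project_id': the trust carries no project scope")
    # Assumption: the trustor is expected to be the user making the request.
    if caller_user_id and trust.get("trustor_user_id") != caller_user_id:
        findings.append("trustor_user_id is not the calling user")
    return findings


if __name__ == "__main__":
    for name, body in (("step 8", STEP8), ("step 9", STEP9)):
        for finding in lint_trust_request(body):
            print(f"{name}: {finding}")
```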