yahoo-eng-team team mailing list archive

[Bug 1324023] [NEW] Can't create trusts on projects, and can't consume trusts on domains

 

Public bug reported:

When trying to create a trust on a project, I always get a "forbidden"
error. When creating a trust on a domain, the trust is created
successfully but then I get this error when trying to use it:

"Expecting to find id or name in project. The server could not comply
with the request since it is either malformed or otherwise incorrect.
The client is assumed to be in error."

To recreate:
1) Create a domain called dom1:
curl -X POST -H "X-Auth-Token:$MYTOKEN" -H "Content-type:application/json" http://localhost:35357/v3/domains -d '{"domain": {"name": "dom1", "enabled": true}}'

2) Create a user called dom1admin:
curl -X POST -H "X-Auth-Token:$MYTOKEN" -H "Content-type:application/json" http://localhost:35357/v3/users -d '{"user": {"name": "dom1admin", "password": "dom1admin", "domain_id": "53f39ebfa9b44f4ab2543a151ac29d3f", "enabled": true}}'

3) Give dom1admin the "admin" role on the domain:
curl -X PUT -H "X-Auth-Token:$MYTOKEN" http://localhost:35357/v3/domains/53f39ebfa9b44f4ab2543a151ac29d3f/users/09d1e1931f564952abb7a4f515a28f35/roles/d43cb0756e2848ee800bbd5d90e207d1

4) With a token of dom1admin, create a project called dom1proj1:
 curl -X POST -H "X-Auth-Token:$TOKEN" -H "Content-type:application/json" http://localhost:35357/v3/projects -d '{"project": {"name": "dom1proj1", "domain_id": "53f39ebfa9b44f4ab2543a151ac29d3f", "enabled": true}}'

5) Create a user called dom1proj1admin:
curl -X POST -H "X-Auth-Token:$TOKEN" -H "Content-type:application/json" http://localhost:35357/v3/users -d '{"user": {"name": "dom1proj1admin", "password": "dom1proj1admin", "domain_id": "53f39ebfa9b44f4ab2543a151ac29d3f", "enabled": true}}'

6) Grant admin rights to dom1proj1admin:
curl -X PUT -H "X-Auth-Token:$MYTOKEN" http://localhost:35357/v3/projects/8ec21ac3aa2c4d0f961ea3df6e77514a/users/308402875e10487dbf59941b20abc84c/roles/d43cb0756e2848ee800bbd5d90e207d1

7) Repeat steps 4-6 to create dom1proj2, dom1proj2admin, and role
granting.

8) With a token of dom1proj1admin, create a trust to give admin rights to dom1proj2admin:
curl -X POST -H "X-Auth-Token:$TOKEN" -H "Content-type:application/json" http://localhost:35357/v3/OS-TRUST/trusts -d '{"trust": {"expires_at": "2015-02-27T18:30:59.999999Z", "impersonation": true, "project_id": "8ec21ac3aa2c4d0f961ea3df6e77514a", "role": [{"name": "admin"}], "trustee_user_id": "3e919ca95be540ffb3e132be5fc367f2", "trustor_user_id": "308402875e10487dbf59941b20abc84c"}}'

You get:
{
    "error": {
        "code": 403,
        "message": "You are not authorized to perform the requested action.",
        "title": "Forbidden"
    }
}

I tried different rules in the policy file but couldn't get this to
work.

9) With a token of dom1admin, give a trust on the domain to user dom1proj1admin:
curl -X POST -H "X-Auth-Token:$TOKEN" -H "Content-type:application/json" http://localhost:35357/v3/OS-TRUST/trusts -d '{"trust": {"expires_at": "2015-02-27T18:30:59.999999Z", "impersonation": true, "domain_id": "3e919ca95be540ffb3e132be5fc367f2", "role": [{"name": "admin"}], "trustee_user_id": "3e919ca95be540ffb3e132be5fc367f2", "trustor_user_id": "09d1e1931f564952abb7a4f515a28f35"}}'

Trust is created:
{
    "trust": {
        "domain_id": "3e919ca95be540ffb3e132be5fc367f2",
        "expires_at": "2015-02-27T18:30:59.999999Z",
        "id": "6c6b7e4067d64df2acb9a9e33579fbc9",
        "impersonation": true,
        "links": {
            "self": "http://localhost:35357/v3/OS-TRUST/trusts/6c6b7e4067d64df2acb9a9e33579fbc9"
        },
        "project_id": null,
        "remaining_uses": null,
        "role": [
            {
                "name": "admin"
            }
        ],
        "roles": [],
        "roles_links": {
            "next": null,
            "previous": null,
            "self": "http://localhost:35357/v3/OS-TRUST/trusts/6c6b7e4067d64df2acb9a9e33579fbc9/roles"
        },
        "trustee_user_id": "3e919ca95be540ffb3e132be5fc367f2",
        "trustor_user_id": "09d1e1931f564952abb7a4f515a28f35"
    }
}

10) With a token of dom1proj1admin, try to consume the trust:
{
    "auth": {
        "identity": {
            "methods": [
                "token"
            ],
            "token": {
                "id": "$TOKEN2"
            }
        },
        "scope": {
            "OS-TRUST:trust": {
                "id": "6c6b7e4067d64df2acb9a9e33579fbc9"
            }
        }
    }
}

You get:
{"error": {"message": "Expecting to find id or name in project. The server could not comply with the request since it is either malformed or otherwise incorrect. The client is assumed to be in error.", "code": 400, "title": "Bad Request"}}

** Affects: keystone
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1324023

Title:
  Can't create trusts on projects, and can't consume trusts on domains

Status in OpenStack Identity (Keystone):
  New

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1324023/+subscriptions
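
A pre-flight check for trust-create request bodies, run on the two bodies posted in steps 8 and 9 above. This is an added example, not part of the bug report and not Keystone code. The attribute set and the two rules it applies are assumptions taken from the Keystone v3 OS-TRUST API documentation and default policy; `lint_trust` is a hypothetical helper name.

```python
# Added example: lint a POST /v3/OS-TRUST/trusts body before sending it.
# Assumption (Keystone v3 OS-TRUST API docs, not the bug report): these are
# the attributes a trust-create request is expected to carry.
KNOWN_KEYS = {"expires_at", "impersonation", "project_id", "roles",
              "remaining_uses", "trustee_user_id", "trustor_user_id"}
ID_FIELDS = ("project_id", "domain_id", "trustee_user_id", "trustor_user_id")


def lint_trust(trust, token_user_id):
    """Return findings for one trust body; token_user_id is the caller's id."""
    findings = [f"unknown attribute '{k}'"
                for k in sorted(set(trust) - KNOWN_KEYS)]
    # Assumption from the same docs: project_id and roles go together.
    if bool(trust.get("project_id")) != bool(trust.get("roles")):
        findings.append("'project_id' and 'roles' must be given together")
    # Assumption: default policy lets a user create trusts only as trustor.
    if trust.get("trustor_user_id") != token_user_id:
        findings.append("'trustor_user_id' is not the token's user")
    # An identifier pasted into two different fields is usually a mistake.
    seen = {}
    for field in ID_FIELDS:
        value = trust.get(field)
        if value is None:
            continue
        if value in seen:
            findings.append(f"'{field}' repeats the value of '{seen[value]}'")
        seen.setdefault(value, field)
    return findings


COMMON = {"expires_at": "2015-02-27T18:30:59.999999Z", "impersonation": True,
          "role": [{"name": "admin"}],
          "trustee_user_id": "3e919ca95be540ffb3e132be5fc367f2"}
# Trust bodies as posted in steps 8 and 9 of the report.
STEP8 = dict(COMMON, project_id="8ec21ac3aa2c4d0f961ea3df6e77514a",
             trustor_user_id="308402875e10487dbf59941b20abc84c")
STEP9 = dict(COMMON, domain_id="3e919ca95be540ffb3e132be5fc367f2",
             trustor_user_id="09d1e1931f564952abb7a4f515a28f35")

if __name__ == "__main__":
    # Each request was sent with the trustor's own token, per the report.
    for name, body in (("step 8", STEP8), ("step 9", STEP9)):
        for finding in lint_trust(body, body["trustor_user_id"]):
            print(f"{name}: {finding}")
```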

