Castellan doesn't support trust-scoped token for barbican

Bug #1827047 reported by Vladislav Kuzmin
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
castellan | Fix Released | Undecided | Unassigned |

Bug Description

When I tried to run Heat tests with `reauthentication_auth_method = trusts`, some tests failed and I can see the following in nova-compute.log:

castellan.key_manager.barbican_key_manager [req-dbe35d07-d2e1-4fe9-9a80-b999665efb72 a918ad5bad3847b89ea761f4d507083f b7f3181dfc864554bd2fbd20a4223d4e - default default] Error creating Barbican client: You are not authorized to perform the requested action: Using trust-scoped token to create another token. Create a new trust-scoped token instead. (HTTP 403) (Request-ID: req-774770c4-7650-48db-ba78-01ffc0efc3bd): Forbidden: You are not authorized to perform the requested action: Using trust-scoped token to create another token. Create a new trust-scoped token instead. (HTTP 403) (Request-ID: req-774770c4-7650-48db-ba78-01ffc0efc3bd)
2019-04-15 10:05:22,438.438 6405 ERROR cursive.signature_utils [req-dbe35d07-d2e1-4fe9-9a80-b999665efb72 a918ad5bad3847b89ea761f4d507083f b7f3181dfc864554bd2fbd20a4223d4e - default default] Unable to retrieve certificate with ID b50bfd20-2757-4e19-8081-dee15d8fc56f: Key manager error: You are not authorized to perform the requested action: Using trust-scoped token to create another token. Create a new trust-scoped token instead. (HTTP 403) (Request-ID: req-774770c4-7650-48db-ba78-01ffc0efc3bd): KeyManagerError: Key manager error: You are not authorized to perform the requested action: Using trust-scoped token to create another token. Create a new trust-scoped token instead. (HTTP 403) (Request-ID: req-774770c4-7650-48db-ba78-01ffc0efc3bd)

As far as I can see, castellan tried to create a new token using the trust-scoped token for the barbican client, but this is not allowed.

OpenStack Infra (hudson-openstack) wrote : Fix merged to castellan (master)

Reviewed: https://review.opendev.org/662830
Committed: https://git.openstack.org/cgit/openstack/castellan/commit/?id=5d936763380b9d97df409de2d33b3e9b98d61a94
Submitter: Zuul
Branch: master

commit 5d936763380b9d97df409de2d33b3e9b98d61a94
Author: Vladislav Kuzmin <email address hidden>
Date: Tue Jun 4 17:09:58 2019 +0400

    Reuse existing token from RequestContext

    When castellan tries to recreate a trust-scoped token
    from RequestContext, keystone throws an exception
    because it's not allowed.
    Starting from this commit, castellan tries to
    reuse the existing token constructed from RequestContext
    if get_auth_plugin() is available.

    Change-Id: I10a12b9a2a7f796eca37dd20a280d3a4015a6903
    Closes-Bug: #1827047
    Depends-On: https://review.opendev.org/#/c/664558/

Changed in castellan:
status: New → Fix Released
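
A minimal model of the behaviour the commit message above describes, added here as an illustration; it is not castellan, keystone or oslo.context code. StubKeystone, StubPlugin, StubContext and token_for_key_manager are hypothetical names, and only get_auth_plugin() is taken from the page.

```python
"""Constructed model: reuse a context's token instead of re-authenticating."""
import itertools


class Forbidden(Exception):
    """Stand-in for the HTTP 403 shown in the log."""


class StubKeystone:
    """Models one rule only: a trust-scoped token cannot mint another token."""

    def __init__(self):
        self._tokens = {}              # token id -> trust_scoped flag
        self._ids = itertools.count(1)

    def issue(self, trust_scoped):
        token = "tok-%d" % next(self._ids)
        self._tokens[token] = trust_scoped
        return token

    def token_from_token(self, token):
        if self._tokens[token]:
            raise Forbidden("Using trust-scoped token to create another token.")
        return self.issue(trust_scoped=False)


class StubPlugin:
    """Auth plugin that hands back the token already held by the context."""

    def __init__(self, token):
        self._token = token

    def get_token(self):
        return self._token


class StubContext:
    """Request context; get_auth_plugin() exists only when with_plugin=True."""

    def __init__(self, token, with_plugin):
        self.auth_token = token
        if with_plugin:
            self.get_auth_plugin = lambda: StubPlugin(token)


def token_for_key_manager(context, keystone):
    """Reuse the context's token if a plugin is available, else re-authenticate."""
    get_plugin = getattr(context, "get_auth_plugin", None)
    if callable(get_plugin):
        return get_plugin().get_token()  # no new token is requested
    return keystone.token_from_token(context.auth_token)  # 403 for trust scope
```
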
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/castellan 1.4.0

This issue was fixed in the openstack/castellan 1.4.0 release.

OpenStack Infra (hudson-openstack) wrote : Fix proposed to castellan (stable/train)

Fix proposed to branch: stable/train
Review: https://review.opendev.org/702263

OpenStack Infra (hudson-openstack) wrote : Fix merged to castellan (stable/train)

Reviewed: https://review.opendev.org/702263
Committed: https://git.openstack.org/cgit/openstack/castellan/commit/?id=193b4a2cc3c6b65b531b95e6b8b8b7c604ca7b77
Submitter: Zuul
Branch: stable/train

commit 193b4a2cc3c6b65b531b95e6b8b8b7c604ca7b77
Author: Vladislav Kuzmin <email address hidden>
Date: Tue Jun 4 17:09:58 2019 +0400

    Reuse existing token from RequestContext

    When castellan tries to recreate a trust-scoped token
    from RequestContext, keystone throws an exception
    because it's not allowed.
    Starting from this commit, castellan tries to
    reuse the existing token constructed from RequestContext
    if get_auth_plugin() is available.

    Change-Id: I10a12b9a2a7f796eca37dd20a280d3a4015a6903
    Closes-Bug: #1827047
    Depends-On: https://review.opendev.org/#/c/664558/
    (cherry picked from commit 5d936763380b9d97df409de2d33b3e9b98d61a94)

tags: added: in-stable-train