When keystone trusts are disabled (CONF.trusts.enabled is False in keystone.conf), https://github.com/openstack/heat/blob/a41b5cf5eb2fcb3ab999c2eaee0838d5ca10f6e6/heat/engine/clients/os/keystone/heat_keystoneclient.py#L223 results in an HTTP 400 response. This is wrong, because there is nothing wrong with the request that was made (whereas 400 indicates caller error). Also, the reason message is inappropriate and unhelpful to the caller. And nothing useful is logged in heat's logs, which made this a real pain to debug.
The caller needs a response code/reason that indicates there is an issue with the service so that they go bug their operator to look into it, not waste time trying to figure out what is wrong with their request. And the operator needs something useful logged so they can distinguish this from other possible errors.
Note: it doesn't appear that HTTP 400 would be appropriate for any of the possible reasons for getting to the line of code referenced above, so having trusts disabled in keystone is but one way to hit this issue. Another configuration issue that might hit this line is if the trustee user does not exist, though this was not tested. All reasons for hitting this line should be analyzed and the appropriate error and logging may differ between them.
Found in Pike.
Yeah, HTTP 400 response is not correct in both the below cases
1. When trusts are disabled in keystone
2. trustee user does not exist.
The fact that keystone returns a 404 NotFound() in all these cases including that when the user does not have required 'trusts_
Probably the assumption earlier had been that if you've deferred_
I think change[3] tried to make the error more clear when the user does not have the required roles. However, it hides the other reasons for 404 from keystone.
Now that we inherit all roles when creating a trust context by default[4], we can probably
revert[3] rather than creating different errors for the user based on the error message from keystone.
[1] https:/
[2] https:/
[3] https:/
[4] https:/