v3 token requests always 401 with scope OS-TRUST:trust

Bug #1213340 reported by Steven Hardy on 2013-08-17
This bug affects 1 person
Affects: OpenStack Identity (keystone)
Importance: Undecided
Assigned to: Unassigned

Bug Description

Whenever a request to get a token contains the OS-TRUST:trust scope, the request always returns a 401 response.

The exact same request without the OS-TRUST:trust scope always works.

Attempting to consume a trust as per:

https://github.com/openstack/identity-api/blob/master/openstack-identity-api/v3/src/markdown/identity-api-v3-os-trust-ext.md#consuming-a-trust-with-post-authtokens

I've tried with methods:['token'] and methods:['password'] and the results are the same: whenever the request contains a trust id in the scope section, the request gets 401'd.

The token case can be reproduced as described in bug #1212778 (which returns 401 with the proposed patch fixing the 500 error)

The username/password can be reproduced with the reproducer attached.

In both cases you need the keystone client patch from https://review.openstack.org/#/c/39899/ to add the trusts interfaces.

Steven Hardy (shardy) wrote :

Ok, looks like this is invalid, curl examples posted here work OK:

http://lists.openstack.org/pipermail/openstack-dev/2013-August/013837.html

So my issues have been due to a combination of:

- Confusion between project/tenant terminology leading to a project/tenant mismatch in my test code
- Trying to create a trust with the admin user which doesn't have a tenantId
- Trying to use a trust created with an empty roles list

On the last point, it's interesting to note that, as mentioned in the docs:

"A project_id may not be specified without at least one role, and vice versa."

https://github.com/openstack/identity-api/blob/master/openstack-identity-api/v3/src/markdown/identity-api-v3-os-trust-ext.md

However it appears it is possible to create a trust specifying a project_id with an empty roles list. Trying to consume that trust will always fail with 401, which IMHO is a lot less obvious than just failing at trust-creation time - surely creating the trust is pointless since it can never be consumed?

Anyway, maybe a bug to be discussed on the comment above, but this can be closed invalid - thanks!

Changed in keystone:
status: New → Invalid
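
The comment above traces the 401 to a trust created with a project_id and an empty roles list. The following is an added example, not code from the report or from Keystone: a client-side pre-flight check that rejects such a trust request before it is sent, plus the trust-scoped token request body. The function names and sample IDs are hypothetical; the JSON layout follows the Identity API v3 OS-TRUST extension linked above.

```python
# Added example: client-side pre-flight checks for OS-TRUST requests.
# Function names and sample IDs are hypothetical (not Keystone's own code).


def check_trust_request(body):
    """Return a list of problems in a POST /v3/OS-TRUST/trusts body."""
    trust = body.get("trust", {})
    problems = []
    for field in ("trustor_user_id", "trustee_user_id"):
        if not trust.get(field):
            problems.append("missing " + field)
    has_project = bool(trust.get("project_id"))
    roles = trust.get("roles") or []
    # Each role reference needs an id or a name to be resolvable.
    if any(not (r.get("id") or r.get("name")) for r in roles):
        problems.append("role entries need an id or a name")
    # Documented rule: project_id and roles must be given together.
    if has_project and not roles:
        problems.append("project_id given with an empty roles list")
    if roles and not has_project:
        problems.append("roles given without a project_id")
    return problems


def trust_scoped_auth(token_id, trust_id):
    """Build the POST /v3/auth/tokens body that consumes a trust."""
    if not trust_id:
        raise ValueError("trust_id is required")
    return {"auth": {
        "identity": {"methods": ["token"], "token": {"id": token_id}},
        "scope": {"OS-TRUST:trust": {"id": trust_id}},
    }}


# Constructed sample input, not taken from the bug report.
SAMPLE_BAD = {"trust": {"trustor_user_id": "u-trustor",
                        "trustee_user_id": "u-trustee",
                        "project_id": "p-demo",
                        "impersonation": False,
                        "roles": []}}
SAMPLE_OK = {"trust": dict(SAMPLE_BAD["trust"], roles=[{"name": "Member"}])}

if __name__ == "__main__":
    print(check_trust_request(SAMPLE_BAD))   # flags the empty roles list
    print(check_trust_request(SAMPLE_OK))    # no problems
    print(trust_scoped_auth("TOKEN-PLACEHOLDER", "TRUST-PLACEHOLDER"))
```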