v3 token requests always 401 with scope OS-TRUST:trust

Bug #1213340 reported by Steven Hardy on 2013-08-17
Affects Status Importance Assigned to Milestone
OpenStack Identity (keystone)

Bug Description

Whenever a request to get a token contains the OS-TRUST:trust scope, the request always returns a 401 response.

The exact same request without the OS-TRUST:trust scope always works.

Attempting to consume a trust as per:


I've tried with methods:['token'] and methods:['password'] and the results are the same: whenever the request contains a trust id in the scope section, the request gets 401'd.

The token case can be reproduced as described in bug #1212778 (which returns 401 with the proposed patch fixing the 500 error).

The username/password can be reproduced with the reproducer attached.

In both cases you need the keystone client patch from https://review.openstack.org/#/c/39899/ to add the trusts interfaces.

Steven Hardy (shardy) wrote :

Ok, looks like this is invalid, curl examples posted here work OK:


So my issues have been due to a combination of:

- Confusion between project/tenant terminology leading to a project/tenant mismatch in my test code
- Trying to create a trust with the admin user which doesn't have a tenantId
- Trying to use a trust created with an empty roles list

On the last point, it's interesting to note that, as mentioned in the docs:

"A project_id may not be specified without at least one role, and vice versa."


However it appears it is possible to create a trust specifying a project_id with an empty roles list. Trying to consume that trust will always fail with 401, which IMHO is a lot less obvious than just failing at trust-creation time - surely creating the trust is pointless since it can never be consumed?

Anyway, maybe a bug to be discussed on the comment above, but this can be closed invalid - thanks!

Changed in keystone:
status: New → Invalid
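
An added example, not part of the bug report or of keystone's own code: a client-side pre-flight check that applies the documented project_id/roles rule to a trust-creation body before it is sent, so the empty-roles case discussed above is caught at creation time rather than as a 401 when the trust is consumed. The function name and the placeholder IDs are assumptions; the field names follow the OS-TRUST trust-creation request body.

```python
"""Pre-flight check for an OS-TRUST trust-creation body (added example)."""


def check_trust_body(body):
    """Return a list of problems; an empty list means the body passes."""
    trust = body.get("trust")
    if not isinstance(trust, dict):
        return ["body has no 'trust' object"]

    problems = []
    for field in ("trustor_user_id", "trustee_user_id"):
        if not trust.get(field):
            problems.append(f"missing {field}")

    project_id = trust.get("project_id")
    roles = trust.get("roles") or []

    # Rule quoted in the report: "A project_id may not be specified
    # without at least one role, and vice versa."
    if project_id and not roles:
        problems.append("project_id given with an empty roles list "
                        "(consuming such a trust returns 401, per this report)")
    if roles and not project_id:
        problems.append("roles given without a project_id")

    # Each role reference must carry something to resolve it by.
    for i, role in enumerate(roles):
        if not isinstance(role, dict) or not (role.get("id") or role.get("name")):
            problems.append(f"roles[{i}] has neither 'id' nor 'name'")
    return problems


def _body(project_id, roles):
    # Constructed sample body; the IDs are placeholders, not values from the report.
    trust = {"trustor_user_id": "TRUSTOR_ID", "trustee_user_id": "TRUSTEE_ID",
             "impersonation": True, "roles": roles}
    if project_id:
        trust["project_id"] = project_id
    return {"trust": trust}


EMPTY_ROLES = _body("PROJECT_ID", [])
ROLES_NO_PROJECT = _body(None, [{"name": "Member"}])
WITH_ROLE = _body("PROJECT_ID", [{"name": "Member"}])

if __name__ == "__main__":
    for label, body in (("empty roles", EMPTY_ROLES),
                        ("roles, no project", ROLES_NO_PROJECT),
                        ("project + role", WITH_ROLE)):
        print(f"{label}: {check_trust_body(body) or 'ok'}")
```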