Comment 3 for bug 1213340

Steven Hardy (shardy) wrote :

OK, looks like this is invalid; the curl examples posted here work OK:

http://lists.openstack.org/pipermail/openstack-dev/2013-August/013837.html

So my issues have been due to a combination of:

- Confusion between project/tenant terminology leading to a project/tenant mismatch in my test code
- Trying to create a trust with the admin user which doesn't have a tenantId
- Trying to use a trust created with an empty roles list

On the last point, it's interesting to note that, as mentioned in the docs:

"A project_id may not be specified without at least one role, and vice versa."

https://github.com/openstack/identity-api/blob/master/openstack-identity-api/v3/src/markdown/identity-api-v3-os-trust-ext.md

However, it appears it is possible to create a trust specifying a project_id with an empty roles list. Trying to consume that trust will always fail with 401, which IMHO is a lot less obvious than just failing at trust-creation time - surely creating the trust is pointless since it can never be consumed?

Anyway, maybe a bug to be discussed on the comment above, but this can be closed invalid - thanks!