Keystone confuses users when creating a trust when there's a roles name conflict

It sounds like the proper fix to this is to allow for python-openstackclient to pass role ids instead of automatically converting them to names. As you noted, keystone already has the logic to bypass the name-id conversion if id are used originally [0]. Otherwise we might be able to take the opportunity to improve the error message in keystone to say something along the lines of ambiguity instead of Not Found.

[0] https://github.com/openstack/keystone/blob/03319d1/keystone/trust/controllers.py#L90-L94

Also affects python-keystoneclient as it only support names. [0]
Agree that the correct solution is to allow ids also.

0. https://github.com/openstack/python-keystoneclient/blob/71af540c81ecb933d912ef5ecde128afcc0deeeb/keystoneclient/v3/contrib/trusts.py#L41

Fix proposed to branch: master
Review: https://review.openstack.org/475010

Reviewed: https://review.openstack.org/475010
Committed: https://git.openstack.org/cgit/openstack/python-keystoneclient/commit/?id=ef49844248661671063567f98016e88943955ba0
Submitter: Jenkins
Branch: master

commit ef49844248661671063567f98016e88943955ba0
Author: Kristi Nikolla <email address hidden>
Date: Fri Jun 16 11:30:56 2017 -0400

    Add support for specifying role ids when creating trust

    Change-Id: I38e0ac35946ee6e53128babac3ea759a380572e0
    Partial-Bug: 1696111

There are three possible patches for this issue:

python-keystoneclient needs to support role ids (merged)
python-openstackclient needs to support role ids (in review)
keystone should emit a better error message (not proposed yet)

The python-openstackclient patch is available for review here - https://review.openstack.org/#/c/475068/

Fix proposed to branch: master
Review: https://review.openstack.org/476451

Reviewed: https://review.openstack.org/475068
Committed: https://git.openstack.org/cgit/openstack/python-openstackclient/commit/?id=da53c2b33457f4f1e93bdda6c0c16172ea36bc78
Submitter: Jenkins
Branch: master

commit da53c2b33457f4f1e93bdda6c0c16172ea36bc78
Author: Kristi Nikolla <email address hidden>
Date: Fri Jun 16 15:33:46 2017 -0400

    When creating a trust, send role_ids instead or role_names

    This changes create a trust to use ids instead of names because of
    the possibility of roles sharing a name. Even if the user
    uniquely identified a role by inputting the id, the request sent
    to the identity service would used the name, therefore the command
    would fail in the case that two roles share a name.

    This does not change how trusts are displayed during trust list or
    trust show, a name will still be shown instead of an id.

    Depends-On: I38e0ac35946ee6e53128babac3ea759a380572e0

    Change-Id: I5bdf89f1e288954a7f5c2704231f270bc7d196f5
    Closes-Bug: 1696111

Reviewed: https://review.openstack.org/476451
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=1ec118a85f1e31573813e6b433a35d87f0f5bfb8
Submitter: Jenkins
Branch: master

commit 1ec118a85f1e31573813e6b433a35d87f0f5bfb8
Author: Kristi Nikolla <email address hidden>
Date: Thu Jun 22 10:13:30 2017 +0000

    Return 400 when trying to create trust with ambiguous role name

    If a user is trying to create a trust by specifying roles by name
    and the name is used by multiple roles, return a more descriptive
    error message. Prior to this it was returning "role not found".

    Change-Id: Ife437ac15774f546f551e191cd5e6fdde7c67d49
    Partial-Bug: 1696111

This issue was fixed in the openstack/python-openstackclient 3.12.0 release.