Comment 5 for bug 1717918

Xiaoyang Zhang (es-xiaoyang) wrote :

When reauthentication_auth_method = trusts, heat uses a trust token to build the sahara client. However, sahara uses heat's trust token to build the nova session client without auth_ref.

nova = nova_client.Client('2', session=session, auth=keystone.auth(),
                          endpoint_type=CONF.nova.endpoint_type,
                          region_name=CONF.os_region_name)

                         reauthentication_auth_method = trusts
             user_token  +------+ trust_token   +--------+ heat_trust_token  +----------------+
create_stack ----------> | heat | -----------> | sahara | ----------------> | nova/glance... |
                         +------+               +--------+    403 error      +----------------+

This is not allowed in the keystone token method. The original is described in this way: 'Do not allow tokens used for delegation to create another token, or perform any changes of state in Keystone. To do so is to invite elevation of privilege attacks'
There are two possible solutions without changing the heat configuration:
1. Sahara uses HTTPclient when building other components of client.
2. When building the other components' clients, add auth_ref.

After this is repaired, a new problem appears. Sahara uses heat_trust_token to create a new trust. The heat_trust_token's redelegation_count == 0 causes 403 errors.
Problem analysis:
                                                          heat_trust_token
                         reauthentication_auth_method = trusts   +
             user_token  +------+ trust_token   +--------+ auth_ref          +----------------+
create_stack ----------> | heat | -----------> | sahara | ----------------> | nova/glance... |
                         +------+               +--------+    complete       +----------------+
                                                     \
                                                      \ create_trust
                                             403 error \  +----------+
                                                       -> | keystone |
                                                          +----------+

We also need to modify heat to create the trust with redelegation allowed. Add the allow_redelegation=True parameter:

trust = self.client.trusts.create(trustor_user=trustor_user_id,
                                  trustee_user=trustee_user_id,
                                  project=trustor_proj_id,
                                  impersonation=True,
                                  allow_redelegation=True,
                                  role_names=roles)
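A simplified model of the keystone redelegation rule that produces the 403 above, added here as an example; it is not Keystone's, Heat's or Sahara's code. The Trust/Token classes, the Forbidden exception, the role names and the default redelegation depth of 3 are assumptions of the model.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional

# Assumed default depth (as in keystone's [trust]max_redelegation_count); this
# file is a simplified model of the rule, not Keystone's implementation.
MAX_REDELEGATION_COUNT = 3

class Forbidden(Exception):
    """Stands in for the HTTP 403 that Keystone returns."""

@dataclass
class Trust:
    trustor: str
    trustee: str
    roles: FrozenSet[str]
    redelegation_count: int  # further hops this trust may be re-delegated (0 = none)

@dataclass
class Token:
    user: str
    roles: FrozenSet[str]
    trust: Optional[Trust] = None  # set when the token is trust-scoped

def create_trust(token, trustee, roles, allow_redelegation=False):
    """Create a trust on behalf of `token`, applying the redelegation rule."""
    roles = frozenset(roles)
    if not roles <= token.roles:
        raise Forbidden("cannot delegate roles the trustor does not hold")
    if token.trust is None:
        # Plain user token (heat's call): depth comes from allow_redelegation.
        return Trust(token.user, trustee, roles,
                     MAX_REDELEGATION_COUNT if allow_redelegation else 0)
    # Trust-scoped token (sahara's call): this is a redelegation, which the
    # parent trust must have permitted, and each hop consumes one level.
    parent = token.trust
    if parent.redelegation_count <= 0:
        raise Forbidden("parent trust does not allow redelegation")
    return Trust(parent.trustor, trustee, roles,
                 parent.redelegation_count - 1 if allow_redelegation else 0)

def trust_token(trust):
    """Token issued to the trustee when it consumes the trust (impersonation)."""
    return Token(trust.trustor, trust.roles, trust)

def heat_to_sahara_chain(heat_allows_redelegation):
    """Replay the chain in the comment; True if sahara's create_trust succeeds."""
    user = Token("user", frozenset({"member"}))
    heat_trust = create_trust(user, "heat", {"member"}, heat_allows_redelegation)
    try:
        create_trust(trust_token(heat_trust), "sahara", {"member"}, True)
        return True
    except Forbidden:
        return False
```

With heat's current trust (redelegation_count 0) the sahara hop is refused; with allow_redelegation=True it succeeds and the next trust gets one level less.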