Seems we cannot authenticate as a trustee with OpenStackClient.
The following env vars are set:
OS_AUTH_URL
OS_IDENTITY_API_VERSION
OS_USERNAME
OS_TRUST_ID
OS_PASSWORD
OS_USER_DOMAIN_NAME
These should be the minimal amount of information needed for a "trustee" (a keystone user) to authenticate. The TRUST_ID takes the place of the scope (usually this is a project or domain).
I performed the following changes to OpenStackClient, since without these, TRUST_ID wasn't working at all.
/opt/stack/python-openstackclient$ git diff
diff --git a/openstackclient/api/auth.py b/openstackclient/api/auth.py
index 66272e4..672f146 100644
--- a/openstackclient/api/auth.py
+++ b/openstackclient/api/auth.py
@@ -151,11 +151,13 @@ def check_valid_auth_options(options, auth_plugin_name):
options.auth.get('domain_name', None) and not
options.auth.get('project_name', None) and not
options.auth.get('tenant_id', None) and not
- options.auth.get('tenant_name', None)):
+ options.auth.get('tenant_name', None) and not
+ options.auth.get('trust_id', None)):
msg += _('Set a scope, such as a project or domain, set a '
'project scope with --os-project-name, OS_PROJECT_NAME '
'or auth.project_name, set a domain scope with '
- '--os-domain-name, OS_DOMAIN_NAME or auth.domain_name')
+ '--os-domain-name, OS_DOMAIN_NAME or auth.domain_name',
+ 'set a trust with --os-trust-id or OS_TRUST_ID')
elif auth_plugin_name.endswith('token'):
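Review bot: The comma added after '--os-domain-name, OS_DOMAIN_NAME or auth.domain_name' turns the new 'set a trust with --os-trust-id or OS_TRUST_ID' string into a second positional argument to _() instead of part of the message, so the trust hint is either dropped or the call raises a TypeError, depending on how _ is defined. Remove that trailing comma and put the separator inside the literal (for example, start the new string with ', set a trust with ...') so implicit string concatenation builds a single message. The existing hints also name the config key (auth.project_name, auth.domain_name); adding auth.trust_id would keep the message consistent with the options.auth.get('trust_id') check added above it.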
Unfortunately, it seems like we're passing things along to os-client-config properly. Since it looks like an unscoped token request, which results in no catalog being returned:
$ openstack user list --debug
START with options: ['user', 'list', '--debug']
options: Namespace(access_token_endpoint='', auth_type='', auth_url='http://172.16.240.162:5000/v2.0', cacert='', client_id='', client_secret='***', cloud='', debug=True, default_domain='default', deferred_help=False, domain_id='', domain_name='', endpoint='', identity_provider='', identity_provider_url='', insecure=None, interface='', log_file=None, os_baremetal_api_version='1.6', os_compute_api_version='', os_data_processing_api_version='1.1', os_identity_api_version='2.0', os_image_api_version='', os_network_api_version='', os_object_api_version='', os_project_id=None, os_project_name=None, os_volume_api_version='2', password='***', project_domain_id='', project_domain_name='', project_id='', project_name='', protocol='', region_name='RegionOne', scope='', service_provider_endpoint='', timing=False, token='***', trust_id='cf884b664f5b42f7b1f1a98cef5da399', url='', user_domain_id='', user_domain_name='', user_id='', username='trustee', verbose_level=3, verify=None)
defaults: {u'auth_type': 'password', u'compute_api_version': u'2', 'key': None, u'database_api_version': u'1.0', 'api_timeout': None, u'baremetal_api_version': u'1', 'cacert': None, u'image_api_use_tasks': False, u'floating_ip_source': u'neutron', u'orchestration_api_version': u'1', u'interface': None, u'network_api_version': u'2', u'image_format': u'qcow2', u'image_api_version': u'2', u'metering_api_version': u'2', 'verify': True, u'identity_api_version': u'2.0', u'volume_api_version': u'1', 'cert': None, u'secgroup_source': u'neutron', u'container_api_version': u'1', u'dns_api_version': u'2', u'object_store_api_version': u'1', u'disable_vendor_agent': {}}
cloud cfg: {'auth_type': 'password', u'compute_api_version': u'2', 'key': None, u'database_api_version': u'1.0', u'metering_api_version': u'2', u'network_api_version': u'2', u'image_format': u'qcow2', u'image_api_version': u'2', 'verify': True, u'dns_api_version': u'2', u'object_store_api_version': u'1', 'verbose_level': 3, 'region_name': 'RegionOne', 'api_timeout': None, u'baremetal_api_version': '1.6', 'auth': {'username': 'trustee', 'password': '***', 'auth_url': 'http://172.16.240.162:5000/v2.0', 'trust_id': 'cf884b664f5b42f7b1f1a98cef5da399'}, 'default_domain': 'default', 'debug': True, u'image_api_use_tasks': False, u'floating_ip_source': u'neutron', u'orchestration_api_version': u'1', 'timing': False, 'cacert': None, 'data_processing_api_version': '1.1', 'deferred_help': False, u'identity_api_version': '2.0', u'volume_api_version': '2', 'cert': None, u'secgroup_source': u'neutron', u'container_api_version': u'1', u'interface': None, u'disable_vendor_agent': {}}
command: user list -> openstackclient.identity.v2_0.user.ListUser
Auth plugin password selected
auth_type: password
Using auth plugin: password
Using parameters {'username': 'trustee', 'password': '***', 'auth_url': 'http://172.16.240.162:5000/v2.0', 'trust_id': 'cf884b664f5b42f7b1f1a98cef5da399'}
Get auth_ref
REQ: curl -g -i -X GET http://172.16.240.162:5000/v2.0 -H "Accept: application/json" -H "User-Agent: python-openstackclient"
Starting new HTTP connection (1): 172.16.240.162
"GET /v2.0 HTTP/1.1" 200 340
RESP: [200] Content-Length: 340 Vary: X-Auth-Token Keep-Alive: timeout=5, max=100 Server: Apache/2.4.7 (Ubuntu) Connection: Keep-Alive Date: Fri, 15 Jan 2016 19:55:00 GMT Content-Type: application/json x-openstack-request-id: req-78d71175-e334-433b-96ce-1552839df251
RESP BODY: {"version": {"status": "stable", "updated": "2014-04-17T00:00:00Z", "media-types": [{"base": "application/json", "type": "application/vnd.openstack.identity-v2.0+json"}], "id": "v2.0", "links": [{"href": "http://172.16.240.162:5000/v2.0/", "rel": "self"}, {"href": "http://docs.openstack.org/", "type": "text/html", "rel": "describedby"}]}}
Making authentication request to http://172.16.240.162:5000/v2.0/tokens
"POST /v2.0/tokens HTTP/1.1" 200 374
take_action(Namespace(columns=[], formatter='table', long=False, max_width=0, noindent=False, project=None, quote_mode='nonnumeric'))
Instantiating identity client: <class 'openstackclient.identity.client.IdentityClientv2'>
Making authentication request to http://172.16.240.162:5000/v2.0/tokens
"POST /v2.0/tokens HTTP/1.1" 200 374
The service catalog is empty.
Traceback (most recent call last):
File "/usr/local/lib/python2.7/dist-packages/cliff/app.py", line 374, in run_subcommand
result = cmd.run(parsed_args)
File "/usr/local/lib/python2.7/dist-packages/cliff/display.py", line 92, in run
column_names, data = self.take_action(parsed_args)
File "/opt/stack/python-openstackclient/openstackclient/common/utils.py", line 45, in wrapper
return func(self, *args, **kwargs)
File "/opt/stack/python-openstackclient/openstackclient/identity/v2_0/user.py", line 222, in take_action
data = identity_client.users.list(tenant_id=project)
File "/usr/local/lib/python2.7/dist-packages/keystoneclient/v2_0/users.py", line 126, in list
return self._list("/users%s" % query, "users")
File "/usr/local/lib/python2.7/dist-packages/keystoneclient/base.py", line 124, in _list
resp, body = self.client.get(url, **kwargs)
File "/usr/local/lib/python2.7/dist-packages/keystoneclient/adapter.py", line 170, in get
return self.request(url, 'GET', **kwargs)
File "/usr/local/lib/python2.7/dist-packages/keystoneclient/adapter.py", line 206, in request
resp = super(LegacyJsonAdapter, self).request(*args, **kwargs)
File "/usr/local/lib/python2.7/dist-packages/keystoneclient/adapter.py", line 95, in request
return self.session.request(url, method, **kwargs)
File "/opt/stack/python-openstackclient/openstackclient/common/session.py", line 40, in request
resp = super(TimingSession, self).request(url, method, **kwargs)
File "/usr/local/lib/python2.7/dist-packages/keystoneauth1/_utils.py", line 180, in inner
return func(*args, **kwargs)
File "/usr/local/lib/python2.7/dist-packages/keystoneauth1/session.py", line 345, in request
base_url = self.get_endpoint(auth, **endpoint_filter)
File "/usr/local/lib/python2.7/dist-packages/keystoneauth1/session.py", line 615, in get_endpoint
return auth.get_endpoint(self, **kwargs)
File "/usr/local/lib/python2.7/dist-packages/keystoneclient/auth/identity/base.py", line 328, in get_endpoint
service_name=service_name)
File "/usr/local/lib/python2.7/dist-packages/keystoneclient/utils.py", line 337, in inner
return func(*args, **kwargs)
File "/usr/local/lib/python2.7/dist-packages/keystoneclient/service_catalog.py", line 257, in url_for
raise exceptions.EmptyCatalog(_('The service catalog is empty.'))
EmptyCatalog: The service catalog is empty.