Can't get a trust-scoped token via v2 client

Bug #1231483 reported by Steven Hardy
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
python-keystoneclient
Wishlist
Steven Hardy
tempest
Wishlist
Unassigned

Bug Description

It should be possible to authenticate a v2 client with a trust ID, as this request is valid (discovered after digging in the v2 controller code, I don't think this is documented anywhere yet?)

      "auth": {
          "tenantId": "0809343a8f9e4f07bce678855acef39a",
          "token": {
              "id": "68f720c6434946f99c7e2d9f1fd64747"
          },
          "trust_id": "4debf7791e0e49e298f933ca3732d0a8"
      }

There are a few strings attached:
- You can't use username/password, you have to get a token first, then get it re-scoped
- When the trust has impersonation==True, you need to know the trustor's tenant ID

Then you can do a call like this:

  c_trust_v2 = client_v2.Client(debug=DEBUG,
                                username=TRUSTEE_USERNAME,
                                password=TRUSTEE_USERNAME,
                                tenant_name=TRUSTEE_TENANT_NAME,
                                auth_url=OS_AUTH_URL_V2)

  ret = c_trust_v2.authenticate(trust_id=trust_i.id,
                                tenant_id=TRUSTOR_TENANT_ID)

After this (with the patch I'm about to post), you have auth_ref correctly trust_scoped for the v2 client.

Steven Hardy (shardy)
Changed in python-keystoneclient:
assignee: nobody → Steven Hardy (shardy)
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to python-keystoneclient (master)

Fix proposed to branch: master
Review: https://review.openstack.org/48462

Changed in python-keystoneclient:
status: New → In Progress
Dolph Mathews (dolph)
Changed in python-keystoneclient:
milestone: none → 0.3.3
importance: Undecided → Wishlist
Revision history for this message
Steven Hardy (shardy) wrote :

Tempest test in-progress, as requested by ayoung in the review linked above.

I'm adding tests which exercise basic v3 auth & trusts functionality, and also provides coverage of the v2 token re-scoping described in this bug.

I've got standalone tests which I've used to verify the functionality, which I'll use (cleaned up) as a basis for the tempest tests:

curl API tests:

https://github.com/hardys/keystone_trust/blob/master/tests/keystone_pw_example_v2.sh

keystoneclient tests:

https://gist.github.com/hardys/6435299#file-trust_pw_test_v2-py

Changed in tempest:
assignee: nobody → Steven Hardy (shardy)
status: New → In Progress
Dolph Mathews (dolph)
Changed in python-keystoneclient:
milestone: 0.3.3 → none
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to tempest (master)

Fix proposed to branch: master
Review: https://review.openstack.org/51558

Revision history for this message
OpenStack Infra (hudson-openstack) wrote :

Fix proposed to branch: master
Review: https://review.openstack.org/51559

Revision history for this message
OpenStack Infra (hudson-openstack) wrote :

Fix proposed to branch: master
Review: https://review.openstack.org/51560

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to python-keystoneclient (master)

Reviewed: https://review.openstack.org/48462
Committed: http://github.com/openstack/python-keystoneclient/commit/5b7a460bc3eb108e1d9df79fb5d3f97d3b06bf4b
Submitter: Jenkins
Branch: master

commit 5b7a460bc3eb108e1d9df79fb5d3f97d3b06bf4b
Author: Steven Hardy <email address hidden>
Date: Thu Sep 26 15:33:00 2013 +0100

    Allow v2 client authentication with trust_id

    It should be possible to authenticate against the v2 tokens
    API with a trust_id, because it suports rescoping an existing
    token to a trust, this patch adds client support for this.

    Note with the current keystone code it's necessary to pass the
    trustor tenant ID when rescoping with a trust where
    impersonation==True, e.g:

    c = client_v2.Client(username=TRUSTEE_USERNAME,
                         password=TRUSTEE_USERNAME,
                         tenant_name=TRUSTEE_TENANT_NAME,
                         auth_url=OS_AUTH_URL_V2)
    c.authenticate(trust_id=trust_i.id, tenant_id=TRUSTOR_TENANT_ID)

    Change-Id: I177c41af298b7437e2c6fb437aa9ce9a09773b9d
    Closes-Bug: #1231483

Changed in python-keystoneclient:
status: In Progress → Fix Committed
Dolph Mathews (dolph)
Changed in python-keystoneclient:
milestone: none → 0.4.1
Dolph Mathews (dolph)
Changed in python-keystoneclient:
status: Fix Committed → Fix Released
Changed in tempest:
importance: Undecided → Wishlist
Revision history for this message
Yaroslav Lobankov (ylobankov) wrote :

All proposed patches are abandoned (https://review.openstack.org/51558, https://review.openstack.org/51559, https://review.openstack.org/51560), but the status of the bug is "In progress". So moving the status back to "New".

Changed in tempest:
status: In Progress → New
assignee: Steven Hardy (shardy) → nobody
Revision history for this message
Steven Hardy (shardy) wrote :

> the status of the bug is "In progress". So moving the status back to "New"

IIRC the outcome of discussions was that tests for this weren't wanted in tempest, so you might want to just close it as wont-fix.

Revision history for this message
Yaroslav Lobankov (ylobankov) wrote :

Thanks, Steven.

Changed in tempest:
status: New → Won't Fix
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers