On Wed, Sep 04, 2013 at 09:49:48AM +0100, Steven Hardy wrote:
> This final step is the problematic step - atm (unless I'm making a mistake,
> which as previously proven is entirely possible! ;) it seems that it's
> impossible for anyone except the trustor to delete the trust, even if we
> impersonate the trustor.

Ok, apologies, after further testing, it appears I made a mistake and you *can* delete the trust by impersonating the user.

The reason for the confusion is there's an odd issue when authenticating the client using a trust_id. If (and only if) the trust has impersonation=True, you *must* specify the endpoint when initialising the client, otherwise we do not get a token, we get a 401.

So I misinterpreted the authentication failure as a 401 on delete, because I'd copied some code and changed impersonate from False to True, which changes the required arguments when consuming the trust. Seems like a bug?

I've created a gist containing an example which demonstrates the problem:

https://gist.github.com/hardys/6435299

I'm not sure if the bug is that the authenticate works without the endpoint when impersonate=False, or that it doesn't when impersonate=True.

Thanks!

Steve
