On Wed, Sep 4, 2013 at 5:45 AM, Steven Hardy <[email protected]> wrote:
> On Wed, Sep 04, 2013 at 09:49:48AM +0100, Steven Hardy wrote:
> > This final step is the problematic step - atm (unless I'm making a mistake,
> > which as previously proven is entirely possible! ;) it seems that it's
> > impossible for anyone except the trustor to delete the trust, even if we
> > impersonate the trustor.
>
> Ok, apologies, after further testing, it appears I made a mistake and you
> *can* delete the trust by impersonating the user.

No worries! I was going to say, I couldn't think of a reason to explicitly deny the behavior.

> The reason for the confusion is there's an odd issue when authenticating
> the client using a trust_id. If (and only if) the trust has
> impersonation=True, you *must* specify the endpoint when initialising the
> client, otherwise we do not get a token, we get a 401.
> So I misinterpreted the authentication failure as a 401 on delete, because
> I'd copied some code and changed impersonate from False to True, which
> changes the required arguments when consuming the trust. Seems like a bug?

That definitely sounds like a bug (in keystoneclient?)

> I've created a gist containing an example which demonstrates the problem:
>
> https://gist.github.com/hardys/6435299

You shouldn't have to specify auth_url and endpoint together, ever... so something here is probably a bug on the client side:

https://gist.github.com/hardys/6435299#file-trust_delete_test-py-L55-L56

I also find it odd that you're specifying a project redundantly... given that the trust already specifies a project:

https://gist.github.com/hardys/6435299#file-trust_delete_test-py-L45

You shouldn't have to specify one here:

https://gist.github.com/hardys/6435299#file-trust_delete_test-py-L54

> I'm not sure if the bug is that the authenticate works without the endpoint
> when impersonate=False, or that it doesn't when impersonate=True.
>
> Thanks!
>
> Steve
>
> _______________________________________________
> OpenStack-dev mailing list
> [email protected]
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

--
-Dolph
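Added example, not part of the thread, the gist or keystoneclient: what consuming a trust looks like at the Keystone Identity API v3 level, where the request scope names only the trust (no project) and the token response shows whose identity the trustee ends up acting as. Function names and all IDs are hypothetical; the request and response shapes follow the v3 OS-TRUST extension.

```python
"""Added example: consuming a Keystone v3 trust (names are hypothetical)."""

TRUST_SCOPE = "OS-TRUST:trust"


def trust_auth_request(user_id, password, trust_id):
    """Body for POST /v3/auth/tokens, sent by the trustee.

    The scope names only the trust; the project comes from the trust itself.
    """
    return {
        "auth": {
            "identity": {
                "methods": ["password"],
                "password": {"user": {"id": user_id, "password": password}},
            },
            "scope": {TRUST_SCOPE: {"id": trust_id}},
        }
    }


def effective_identity(token_body):
    """Return (acting_user_id, project_id, impersonating) for a trust token."""
    token = token_body["token"]
    trust = token.get(TRUST_SCOPE)
    if trust is None:
        raise ValueError("token is not trust-scoped")
    impersonating = bool(trust["impersonation"])
    # With impersonation the token's user is the trustor, otherwise the trustee.
    expected = trust["trustor_user" if impersonating else "trustee_user"]["id"]
    if token["user"]["id"] != expected:
        raise ValueError("token user does not match the trust's impersonation flag")
    return expected, token["project"]["id"], impersonating


def sample_token(impersonation):
    """Constructed token response body; all IDs are made up."""
    return {"token": {
        "user": {"id": "trustor-id" if impersonation else "trustee-id"},
        "project": {"id": "project-abc"},
        TRUST_SCOPE: {
            "id": "trust-123",
            "impersonation": impersonation,
            "trustor_user": {"id": "trustor-id"},
            "trustee_user": {"id": "trustee-id"},
        },
    }}
```

Logging the tuple from effective_identity() alongside the operation makes it visible in audit records when a delete was performed under an impersonated identity rather than by the trustor directly.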
