Re: [openstack-dev] what permission is required to create a Keystone trust

2016-09-08 Thread Matt Jia 
Yes,  thanks.
__
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

Re: [openstack-dev] what permission is required to create a Keystone trust

2016-09-01 Thread Alexander Makarov 

Hi, Matt!

The issue is most probably in the absence of roles being trusted, which 
are required to create a trust.




On 01.09.2016 06:54, Matt Jia wrote:

Hi,

I am experimenting the Keystone Trusts feature with a script which 
creates a trust between two users.


import keystoneclient.v3 as keystoneclient
#import swiftclient.client as swiftclient


auth_url_v3 = 'http:/xxxt.com:5000/v3/ '


demo = keystoneclient.Client(auth_url=auth_url_v3,
 username='demo',
 password='openstack',
 project='demo')
import pdb; pdb.set_trace()
alt_demo = keystoneclient.Client(auth_url=auth_url_v3,
   username='alt_demo',
   password='openstack',
   project='alt_demo')

trust = demo.trusts.create(trustor_user=demo.user_id,
   trustee_user=alt_demo.user_id,
   project=demo.tenant_id)

When I run this script, I got this error:

Traceback (most recent call last):
  File "test_os_trust_1.py", line 20, in 
project=demo.tenant_id)
  File 
"/usr/lib/python2.7/site-packages/keystoneclient/v3/contrib/trusts.py", 
line 75, in create

**kwargs)
  File "/usr/lib/python2.7/site-packages/keystoneclient/base.py", line 
72, in func

return f(*args, **new_kwargs)
  File "/usr/lib/python2.7/site-packages/keystoneclient/base.py", line 
328, in create

self.key)
  File "/usr/lib/python2.7/site-packages/keystoneclient/base.py", line 
151, in _create

return self._post(url, body, response_key, return_raw, **kwargs)
  File "/usr/lib/python2.7/site-packages/keystoneclient/base.py", line 
165, in _post

resp, body = self.client.post(url, body=body, **kwargs)
  File 
"/usr/lib/python2.7/site-packages/keystoneclient/httpclient.py", line 
635, in post

return self._cs_request(url, 'POST', **kwargs)
  File 
"/usr/lib/python2.7/site-packages/keystoneclient/httpclient.py", line 
621, in _cs_request

return self.request(url, method, **kwargs)
  File 
"/usr/lib/python2.7/site-packages/keystoneclient/httpclient.py", line 
596, in request

resp = super(HTTPClient, self).request(url, method, **kwargs)
  File 
"/usr/lib/python2.7/site-packages/keystoneclient/baseclient.py", line 
21, in request

return self.session.request(url, method, **kwargs)
  File "/usr/lib/python2.7/site-packages/keystoneclient/utils.py", 
line 318, in inner

return func(*args, **kwargs)
  File "/usr/lib/python2.7/site-packages/keystoneclient/session.py", 
line 354, in request

raise exceptions.from_response(resp, method, url)
keystoneclient.openstack.common.apiclient.exceptions.Forbidden: You 
are not authorized to perform the requested action. (HTTP 403) 
(Request-ID: req-6898b073-d467-4f2a-acc0-c4c0ca15970a)


Can anyone explain what sort of permission is required for the demo 
user to create a trust?


Cheers, Matt


__
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev


__
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

Re: [openstack-dev] what permission is required to create a Keystone trust

2016-09-01 Thread Thomas Herve 
On Thu, Sep 1, 2016 at 5:54 AM, Matt Jia  wrote:
> Hi,
>
> I am experimenting the Keystone Trusts feature with a script which creates a
> trust between two users.
>
> import keystoneclient.v3 as keystoneclient
> #import swiftclient.client as swiftclient
>
>
> auth_url_v3 = 'http:/xxxt.com:5000/v3/'
>
>
> demo = keystoneclient.Client(auth_url=auth_url_v3,
>  username='demo',
>  password='openstack',
>  project='demo')
> import pdb; pdb.set_trace()
> alt_demo = keystoneclient.Client(auth_url=auth_url_v3,
>  username='alt_demo',
>  password='openstack',
>  project='alt_demo')
>
> trust = demo.trusts.create(trustor_user=demo.user_id,
>trustee_user=alt_demo.user_id,
>project=demo.tenant_id)

I believe you need to at least specify one role to be able to create a
trust. You can't delegate all users roles if you pass in a project.

-- 
Thomas

__
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

[openstack-dev] what permission is required to create a Keystone trust

2016-08-31 Thread Matt Jia 
Hi,

I am experimenting the Keystone Trusts feature with a script which creates
a trust between two users.

import keystoneclient.v3 as keystoneclient
#import swiftclient.client as swiftclient


auth_url_v3 = 'http:/xxxt.com:5000/v3/'


demo = keystoneclient.Client(auth_url=auth_url_v3,
 username='demo',
 password='openstack',
 project='demo')
import pdb; pdb.set_trace()
alt_demo = keystoneclient.Client(auth_url=auth_url_v3,
 username='alt_demo',
 password='openstack',
 project='alt_demo')

trust = demo.trusts.create(trustor_user=demo.user_id,
   trustee_user=alt_demo.user_id,
   project=demo.tenant_id)

When I run this script, I got this error:

Traceback (most recent call last):
  File "test_os_trust_1.py", line 20, in 
project=demo.tenant_id)
  File "/usr/lib/python2.7/site-packages/keystoneclient/v3/contrib/trusts.py",
line 75, in create
**kwargs)
  File "/usr/lib/python2.7/site-packages/keystoneclient/base.py", line 72,
in func
return f(*args, **new_kwargs)
  File "/usr/lib/python2.7/site-packages/keystoneclient/base.py", line 328,
in create
self.key)
  File "/usr/lib/python2.7/site-packages/keystoneclient/base.py", line 151,
in _create
return self._post(url, body, response_key, return_raw, **kwargs)
  File "/usr/lib/python2.7/site-packages/keystoneclient/base.py", line 165,
in _post
resp, body = self.client.post(url, body=body, **kwargs)
  File "/usr/lib/python2.7/site-packages/keystoneclient/httpclient.py",
line 635, in post
return self._cs_request(url, 'POST', **kwargs)
  File "/usr/lib/python2.7/site-packages/keystoneclient/httpclient.py",
line 621, in _cs_request
return self.request(url, method, **kwargs)
  File "/usr/lib/python2.7/site-packages/keystoneclient/httpclient.py",
line 596, in request
resp = super(HTTPClient, self).request(url, method, **kwargs)
  File "/usr/lib/python2.7/site-packages/keystoneclient/baseclient.py",
line 21, in request
return self.session.request(url, method, **kwargs)
  File "/usr/lib/python2.7/site-packages/keystoneclient/utils.py", line
318, in inner
return func(*args, **kwargs)
  File "/usr/lib/python2.7/site-packages/keystoneclient/session.py", line
354, in request
raise exceptions.from_response(resp, method, url)
keystoneclient.openstack.common.apiclient.exceptions.Forbidden: You are not
authorized to perform the requested action. (HTTP 403) (Request-ID:
req-6898b073-d467-4f2a-acc0-c4c0ca15970a)

Can anyone explain what sort of permission is required for the demo user to
create a trust?

Cheers, Matt
__
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev