Ok, looks like this is invalid, curl examples posted here work OK:

http://lists.openstack.org/pipermail/openstack-dev/2013-August/013837.html

So my issues have been due to a combination of:
- Confusion between project/tenant terminology leading to a project/tenant mismatch in my test code
- Trying to create a trust with the admin user which doesn't have a tenantId
- Trying to use a trust created with an empty roles list

On the last point, it's interesting to note that, as mentioned in the docs:

"A project_id may not be specified without at least one role, and vice versa."

https://github.com/openstack/identity-api/blob/master/openstack-identity-api/v3/src/markdown/identity-api-v3-os-trust-ext.md

However it appears it is possible to create a trust specifying a project_id with an empty roles list. Trying to consume that trust will always fail with 401, which IMHO is a lot less obvious than just failing at trust-creation time - surely creating the trust is pointless since it can never be consumed?

Anyway, maybe a bug to be discussed on the comment above, but this can be closed invalid - thanks!

** Changed in: keystone
Status: New => Invalid

https://bugs.launchpad.net/bugs/1213340

Title: v3 token requests always 401 with scope OS-TRUST:trust

Status in OpenStack Identity (Keystone): Invalid

Bug description:

Whenever a request to get a token contains the OS-TRUST:trust scope, the request always returns a 401 response. The exact same request without the OS-TRUST:trust scope always works.

Attempting to consume a trust as per:

https://github.com/openstack/identity-api/blob/master/openstack-identity-api/v3/src/markdown/identity-api-v3-os-trust-ext.md#consuming-a-trust-with-post-authtokens

I've tried with methods:['token'] and methods:['password'] and the results are the same, whenever the request contains a trust id in the scope section, the request gets 401'd.

The token case can be reproduced as described in bug #1212778 (which returns 401 with the proposed patch fixing the 500 error).

The username/password can be reproduced with the reproducer attached.

In both cases you need the keystone client patch from https://review.openstack.org/#/c/39899/ to add the trusts interfaces.