Public bug reported: I think we should consume trust use only when getting token sucuess. But, currently if I get token fail the trust use will also be consumed. For example: curl -i -H "Content-Type:application/json" http://127.0.0.1:35357/v3/auth/tokens -d '{"auth":{"identity":{"methods":["password"], "password":{"user":{"id":"b89cd1d1608f4e6ea588b1338f2621bd","password":"admin"}}},"scope":{"OS-TRUST:trust":{"id":"bcbddcc479304a8a8c39df24a87cce85"}}}}'
If the user(b89cd1d1608f4e6ea588b1338f2621bd) is not the trustee user of the trust(bcbddcc479304a8a8c39df24a87cce85), get token will fail: {"error": {"message": "User is not a trustee. (Disable debug mode to suppress these details.)", "code": 403, "title": "Forbidden"}} But, the remaining uses of the trust will be consumed. This is because we call "trust_api.consume_use" before "token_provider_api.issue_v3_token":https://github.com/openstack/keystone/blob/master/keystone/auth/controllers.py#L375, and issue_v3_token may be fail for some reasons. ** Affects: keystone Importance: Undecided Assignee: wanghong (w-wanghong) Status: New ** Changed in: keystone Assignee: (unassigned) => wanghong (w-wanghong) -- You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to Keystone. https://bugs.launchpad.net/bugs/1335037 Title: get token fail also consume trust use Status in OpenStack Identity (Keystone): New Bug description: I think we should consume trust use only when getting token sucuess. But, currently if I get token fail the trust use will also be consumed. For example: curl -i -H "Content-Type:application/json" http://127.0.0.1:35357/v3/auth/tokens -d '{"auth":{"identity":{"methods":["password"], "password":{"user":{"id":"b89cd1d1608f4e6ea588b1338f2621bd","password":"admin"}}},"scope":{"OS-TRUST:trust":{"id":"bcbddcc479304a8a8c39df24a87cce85"}}}}' If the user(b89cd1d1608f4e6ea588b1338f2621bd) is not the trustee user of the trust(bcbddcc479304a8a8c39df24a87cce85), get token will fail: {"error": {"message": "User is not a trustee. (Disable debug mode to suppress these details.)", "code": 403, "title": "Forbidden"}} But, the remaining uses of the trust will be consumed. This is because we call "trust_api.consume_use" before "token_provider_api.issue_v3_token":https://github.com/openstack/keystone/blob/master/keystone/auth/controllers.py#L375, and issue_v3_token may be fail for some reasons. To manage notifications about this bug go to: https://bugs.launchpad.net/keystone/+bug/1335037/+subscriptions -- Mailing list: https://launchpad.net/~yahoo-eng-team Post to : yahoo-eng-team@lists.launchpad.net Unsubscribe : https://launchpad.net/~yahoo-eng-team More help : https://help.launchpad.net/ListHelp