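def create_trust(ctxt):
    """Create a Keystone v3 trust from the request's user to the trustee.

    The trustor is the user described by ``ctxt``. The trustee is the
    identity behind the plugin returned by ``_get_trusts_auth_plugin()``.
    The trust is scoped to the caller's project, carries every role in
    ``ctxt.roles`` and is created with impersonation enabled.

    :param ctxt: request context; this function reads ``auth_token``,
        ``project_name``, ``project_domain``, ``user``, ``tenant`` and
        ``roles`` from it.
    :returns: the id of the newly created trust.
    :raises exception.NotAuthorized: if Keystone rejects the lookup of the
        trustee user id as unauthorized.
    """
    LOG.debug("Creating Keystone trust")

    trusts_auth_plugin = _get_trusts_auth_plugin()

    # Authenticate as the trustor, reusing the token from the request.
    loader = loading.get_plugin_loader("v3token")
    auth = loader.load_from_options(
        auth_url=trusts_auth_plugin.auth_url,
        token=ctxt.auth_token,
        project_name=ctxt.project_name,
        project_domain_name=ctxt.project_domain)

    # NOTE(security): when CONF.keystone.allow_untrusted is set, TLS
    # certificate verification is turned off for this session, so the user
    # token sent to Keystone is exposed to anyone able to intercept the
    # connection. Keep that option off outside test environments.
    session = ks_session.Session(
        auth=auth, verify=not CONF.keystone.allow_untrusted)

    try:
        trustee_user_id = trusts_auth_plugin.get_user_id(session)
    except ks_exceptions.Unauthorized as ex:
        LOG.exception(ex)
        # Chain the cause explicitly so the Keystone error stays attached
        # to the exception that callers see.
        raise exception.NotAuthorized("Trustee authentication failed") from ex

    trustor_user_id = ctxt.user
    trustor_proj_id = ctxt.tenant
    roles = ctxt.roles
    LOG.debug("Granting Keystone trust. Trustor: %(trustor_user_id)s, trustee:"
              " %(trustee_user_id)s, project: %(trustor_proj_id)s, roles:"
              " %(roles)s",
              {"trustor_user_id": trustor_user_id,
               "trustee_user_id": trustee_user_id,
               "trustor_proj_id": trustor_proj_id,
               "roles": roles})

    # Trusts are not supported before Keystone v3
    client = kc_v3.Client(session=session)

    # NOTE(security): this delegates all of the caller's current roles with
    # impersonation=True, and passes neither expires_at nor remaining_uses,
    # so nothing in this call bounds the trust's lifetime. Review whether
    # the trustee needs the full role set, and make sure the trust is
    # deleted once the work it was created for has finished.
    trust = client.trusts.create(trustor_user=trustor_user_id,
                                 trustee_user=trustee_user_id,
                                 project=trustor_proj_id,
                                 impersonation=True,
                                 role_names=roles)

    # Pass the argument to the logger instead of pre-formatting, so the
    # message is only built when debug logging is enabled.
    LOG.debug("Trust id: %s", trust.id)
    return trust.id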