From d08479ff0cb355754fc3f871a7feed320ee634bf Mon Sep 17 00:00:00 2001
From: Adriano Petrich <apetrich@redhat.com>
Date: Mon, 14 Aug 2017 14:51:07 +0100
Subject: [PATCH] Fix cron keystone calls when token is available

When a token_id is present we get

Failed to process cron trigger CronTrigger
AuthorizationFailure: Authentication cannot be scoped to multiple targets.
Pick one of: project, domain, trust or unscoped

We have a test to do that if CONF.keystone_authtoken.auth_type is not None
but a change was needed when it was none.

Change-Id: I636873c0db4b3dbf66a0c5a856fee4dcb644ac3c
Closes-bug: #1711069
---
 mistral/utils/openstack/keystone.py | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/mistral/utils/openstack/keystone.py b/mistral/utils/openstack/keystone.py
index 80b1ea7d5..088bf1c06 100644
--- a/mistral/utils/openstack/keystone.py
+++ b/mistral/utils/openstack/keystone.py
@@ -96,11 +96,17 @@ def get_session_and_auth(context, **kwargs):
 def _admin_client(trust_id=None):
     if CONF.keystone_authtoken.auth_type is None:
         auth_url = CONF.keystone_authtoken.auth_uri
+        project_name = CONF.keystone_authtoken.admin_tenant_name
+
+        # You can't use trust and project together
+
+        if trust_id:
+            project_name = None
 
         cl = ks_client.Client(
             username=CONF.keystone_authtoken.admin_user,
             password=CONF.keystone_authtoken.admin_password,
-            project_name=CONF.keystone_authtoken.admin_tenant_name,
+            project_name=project_name,
             auth_url=auth_url,
             trust_id=trust_id
         )