python-keystoneclient

keystoneclient requires --pass to create user while keystone doesn't

Bug #1273988 reported by ZhiQiang Fan
8
This bug affects 1 person
Affects Status Importance Assigned to Milestone
OpenStack Identity (keystone)
Invalid
Undecided
Unassigned
python-keystoneclient
Fix Released
Low
Juan Manuel Ollé
python-keystoneclient 0.10.0

Bug Description

name is required in REST API, but CLI requires an extra argument --pass

# uname -a
Linux havana 3.8.0-29-generic #42~precise1-Ubuntu SMP Wed Aug 14 16:19:23 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux

# keystone-manage --version
2013.2

# keystone --version
0.3.2

# curl -i -X POST http://160.132.0.17:35357/v2.0/users -H "User-Agent: python-keystoneclient" -H "Content-Type: application/json" -H "X-Auth-Token: ac60d12b5b6c668f726a" -d '{"user": {"name": "test-create"}}'
HTTP/1.1 200 OK
Vary: X-Auth-Token
Content-Type: application/json
Content-Length: 92
Date: Wed, 29 Jan 2014 07:27:09 GMT

{"user": {"enabled": true, "name": "test-create", "id": "f23d8e2835a0491db1f13a313446768d"}}

# keystone user-create --name test-create
Expecting to find string in password. The server could not comply with the request since it is either malformed or otherwise incorrect. The client is assumed to be in error. (HTTP 400)

if keystone cli supports creating an user without pass, we can update that user's password by:

# keystone user-password-update test-create --pass xxx

to verify this solution:

# keystone user-role-add --user test-create --tenant admin --role admin # can be other tenant and role
# keystone --os-username test-create --os-password xxx --os-tenant-name admin user-get test-create
+----------+----------------------------------+
| Property | Value |
+----------+----------------------------------+
| enabled | True |
| id | f23d8e2835a0491db1f13a313446768d |
| name | test-create |
+----------+----------------------------------+

the problem is that

# keystone --debug user-create --name test-create
WARNING: Bypassing authentication using a token & endpoint (authentication credentials are being ignored).
REQ: curl -i -X POST http://160.132.0.17:35357/v2.0/users -H "User-Agent: python-keystoneclient" -H "Content-Type: application/json" -H "X-Auth-Token: ac60d12b5b6c668f726a"
REQ BODY: {"user": {"email": null, "password": null, "enabled": true, "name": "test-create", "tenantId": null}}

RESP: [400] CaseInsensitiveDict({'date': 'Wed, 29 Jan 2014 07:43:58 GMT', 'vary': 'X-Auth-Token', 'content-length': '236', 'content-type': 'application/json'})
RESP BODY: {"error": {"message": "Expecting to find string in password. The server could not comply with the request since it is either malformed or otherwise incorrect. The client is assumed to be in error.", "code": 400, "title": "Bad Request"}}

the server side can bare pass attribute is not set, but cannot accept it is None....

we can fix this via set --pass to SUPRESS or update the server side validation to treat None as not set and leave it blank in db backend, I would prefer fix both side, since some user may claim such problem when he try to send a rest.json={..., 'pass': null} to server.

ref: https://github.com/openstack/keystone/blob/2013.2.1/keystone/common/utils.py#L100

See original description
ZhiQiang Fan (aji-zqfan)
Changed in python-keystoneclient:
assignee: nobody → ZhiQiang Fan (aji-zqfan)
Changed in keystone:
assignee: nobody → ZhiQiang Fan (aji-zqfan)
description: updated
Revision history for this message
ZhiQiang Fan (aji-zqfan) wrote :

It seems not a bug in keystone, but it is still a bit weired, because if the user explicitly tells the server he doesn't need a password, the server will reject the request because the password field is not a string. This sounds like that: "we don't welcome extra labor work, so just be lazy or you get nothing!" : )

Revision history for this message
Juan Antonio Osorio Robles (juan-osorio-robles) wrote :

Well, it is explicitly optional in the v3 API at least.

https://github.com/openstack/identity-api/blob/master/openstack-identity-api/v3/src/markdown/identity-api-v3.md#users-v3users

ZhiQiang Fan (aji-zqfan)
Changed in keystone:
assignee: ZhiQiang Fan (aji-zqfan) → nobody
Changed in python-keystoneclient:
assignee: ZhiQiang Fan (aji-zqfan) → nobody
Revision history for this message
Lance Bragstad (lbragstad) wrote :

I don't think this is necessarily a Keystone bug since it is following the Identity API spec, which defines 'password' as an optional parameter when creating a user.

python-keystoneclient V3 also follows the Identity API V3 spec according to this code: https://github.com/openstack/python-keystoneclient/blob/master/keystoneclient/v3/users.py#L48

python-keystoneclient V2.0 doesn't follow the spec and requires password on user create.

https://github.com/openstack/python-keystoneclient/blob/master/keystoneclient/v2_0/users.py#L89

Changed in keystone:
status: New → Invalid
Revision history for this message
Dolph Mathews (dolph) wrote :

Passwords are optional in the v2 API as well [1]; it seems like the v2 client lib call should be relaxed to make them optional (if the existing method signature can accommodate such a change without breaking compatibility).

[1] https://github.com/openstack/identity-api/blob/master/v2.0/src/xsd/OS-KSADM.xsd#L120-L126

Revision history for this message
Juan Manuel Ollé (juan-m-olle) wrote :

I could not reproduced it in master, I think this problems was fixed in icehouse

https://bugs.launchpad.net/keystone/+bug/1245342

Revision history for this message
Dolph Mathews (dolph) wrote :

@Juan: I believe that's why Lance marked this bug as invalid against keystone in comment #3, but the issue still stands that python-keystoneclient's v2.0 implementation doesn't follow the spec and requires password on user create:

  https://github.com/openstack/python-keystoneclient/blob/master/keystoneclient/v2_0/users.py#L89

Revision history for this message
Juan Manuel Ollé (juan-m-olle) wrote :

@Dolph: I think I'm missing something, I though that

keystone --debug user-create --name test-create

fails (according to bug description), but it is working correctly because it is passing None as password parameter (if no --pass in the command line)

What you mean is to have the method signature with password=None as default?

Revision history for this message
Dolph Mathews (dolph) wrote :

@Juan: yes, exactly!

Changed in python-keystoneclient:
importance: Undecided → Low
status: New → Triaged
Juan Manuel Ollé (juan-m-olle)
Changed in python-keystoneclient:
assignee: nobody → Juan Manuel Ollé (juan-m-olle)
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to python-keystoneclient (master)

Fix proposed to branch: master
Review: https://review.openstack.org/97597

Changed in python-keystoneclient:
status: Triaged → In Progress
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to python-keystoneclient (master)

Reviewed: https://review.openstack.org/97597
Committed: https://git.openstack.org/cgit/openstack/python-keystoneclient/commit/?id=e4b7daf71acd2d2d7bb19d6fbcd6d492c1338620
Submitter: Jenkins
Branch: master

commit e4b7daf71acd2d2d7bb19d6fbcd6d492c1338620
Author: Juan Manuel Olle <email address hidden>
Date: Tue Jun 3 15:58:02 2014 -0300

    Keystoneclient create user API should have optional password.

    Password is optional in Keystone service. The create user API
    in keystoneclient should have password None as default value.

    Change-Id: Ic72867c9b86ca65e3237786e35bcb5bd44f5f053
    Closes-Bug: #1273988

Changed in python-keystoneclient:
status: In Progress → Fix Committed
Dolph Mathews (dolph)
Changed in python-keystoneclient:
milestone: none → 0.10.0
Dolph Mathews (dolph)
Changed in python-keystoneclient:
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.