python-cinderclient

token + service_url based authentication

Bug #1197746 reported by Attila Fazekas
296
This bug affects 9 people
Affects Status Importance Assigned to Milestone
python-cinderclient
Invalid
Undecided
Unassigned
python-novaclient
Invalid
Medium
Unassigned

Bug Description

The keystone service provides a token which is usable for accessing all OpenStack services.
A single REST token-get response also contains all service endpoints.

So after a token-get no future keystone communication required on the client side until the token expires (24h).

The glance, neutron, and keystone clients are able to use the already acquired tokens, but the python-novaclient and python-cinderclient not yet.

Example usage with glance CLI:
https://github.com/openstack-dev/devstack/blob/master/functions#L1168

The CLI usage is not efficient with a frequent token-get, it is major issue when you use the client from a shell scripts.

IMHO token based authentication is nicer in python scripts as well.

Revision history for this message
Joe Gordon (jogo) wrote :

This is a two part bug, one we the keyring is disabled by default and two its broken: https://bugs.launchpad.net/python-novaclient/+bug/1039572

Once we fix the keyring we should enable it by default as long as the dependencies are there.

Changed in python-novaclient:
status: New → Confirmed
importance: Undecided → Medium
Revision history for this message
Lorin Hochstein (lorinh) wrote :

Would definitely like to be able to authenticate against an endpoint in a Python script using an existing token.

Revision history for this message
Jacob Godin (jacobgodin) wrote :

Has there been any traction on this? It looks like https://bugs.launchpad.net/python-novaclient/+bug/1039572 has been fixed.

Masco (masco)
Changed in python-cinderclient:
assignee: nobody → Masco Kaliyamoorthy (masco)
Masco (masco)
Changed in python-cinderclient:
status: New → In Progress
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to python-cinderclient (master)

Fix proposed to branch: master
Review: https://review.openstack.org/74602

Revision history for this message
git-harry (git-harry) wrote :

@Masco Kaliyamoorthy - you haven't updated your proposed fix in several months. I was going to rebase it for you to get things moving along, but so much has changed on the project since you submitted it I found it was easy to write a new patch. I will submit my patch but if you would like to get yours merged instead please update it and let me know and I will abandon mine.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote :

Fix proposed to branch: master
Review: https://review.openstack.org/111051

Changed in python-cinderclient:
assignee: Masco Kaliyamoorthy (masco) → git-harry (git-harry)
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Change abandoned on python-cinderclient (master)

Change abandoned by Mike Perez (<email address hidden>) on branch: master
Review: https://review.openstack.org/74602

Revision history for this message
OpenStack Infra (hudson-openstack) wrote :

Change abandoned by Sean McGinnis (<email address hidden>) on branch: master
Review: https://review.openstack.org/111051
Reason: This review is > 8 weeks without comment, and failed Jenkins the last time it was checked. We are abandoning this for now. Feel free to reactivate the review by pressing the restore button and leaving a 'recheck' comment to get fresh test results.

Ashish Singh (ashish-singh7)
information type: Public → Public Security
Revision history for this message
Ashish Singh (ashish-singh7) wrote :

Guys, Can somebody tell me if there are some activity going on in here? Is there any way to reuse keystone auth_token for authentication with cinder?

Revision history for this message
Matt Riedemann (mriedem) wrote :

Is this still valid now that python-novaclient uses keystoneauth1 with sessions?

Changed in python-novaclient:
status: Confirmed → Invalid
Changed in python-cinderclient:
status: In Progress → Confirmed
assignee: git-harry (git-harry) → nobody
Revision history for this message
Sean McGinnis (sean-mcginnis) wrote :

Same question for Cinder that Matt had. Cinder has switched over to keystoneauth1 now. Is this still an issue? Closing as Invalid for now, but if still needed please reopen it.

Changed in python-cinderclient:
status: Confirmed → Invalid
To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.