cinderclient does not support noauth

Bug #1657156 reported by Julia Kreger on 2017-01-17
This bug affects 2 people
Affects: python-cinderclient
Importance: Undecided
Assigned to: Ivan Kolodyazhny

Bug Description

While implementing support for Ironic to communicate with cinder, I noticed that python-cinderclient does not appear to support noauth mode for the client. The client presently expects authentication parameters on the command line, such as username, password, tenant, auth_url, even if auth_system and auth_plugin are set to something that is not keystone related.

This logic does not appear to be overridable via providing a proxy_token or bypass_url to the client on the CLI as the library attempts to then obtain an auth_url from the plugin, disregarding one defined on the command line, which has no override mechanism.

https://github.com/openstack/python-cinderclient/blob/master/cinderclient/client.py#L219

A compromise may be to allow the auth parameter to be passed through to the client, which would allow a caller to explicitly state the endpoint to be returned. See the admin_token keystoneauth1 plugin. The CLI would not be usable for noauth, but the library could then be used programmatically.

https://github.com/openstack/keystoneauth/blob/master/keystoneauth1/loading/_plugins/admin_token.py

Alternatively, the bypass_url option could be used to populate the data if something like admin_token is defined as the auth_plugin.

Ivan Kolodyazhny (e0ne) on 2017-01-19
description: updated
Ivan Kolodyazhny (e0ne) on 2017-01-19
Changed in python-cinderclient:
assignee: nobody → Ivan Kolodyazhny (e0ne)
Ivan Kolodyazhny (e0ne) on 2017-01-25
Changed in python-cinderclient:
status: New → Confirmed

Fix proposed to branch: master
Review: https://review.openstack.org/425277

Changed in python-cinderclient:
assignee: Ivan Kolodyazhny (e0ne) → Gorka Eguileor (gorka)
status: Confirmed → In Progress

Fix proposed to branch: master
Review: https://review.openstack.org/427143

Changed in python-cinderclient:
assignee: Gorka Eguileor (gorka) → Ivan Kolodyazhny (e0ne)

Change abandoned by Sean McGinnis (<email address hidden>) on branch: master
Review: https://review.openstack.org/427143
Reason: This review is > 4 weeks without comment, and failed Jenkins the last time it was checked. We are abandoning this for now. Feel free to reactivate the review by pressing the restore button and leaving a 'recheck' comment to get fresh test results.

Change abandoned by Gorka Eguileor (<email address hidden>) on branch: master
Review: https://review.openstack.org/425277
Reason: In favor of using keystoneclient plugins: https://review.openstack.org/427143

Reviewed: https://review.openstack.org/427143
Committed: https://git.openstack.org/cgit/openstack/python-cinderclient/commit/?id=60f92db7049b4f66e5198b86bfecc1029b6cdccd
Submitter: Jenkins
Branch: master

commit 60f92db7049b4f66e5198b86bfecc1029b6cdccd
Author: Ivan Kolodyazhny <email address hidden>
Date: Tue Jan 31 14:33:32 2017 +0200

    Fix noauth support

    This patch includes several improvements:
    1. Use keystoneauth1 plugin mechanism for auth plugins.
    2. Implements CinderNoAuthPlugin.
    3. Deletes non-working cinderclient.auth_plugin module.
    4. Deprecates --bypass-url in favor of --os-endpoint to be consistent
    with keystoneauth1 plugins.
    5. Deprecates --os-auth-system in favor of --os-auth-type to be
    consistent with keystoneauth1 plugins.

    Both bypass_url and os_auth_system params are not changed for client
    objects to not break backward compatibility for Python API.

    How to use noauth with cinderclient CLI:
    OS_USER_ID=userid OS_PROJECT_ID=projectis cinder --os-auth-type noauth
    --os-endpoint=http://localhost:8776/v2 list

    Change-Id: I3be59a5a39235acbc3334e0a0b797081507a5c88
    Closes-Bug: #1657156

Changed in python-cinderclient:
status: In Progress → Fix Released

This issue was fixed in the openstack/python-cinderclient 2.1.0 release.
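
An added example, not part of the bug report or of python-cinderclient: a small linter for cinder CLI invocations that reports the two flags the commit message deprecates and checks noauth invocations against the shape of the commit's usage line. The function names and the policy that noauth should only target a loopback endpoint with `OS_USER_ID` and `OS_PROJECT_ID` set are assumptions of this example; the second command in the test is constructed.

```python
import ipaddress
import shlex
from urllib.parse import urlsplit

# Deprecated flag -> replacement, taken from the commit message above.
DEPRECATED = {"--bypass-url": "--os-endpoint", "--os-auth-system": "--os-auth-type"}


def parse_flags(tokens):
    """Map '--flag value' and '--flag=value' to {flag: value} (value flags only)."""
    flags = {}
    for i, tok in enumerate(tokens):
        if tok.startswith("--"):
            name, sep, value = tok.partition("=")
            if not sep and i + 1 < len(tokens):
                value = tokens[i + 1]
            flags[name] = value
    return flags


def is_loopback(url):
    """True when the endpoint host is localhost or a loopback IP address."""
    host = urlsplit(url).hostname or ""
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False


def audit(command, environ=None):
    """Return findings for one cinder command line (hypothetical local policy)."""
    tokens = shlex.split(command)
    env = dict(environ or {})
    # Leading NAME=value tokens are per-command environment assignments.
    while tokens and "=" in tokens[0] and not tokens[0].startswith("-"):
        name, _, value = tokens.pop(0).partition("=")
        env[name] = value
    flags = parse_flags(tokens)
    findings = [f"{old} is deprecated, use {new}"
                for old, new in DEPRECATED.items() if old in flags]
    # Assumption: the deprecated flag is read as an alias of its replacement.
    if (flags.get("--os-auth-type") or flags.get("--os-auth-system")) == "noauth":
        endpoint = flags.get("--os-endpoint") or flags.get("--bypass-url")
        if not endpoint:
            findings.append("noauth needs an explicit --os-endpoint")
        elif not is_loopback(endpoint):
            findings.append(f"noauth request leaves the host: {endpoint}")
        findings += [f"{v} is not set" for v in ("OS_USER_ID", "OS_PROJECT_ID") if not env.get(v)]
    return findings
```
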
