python-keystoneclient

DefaultCLI plugin doesn't invalidate stored tokens

Bug #1551392 reported by Jacek Tomasiak
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
python-keystoneclient
Won't Fix
Undecided
Jacek Tomasiak

Bug Description

Keystone Session's "reauth" feature relies on proper implementation of invalidate() in auth plugins.
DefaultCLI aims to handle typical cases found in CLI client implementations.
As such it is a "combo" plugin which can handle both username/password and token.
If client is called with both of the above, token has higher priority but if it expires, username/password should be used to generate new token for subsequent requests.
The problem is that DefaultCLI doesn't provide custom invalidate() function which would invalidate internally stored token value and enable fallback to username/password.

Jacek Tomasiak (skazi)
Changed in python-keystoneclient:
assignee: nobody → Jacek Tomasiak (skazi)
status: New → Confirmed
Revision history for this message
Steve Martinelli (stevemar) wrote :

please ensure that this is also the case for 'python-openstackclient' (which is a new unified CLI) as the CLI that is bundled with 'python-keystoneclient' is deprecated and will be removed in the N release.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to python-keystoneclient (master)

Fix proposed to branch: master
Review: https://review.openstack.org/286236

Changed in python-keystoneclient:
status: Confirmed → In Progress
Revision history for this message
Jacek Tomasiak (skazi) wrote :

I checked briefly in python-openstackclient and it seems that it's not directly related to this bug as python-openstackclient doesn't use DefaultCLI plugin from python-keystoneclient.

This bug itself is not limited to keystone CLI as it was discovered while working on Murano client re-auth fix (https://bugs.launchpad.net/python-muranoclient/+bug/1499329).

Revision history for this message
Morgan Fainberg (mdrnstm) wrote :

Please confirm this is still a valid bug against the code in keystoneauth library not keystoneclient. Keystoneclient session, and cli are deprecated in favor of keystoneauth and openstackclient (CLI) respectively.

If this is valid against openstackclient and/or keystoneauth please add those projects to this bug.

Changed in python-keystoneclient:
status: In Progress → Won't Fix
Revision history for this message
Jacek Tomasiak (skazi) wrote :

As far as I can see from keystoneauth code, this bug doesn't affect it as the functionality which contains this bug doesn't exist in keystoneauth at all.
DefaultCLI plugin in keystoneclient seems to be the only one able to handle both token and username/password auth at the same time. Comparing keystoneclient to keystoneauth, I would consider this to be a kind of "functional regression" as with keystoneauth clients need to add their own code to implement "fallback to username/password in case of invalid/expired token" functionality.
It seems that neither keystoneauth nor openstackclient provide any support for this kind of behavior.

As for not fixing this bug, I'm not sure how many projects are using keystoneclient but for sure there is muranoclient which still does. Without this fix the "fallback" functionality mentioned above will not work or will require more code on client side to implement something which could easily be fixed in keystoneclient.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Change abandoned on python-keystoneclient (master)

Change abandoned by Jacek Tomasiak (<email address hidden>) on branch: master
Review: https://review.openstack.org/286236
Reason: Problem worked around on client side.

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.