nova client keeps asking for a keyring password

Bug #1020238 reported by David Kranz on 2012-07-02
90
This bug affects 18 people
Affects Status Importance Assigned to Milestone
python-novaclient
Undecided
Unassigned
python-novaclient (Ubuntu)
Low
Unassigned

Bug Description

I installed a recent devstack and now some keyring code asks for a password every time 'nova' is invoked. It seems that uninstalling python-keyring makes it stop, but we can't rely on that package not being installed. If this is not a bug, and there is some intended way to make this work, it should be documented.

Thierry Carrez (ttx) on 2012-07-12
affects: nova → python-novaclient
Akihiro Motoki (amotoki) wrote :

I have the same problem on Ubuntu 12.04 server.
Passing '--no_cache' option to 'nova' avoids the problem (as a workaround):
  % nova --no_cache image-list

Following traceback is produced with Ctrl-C:

ubuntu@t2:~/devstack$ nova image-list
Please input your password for the keyring
Wrong password for the keyring.
Please input your password for the keyringTraceback (most recent call last):
  File "/usr/local/bin/nova", line 9, in <module>
    load_entry_point('python-novaclient==2.6.10.12', 'console_scripts', 'nova')()
  File "/opt/stack/python-novaclient/novaclient/shell.py", line 460, in main
    OpenStackComputeShell().main(sys.argv[1:])
  File "/opt/stack/python-novaclient/novaclient/shell.py", line 390, in main
    self.cs.authenticate()
  File "/opt/stack/python-novaclient/novaclient/v1_1/client.py", line 126, in authenticate
    self.client.authenticate()
  File "/opt/stack/python-novaclient/novaclient/client.py", line 329, in authenticate
    keyring_key, keyring_value)
  File "/usr/lib/python2.7/dist-packages/keyring/core.py", line 39, in set_password
    _keyring_backend.set_password(service_name, username, password)
  File "/usr/lib/python2.7/dist-packages/keyring/backend.py", line 316, in set_password
    password_encrypted = self.encrypt(password.encode('utf-8'))
  File "/usr/lib/python2.7/dist-packages/keyring/backend.py", line 456, in encrypt
    crypter = self._init_crypter()
  File "/usr/lib/python2.7/dist-packages/keyring/backend.py", line 440, in _init_crypter
    password = self._getpass("Please input your password for the keyring")
  File "/usr/lib/python2.7/dist-packages/keyring/backend.py", line 371, in _getpass
    return getpass.getpass(*args, **kwargs)
  File "/usr/lib/python2.7/getpass.py", line 71, in unix_getpass
    passwd = _raw_input(prompt, stream, input=input)
  File "/usr/lib/python2.7/getpass.py", line 133, in _raw_input
    line = input.readline()
KeyboardInterrupt

David Kranz (david-kranz) wrote :

There was a discussion about this on the dev mailing list and I was curious about the final resolution. This change breaks Tempest and I am about to change it to pass the no_cache argument. But then it won't work with the older client. I am not sure what kind of stability we are trying to provide in the client projects. It also doesn't seem friendly for a python API to require reading from stdin in order to continue. Perhaps only the cli part should do this?

David Kranz (david-kranz) wrote :

Actually, the tempest issue would be solved if the Client.__init__ set no_cache to True if there was an explicit password (api_key) provided.

Marco CONSONNI (marco-consonni) wrote :

I'm also experimenting this

Can Zhang (acme-ican) wrote :

I also encountered that (installed on ubuntu12.04 using devstack)

It's OK in a prompt but in a python script using the API, it's intolerant.

As a makeshift, I use this in a script:

nt = client.Client(USER, PASSWORD, TENANT_NAME, AUTH_URL, service_type="compute", no_cache = True)

David Kranz (david-kranz) wrote :

I'm really confused about this. I just installed this package from the ubuntu test archive

ii python-novaclient 1:2.8.0.26+git20120921180 client library for OpenStack Compute API

When I do 'nova list' it asks for a password. I give it and it asks to confirm. I do that but it still continues to ask for the
password every time I do a nova command. This seems like a really bad bug.

Tom Fifield (fifieldt) on 2012-09-29
Changed in python-novaclient:
status: New → Confirmed
Eoghan Glynn (eglynn) on 2012-10-08
Changed in python-novaclient:
assignee: nobody → Eoghan Glynn (eglynn)
assignee: Eoghan Glynn (eglynn) → nobody
Doug Goldstein (cardoe) wrote :

This bug is even a little bit more annoying in that the prompt for the password is not really well written. e.g. the input is:

Please input your password for the keyring

The cursor sits right after the "g" in keyring and does not express through * or any other means that keyboard input is recognized. There should also be a space after "keyring" and potentially a colon.

Lastly --no_cache is documented as not taking an argument however it currently expects an argument so you actually have to do something like:

$ nova --no_cache blah list

Dave Spano (dspano) wrote :

In this mailing list response, Vish says you can use
export OS_NO_CACHE=1 in your .bashrc to stop this behaviour.

https://lists.launchpad.net/openstack/msg16095.html

Chuck Short (zulcss) wrote :

Work around according to the last comment.

Changed in python-novaclient (Ubuntu):
importance: Undecided → Low
status: New → Confirmed
cloud.abada (cloud-abada) wrote :

Works perfectly with the changes proposed by Vish.

Gui Maluf (guimalufb) wrote :

export OS_NO_CACHE=1 worked for me as well.

Jian Wen (wenjianhn) wrote :

Not a bug.
It's just annoying.

Changed in python-novaclient:
status: Confirmed → Invalid
Changed in python-novaclient (Ubuntu):
status: Confirmed → Invalid
Doug Goldstein (cardoe) wrote :

It is a bug when its impossible to set the initial password so it always tells you that your password is invalid because there is no password set for the keyring. The issue here is that the code Ubuntu adds for Nova client initializes the keyring incorectly.

Changed in python-novaclient:
status: Invalid → New
Joshua Harlow (harlowja) wrote :

Upgrade to python keyring >=1 seems to use the unencrypted keyring by default, thus no prompting ;)

Pedro Perez (pperezrubio) wrote :

According to docs in https://wiki.openstack.org/wiki/KeyringSupport:

"The keyring is used only if --os-use-keyring is specified, or if environment variable OS_USE_KEYRING=true is defined. "

This do not appears to be the case.

Alan Pevec (apevec) wrote :

In keystoneclient no-cache was renamed to os-cache and default is not to use keyring
https://github.com/openstack/python-keystoneclient/commit/d734821c99aade7cd4285a5fd51736c475707dcd

For consistency, this should applied in all clients.

Alan Pevec (apevec) wrote :
Changed in python-novaclient:
status: New → Fix Committed
Changed in python-novaclient:
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers