condense credentials (ec2, v3, compute)

Bug #1409218 reported by Steve Martinelli on 2015-01-10
This bug affects 2 people
Affects: python-openstackclient
Status: Triaged
Importance: Medium
Assigned to: Unassigned
Milestone: none

Bug Description

Currently we have:

  os ec2 credentials
  os credential

and an un-implemented

  nova x509-cert-*

we should condense all three into the same command set, just:

  os credentials

I am thinking:

  os credential create
      [--type <ec2 | cert> --project <project> --user <user> --domain <domain> --data <blob>]
      [--x509 --private-key <filename> --x509-cert <filename>]

More info here: https://etherpad.openstack.org/p/credentials-osc

Dean Troyer (dtroyer) wrote :

I like the idea of --type x509. We can pick a default type, I'd like 'cert' from the wtf-is-it standpoint (ec2 and x509 are pretty clear).

The --data option should be a filename or '-' for stdin. If it is required, maybe even read from stdin if --data is not supplied for the correct type.

Changed in python-openstackclient:
importance: Undecided → High
status: New → Confirmed
milestone: none → m7
Dean Troyer (dtroyer) on 2015-01-16
Changed in python-openstackclient:
milestone: m7 → m8
Changed in python-openstackclient:
assignee: nobody → Steve Martinelli (stevemar)
Changed in python-openstackclient:
status: Confirmed → In Progress
Dean Troyer (dtroyer) on 2015-03-05
Changed in python-openstackclient:
milestone: m8 → m9
Dag Stenstad (dag-stenstad) wrote :

If you define "--type ec2", shouldn't really all arguments be optional? It should probably take the domain_id, user_id and project_id from the currently scoped token by default?

The typical consumer of OpenStack services probably just wants to create an access key to use with Swift/S3 API or the Nova/EC2 API. And he/she probably has no idea how to look up the various IDs needed, as there probably is no access to identity:list_domains/list_projects/list_users without special privileges.

Steve Martinelli (stevemar) wrote :

@dag-stenstad, agreed they should get retrieved from the auth session. Additionally, an admin may want to create an ec2 cred for a non-admin account.

Dean Troyer (dtroyer) on 2015-04-21
Changed in python-openstackclient:
milestone: m9 → m10
Dean Troyer (dtroyer) on 2015-04-29
Changed in python-openstackclient:
milestone: m10 → none

Change abandoned by Steve Martinelli (<email address hidden>) on branch: master
Review: https://review.openstack.org/148466
Reason: abandon for now

Changed in python-openstackclient:
status: In Progress → Triaged
assignee: Steve Martinelli (stevemar) → nobody
importance: High → Medium
Sean Perry (sean-perry-a) wrote :

Ticket 1418837 complains that the arguments to 'credential set' claim to be optional but in reality are required. The spec https://github.com/openstack/keystone-specs/blob/master/api/v3/identity-api-v3.rst#credentials-v3credentials says they are required too.

I have a change proposed https://review.openstack.org/#/c/226922/ enforcing that user, type, and data (aka blob) are all required. Should ec2 work differently?
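
Added example, not part of the bug report and not python-openstackclient code: a sketch of the argument handling discussed in this thread, where the blob comes from a file or stdin (so it never appears on the command line), user and project default to the scoped token, and user, type and blob are enforced as required. The `session` dict, the `NEEDS_BLOB` table (including treating ec2 as needing no caller-supplied blob) and the function names are assumptions made for illustration.

```python
import argparse
import sys

# Types named in the thread; which ones need a caller-supplied blob is an assumption.
NEEDS_BLOB = {"cert": True, "x509": True, "ec2": False}


def build_parser():
    p = argparse.ArgumentParser(prog="credential create")
    p.add_argument("--type", choices=sorted(NEEDS_BLOB), default="cert")
    p.add_argument("--user", help="defaults to the user of the current token")
    p.add_argument("--project", help="defaults to the project of the current token")
    p.add_argument("--data", metavar="<file|->", help="blob file, or '-' for stdin")
    return p


def read_blob(source, stdin):
    """Read the blob from a file, or from stdin when source is '-'."""
    if source == "-":
        return stdin.read().strip()
    with open(source, encoding="utf-8") as fh:
        return fh.read().strip()


def resolve(argv, session, stdin=None):
    """Return credential fields; `session` is a hypothetical dict for the auth session."""
    stdin = sys.stdin if stdin is None else stdin
    args = build_parser().parse_args(argv)
    source = args.data
    if source is None and NEEDS_BLOB[args.type]:
        source = "-"  # blob required but --data omitted: fall back to stdin
    cred = {
        "type": args.type,
        "user": args.user or session.get("user_id"),
        "project": args.project or session.get("project_id"),
        "blob": read_blob(source, stdin) if source else None,
    }
    required = ["user", "type"] + (["blob"] if NEEDS_BLOB[args.type] else [])
    missing = [k for k in required if not cred[k]]
    if missing:
        raise SystemExit("missing required field(s): " + ", ".join(missing))
    return cred
```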
