token issue fails for keystone v2 if OS_PROJECT_DOMAIN_NAME or OS_USER_DOMAIN_NAME are set
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
python-keystoneclient | Won't Fix | Undecided | Unassigned |
python-openstackclient | Fix Released | Medium | Hieu LE |
Bug Description
"/usr/bin/openstack --insecure token issue" fails when OS_AUTH_URL and OS_IDENTITY_
If I run with --debug, this appears to be the problem:
ERROR: openstackclient
File "/usr/lib/
return super(OpenStack
File "/usr/lib/
result = self.run_
File "/usr/lib/
result = cmd.run(
File "/usr/lib/
column_names, data = self.take_
File "/usr/lib/
token = self.app.
File "/usr/lib/
self._auth_ref = self.auth.
File "/usr/lib/
self._plugin = self._do_
File "/usr/lib/
raise exceptions.
DiscoveryFailure: Could not determine a suitable URL for the plugin
e.g. env vars:
OS_REGION_
OS_IDENTITY_
OS_AUTH_URL=https:/
OS_USERNAME=myuser
OS_PASSWORD=
OS_TENANT_
OS_PROJECT_
OS_USER_
OS_PROJECT_
seen with openstackclient 1.0.3 and keystoneclient 1.1.0
Changed in python-openstackclient:
milestone: m10 → m11
Changed in python-openstackclient:
milestone: m11 → m12
Changed in python-openstackclient:
milestone: m12 → m13
Changed in python-openstackclient:
status: Triaged → In Progress
Changed in python-openstackclient:
assignee: nobody → Hieu LE (hieulq)
Changed in python-openstackclient:
status: Triaged → In Progress
This also occurs with --os-auth-type password, forcing a bypass of OSC's broken endpoint hack. It is actually a two-part problem:
1) There appears to be a design choice in Keystone client. In keystoneclient/auth/identity/generic/base.py _do_create_plugin() line 151 (in my tree) we see:
    if (_discover.version_match((2,), version) and
            self._has_domain_scope):
        # NOTE(jamielennox): if there are domain parameters there
        # is no point even trying against v2 APIs.
        continue
It appears that KSC assumes that you want v3 whenever domain args are present.
2) The user's selection of v2 is not enforced because OSC sets a default auth-type of osc_password. That really needs to be removed so discovery can work properly and --os-identity-api-version is honored.
In short, the obvious workaround is to not set domain args if you want to use v2 auth.
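The following is an added example, not part of the comment above and not code from keystoneclient or openstackclient: a simplified model of the version-skipping loop the comment quotes, plus a pre-flight check for the conflicting environment. The function names, the `DiscoveryFailure` stand-in class and the sample environment are assumptions made for illustration.

```python
# Simplified model for illustration; not keystoneclient's own code.
DOMAIN_VARS = (
    "OS_DOMAIN_ID", "OS_DOMAIN_NAME",
    "OS_PROJECT_DOMAIN_ID", "OS_PROJECT_DOMAIN_NAME",
    "OS_USER_DOMAIN_ID", "OS_USER_DOMAIN_NAME",
)


class DiscoveryFailure(Exception):
    """Stand-in for the exception named in the traceback."""


def domain_vars_set(env):
    """Return the domain-related variables that carry a non-empty value."""
    return [name for name in DOMAIN_VARS if env.get(name)]


def select_identity_version(discovered, env):
    """Pick the first usable version from `discovered`, a list of version
    tuples such as [(3, 0), (2, 0)]; v2 is skipped when domain vars are set."""
    has_domain_scope = bool(domain_vars_set(env))
    for version in discovered:
        if version[0] == 2 and has_domain_scope:
            continue  # mirrors the `continue` in the quoted snippet
        return version
    raise DiscoveryFailure("Could not determine a suitable URL for the plugin")


def preflight(env):
    """Return a warning string when v2 is requested alongside domain vars."""
    requested = env.get("OS_IDENTITY_API_VERSION", "")
    offending = domain_vars_set(env)
    if requested.startswith("2") and offending:
        return "identity v2 requested; unset: " + ", ".join(offending)
    return None


if __name__ == "__main__":
    # Constructed environment resembling the report (values are made up).
    env = {"OS_IDENTITY_API_VERSION": "2.0",
           "OS_AUTH_URL": "https://keystone.example.test:5000/v2.0",
           "OS_USER_DOMAIN_NAME": "Default"}
    print(preflight(env))
    try:
        select_identity_version([(2, 0)], env)  # endpoint offers v2 only
    except DiscoveryFailure as exc:
        print("DiscoveryFailure:", exc)
```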