OidcPassword auth plugin should accept Keystone scope parameters

Hmm, I have digged more into the problem, and it seems that it is actually related with the python-keystoneclient. I am working on a solution...

The python-keystoneclient OIDC password authentication plugin should accept keyword arguments that indicate the scope (e.g. project name). Otherwise, it is not possible to get an scoped token, and when using it with python-openstackclient it fails with:

Fix proposed to branch: master
Review: https://review.openstack.org/317895

Change abandoned by Alvaro Lopez Garcia (<email address hidden>) on branch: master
Review: https://review.openstack.org/317895

So this is because openstackclient makes assumptions about the authenticatino options required when the plugin ends in password. I think the assumption there was this would catch the v2 v3 and generic password plugins but is also catching oidc password.

The OIDC plugin should accept the options that it present in its get_options field and if OSC passes it more than that it's a bug. This will hopefully get cleaned up as OSC moves towards os-client-config and keystoneauth.

I'm trying to do a proof of concept of v3oidcpassword using python-openstack client, and I'm hitting this. I'm attempting 'openstack configuration show' based on:

(Test Case 1): clouds.yml file.
(Test Case 2): environment variables.
(Test Case 3): interactive CLI switches.

How best to proceed given this bug?

Hi Joshua,

I think OSC needs a few fixes here, specifically:

1) https://review.openstack.org/#/c/276350/
and
2) https://review.openstack.org/#/c/318201/

Until they are merged and released, you can try patching a virtualenv with those patches and see if it fixes your problem.

Hi Steve.

Thanks for your comments.

I pulled down the code from the first review in a venv and cherry picked the second onto the first and installed in place using pip -e .

Given this clouds.yml file: https://gist.github.com/josdotso/83470e4e0d8d64548b8356b6019128bd

Result is:
$ openstack --os-cloud devstack-oidc configuration show
auth_ref
$ openstack --os-cloud devstack-oidc server list
auth_ref

Not sure what that's about. Will look into it more tomorrow.

Thanks again!
-Joshua

Joshua, can you also add --debug to the command? I thought Alvaro reported success with the combination of those two patches, maybe he could chime in :)

Hi all.

I tested the changes with v3oidcaccesstoken but I have realized that there are bits missing with the password grant type classes, both in keystoneauth (not accepting kwargs for specifying scope) and in python-openstackclient (setting the scope parameter "user_domain_id"). I will upload several patches that will fix that, with a reference to this bug.

However, you are also missing several configuration parameters in your clouds.yaml that are required for OIDC when using the password credentials grant type:

 - protocol: The configured protocol for the IdP that you configured in Keystone.
 - access_token_endpoint: The endpoint from your IdP where you can obtain an OIDC access token
 - client_id: The client ID that you have configured at your IdP.
 - client_secret: The client secret that corresponds to your client ID.

Hope this helps.

Fix proposed to branch: master
Review: https://review.openstack.org/322032

I do not know why this has not been updated by hudson, the relevant patches are:

 - python-openstackclient: https://review.openstack.org/322032
 - keystoneauth: https://review.openstack.org/#/c/322027/

Thanks for the update.

I find, with all of the patches here installed, both v3oidcpassword and "normal" calls end in "AttributeError: auth_ref".

Here's an example of invoking the devstack-admin which is generated by Devstack to /etc/openstack/clouds.yml.

https://gist.github.com/josdotso/e25796d77a15f09f62b4a4ef8d0f2b36

My issue seems to stem from keystoneauth1.loading.base not containing get_plugin_class on my patched setup. I think I need to pull in a review that implements 'get_plugin_class' in keystoneauth1.loading.base. I'll try to find out where to get that patch.

Okay so get_plugin_class was in keystoneclient and isn't in keystoneauth.

https://review.openstack.org/gitweb?p=openstack/python-keystoneclient.git;a=blob;f=keystoneclient/auth/base.py;h=4754942ac7dcfccf1970dfb9d0e1a76134cc34bd;hb=1e542e14ca16147ad55625a4dbb3ddb19e38d66d#l31

I got it working. Had to switch the get_plugin_class call to use the keystoneauth implementation of the same function which is called 'get_plugin_loader'.

Thanks!

Reviewed: https://review.openstack.org/322027
Committed: https://git.openstack.org/cgit/openstack/keystoneauth/commit/?id=4343ce524af461132f7d4e1684ea478e9b2c8c3e
Submitter: Jenkins
Branch: master

commit 4343ce524af461132f7d4e1684ea478e9b2c8c3e
Author: Alvaro Lopez Garcia <email address hidden>
Date: Fri May 27 10:53:00 2016 +0200

    Let Oidc* auth plugins accept scope parameters as kwargs

    The OidcPassword and OidcAauthCode auth plugins should accept scope
    parameters like the project, otherwise it would be impossible to get a
    scoped token, making python-openstackclient fail.

    Closes-Bug: #1582774
    Change-Id: I960d67b4529afbc83eff0da945677b2fd83973e1

This issue was fixed in the openstack/keystoneauth 2.8.0 release.

What is the approved scope "var/switch name" for (1) Command line, (2) Env Var and (3) Clouds.yaml?

I've found that --os-scope is on the wiki (and it was working as of my comment #16), while --os-openid-scope is mentioned in the help docs. However, none of these methods work now using the latest patch sets for the reviews mentioned above.

Can we address this inconsistency?

http://paste.openstack.org/raw/518478/

Hi Joshua.

I think that there is a bit of mess here :-(

There are two different meanings for "scope" here.

On the one hand we have the Keystone token scope: this particular bug was regarding Keystone scope parameters (that is, project_id, domain_id, tenant_id, etc.).

On the other hand we have the OpenID Connect Scope. OpenID Connect scope should be specified with "os-openid-scope" option in the command line.

Probably, the naming inconsistency that you get comes from the switch from python-keystoneclient (the legacy) to keystoneauth. The previous plugin used "os-scope" whereas the new one uses "os-openid-scope". Moreover, there was a bug (https://bugs.launchpad.net/python-openstackclient/+bug/1594272) that made impossible to specify an scope due to a naming error. Can you confirm that this is your case?

Reviewed: https://review.openstack.org/322032
Committed: https://git.openstack.org/cgit/openstack/python-openstackclient/commit/?id=099a2c38b99dff6a0909c0a3ba2909f1aea58644
Submitter: Jenkins
Branch: master

commit 099a2c38b99dff6a0909c0a3ba2909f1aea58644
Author: Alvaro Lopez Garcia <email address hidden>
Date: Fri May 27 11:03:15 2016 +0200

    Refactor setting defaults for some scope parameters

    The code is setting defaults for some scope parameters, cheking if the
    name ends with some specific substring (namely ending in "password")
    causing failures in some plugins that end with the same string, but do
    not allow those parameters (like "user_domain_id" in "v3oidcpassword").

    Closes-Bug: #1582774
    Change-Id: Id7036db3b783b135353d035dc4c1df7c808d6474

This issue was fixed in the openstack/python-openstackclient 3.0.0 release.