An OS_PROJECT_* value is unnecessarily demanded, even if the user has a default project

Bug #1592062 reported by Dolph Mathews on 2016-06-13
10
This bug affects 2 people
Affects Status Importance Assigned to Milestone
python-openstackclient
Fix Released
High
Dolph Mathews

Bug Description

(This overlaps with bug 1506285, but that discussion went into the weeds and mostly focuses on openstack-ansible, so I think it's prudent to discuss openstackclient separately.)

With absolutely nothing set in my environment, openstackclient unnecessarily demands that I specify a project (using OS_PROJECT_NAME or OS_PROJECT_ID) when calling (for example) `server list`, even though it'll happily return a scoped token, scoped by keystone using my user's default project ID.

For example, here's a `token issue` returning a scoped token, without me specifying a scope:

$ openstack --os-identity-api-version=3 --os-username=dolph --os-password=secrete --os-user-domain-id=default --os-auth-url=https://identity.example.com/ token issue
+------------+------------------------------------------------------------------------------------------------------------------------------------------------+
| Field | Value |
+------------+------------------------------------------------------------------------------------------------------------------------------------------------+
| expires | 2016-06-14T16:29:34.135000Z |
| id | abc123 |
| project_id | def456 |
| user_id | aef789 |
+------------+------------------------------------------------------------------------------------------------------------------------------------------------+

And then with the same configuration, openstackclient blindly protests:

$ openstack --os-identity-api-version=3 --os-username=dolph --os-password=secrete --os-user-domain-id=default --os-auth-url=https://identity.example.com/ server list
Missing parameter(s):
Set a scope, such as a project or domain, set a project scope with --os-project-name, OS_PROJECT_NAME or auth.project_name, set a domain scope with --os-domain-name, OS_DOMAIN_NAME or auth.domain_name

Dolph Mathews (dolph) on 2016-06-13
description: updated
Dolph Mathews (dolph) wrote :
Changed in python-openstackclient:
assignee: nobody → Dolph Mathews (dolph)
status: New → In Progress
Changed in python-openstackclient:
importance: Undecided → High

Reviewed: https://review.openstack.org/330057
Committed: https://git.openstack.org/cgit/openstack/python-openstackclient/commit/?id=fe0c8e955be0331aef9cc6847c9bddc43ce66d92
Submitter: Jenkins
Branch: master

commit fe0c8e955be0331aef9cc6847c9bddc43ce66d92
Author: Dolph Mathews <email address hidden>
Date: Wed Jun 15 16:26:35 2016 +0000

    Do not prompt for scope options with default scoped tokens

    This changes the scope validation to occur after a token has already
    been created.

    Previous flow:

    1. Validate authentication options.
    2. Validate authorization options if the command requires a scope.
    3. Create a token (using authentication + authorization options)
    4. Run command.

    This means that scope was being checked, even if a default scope was
    applied in step 3 by Keystone.

    New flow:

    1. Validate authentication options.
    2. Create token (using authentication + authorization options)
    3 Validate authorization options if the command requires a scope and
       the token is not scoped.
    4. Run command.

    Change-Id: Idae368a11249f425b14b891fc68b4176e2b3e981
    Closes-Bug: 1592062

Changed in python-openstackclient:
status: In Progress → Fix Released

Change abandoned by Dolph Mathews (<email address hidden>) on branch: stable/mitaka
Review: https://review.openstack.org/330136
Reason: Alrighty, then.

Change abandoned by Dolph Mathews (<email address hidden>) on branch: stable/liberty
Review: https://review.openstack.org/330156

This issue was fixed in the openstack/python-openstackclient 3.0.0 release.

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers