token authentication does not work

Bug #1608354 reported by Adrian Turjak
This bug affects 1 person
Affects: python-openstackclient
Status: Invalid
Importance: Undecided
Assigned to: Unassigned
Milestone: (none)

Bug Description

The documented token authentication method does not work.
http://docs.openstack.org/developer/python-openstackclient/authentication.html

Nor does token_endpoint work, although token_endpoint is less useful.

By just setting --os-auth-url and --os-token I can't do anything as it asks for username even though the documentation states that it should correctly pick the auth_type based on options.

By setting the auth_type manually I still can't do anything.

Paste of my attempts:
http://paste.openstack.org/show/544971/

Digging through the OpenStackClient, osc-lib, and Keystoneauth, I can't actually track how any of this works as the functionality is spread across so many libraries.

I would expect that it works with the keystoneauth plugin here:
https://github.com/openstack/keystoneauth/blob/master/keystoneauth1/identity/v3/token.py

But trying to make sense of where this is going wrong without knowing the codebases across all these libraries makes it hard to track.

Token authentication is hugely useful in circumstances when you want to reuse the same token for CLI calls rather than username/password. It is clearly documented, there appears to be code that is meant to do this, so it not working is a bug.

description: updated
Adrian Turjak (adriant-y) wrote :

I've since tried a few things with curl to confirm both Keystone and the other APIs do actually work as intended.

See bash:
http://paste.openstack.org/show/545496/

The functionality that is documented, and how I'd expect it to work, is that using your set token, either fetch a new token+catalog or get a catalog with the current token, then complete the action from there.

Keystone allows getting a new token+catalog with the old one so the issue is somewhere in the OSclient osc-lib keystoneauth chain.

Richard Theis (rtheis) wrote :

Hi Adrian, does https://review.openstack.org/#/c/360100/ fix the problem for you?

Adrian Turjak (adriant-y) wrote :

I've mostly found a workaround, which is to selectively unset or avoid setting specific variables as the client attempts to pass along everything to Keystoneauth, and keystoneauth throws errors, and those errors aren't exactly clear as to where the issue is.

Turns out the issue is user error, but user error that doesn't provide useful error messages.

Basically, if you have the OS_USER_DOMAIN_NAME value set, the client attempts to pass that along to KeystoneAuth, and it complains. Ideally it should only pass on values the auth method actually needs, so that we don't have to selectively ensure only the right values are set.

The following bash works to set a local var token and use that for auth:
http://paste.openstack.org/show/563692/

You can mark this as resolved if you want, but would be good if someone else can go through and reproduce this and maybe attempt to get some better error messages in, and also fix documentation to be clear as to what exactly is needed for token auth.
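
The workaround described in the comment above, sketched as an added example (it is not the contents of the linked pastes and not project code): report which user-identity variables are set, then run a command with only the token settings exported. Assumptions: `OS_AUTH_TYPE=v3token` selects the keystoneauth v3 token plugin, and the variable list in `USER_ONLY_VARS` is illustrative; only `OS_USER_DOMAIN_NAME` is named in the thread. The function names are hypothetical.

```shell
#!/bin/sh
# Added example: preflight and wrapper for token auth with the openstack CLI.
# Assumption: these user-identity variables are not taken by a token plugin;
# OS_USER_DOMAIN_NAME is the one reported in the thread.
USER_ONLY_VARS="OS_USERNAME OS_USER_ID OS_PASSWORD OS_USER_DOMAIN_NAME OS_USER_DOMAIN_ID"

# Print the names (never the values) of user-identity variables that are set.
token_auth_conflicts() {
    for name in $USER_ONLY_VARS; do
        # ${VAR+x} expands to "x" only when VAR is set, even if it is empty.
        # eval is safe here because $name comes from the fixed list above.
        if eval "[ -n \"\${$name+x}\" ]"; then
            printf '%s\n' "$name"
        fi
    done
}

# Run "$@" with token settings exported and the conflicting variables unset.
# The work happens in a subshell, so the caller's environment is not modified.
# The token is passed through OS_TOKEN rather than --os-token, which keeps it
# out of the process argument list.
with_token_env() {
    if [ -z "${OS_AUTH_URL:-}" ] || [ -z "${OS_TOKEN:-}" ]; then
        echo "OS_AUTH_URL and OS_TOKEN must both be set" >&2
        return 2
    fi
    (
        for name in $USER_ONLY_VARS; do
            unset "$name"
        done
        OS_AUTH_TYPE=v3token
        export OS_AUTH_TYPE OS_AUTH_URL OS_TOKEN
        "$@"
    )
}

# Usage (after sourcing this file):
#   token_auth_conflicts                  # list variables that would be cleared
#   with_token_env openstack server list  # run one command with token auth only
```
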

Richard Theis (rtheis) wrote :

Closing based on comment #3. Please open a separate bug for error message or documentation problems.

Changed in python-openstackclient:
status: New → Invalid