add an option to prompt for passwords to avoid leaking them into history and ps output

Sorry, if it matters, I'm using keystone from python-keystoneclient 1:0.1.3-0ubuntu1.1~cloud0 on Ubuntu 12.04 LTS.

There is a workaround. You can first create the user using user-create without a password specified, then you can call user-password-update to set the password interactively (not part of the command line).

browne@ubuntu:~/devstack$ keystone user-create --name test3
+----------+----------------------------------+
| Property | Value |
+----------+----------------------------------+
| email | |
| enabled | True |
| id | aa1fccae2b5844e2a144bd6580994cad |
| name | test3 |
+----------+----------------------------------+
browne@ubuntu:~/devstack$ keystone user-password-update test3
New Password:
Repeat New Password:
browne@ubuntu:~/devstack$

https://review.openstack.org/#/c/66653/

I think we already have this in OSC: https://github.com/openstack/python-openstackclient/blob/master/openstackclient/shell.py#L310

We should deprecate the use of putting passwords on the keystone command line and possibly remove the capability in the openstackclient.

The entire keystoneclient CLI is already deprecated, so that would be a bit redundant.

As Steve Martinelli pointed out, it is already implemented.

I would disagree on it being invalid. Steve Martinelli's reference is for prompting to get the os-password, not the password for the user-create. See instead: https://github.com/openstack/python-openstackclient/blob/master/openstackclient/identity/v2_0/user.py#L28

Ahhh, on user-create / update... alright.

Fix proposed to branch: master
Review: https://review.openstack.org/74906

Reviewed: https://review.openstack.org/66653
Committed: https://git.openstack.org/cgit/openstack/python-keystoneclient/commit/?id=cc44d050f86b4bc2431088f69130b59fc345eb45
Submitter: Jenkins
Branch: master

commit cc44d050f86b4bc2431088f69130b59fc345eb45
Author: Eric Brown <email address hidden>
Date: Tue Jan 14 09:19:42 2014 -0800

    Interactive prompt for create user

    Execution of the shell will now prompt the user for a password if argument
    '--pass' is specified without a following parameter. In that way, a user does
    not need to pass passwords on the command line.

    Usage example:
    $ keystone user-create --name bob --tenant admin --pass --enabled true
    New Password:
    Repeat New Password:

    Closes-Bug: #1100116
    Change-Id: I1f6d6322830972dfad19ebe2fe63e91f82ed8033

Reviewed: https://review.openstack.org/74906
Committed: https://git.openstack.org/cgit/openstack/python-openstackclient/commit/?id=033f27fe4dc4455c2f07978a273fd65faa653b67
Submitter: Jenkins
Branch: master

commit 033f27fe4dc4455c2f07978a273fd65faa653b67
Author: Terry Howe <email address hidden>
Date: Wed Feb 19 19:30:56 2014 -0700

    Add ability to prompt for passwords for user create and set

    * Add get_password method to the utilities
    * Add --password-prompt option
    * Call the get_password method if a prompt is requested
    * Various tests

    Change-Id: I1786ad531e2a2fbcc21b8bc86aac0ccd7985995a
    Closes-Bug: 1100116