keystone_user password does not work

How did you get that error?

If the password is wrong the authentication fails and an error to be raised:
raise(Puppet::Error::OpenstackUnauthorizedError, 'Could not authenticate.')

> How did you get that error?

> If the password is wrong the authentication fails and an error to be raised:
> raise(Puppet::Error::OpenstackUnauthorizedError, 'Could not authenticate.')

See the code above, in the Bug Description. That code is from keystone_user/openstack.rb. Note that the token return value is only checked to see if it is empty. AFAICT it is never empty. It either contains a token, or contains some sort of error message.

The way the problem manifests is that keystone_user.password will always return success. You can use puppet resource to test:
# do a successful openstack install (e.g. packstack)
# puppet resource --modulepath /usr/share/openstack-puppet/modules --debug --edit keystone_user glance

In the edit, remove the id setting - add a 'password' setting with a new password. You will notice that puppet does not set the password.

I've been using something like this to test the password::

      token = Puppet::Provider::Openstack.request('token', 'issue', ['--format', 'value'], credentials)
      if token =~ /ERROR.*Invalid username or password/
        # invalid password
      elsif token =~ /ERROR/
        # unexpected error condition
        raise(Puppet::Error::OpenstackAuthInputError, token)
      elsif !token.empty?
        res = resource[:password]
      end

Note that the above "invalid username or password" message is from v3. If you use the v2.0 api, the message is slightly different - you cannot use the above test for v2.0.

Ok. I'm sorry for the confusion I caused. Gilles is indeed correct that when the puppet-openstacklib provider gets a 401 error, it raises Puppet::Error::OpenstackUnauthorizedError. However, there is still a problem, because puppet-keystone keystone_user password does not catch and handle this error.

Fix proposed to branch: master
Review: https://review.openstack.org/192330

Thanks Richard,

Also, independently from this bug, we effectively need the Puppet::Provider::Openstack class, from openstacklib project, which is the acting interface for the requests to handle new types of return values (v3) and raise errors accordingly.

> Also, independently from this bug, we effectively need the Puppet::Provider::Openstack class, from openstacklib project, which is the acting interface for the requests to handle new types of return values (v3) and raise errors accordingly.

Yes, but it is not necessary to fix it in this bug, nor have I found a situation with v3 where an unexpected error code was returned, so I don't think it is urgent.