heat CLI doesn't properly support token auth
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
python-heatclient |
Fix Released
|
High
|
Steven Hardy |
Bug Description
A partial fix was merged under bug #1248265, but token auth via the heat CLI is still pretty broken:
- The keystone client created in _get_ksclient assumes username/password, so auth_token auth will fail in non-standalone mode (where we specify the endpoint explicitly)
- the --token-only option doesn't do anything AFAICS
- When you specify --os-auth-token you are still required to enter a username and tenant, the latter should only be needed if the token isn't tenant scoped.
- You're required to enter --os-auth-url even if you specify --os-no-client-auth and an explicit endpoint via --heat-url
When you navigate the various conditions attached to CLI arguments, you end up with something like:
heat --debug --os-no-client-auth --heat-url http://
Which still doesn't set X-Auth-Token correctly in the request:
curl -i -X GET -H 'X-Auth-Url: notneeded' -H 'Content-Type: application/json' -H 'X-Auth-User: User1' -H 'Accept: application/json' -H 'User-Agent: python-heatclient' http://
DEBUG (http:110) curl -i -X GET -H 'X-Auth-Url: notneeded' -H 'Content-Type: application/json' -H 'X-Auth-User: User1' -H 'Accept: application/json' -H 'User-Agent: python-heatclient' http://
Basically, this all seems very broken
Changed in python-heatclient: | |
assignee: | nobody → Steven Hardy (shardy) |
Changed in python-heatclient: | |
importance: | Undecided → High |
milestone: | none → v0.2.6 |
Changed in python-heatclient: | |
status: | Fix Committed → Fix Released |
We may need to reconsider bug #1250731 proposal fix also.