heat CLI doesn't properly support token auth

Bug #1252248 reported by Steven Hardy
This bug affects 2 people
Affects: python-heatclient
Status: Fix Released
Importance: High
Assigned to: Steven Hardy

Bug Description

A partial fix was merged under bug #1248265, but token auth via the heat CLI is still pretty broken:

- The keystone client created in _get_ksclient assumes username/password, so auth_token auth will fail in non-standalone mode (where we specify the endpoint explicitly)
- The --token-only option doesn't do anything AFAICS
- When you specify --os-auth-token you are still required to enter a username and tenant; the latter should only be needed if the token isn't tenant scoped.
- You're required to enter --os-auth-url even if you specify --os-no-client-auth and an explicit endpoint via --heat-url

When you navigate the various conditions attached to CLI arguments, you end up with something like:

heat --debug --os-no-client-auth --heat-url http://127.0.0.1:8004/v1 --os-username User1 --os-tenant-id 0809343a8f9e4f07bce678855acef39a --os-auth-url notneeded --os-auth-token $(cat token.txt) stack-list

Which still doesn't set X-Auth-Token correctly in the request:

curl -i -X GET -H 'X-Auth-Url: notneeded' -H 'Content-Type: application/json' -H 'X-Auth-User: User1' -H 'Accept: application/json' -H 'User-Agent: python-heatclient' http://127.0.0.1:8004/v1/stacks?
DEBUG (http:110) curl -i -X GET -H 'X-Auth-Url: notneeded' -H 'Content-Type: application/json' -H 'X-Auth-User: User1' -H 'Accept: application/json' -H 'User-Agent: python-heatclient' http://127.0.0.1:8004/v1/stacks?

Basically, this all seems very broken.

Steven Hardy (shardy)
Changed in python-heatclient:
assignee: nobody → Steven Hardy (shardy)
JunJie Nan (nanjj) wrote :

We may also need to reconsider the proposed fix for bug #1250731.

OpenStack Infra (hudson-openstack) wrote : Fix proposed to python-heatclient (master)

Fix proposed to branch: master
Review: https://review.openstack.org/57006

Changed in python-heatclient:
status: New → In Progress
OpenStack Infra (hudson-openstack) wrote :

Fix proposed to branch: master
Review: https://review.openstack.org/57007

OpenStack Infra (hudson-openstack) wrote :

Fix proposed to branch: master
Review: https://review.openstack.org/57280

Steven Hardy (shardy) wrote :

The fixes above should allow the non-standalone token auth to work properly; another patch is coming soon which allows token auth to work when using OS_NO_CLIENT_AUTH for standalone mode.

Steven Hardy (shardy)
Changed in python-heatclient:
importance: Undecided → High
milestone: none → v0.2.6
OpenStack Infra (hudson-openstack) wrote :

Fix proposed to branch: master
Review: https://review.openstack.org/57438

OpenStack Infra (hudson-openstack) wrote : Fix merged to python-heatclient (master)

Reviewed: https://review.openstack.org/57006
Committed: http://github.com/openstack/python-heatclient/commit/845018fbf3717d2758c8073d9da11a20882b31f9
Submitter: Jenkins
Branch: master

commit 845018fbf3717d2758c8073d9da11a20882b31f9
Author: Steven Hardy <email address hidden>
Date: Mon Nov 18 15:38:13 2013 +0000

    Remove --token-only option, it does nothing

    This option appears to do nothing at all, so remove it

    Change-Id: If0cd263403cd4786681a8642f7b2dba5a84358b5
    Partial-Bug: #1252248

OpenStack Infra (hudson-openstack) wrote :

Reviewed: https://review.openstack.org/57280
Committed: http://github.com/openstack/python-heatclient/commit/a7ba3c323b16227e0ba2527f21bc89625f125234
Submitter: Jenkins
Branch: master

commit a7ba3c323b16227e0ba2527f21bc89625f125234
Author: Steven Hardy <email address hidden>
Date: Tue Nov 19 16:06:18 2013 +0000

    Don't call credentials_headers() twice

    We don't need to call credentials_headers in the stack create/update
    code, as it's already called in the HTTPClient. This has the side-
    effect of simplifying the shell test, which currently has to mock
    header arguments to json_request, which are incorrect anyway because
    HTTPClient always sets X-Auth-Token if a token is passed in (as
    evidenced by bug #1250731)

    Change-Id: I6212cf5a50f5a8d919f743e23ece4bd1d0e1ad1c
    Partial-Bug: #1252248

OpenStack Infra (hudson-openstack) wrote :

Reviewed: https://review.openstack.org/57007
Committed: http://github.com/openstack/python-heatclient/commit/fe3629f1bab78664498192efcc9d782d061459f1
Submitter: Jenkins
Branch: master

commit fe3629f1bab78664498192efcc9d782d061459f1
Author: Steven Hardy <email address hidden>
Date: Tue Nov 19 16:42:49 2013 +0000

    Fix shell operation with --os-auth-token

    Currently the --os-auth-token/env[OS_AUTH_TOKEN] case doesn't
    work, as we always expect a username/password to create the
    connection to keystone. This enables the client to be used
    with only a token and tenant (which is required for keystoneclient
    to retrieve the catalog) specified, e.g:

    heat --os-auth-url http://127.0.0.1:35357/v2.0/ \
         --os-auth-token <a keystone token> \
         --os-tenant-id <tenant ID> stack-list

    Change-Id: I478ce178f44e42c68153f1b347c6144f0a133f5b
    Partial-Bug: #1252248

OpenStack Infra (hudson-openstack) wrote :

Reviewed: https://review.openstack.org/57438
Committed: http://github.com/openstack/python-heatclient/commit/2706b48159e8937b4ef266f194a158ba60e2f36d
Submitter: Jenkins
Branch: master

commit 2706b48159e8937b4ef266f194a158ba60e2f36d
Author: Steven Hardy <email address hidden>
Date: Wed Nov 20 13:22:44 2013 +0000

    Make tokens work with --os-no-client-auth

    Currently --os-no-client-auth assumes you'll only ever want to pass
    a username and password to the standalone auth_password middleware,
    but it's also valid to pass a token and endpoint, which can then
    be used to either connect to a normal (non-standalone) Heat without
    needing the client to connect to keystone, or pass a token to custom
    auth middleware in standalone mode where tokens are accepted.

    e.g:

    heat --os-no-client-auth
          --heat-url http://127.0.0.1:8004/v1/<tenant ID>
          --os-auth-token <a token> stack-list

    Change-Id: Ie22c85ba5b3b987505f4d6204b4dd6ff03e0d912
    Closes-Bug: #1252248

Changed in python-heatclient:
status: In Progress → Fix Committed
Changed in python-heatclient:
status: Fix Committed → Fix Released
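
Added example (not python-heatclient's code, and not part of the original report): a sketch of the per-mode option checks and header construction that the report and the four commit messages describe. The option names and the X-Auth-Token / X-Auth-User headers are taken from this page; the function names, the X-Auth-Key header name and the decision to leave tenant checks for password auth out are assumptions of the sketch.

```python
import argparse

# Option names are those quoted on this page; everything else is illustrative.
def build_parser():
    parser = argparse.ArgumentParser(prog="heat-sketch")
    for opt in ("--os-username", "--os-password", "--os-tenant-id",
                "--os-auth-url", "--os-auth-token", "--heat-url"):
        parser.add_argument(opt)
    parser.add_argument("--os-no-client-auth", action="store_true")
    return parser

def _absent(args, *opts):
    """Return the options from opts that were not supplied."""
    return [o for o in opts if not getattr(args, o[2:].replace("-", "_"))]

def missing_options(args):
    """List the options still required for the selected auth mode."""
    if args.os_no_client_auth:
        # No keystone round trip: an explicit endpoint plus either a token
        # or a username/password pair for the server-side middleware.
        creds = () if args.os_auth_token else ("--os-username", "--os-password")
        return _absent(args, "--heat-url", *creds)
    if args.os_auth_token:
        # Token auth via keystone: the tenant is needed to fetch the catalog.
        return _absent(args, "--os-auth-url", "--os-tenant-id")
    return _absent(args, "--os-auth-url", "--os-username", "--os-password")

def request_headers(args):
    """Build auth headers; a supplied token always becomes X-Auth-Token."""
    headers = {}
    if args.os_auth_token:
        # Sketch's choice: never send a password alongside a token.
        headers["X-Auth-Token"] = args.os_auth_token
    else:
        if args.os_username:
            headers["X-Auth-User"] = args.os_username
        if args.os_password:
            headers["X-Auth-Key"] = args.os_password  # assumed header name
    return headers

if __name__ == "__main__":
    # Constructed invocation modelled on the last commit message above.
    argv = ["--os-no-client-auth", "--heat-url", "http://127.0.0.1:8004/v1/TENANT",
            "--os-auth-token", "CONSTRUCTED-TOKEN", "stack-list"]
    args, _rest = build_parser().parse_known_args(argv)
    print(missing_options(args), request_headers(args))
```

With these checks, --os-auth-url, a username and a tenant are no longer demanded when --os-no-client-auth is combined with --heat-url and a token, which is the combination the original report had to work around.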