Bug 1035199

Summary: python-heatclient doesn't handle token-only auth properly
Product: Red Hat OpenStack Reporter: Steven Hardy <shardy>
Component: python-heatclientAssignee: Steven Hardy <shardy>
Status: CLOSED ERRATA QA Contact: Jeff Peeler <jpeeler>
Severity: high Docs Contact:
Priority: high    
Version: 4.0CC: asalkeld, breeler, ddomingo, hateya, jruzicka, sdake, shardy, yeylon, zbitter
Target Milestone: rcKeywords: OtherQA, Triaged
Target Release: 4.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: python-heatclient-0.2.6-1.el6ost Doc Type: Bug Fix
Doc Text:
A bug in the python-heatclient shell interface prevented users from passing existing tokens correctly. Specifically, the '--os-auth-token' parameter always required a username; however, a username should only be required if the specified token is not tenant-scoped. This, in turn, prevented users from correctly reusing and passing tokens to the openstack-heat-api service in the request header. This fix ensures that '--os-auth-token' only requires a username when a token is not tenant-scoped.
 Story Points: ---
Clone Of:
: 1035277 (view as bug list) Environment:
Last Closed: 2013-12-20 00:39:24 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On: 1035277    
Bug Blocks:    

Description Steven Hardy 2013-11-27 09:37:52 UTC 
Description of problem:
I did some testing and found a number of issues related to token-only auth via python-heatclient:

Upstream bug has details:

https://bugs.launchpad.net/python-heatclient/+bug/1252248

Patches proposed but not yet merged:
https://review.openstack.org/#/q/status:open+project:openstack/python-heatclient+branch:master+topic:bug/1252248_2,n,z

The heat API aspects discussed under bz #989681 all seem to work OK AFAICT, the issues were only in the client code, so we need to track getting the necessary fixes into an upstream python-heatclient release, then sync that into RDO and RHOS.

Version-Release number of selected component (if applicable):
python-heatclient-0.2.5-1

How reproducible:
Always

Steps to Reproduce:
1. heat --os-auth-url http://127.0.0.1:35357/v2.0/ --os-auth-token <a keystone token> --os-tenant-id <tenant ID> stack-list
2. heat --os-no-client-auth --heat-url http://127.0.0.1:8004/v1/<tenant ID> --os-auth-token <a token> stack-list


Actual results:
Both of the above should work, but don't

Expected results:
Authentication against a Heat service should work with an existing keystone token.

Additional info:
To validate this, we should ensure that the CLI interfaces above work, and also the corresponding environment variable interfaces to the same options, e.g:

OS_AUTH_URL, OS_AUTH_TOKEN, OS_TENANT_ID for example (1) above, and
OS_NO_CLIENT_AUTH, OS_AUTH_TOKEN, HEAT_URL for example (2)
Comment 2 Steven Hardy 2013-12-04 15:51:40 UTC 
This is now fixed upstream, we just need to tag a new release containing the fixes.
Comment 6 Steven Dake 2013-12-05 17:59:07 UTC 
We agreed to handle this with a rebase in Bug #1038740
Comment 11 Jeff Peeler 2013-12-11 20:28:02 UTC 
Four patches to verify as outlined here:
https://bugs.launchpad.net/python-heatclient/+bug/1252248

https://github.com/openstack/python-heatclient/commit/845018fbf3717d2758c8073d9da11a20882b31f9
[superceded by http://github.com/openstack/python-heatclient/commit/fd6e99793088aadbae86d4a5c17249f81b6806bb]

https://github.com/openstack/python-heatclient/commit/a7ba3c323b16227e0ba2527f21bc89625f125234
[reverted by e259163d5632188065b2ad4bbb2065d4fd5fc91d]

https://github.com/openstack/python-heatclient/commit/fe3629f1bab78664498192efcc9d782d061459f1
[verified]

https://github.com/openstack/python-heatclient/commit/2706b48159e8937b4ef266f194a158ba60e2f36d
[verified]
Comment 12 Jeff Peeler 2013-12-18 01:09:49 UTC 
Clearing SanityOnly, verified CLI operations directly:

heat --os-auth-url http://127.0.0.1:5000/v2.0 --os-auth-token MIr4EoyQeliT-ArbhFqW+s<truncated> --os-tenant-id ef2d58b54df043968e8208459a4af9b3 stack-list
[verified]

heat --os-no-client-auth --heat-url=http://127.0.0.1:8004/v1/ef2d58b54df043968e8208459a4af9b3 --os-auth-token MIr4EoyQeliT-ArbhFqW+s<truncated> --os-tenant-id ef2d58b54df043968e8208459a4af9b3 stack-list
[verified]

Both tests were done with environment variables as well.
Comment 14 errata-xmlrpc 2013-12-20 00:39:24 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHEA-2013-1859.html