Bug 2185118

Summary: auth_config_hook ignores some OS_* variables from rc files
Product: Red Hat OpenStack Reporter: Juan Pablo Marti <jmarti>
Component: python-openstackclientAssignee: OSP Team <rhos-maint>
Status: CLOSED NEXTRELEASE QA Contact: Nobody <nobody>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 17.0 (Wallaby)CC: apevec, jmarti, jpichon, lhh, rdopiera, tkajinam
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2023-04-20 14:40:56 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Juan Pablo Marti 2023-04-06 21:41:42 UTC 
Description of problem:
When sourcing a custom rc file for a user/project created for a domain different from Default, openstack commands fail with:

~~~
keystoneauth1.exceptions.http.Unauthorized: The request you have made requires authentication. (HTTP 401) (Request-ID: req-5e4d45db-b14a-4514-92d9-bd7934fc6925)
clean_up ListServer: The request you have made requires authentication. (HTTP 401) (Request-ID: req-5e4d45db-b14a-4514-92d9-bd7934fc6925)
~~~

The custom rc file is a copy from the generated overcloudrc changing OS_USERNAME,  OS_PROJECT_NAME, OS_USER_DOMAIN_NAME, OS_PROJECT_DOMAIN_NAME and OS_PASSWORD for the values created for that user/project/domain. The contents are (masking the password):

~~~
(overcloud) [stack@undercloud ~]$ cat RHOSPVirtLabrc                                                                                                                                
# Clear any old environment that may conflict.                   
for key in $( set | awk '{FS="="}  /^OS_/ {print $1}' ); do unset $key ; done
export OS_USERNAME=test-admin                                
export OS_PROJECT_NAME=test-project                                                           
export OS_USER_DOMAIN_NAME=RHOSPVirtLab                                                       
export OS_PROJECT_DOMAIN_NAME=RHOSPVirtLab                       
export OS_NO_CACHE=True                                                                                                                                                            
export OS_CLOUD=overcloud
export no_proxy=10.0.0.254,192.168.24.41
export PYTHONWARNINGS='ignore:Certificate has no, ignore:A true SSLContext object is not available'
export OS_AUTH_TYPE=password
export OS_PASSWORD=******
export OS_AUTH_URL=http://10.0.0.254:5000
export OS_IDENTITY_API_VERSION=3
export OS_COMPUTE_API_VERSION=2.latest
export OS_IMAGE_API_VERSION=2
export OS_VOLUME_API_VERSION=3
export OS_REGION_NAME=regionOne

# Add OS_CLOUD to PS1
if [ -z "${CLOUDPROMPT_ENABLED:-}" ]; then
    export PS1=${PS1:-""}
    export PS1=\${OS_CLOUD:+"(\$OS_CLOUD)"}\ $PS1
    export CLOUDPROMPT_ENABLED=1
fi
~~~

Version-Release number of selected component (if applicable): 
$ openstack --version
openstack 5.5.1

How reproducible:
Creating or downloading from horizon the rc file corresponding to a user/project from a domain different from Default.

Steps to Reproduce:
1. Create a Domain (openstack domain create RHOSPVirtLab)
2. Create a project for that domain (openstack project create --domain RHOSPVirtLab test-project)
3. Create a user in that project (openstack user create --domain RHOSPVirtLab --project test-project --project-domain RHOSPVirtLab --password ****** --description "Test project admin" test-admin)
4. Assign the admin role for that user at domain level and project level (openstack role add --domain RHOSPVirtLab --user test-admin --user-domain RHOSPVirtLab admin; openstack role add --project test-project --user test-admin --user-domain RHOSPVirtLab admin)
5. Copy the overcloudrc file to RHOSPVirtLabrc and change the values of the required variables.
6. Source the RHOSPVirtLabrc file.
7. Attempt an openstack command (for example openstack server list)

Actual results:
The request you have made requires authentication. (HTTP 401) (Request-ID: req-5e4d45db-b14a-4514-92d9-bd7934fc6925)                                                                

Expected results:
The valid output of the command

Additional info:
Using the --debug flag from the openstack command, you can see:

~~~
Auth plugin password selected                                                                                                                                                       
auth_config_hook(): {'api_timeout': None, 'verify': True, 'cacert': '', 'cert': None, 'key': None, 'baremetal_status_code_retries': '5', 'baremetal_introspection_status_code_retries': '5', 'image_status_code_retries': '5', 'disable_vendor_agent': {}, 'interface': 'public', 'floating_ip_source': 'neutron', 'image_api_use_tasks': False, 'image_format': 'qcow2', 'message': '', 'network_api_version': '2', 'object_store_api_version': '1', 'secgroup_source': 'neutron', 'status': 'active', 'auth': {'auth_url': 'http://10.0.0.254:5000', 'password': '***', 'username': 'admin', 'user_domain_name': 'Default', 'project_domain_name': 'Default', 'project_name': 'admin'}, 'identity_api_version': '3', 'region_name': 'regionOne', 'volume_api_version': '3', 'additional_user_agent': [('osc-lib', '2.3.1')], 'verbose_level': 3, 'deferred_help': False, 'debug': True, 'cloud': 'overcloud', 'default_domain': 'default', 'timing': False, 'inspector_api_version': '1', 'auth_url': 'http://10.0.0.254:5000', 'username': 'test-admin', 'password': '***', 'beta_command': False, 'compute_api_version': '2.latest', 'image_api_version': '2', 'orchestration_api_version': '1', 'baremetal_api_version': '1.69', 'queues_api_version': '2', 'workflow_api_version': '2', 'database_api_version': '1', 'loadbalancer_api_version': '2.0', 'data_processing_api_version': '1.1', 'share_api_version': '2.63', 'dns_api_version': '2', 'container_infra_api_version': '1', 'alarming_api_version': '2', 'key_manager_api_version': '1', 'tripleoclient_api_version': '2', 'metrics_api_version': '1', 'placement_api_version': '1.0', 'auth_type': 'password', ': []}                                                                                                                                                                                 
Using auth plugin: password                                                                                                                                                         
Using parameters {'auth_url': 'http://10.0.0.254:5000', 'project_name': 'admin', 'project_domain_name': 'Default', 'username': 'test-admin', 'user_domain_name': 'Default', 'password': '***'}     
~~~

So some values of the specific OS_* variables are being ignored.
Comment 1 Juan Pablo Marti 2023-04-06 22:21:20 UTC 
Additional info:

After installing python-openstackclient 6.2.0 from pip in a venv I don't see the problem:

Steps I followed:

$ python -m venv virtenv/
$ source virtenv/bin/activate
$ python -m pip install python-openstackclient
$ openstack --version
openstack 6.2.0
$ source RHOSPVirtLabrc
$ openstack server list
(empty output, so no error)
Comment 2 Radomir Dopieralski 2023-04-13 14:35:39 UTC 
Looks like the problem is resolved then, should I close the issue?
Comment 3 Juan Pablo Marti 2023-04-13 17:12:52 UTC 
Hi Radomir!

No, the problem is not solved. Forcing a newer version of python-openstackclient (unsupported) using pip showed no error in that specific command. But we need to fix that behavior for the RHOSP 17.0 corresponding release.
Comment 4 Radomir Dopieralski 2023-04-14 10:12:46 UTC 
If we fix it now, the fix will be released in the next version anyways.
Comment 5 Juan Pablo Marti 2023-04-14 12:06:52 UTC 
Yeah, no problem.