Bug 1035199 - python-heatclient doesn't handle token-only auth properly
Summary: python-heatclient doesn't handle token-only auth properly
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: python-heatclient
Version: 4.0
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: rc
Target Release: 4.0
Assignee: Steven Hardy
QA Contact: Jeff Peeler
URL:
Whiteboard:
Depends On: 1035277
Blocks:
Reported: 2013-11-27 09:37 UTC by Steven Hardy
Modified: 2013-12-20 00:39 UTC

Fixed In Version: python-heatclient-0.2.6-1.el6ost
Doc Type: Bug Fix
Doc Text:
A bug in the python-heatclient shell interface prevented users from passing existing tokens correctly. Specifically, the '--os-auth-token' parameter always required a username; however, a username should only be required if the specified token is not tenant-scoped. This, in turn, prevented users from correctly reusing and passing tokens to the openstack-heat-api service in the request header. This fix ensures that '--os-auth-token' only requires a username when a token is not tenant-scoped.
Clone Of:
: 1035277 (view as bug list)
Environment:
Last Closed: 2013-12-20 00:39:24 UTC
Target Upstream Version:
Embargoed:



Links
System | ID | Private | Priority | Status | Summary | Last Updated
Launchpad | 1252248 | 0 | None | None | None | Never
Red Hat Product Errata | RHEA-2013:1859 | 0 | normal | SHIPPED_LIVE | Red Hat Enterprise Linux OpenStack Platform Enhancement Advisory | 2013-12-21 00:01:48 UTC

Description Steven Hardy 2013-11-27 09:37:52 UTC
Description of problem:
I did some testing and found a number of issues related to token-only auth via python-heatclient:

Upstream bug has details:

https://bugs.launchpad.net/python-heatclient/+bug/1252248

Patches proposed but not yet merged:
https://review.openstack.org/#/q/status:open+project:openstack/python-heatclient+branch:master+topic:bug/1252248_2,n,z

The heat API aspects discussed under bz #989681 all seem to work OK AFAICT, the issues were only in the client code, so we need to track getting the necessary fixes into an upstream python-heatclient release, then sync that into RDO and RHOS.

Version-Release number of selected component (if applicable):
python-heatclient-0.2.5-1

How reproducible:
Always

Steps to Reproduce:
1. heat --os-auth-url http://127.0.0.1:35357/v2.0/ --os-auth-token <a keystone token> --os-tenant-id <tenant ID> stack-list
2. heat --os-no-client-auth --heat-url http://127.0.0.1:8004/v1/<tenant ID> --os-auth-token <a token> stack-list


Actual results:
Both of the above should work, but don't

Expected results:
Authentication against a Heat service should work with an existing keystone token.

Additional info:
To validate this, we should ensure that the CLI interfaces above work, and also the corresponding environment variable interfaces to the same options, e.g:

OS_AUTH_URL, OS_AUTH_TOKEN, OS_TENANT_ID for example (1) above, and
OS_NO_CLIENT_AUTH, OS_AUTH_TOKEN, HEAT_URL for example (2)
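
The credential rule from the Doc Text and the two reproduction commands, as an added sketch that is not part of the bug report and not python-heatclient's own code. The names `parse_options`, `auth_mode` and `CredentialError` are hypothetical, a token passed with a tenant ID is assumed to need no username, and the accepted truthy strings for OS_NO_CLIENT_AUTH are an assumption.

```python
import argparse

# Assumed flag -> environment variable pairs, using the names in this report.
OPTIONS = [("--os-username", "OS_USERNAME"), ("--os-password", "OS_PASSWORD"),
           ("--os-auth-token", "OS_AUTH_TOKEN"), ("--os-auth-url", "OS_AUTH_URL"),
           ("--os-tenant-id", "OS_TENANT_ID"), ("--heat-url", "HEAT_URL")]

class CredentialError(Exception):
    """The supplied options are not enough to authenticate a request."""

def parse_options(argv, environ):
    """Parse CLI flags; each one falls back to its environment variable."""
    parser = argparse.ArgumentParser(prog="heat-sketch", add_help=False)
    for flag, var in OPTIONS:
        parser.add_argument(flag, default=environ.get(var, ""))
    # Assumption: only these strings switch client-side auth off via the environment.
    env_flag = environ.get("OS_NO_CLIENT_AUTH", "").lower() in ("1", "true", "yes")
    parser.add_argument("--os-no-client-auth", action="store_true", default=env_flag)
    return parser.parse_known_args(argv)[0]  # ignore the subcommand, e.g. stack-list

def require(args, *flags):
    """Raise CredentialError naming every flag in `flags` that is empty."""
    missing = [f for f in flags if not getattr(args, f.lstrip("-").replace("-", "_"))]
    if missing:
        raise CredentialError("missing: " + ", ".join(missing))

def auth_mode(args):
    """Return the auth path the options select, or raise CredentialError."""
    if args.os_no_client_auth:
        # Example (2): skip keystone and send the token straight to the Heat URL.
        require(args, "--heat-url", "--os-auth-token")
        return "token-direct"
    # Example (1): keystone is contacted, so its URL and a tenant are needed.
    require(args, "--os-auth-url", "--os-tenant-id")
    if args.os_auth_token:
        return "token-keystone"  # no username or password demanded
    require(args, "--os-username", "--os-password")
    return "password"
```
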

Comment 2 Steven Hardy 2013-12-04 15:51:40 UTC
This is now fixed upstream, we just need to tag a new release containing the fixes.

Comment 6 Steven Dake 2013-12-05 17:59:07 UTC
We agreed to handle this with a rebase in Bug #1038740

Comment 12 Jeff Peeler 2013-12-18 01:09:49 UTC
Clearing SanityOnly, verified CLI operations directly:

heat --os-auth-url http://127.0.0.1:5000/v2.0 --os-auth-token MIr4EoyQeliT-ArbhFqW+s<truncated> --os-tenant-id ef2d58b54df043968e8208459a4af9b3 stack-list
[verified]

heat --os-no-client-auth --heat-url=http://127.0.0.1:8004/v1/ef2d58b54df043968e8208459a4af9b3 --os-auth-token MIr4EoyQeliT-ArbhFqW+s<truncated> --os-tenant-id ef2d58b54df043968e8208459a4af9b3 stack-list
[verified]

Both tests were done with environment variables as well.

Comment 14 errata-xmlrpc 2013-12-20 00:39:24 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHEA-2013-1859.html

