Bug 1477126 – openstack client do not accept { in password

Bugzilla will be upgraded to version 5.0. The upgrade date is tentatively scheduled for 2 December 2018, pending final testing and feedback.

Bug 1477126 - openstack client do not accept { in password

Summary:	openstack client do not accept { in password

Status:	CLOSED ERRATA

Aliases:	None

Product:	Red Hat OpenStack
Classification:	Red Hat
Component:	python-os-client-config (Show other bugs)
Sub Component:
Version:	10.0 (Newton)
Hardware:	Unspecified Unspecified

Priority	urgent Severity urgent
Target Milestone:	z9
Target Release:	10.0 (Newton)
Assigned To:	Julie Pichon
QA Contact:	grozov
Docs Contact:

URL:
Whiteboard:
Keywords:	Triaged, ZStream

Duplicates:	1599189 (view as bug list)
Depends On:
Blocks:	1593636 1477128
	Show dependency tree / graph

Reported:	2017-08-01 05:54 EDT by KOSAL RAJ I
Modified:	2018-09-17 13:00 EDT (History)
CC List:	15 users (show)

See Also:
Fixed In Version:	python-os-client-config-1.21.1-2.el7ost
Doc Type:	Bug Fix
Doc Text:	Previously, password values were subject to variable substitution using a syntax of matched braces {} to delimit the variable. Any variable syntax error in the password string, or unintended variable substitution would cause the password to fail. With this update, passwords are not subject to variable substitution and the client accepts passwords with any mix of braces.
Story Points:	---
Clone Of:
Clones:	1477128 (view as bug list)
Environment:
Last Closed:	2018-09-17 12:59:16 EDT
Type:	Bug
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

External Trackers
Tracker	ID	Priority	Status	Summary	Last Updated
Launchpad	1635696	None	None	None	2017-08-01 05:56 EDT
OpenStack gerrit	525744	None	None	None	2018-03-15 12:01 EDT
Red Hat Product Errata	RHBA-2018:2671	None	None	None	2018-09-17 13:00 EDT

Groups: None (edit)

Description KOSAL RAJ I 2017-08-01 05:54:08 EDT

Description of problem:
openstack client do not accept { in password

Version-Release number of selected component (if applicable):
RHOSP 11

How reproducible:
Create a user with password containing { and add them in a project.

Steps to Reproduce:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

[stack@instack ~]$ openstack --debug --os-auth-type password --os-password 's6{nLuU=A' token issue
START with options: [u'--debug', u'--os-auth-type', u'password', u'--os-password', u's6{nLuU=A', u'token', u'issue']
options: Namespace(access_key='', access_secret='***', access_token='***', access_token_endpoint='', access_token_type='', aodh_endpoint='', auth_type=u'password', auth_url='http://10.11.48.187:5000/v2.0', authorization_code='', cacert=None, cert='', client_id='', client_secret='***', cloud='', consumer_key='', consumer_secret='***', debug=True, default_domain='default', default_domain_id='', default_domain_name='', deferred_help=False, discovery_endpoint='', domain_id='', domain_name='', endpoint='', identity_provider='', identity_provider_url='', insecure=None, inspector_api_version='1', inspector_url=None, interface='', key='', log_file=None, murano_url='', old_profile=None, openid_scope='', os_alarming_api_version='2', os_application_catalog_api_version='1', os_baremetal_api_version='1.6', os_beta_command=False, os_compute_api_version='', os_container_infra_api_version='1', os_data_processing_api_version='1.1', os_data_processing_url='', os_dns_api_version='2', os_identity_api_version='', os_image_api_version='', os_key_manager_api_version='1', os_metrics_api_version='1', os_network_api_version='', os_object_api_version='', os_orchestration_api_version='1', os_project_id=None, os_project_name=None, os_queues_api_version='2', os_tripleoclient_api_version='1', os_volume_api_version='', os_workflow_api_version='2', passcode='', password=***'s6{nLuU=A', profile=None, project_domain_id='', project_domain_name='', project_id='', project_name='proj1', protocol='', redirect_uri='', region_name='', roles='', timing=False, token='***', trust_id='', url='', user='', user_domain_id='', user_domain_name='', user_id='', username='user1', verbose_level=3, verify=None)
Auth plugin password selected
auth_config_hook(): {'auth_type': u'password', 'beta_command': False, 'tripleoclient_api_version': '1', u'compute_api_version': u'2', u'orchestration_api_version': '1', u'database_api_version': u'1.0', 'metrics_api_version': '1', 'data_processing_api_version': '1.1', 'inspector_api_version': '1', 'auth_url': 'http://10.11.48.187:5000/v2.0', u'network_api_version': u'2', u'message': u'', u'image_format': u'qcow2', 'networks': [], u'image_api_version': u'2', 'verify': True, u'dns_api_version': '2', u'object_store_api_version': u'1', 'username': 'user1', 'container_infra_api_version': '1', 'verbose_level': 3, 'region_name': '', 'api_timeout': None, u'baremetal_api_version': '1.6', 'queues_api_version': '2', 'auth': {'project_name': 'proj1'}, 'default_domain': 'default', 'debug': True, u'image_api_use_tasks': False, u'floating_ip_source': u'neutron', 'key': None, 'timing': False, 'password': u'***', 'application_catalog_api_version': '1', 'cacert': None, u'key_manager_api_version': '1', u'metering_api_version': u'2', 'deferred_help': False, u'identity_api_version': u'2.0', 'workflow_api_version': '2', u'volume_api_version': u'2', 'cert': None, u'secgroup_source': u'neutron', u'status': u'active', 'alarming_api_version': '2', u'container_api_version': u'1', u'interface': None, u'disable_vendor_agent': {}}
unmatched '{' in format
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/cliff/app.py", line 250, in run
    self.initialize_app(remainder)
  File "/usr/lib/python2.7/site-packages/openstackclient/shell.py", line 133, in initialize_app
    super(OpenStackShell, self).initialize_app(argv)
  File "/usr/lib/python2.7/site-packages/osc_lib/shell.py", line 395, in initialize_app
    argparse=self.options,
  File "/usr/lib/python2.7/site-packages/osc_lib/cli/client_config.py", line 168, in get_one_cloud
    **kwargs
  File "/usr/lib/python2.7/site-packages/os_client_config/config.py", line 1113, in get_one_cloud
    config[key] = value.format(**config)
ValueError: unmatched '{' in format
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/osc_lib/shell.py", line 135, in run
    ret_val = super(OpenStackShell, self).run(argv)
  File "/usr/lib/python2.7/site-packages/cliff/app.py", line 250, in run
    self.initialize_app(remainder)
  File "/usr/lib/python2.7/site-packages/openstackclient/shell.py", line 133, in initialize_app
    super(OpenStackShell, self).initialize_app(argv)
  File "/usr/lib/python2.7/site-packages/osc_lib/shell.py", line 395, in initialize_app
    argparse=self.options,
  File "/usr/lib/python2.7/site-packages/osc_lib/cli/client_config.py", line 168, in get_one_cloud
    **kwargs
  File "/usr/lib/python2.7/site-packages/os_client_config/config.py", line 1113, in get_one_cloud
    config[key] = value.format(**config)
ValueError: unmatched '{' in format

END return value: 1
[stack@instack ~]$ 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Actual results:
unmatched '{' in format

Expected results:
should receive the token.

Additional info:

And here are the client packages:
user@host$ rpm -qa | grep keystone
python-keystoneclient-3.10.0-1.el7ost.noarch
openstack-keystone-11.0.0-5.el7ost.noarch
python-keystoneauth1-2.18.0-1.el7ost.noarch
puppet-keystone-10.3.0-2.el7ost.noarch
python-keystone-11.0.0-5.el7ost.noarch
python-keystonemiddleware-4.14.0-1.el7ost.noarch

Comment 6 John Dennis 2017-12-05 15:46:58 EST

proposed upstream patch: https://review.openstack.org/#/c/525744/

Comment 7 Jason E. Rist 2018-03-15 12:01:52 EDT

Upstream patch has merged.

Comment 17 Julie Pichon 2018-07-09 03:39:20 EDT

*** Bug 1599189 has been marked as a duplicate of this bug. ***

Comment 25 Alex 2018-09-03 03:57:19 EDT

Hi there,

If this bug requires doc text for errata release, please set the 'Doc Type' and provide draft text according to the template in the 'Doc Text' field.

The documentation team will review, edit, and approve the text.

If this bug does not require doc text, please set the 'requires_doc_text' flag to -.

Thanks,
Alex

Comment 26 John Dennis 2018-09-11 09:13:19 EDT

This is probably a nit but I don't think this current doc text is correct:

> Previously, password values in formatted strings were expanded, causing the
> client commands to fail when the password contained special characters.

Passwords are not contained in formatted strings and the term "special characters" in the context of passwords implies non-alhpanumerics. May I suggest this instead:

Previously password values were subject to variable substitution using a syntax
of matched braces {} to delimit the variable. Any variable syntax error in the password string or unintended variable substitution would cause the password to fail.

With this update, passwords are not subject to variable substitution and the client accepts passwords with any mix of braces.

Comment 27 Alex 2018-09-11 09:19:21 EDT

Much obliged John, thank you :)

Comment 29 errata-xmlrpc 2018-09-17 12:59:16 EDT

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:2671

Note You need to log in before you can comment on or make changes to this bug.