1477126 – openstack client do not accept { in password

Bug 1477126 - openstack client do not accept { in password

Summary: openstack client do not accept { in password

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat OpenStack
Classification:	Red Hat
Component:	python-os-client-config
Sub Component:
Version:	10.0 (Newton)
Hardware:	Unspecified
OS:	Unspecified
Priority:	urgent
Severity:	urgent
Target Milestone:	z9
Target Release:	10.0 (Newton)
Assignee:	Julie Pichon
QA Contact:	grozov
Docs Contact:
URL:
Whiteboard:
Duplicates (1):	1599189 (view as bug list)
Depends On:
Blocks:	1477128 1593636
TreeView+	depends on / blocked

Reported:	2017-08-01 09:54 UTC by KOSAL RAJ I
Modified:	2021-03-11 15:30 UTC (History)
CC List:	15 users (show)
Fixed In Version:	python-os-client-config-1.21.1-2.el7ost
Doc Type:	Bug Fix
Doc Text:	Previously, password values were subject to variable substitution using a syntax of matched braces {} to delimit the variable. Any variable syntax error in the password string, or unintended variable substitution would cause the password to fail. With this update, passwords are not subject to variable substitution and the client accepts passwords with any mix of braces.
Clone Of:
Clones:	1477128 (view as bug list)
Environment:
Last Closed:	2018-09-17 16:59:16 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Priority	Status	Summary	Last Updated
Launchpad	1635696	None	None	None	2017-08-01 09:56:05 UTC
OpenStack gerrit	525744	'None'	MERGED	Do not apply format expansions to passwords	2020-02-11 16:06:53 UTC
Red Hat Product Errata	RHBA-2018:2671	None	None	None	2018-09-17 17:00:47 UTC

Description KOSAL RAJ I 2017-08-01 09:54:08 UTC

Description of problem:
openstack client do not accept { in password

Version-Release number of selected component (if applicable):
RHOSP 11

How reproducible:
Create a user with password containing { and add them in a project.

Steps to Reproduce:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

[stack@instack ~]$ openstack --debug --os-auth-type password --os-password 's6{nLuU=A' token issue
START with options: [u'--debug', u'--os-auth-type', u'password', u'--os-password', u's6{nLuU=A', u'token', u'issue']
options: Namespace(access_key='', access_secret='***', access_token='***', access_token_endpoint='', access_token_type='', aodh_endpoint='', auth_type=u'password', auth_url='http://10.11.48.187:5000/v2.0', authorization_code='', cacert=None, cert='', client_id='', client_secret='***', cloud='', consumer_key='', consumer_secret='***', debug=True, default_domain='default', default_domain_id='', default_domain_name='', deferred_help=False, discovery_endpoint='', domain_id='', domain_name='', endpoint='', identity_provider='', identity_provider_url='', insecure=None, inspector_api_version='1', inspector_url=None, interface='', key='', log_file=None, murano_url='', old_profile=None, openid_scope='', os_alarming_api_version='2', os_application_catalog_api_version='1', os_baremetal_api_version='1.6', os_beta_command=False, os_compute_api_version='', os_container_infra_api_version='1', os_data_processing_api_version='1.1', os_data_processing_url='', os_dns_api_version='2', os_identity_api_version='', os_image_api_version='', os_key_manager_api_version='1', os_metrics_api_version='1', os_network_api_version='', os_object_api_version='', os_orchestration_api_version='1', os_project_id=None, os_project_name=None, os_queues_api_version='2', os_tripleoclient_api_version='1', os_volume_api_version='', os_workflow_api_version='2', passcode='', password=***'s6{nLuU=A', profile=None, project_domain_id='', project_domain_name='', project_id='', project_name='proj1', protocol='', redirect_uri='', region_name='', roles='', timing=False, token='***', trust_id='', url='', user='', user_domain_id='', user_domain_name='', user_id='', username='user1', verbose_level=3, verify=None)
Auth plugin password selected
auth_config_hook(): {'auth_type': u'password', 'beta_command': False, 'tripleoclient_api_version': '1', u'compute_api_version': u'2', u'orchestration_api_version': '1', u'database_api_version': u'1.0', 'metrics_api_version': '1', 'data_processing_api_version': '1.1', 'inspector_api_version': '1', 'auth_url': 'http://10.11.48.187:5000/v2.0', u'network_api_version': u'2', u'message': u'', u'image_format': u'qcow2', 'networks': [], u'image_api_version': u'2', 'verify': True, u'dns_api_version': '2', u'object_store_api_version': u'1', 'username': 'user1', 'container_infra_api_version': '1', 'verbose_level': 3, 'region_name': '', 'api_timeout': None, u'baremetal_api_version': '1.6', 'queues_api_version': '2', 'auth': {'project_name': 'proj1'}, 'default_domain': 'default', 'debug': True, u'image_api_use_tasks': False, u'floating_ip_source': u'neutron', 'key': None, 'timing': False, 'password': u'***', 'application_catalog_api_version': '1', 'cacert': None, u'key_manager_api_version': '1', u'metering_api_version': u'2', 'deferred_help': False, u'identity_api_version': u'2.0', 'workflow_api_version': '2', u'volume_api_version': u'2', 'cert': None, u'secgroup_source': u'neutron', u'status': u'active', 'alarming_api_version': '2', u'container_api_version': u'1', u'interface': None, u'disable_vendor_agent': {}}
unmatched '{' in format
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/cliff/app.py", line 250, in run
    self.initialize_app(remainder)
  File "/usr/lib/python2.7/site-packages/openstackclient/shell.py", line 133, in initialize_app
    super(OpenStackShell, self).initialize_app(argv)
  File "/usr/lib/python2.7/site-packages/osc_lib/shell.py", line 395, in initialize_app
    argparse=self.options,
  File "/usr/lib/python2.7/site-packages/osc_lib/cli/client_config.py", line 168, in get_one_cloud
    **kwargs
  File "/usr/lib/python2.7/site-packages/os_client_config/config.py", line 1113, in get_one_cloud
    config[key] = value.format(**config)
ValueError: unmatched '{' in format
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/osc_lib/shell.py", line 135, in run
    ret_val = super(OpenStackShell, self).run(argv)
  File "/usr/lib/python2.7/site-packages/cliff/app.py", line 250, in run
    self.initialize_app(remainder)
  File "/usr/lib/python2.7/site-packages/openstackclient/shell.py", line 133, in initialize_app
    super(OpenStackShell, self).initialize_app(argv)
  File "/usr/lib/python2.7/site-packages/osc_lib/shell.py", line 395, in initialize_app
    argparse=self.options,
  File "/usr/lib/python2.7/site-packages/osc_lib/cli/client_config.py", line 168, in get_one_cloud
    **kwargs
  File "/usr/lib/python2.7/site-packages/os_client_config/config.py", line 1113, in get_one_cloud
    config[key] = value.format(**config)
ValueError: unmatched '{' in format

END return value: 1
[stack@instack ~]$ 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Actual results:
unmatched '{' in format

Expected results:
should receive the token.

Additional info:

And here are the client packages:
user@host$ rpm -qa | grep keystone
python-keystoneclient-3.10.0-1.el7ost.noarch
openstack-keystone-11.0.0-5.el7ost.noarch
python-keystoneauth1-2.18.0-1.el7ost.noarch
puppet-keystone-10.3.0-2.el7ost.noarch
python-keystone-11.0.0-5.el7ost.noarch
python-keystonemiddleware-4.14.0-1.el7ost.noarch

Comment 6 John Dennis 2017-12-05 20:46:58 UTC

proposed upstream patch: https://review.openstack.org/#/c/525744/

Comment 7 Jason E. Rist 2018-03-15 16:01:52 UTC

Upstream patch has merged.

Comment 17 Julie Pichon 2018-07-09 07:39:20 UTC

*** Bug 1599189 has been marked as a duplicate of this bug. ***

Comment 25 Alex McLeod 2018-09-03 07:57:19 UTC

Hi there,

If this bug requires doc text for errata release, please set the 'Doc Type' and provide draft text according to the template in the 'Doc Text' field.

The documentation team will review, edit, and approve the text.

If this bug does not require doc text, please set the 'requires_doc_text' flag to -.

Thanks,
Alex

Comment 26 John Dennis 2018-09-11 13:13:19 UTC

This is probably a nit but I don't think this current doc text is correct:

> Previously, password values in formatted strings were expanded, causing the
> client commands to fail when the password contained special characters.

Passwords are not contained in formatted strings and the term "special characters" in the context of passwords implies non-alhpanumerics. May I suggest this instead:

Previously password values were subject to variable substitution using a syntax
of matched braces {} to delimit the variable. Any variable syntax error in the password string or unintended variable substitution would cause the password to fail.

With this update, passwords are not subject to variable substitution and the client accepts passwords with any mix of braces.

Comment 27 Alex McLeod 2018-09-11 13:19:21 UTC

Much obliged John, thank you :)

Comment 29 errata-xmlrpc 2018-09-17 16:59:16 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:2671

Note You need to log in before you can comment on or make changes to this bug.