+++ This bug was initially created as a clone of Bug #1477126 +++ Description of problem: openstack client do not accept { in password Version-Release number of selected component (if applicable): RHOSP 11 How reproducible: Create a user with password containing { and add them in a project. Steps to Reproduce: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ [stack@instack ~]$ openstack --debug --os-auth-type password --os-password 's6{nLuU=A' token issue START with options: [u'--debug', u'--os-auth-type', u'password', u'--os-password', u's6{nLuU=A', u'token', u'issue'] options: Namespace(access_key='', access_secret='***', access_token='***', access_token_endpoint='', access_token_type='', aodh_endpoint='', auth_type=u'password', auth_url='http://10.11.48.187:5000/v2.0', authorization_code='', cacert=None, cert='', client_id='', client_secret='***', cloud='', consumer_key='', consumer_secret='***', debug=True, default_domain='default', default_domain_id='', default_domain_name='', deferred_help=False, discovery_endpoint='', domain_id='', domain_name='', endpoint='', identity_provider='', identity_provider_url='', insecure=None, inspector_api_version='1', inspector_url=None, interface='', key='', log_file=None, murano_url='', old_profile=None, openid_scope='', os_alarming_api_version='2', os_application_catalog_api_version='1', os_baremetal_api_version='1.6', os_beta_command=False, os_compute_api_version='', os_container_infra_api_version='1', os_data_processing_api_version='1.1', os_data_processing_url='', os_dns_api_version='2', os_identity_api_version='', os_image_api_version='', os_key_manager_api_version='1', os_metrics_api_version='1', os_network_api_version='', os_object_api_version='', os_orchestration_api_version='1', os_project_id=None, os_project_name=None, os_queues_api_version='2', os_tripleoclient_api_version='1', os_volume_api_version='', os_workflow_api_version='2', passcode='', password=***'s6{nLuU=A', profile=None, project_domain_id='', project_domain_name='', project_id='', project_name='proj1', protocol='', redirect_uri='', region_name='', roles='', timing=False, token='***', trust_id='', url='', user='', user_domain_id='', user_domain_name='', user_id='', username='user1', verbose_level=3, verify=None) Auth plugin password selected auth_config_hook(): {'auth_type': u'password', 'beta_command': False, 'tripleoclient_api_version': '1', u'compute_api_version': u'2', u'orchestration_api_version': '1', u'database_api_version': u'1.0', 'metrics_api_version': '1', 'data_processing_api_version': '1.1', 'inspector_api_version': '1', 'auth_url': 'http://10.11.48.187:5000/v2.0', u'network_api_version': u'2', u'message': u'', u'image_format': u'qcow2', 'networks': [], u'image_api_version': u'2', 'verify': True, u'dns_api_version': '2', u'object_store_api_version': u'1', 'username': 'user1', 'container_infra_api_version': '1', 'verbose_level': 3, 'region_name': '', 'api_timeout': None, u'baremetal_api_version': '1.6', 'queues_api_version': '2', 'auth': {'project_name': 'proj1'}, 'default_domain': 'default', 'debug': True, u'image_api_use_tasks': False, u'floating_ip_source': u'neutron', 'key': None, 'timing': False, 'password': u'***', 'application_catalog_api_version': '1', 'cacert': None, u'key_manager_api_version': '1', u'metering_api_version': u'2', 'deferred_help': False, u'identity_api_version': u'2.0', 'workflow_api_version': '2', u'volume_api_version': u'2', 'cert': None, u'secgroup_source': u'neutron', u'status': u'active', 'alarming_api_version': '2', u'container_api_version': u'1', u'interface': None, u'disable_vendor_agent': {}} unmatched '{' in format Traceback (most recent call last): File "/usr/lib/python2.7/site-packages/cliff/app.py", line 250, in run self.initialize_app(remainder) File "/usr/lib/python2.7/site-packages/openstackclient/shell.py", line 133, in initialize_app super(OpenStackShell, self).initialize_app(argv) File "/usr/lib/python2.7/site-packages/osc_lib/shell.py", line 395, in initialize_app argparse=self.options, File "/usr/lib/python2.7/site-packages/osc_lib/cli/client_config.py", line 168, in get_one_cloud **kwargs File "/usr/lib/python2.7/site-packages/os_client_config/config.py", line 1113, in get_one_cloud config[key] = value.format(**config) ValueError: unmatched '{' in format Traceback (most recent call last): File "/usr/lib/python2.7/site-packages/osc_lib/shell.py", line 135, in run ret_val = super(OpenStackShell, self).run(argv) File "/usr/lib/python2.7/site-packages/cliff/app.py", line 250, in run self.initialize_app(remainder) File "/usr/lib/python2.7/site-packages/openstackclient/shell.py", line 133, in initialize_app super(OpenStackShell, self).initialize_app(argv) File "/usr/lib/python2.7/site-packages/osc_lib/shell.py", line 395, in initialize_app argparse=self.options, File "/usr/lib/python2.7/site-packages/osc_lib/cli/client_config.py", line 168, in get_one_cloud **kwargs File "/usr/lib/python2.7/site-packages/os_client_config/config.py", line 1113, in get_one_cloud config[key] = value.format(**config) ValueError: unmatched '{' in format END return value: 1 [stack@instack ~]$ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Actual results: unmatched '{' in format Expected results: should receive the token. Additional info: And here are the client packages: user@host$ rpm -qa | grep keystone python-keystoneclient-3.10.0-1.el7ost.noarch openstack-keystone-11.0.0-5.el7ost.noarch python-keystoneauth1-2.18.0-1.el7ost.noarch puppet-keystone-10.3.0-2.el7ost.noarch python-keystone-11.0.0-5.el7ost.noarch python-keystonemiddleware-4.14.0-1.el7ost.noarch
I'll be submitting a proposed patch upstream momentarily, let's see how the review goes ...
proposed upstream patch: https://review.openstack.org/#/c/525744/
Backport to 11 is still needed as this affects all openstack commands, not just token issue. "undercloud upgrade" executes several openstack client commands that would fail during FFU if the user set a password containing a curly bracket while on OSP10. $ export OS_PASSWORD=T{est $ openstack project show unmatched '{' in format
Hi Sofer, I was talking about this bug with someone who told me the undercloud never actually is OSP11 during FFU and so this shouldn't be a problem, but that doesn't match my understanding of the process. Would you mind confirming? Basically all 'openstack' commands will fail if there are curly brackets in the password, at the moment it is fixed in OSP10 and Pike & later upstream. I'm inclined to get the fix in OSP11 despite EOL to be on the safe side regarding FFU.
Hi Julie, (In reply to Julie Pichon from comment #4) > Hi Sofer, I was talking about this bug with someone who told me the > undercloud never actually is OSP11 during FFU and so this shouldn't be a > problem, but that doesn't match my understanding of the process. Would you > mind confirming? I confirm that your understanding is right. We do 3 undercloud upgrade one after the other in order to bring the undercloud to Queens. See the details there http://logs.openstack.org/92/549892/33/check/build-openstack-sphinx-docs/d4577ca/html/install/post_deployment/fast_forward_upgrade.html#undercloud-ffu-upgrade (lastest rendering of this review https://review.openstack.org/549892) > Basically all 'openstack' commands will fail if there are > curly brackets in the password, at the moment it is fixed in OSP10 and Pike > & later upstream. I'm inclined to get the fix in OSP11 despite EOL to be on > the safe side regarding FFU. That would be great. Thanks for noticing.
Thanks!
As OSP11 is EOL and this bug may only affect a minor subset of FFU users, this will be handled as a documentation note instead (cf bug 1596114).