Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 1477128

Summary: openstack client do not accept { in password
Product: Red Hat OpenStack Reporter: KOSAL RAJ I <kiyyappa>
Component: python-os-client-configAssignee: Julie Pichon <jpichon>
Status: CLOSED EOL QA Contact: Shai Revivo <srevivo>
Severity: medium Docs Contact:
Priority: medium    
Version: 11.0 (Ocata)CC: apevec, jdennis, jpichon, jraju, jschluet, lhh, nkinder, nlevinki, sathlang, srevivo
Target Milestone: asyncKeywords: Triaged, ZStream
Target Release: 11.0 (Ocata)   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: python-os-client-config-1.26.0-2.el7ost Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: 1477126
: 1593636 (view as bug list) Environment:
Last Closed: 2018-06-28 10:26:47 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1477126    
Bug Blocks: 1593636    

Description KOSAL RAJ I 2017-08-01 09:57:45 UTC 
+++ This bug was initially created as a clone of Bug #1477126 +++

Description of problem:
openstack client do not accept { in password

Version-Release number of selected component (if applicable):
RHOSP 11

How reproducible:
Create a user with password containing { and add them in a project.

Steps to Reproduce:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

[stack@instack ~]$ openstack --debug --os-auth-type password --os-password 's6{nLuU=A' token issue
START with options: [u'--debug', u'--os-auth-type', u'password', u'--os-password', u's6{nLuU=A', u'token', u'issue']
options: Namespace(access_key='', access_secret='***', access_token='***', access_token_endpoint='', access_token_type='', aodh_endpoint='', auth_type=u'password', auth_url='http://10.11.48.187:5000/v2.0', authorization_code='', cacert=None, cert='', client_id='', client_secret='***', cloud='', consumer_key='', consumer_secret='***', debug=True, default_domain='default', default_domain_id='', default_domain_name='', deferred_help=False, discovery_endpoint='', domain_id='', domain_name='', endpoint='', identity_provider='', identity_provider_url='', insecure=None, inspector_api_version='1', inspector_url=None, interface='', key='', log_file=None, murano_url='', old_profile=None, openid_scope='', os_alarming_api_version='2', os_application_catalog_api_version='1', os_baremetal_api_version='1.6', os_beta_command=False, os_compute_api_version='', os_container_infra_api_version='1', os_data_processing_api_version='1.1', os_data_processing_url='', os_dns_api_version='2', os_identity_api_version='', os_image_api_version='', os_key_manager_api_version='1', os_metrics_api_version='1', os_network_api_version='', os_object_api_version='', os_orchestration_api_version='1', os_project_id=None, os_project_name=None, os_queues_api_version='2', os_tripleoclient_api_version='1', os_volume_api_version='', os_workflow_api_version='2', passcode='', password=***'s6{nLuU=A', profile=None, project_domain_id='', project_domain_name='', project_id='', project_name='proj1', protocol='', redirect_uri='', region_name='', roles='', timing=False, token='***', trust_id='', url='', user='', user_domain_id='', user_domain_name='', user_id='', username='user1', verbose_level=3, verify=None)
Auth plugin password selected
auth_config_hook(): {'auth_type': u'password', 'beta_command': False, 'tripleoclient_api_version': '1', u'compute_api_version': u'2', u'orchestration_api_version': '1', u'database_api_version': u'1.0', 'metrics_api_version': '1', 'data_processing_api_version': '1.1', 'inspector_api_version': '1', 'auth_url': 'http://10.11.48.187:5000/v2.0', u'network_api_version': u'2', u'message': u'', u'image_format': u'qcow2', 'networks': [], u'image_api_version': u'2', 'verify': True, u'dns_api_version': '2', u'object_store_api_version': u'1', 'username': 'user1', 'container_infra_api_version': '1', 'verbose_level': 3, 'region_name': '', 'api_timeout': None, u'baremetal_api_version': '1.6', 'queues_api_version': '2', 'auth': {'project_name': 'proj1'}, 'default_domain': 'default', 'debug': True, u'image_api_use_tasks': False, u'floating_ip_source': u'neutron', 'key': None, 'timing': False, 'password': u'***', 'application_catalog_api_version': '1', 'cacert': None, u'key_manager_api_version': '1', u'metering_api_version': u'2', 'deferred_help': False, u'identity_api_version': u'2.0', 'workflow_api_version': '2', u'volume_api_version': u'2', 'cert': None, u'secgroup_source': u'neutron', u'status': u'active', 'alarming_api_version': '2', u'container_api_version': u'1', u'interface': None, u'disable_vendor_agent': {}}
unmatched '{' in format
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/cliff/app.py", line 250, in run
    self.initialize_app(remainder)
  File "/usr/lib/python2.7/site-packages/openstackclient/shell.py", line 133, in initialize_app
    super(OpenStackShell, self).initialize_app(argv)
  File "/usr/lib/python2.7/site-packages/osc_lib/shell.py", line 395, in initialize_app
    argparse=self.options,
  File "/usr/lib/python2.7/site-packages/osc_lib/cli/client_config.py", line 168, in get_one_cloud
    **kwargs
  File "/usr/lib/python2.7/site-packages/os_client_config/config.py", line 1113, in get_one_cloud
    config[key] = value.format(**config)
ValueError: unmatched '{' in format
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/osc_lib/shell.py", line 135, in run
    ret_val = super(OpenStackShell, self).run(argv)
  File "/usr/lib/python2.7/site-packages/cliff/app.py", line 250, in run
    self.initialize_app(remainder)
  File "/usr/lib/python2.7/site-packages/openstackclient/shell.py", line 133, in initialize_app
    super(OpenStackShell, self).initialize_app(argv)
  File "/usr/lib/python2.7/site-packages/osc_lib/shell.py", line 395, in initialize_app
    argparse=self.options,
  File "/usr/lib/python2.7/site-packages/osc_lib/cli/client_config.py", line 168, in get_one_cloud
    **kwargs
  File "/usr/lib/python2.7/site-packages/os_client_config/config.py", line 1113, in get_one_cloud
    config[key] = value.format(**config)
ValueError: unmatched '{' in format

END return value: 1
[stack@instack ~]$ 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Actual results:
unmatched '{' in format

Expected results:
should receive the token.

Additional info:

And here are the client packages:
user@host$ rpm -qa | grep keystone
python-keystoneclient-3.10.0-1.el7ost.noarch
openstack-keystone-11.0.0-5.el7ost.noarch
python-keystoneauth1-2.18.0-1.el7ost.noarch
puppet-keystone-10.3.0-2.el7ost.noarch
python-keystone-11.0.0-5.el7ost.noarch
python-keystonemiddleware-4.14.0-1.el7ost.noarch
Comment 1 John Dennis 2017-12-05 20:15:15 UTC 
I'll be submitting a proposed patch upstream momentarily, let's see how the review goes ...
Comment 2 John Dennis 2017-12-05 20:30:26 UTC 
proposed upstream patch: https://review.openstack.org/#/c/525744/
Comment 3 Julie Pichon 2018-06-08 15:42:37 UTC 
Backport to 11 is still needed as this affects all openstack commands, not just token issue. "undercloud upgrade" executes several openstack client commands that would fail during FFU if the user set a password containing a curly bracket while on OSP10.

$ export OS_PASSWORD=T{est
$ openstack project show
unmatched '{' in format
Comment 4 Julie Pichon 2018-06-20 09:14:14 UTC 
Hi Sofer, I was talking about this bug with someone who told me the undercloud never actually is OSP11 during FFU and so this shouldn't be a problem, but that doesn't match my understanding of the process. Would you mind confirming? Basically all 'openstack' commands will fail if there are curly brackets in the password, at the moment it is fixed in OSP10 and Pike & later upstream. I'm inclined to get the fix in OSP11 despite EOL to be on the safe side regarding FFU.
Comment 5 Sofer Athlan-Guyot 2018-06-20 09:52:31 UTC 
Hi Julie,

(In reply to Julie Pichon from comment #4)
> Hi Sofer, I was talking about this bug with someone who told me the
> undercloud never actually is OSP11 during FFU and so this shouldn't be a
> problem, but that doesn't match my understanding of the process. Would you
> mind confirming?

I confirm that your understanding is right.  We do 3 undercloud upgrade one after the other in order to bring the undercloud to Queens.  See the details there http://logs.openstack.org/92/549892/33/check/build-openstack-sphinx-docs/d4577ca/html/install/post_deployment/fast_forward_upgrade.html#undercloud-ffu-upgrade (lastest rendering of this review https://review.openstack.org/549892)

> Basically all 'openstack' commands will fail if there are
> curly brackets in the password, at the moment it is fixed in OSP10 and Pike
> & later upstream. I'm inclined to get the fix in OSP11 despite EOL to be on
> the safe side regarding FFU.

That would be great.  Thanks for noticing.
Comment 6 Julie Pichon 2018-06-20 10:56:04 UTC 
Thanks!
Comment 10 Julie Pichon 2018-06-28 10:26:47 UTC 
As OSP11 is EOL and this bug may only affect a minor subset of FFU users, this will be handled as a documentation note instead (cf bug 1596114).