Bug 1593636 - openstack client do not accept { in password
Summary: openstack client do not accept { in password
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: python-os-client-config
Version: 12.0 (Pike)
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: ---
Target Release: 12.0 (Pike)
Assignee: Julie Pichon
QA Contact: Shai Revivo
URL:
Whiteboard:
Depends On: 1477126 1477128
Blocks:
Reported: 2018-06-21 09:30 UTC by Julie Pichon
Modified: 2018-12-05 18:54 UTC (History)

Fixed In Version: python-os-client-config-1.28.0-2.el7ost
Doc Type: Bug Fix
Doc Text:
Previously, password values were subject to variable substitution using a syntax of matched braces {} to delimit the variable. Any variable syntax error in the password string, or unintended variable substitution would cause the password to fail. With this update, passwords are not subject to variable substitution and the client accepts passwords with any mix of braces.
Clone Of: 1477128
Environment:
Last Closed: 2018-12-05 18:54:06 UTC
Target Upstream Version:
Embargoed:


Links
System ID Private Priority Status Summary Last Updated
Launchpad 1635696 0 None None None 2018-06-21 09:30:22 UTC
OpenStack gerrit 574243 0 None None None 2018-06-21 09:30:22 UTC
Red Hat Product Errata RHBA-2018:3790 0 None None None 2018-12-05 18:54:52 UTC

Description Julie Pichon 2018-06-21 09:30:23 UTC
Clone comment: This is already merged upstream on stable/pike ( https://review.openstack.org/#/c/574243/ ), but as the bug can affect FFU under certain circumstances, creating this downstream clone to make sure we have the patch in OSP12 soon.

+++ This bug was initially created as a clone of Bug #1477128 +++
+++ This bug was initially created as a clone of Bug #1477126 +++

Description of problem:
openstack client do not accept { in password

Version-Release number of selected component (if applicable):
RHOSP 11

How reproducible:
Create a user with password containing { and add them in a project.

Steps to Reproduce:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

[stack@instack ~]$ openstack --debug --os-auth-type password --os-password 's6{nLuU=A' token issue
START with options: [u'--debug', u'--os-auth-type', u'password', u'--os-password', u's6{nLuU=A', u'token', u'issue']
options: Namespace(access_key='', access_secret='***', access_token='***', access_token_endpoint='', access_token_type='', aodh_endpoint='', auth_type=u'password', auth_url='http://10.11.48.187:5000/v2.0', authorization_code='', cacert=None, cert='', client_id='', client_secret='***', cloud='', consumer_key='', consumer_secret='***', debug=True, default_domain='default', default_domain_id='', default_domain_name='', deferred_help=False, discovery_endpoint='', domain_id='', domain_name='', endpoint='', identity_provider='', identity_provider_url='', insecure=None, inspector_api_version='1', inspector_url=None, interface='', key='', log_file=None, murano_url='', old_profile=None, openid_scope='', os_alarming_api_version='2', os_application_catalog_api_version='1', os_baremetal_api_version='1.6', os_beta_command=False, os_compute_api_version='', os_container_infra_api_version='1', os_data_processing_api_version='1.1', os_data_processing_url='', os_dns_api_version='2', os_identity_api_version='', os_image_api_version='', os_key_manager_api_version='1', os_metrics_api_version='1', os_network_api_version='', os_object_api_version='', os_orchestration_api_version='1', os_project_id=None, os_project_name=None, os_queues_api_version='2', os_tripleoclient_api_version='1', os_volume_api_version='', os_workflow_api_version='2', passcode='', password=***'s6{nLuU=A', profile=None, project_domain_id='', project_domain_name='', project_id='', project_name='proj1', protocol='', redirect_uri='', region_name='', roles='', timing=False, token='***', trust_id='', url='', user='', user_domain_id='', user_domain_name='', user_id='', username='user1', verbose_level=3, verify=None)
Auth plugin password selected
auth_config_hook(): {'auth_type': u'password', 'beta_command': False, 'tripleoclient_api_version': '1', u'compute_api_version': u'2', u'orchestration_api_version': '1', u'database_api_version': u'1.0', 'metrics_api_version': '1', 'data_processing_api_version': '1.1', 'inspector_api_version': '1', 'auth_url': 'http://10.11.48.187:5000/v2.0', u'network_api_version': u'2', u'message': u'', u'image_format': u'qcow2', 'networks': [], u'image_api_version': u'2', 'verify': True, u'dns_api_version': '2', u'object_store_api_version': u'1', 'username': 'user1', 'container_infra_api_version': '1', 'verbose_level': 3, 'region_name': '', 'api_timeout': None, u'baremetal_api_version': '1.6', 'queues_api_version': '2', 'auth': {'project_name': 'proj1'}, 'default_domain': 'default', 'debug': True, u'image_api_use_tasks': False, u'floating_ip_source': u'neutron', 'key': None, 'timing': False, 'password': u'***', 'application_catalog_api_version': '1', 'cacert': None, u'key_manager_api_version': '1', u'metering_api_version': u'2', 'deferred_help': False, u'identity_api_version': u'2.0', 'workflow_api_version': '2', u'volume_api_version': u'2', 'cert': None, u'secgroup_source': u'neutron', u'status': u'active', 'alarming_api_version': '2', u'container_api_version': u'1', u'interface': None, u'disable_vendor_agent': {}}
unmatched '{' in format
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/cliff/app.py", line 250, in run
    self.initialize_app(remainder)
  File "/usr/lib/python2.7/site-packages/openstackclient/shell.py", line 133, in initialize_app
    super(OpenStackShell, self).initialize_app(argv)
  File "/usr/lib/python2.7/site-packages/osc_lib/shell.py", line 395, in initialize_app
    argparse=self.options,
  File "/usr/lib/python2.7/site-packages/osc_lib/cli/client_config.py", line 168, in get_one_cloud
    **kwargs
  File "/usr/lib/python2.7/site-packages/os_client_config/config.py", line 1113, in get_one_cloud
    config[key] = value.format(**config)
ValueError: unmatched '{' in format
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/osc_lib/shell.py", line 135, in run
    ret_val = super(OpenStackShell, self).run(argv)
  File "/usr/lib/python2.7/site-packages/cliff/app.py", line 250, in run
    self.initialize_app(remainder)
  File "/usr/lib/python2.7/site-packages/openstackclient/shell.py", line 133, in initialize_app
    super(OpenStackShell, self).initialize_app(argv)
  File "/usr/lib/python2.7/site-packages/osc_lib/shell.py", line 395, in initialize_app
    argparse=self.options,
  File "/usr/lib/python2.7/site-packages/osc_lib/cli/client_config.py", line 168, in get_one_cloud
    **kwargs
  File "/usr/lib/python2.7/site-packages/os_client_config/config.py", line 1113, in get_one_cloud
    config[key] = value.format(**config)
ValueError: unmatched '{' in format

END return value: 1
[stack@instack ~]$ 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Actual results:
unmatched '{' in format

Expected results:
should receive the token.

Additional info:

And here are the client packages:
user@host$ rpm -qa | grep keystone
python-keystoneclient-3.10.0-1.el7ost.noarch
openstack-keystone-11.0.0-5.el7ost.noarch
python-keystoneauth1-2.18.0-1.el7ost.noarch
puppet-keystone-10.3.0-2.el7ost.noarch
python-keystone-11.0.0-5.el7ost.noarch
python-keystonemiddleware-4.14.0-1.el7ost.noarch

--- Additional comment from John Dennis on 2017-12-05 15:15:15 EST ---

I'll be submitting a proposed patch upstream momentarily, let's see how the review goes ...

--- Additional comment from John Dennis on 2017-12-05 15:30:26 EST ---

proposed upstream patch: https://review.openstack.org/#/c/525744/

--- Additional comment from Julie Pichon on 2018-06-08 11:42:37 EDT ---

Backport to 11 is still needed as this affects all openstack commands, not just token issue. "undercloud upgrade" executes several openstack client commands that would fail during FFU if the user set a password containing a curly bracket while on OSP10.

$ export OS_PASSWORD=T{est
$ openstack project show
unmatched '{' in format

--- Additional comment from Julie Pichon on 2018-06-20 05:14:14 EDT ---

Hi Sofer, I was talking about this bug with someone who told me the undercloud never actually is OSP11 during FFU and so this shouldn't be a problem, but that doesn't match my understanding of the process. Would you mind confirming? Basically all 'openstack' commands will fail if there are curly brackets in the password, at the moment it is fixed in OSP10 and Pike & later upstream. I'm inclined to get the fix in OSP11 despite EOL to be on the safe side regarding FFU.

--- Additional comment from Sofer Athlan-Guyot on 2018-06-20 05:52:31 EDT ---

Hi Julie,

(In reply to Julie Pichon from comment #4)
> Hi Sofer, I was talking about this bug with someone who told me the
> undercloud never actually is OSP11 during FFU and so this shouldn't be a
> problem, but that doesn't match my understanding of the process. Would you
> mind confirming?

I confirm that your understanding is right. We do 3 undercloud upgrades one after the other in order to bring the undercloud to Queens. See the details there http://logs.openstack.org/92/549892/33/check/build-openstack-sphinx-docs/d4577ca/html/install/post_deployment/fast_forward_upgrade.html#undercloud-ffu-upgrade (latest rendering of this review https://review.openstack.org/549892)

> Basically all 'openstack' commands will fail if there are
> curly brackets in the password, at the moment it is fixed in OSP10 and Pike
> & later upstream. I'm inclined to get the fix in OSP11 despite EOL to be on
> the safe side regarding FFU.

That would be great.  Thanks for noticing.
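
The failure mode in the traceback above (`config[key] = value.format(**config)` applied to every string value, the password included), shown as an added example that is not code from os-client-config or from this bug report. The function names, the `NO_EXPAND_KEYS` constant and the sample configuration are assumptions made for illustration; the two brace-containing passwords from the report are reused as inputs.

```python
# Added illustration; all names here are hypothetical, not the project's.
NO_EXPAND_KEYS = frozenset(["password"])  # assumption: keys treated as opaque secrets

# Constructed sample config; auth_url uses a legitimate {region_name} reference.
BASE = {
    "username": "user1",
    "region_name": "r1",
    "auth_url": "https://{region_name}.keystone.example/v3",
}


def expand_all(config):
    """Pre-fix behaviour: every string value is treated as a format template."""
    out = dict(config)
    for key, value in config.items():
        if hasattr(value, "format"):
            out[key] = value.format(**config)
    return out


def expand_except_secrets(config):
    """Hardened variant: secrets are copied verbatim, other keys still expand."""
    out = dict(config)
    for key, value in config.items():
        if key in NO_EXPAND_KEYS:
            continue
        if hasattr(value, "format"):
            out[key] = value.format(**config)
    return out


def classify(password):
    """Report what the pre-fix expansion does to a given password."""
    config = dict(BASE, password=password)
    try:
        expanded = expand_all(config)
    except (ValueError, KeyError, IndexError) as exc:
        # Message wording varies by Python version; 2.7 prints the
        # "unmatched '{' in format" text seen in the traceback.
        return "error: %s" % type(exc).__name__
    if expanded["password"] != password:
        return "silently changed to %r" % expanded["password"]
    return "unchanged"


if __name__ == "__main__":
    for pw in ["s6{nLuU=A", "T{est", "{username}", "a{{b}}c", "{nope}", "plain"]:
        fixed = expand_except_secrets(dict(BASE, password=pw))["password"]
        print("%-12r pre-fix: %-28s fixed: %r" % (pw, classify(pw), fixed))
```

The silent cases matter as much as the crash: a password that happens to be valid template syntax is rewritten before it is sent, so authentication fails with no format error pointing at the cause.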

Comment 11 Julie Pichon 2018-11-28 09:44:52 UTC
Copying the doc text from clone (bug 1477126).

Comment 12 Udi Kalifon 2018-12-03 07:53:15 UTC
Verified: python-openstackclient-3.12.1-2.el7ost.noarch python-os-client-config-1.28.0-2.el7ost.noarch

Comment 14 errata-xmlrpc 2018-12-05 18:54:06 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:3790