Clone comment: This is already merged upstream on stable/pike ( https://review.openstack.org/#/c/574243/ ), but as the bug can affect FFU under certain circumstances, creating this downstream clone to make sure we have the patch in OSP12 soon. +++ This bug was initially created as a clone of Bug #1477128 +++ +++ This bug was initially created as a clone of Bug #1477126 +++ Description of problem: openstack client do not accept { in password Version-Release number of selected component (if applicable): RHOSP 11 How reproducible: Create a user with password containing { and add them in a project. Steps to Reproduce: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ [stack@instack ~]$ openstack --debug --os-auth-type password --os-password 's6{nLuU=A' token issue START with options: [u'--debug', u'--os-auth-type', u'password', u'--os-password', u's6{nLuU=A', u'token', u'issue'] options: Namespace(access_key='', access_secret='***', access_token='***', access_token_endpoint='', access_token_type='', aodh_endpoint='', auth_type=u'password', auth_url='http://10.11.48.187:5000/v2.0', authorization_code='', cacert=None, cert='', client_id='', client_secret='***', cloud='', consumer_key='', consumer_secret='***', debug=True, default_domain='default', default_domain_id='', default_domain_name='', deferred_help=False, discovery_endpoint='', domain_id='', domain_name='', endpoint='', identity_provider='', identity_provider_url='', insecure=None, inspector_api_version='1', inspector_url=None, interface='', key='', log_file=None, murano_url='', old_profile=None, openid_scope='', os_alarming_api_version='2', os_application_catalog_api_version='1', os_baremetal_api_version='1.6', os_beta_command=False, os_compute_api_version='', os_container_infra_api_version='1', os_data_processing_api_version='1.1', os_data_processing_url='', os_dns_api_version='2', os_identity_api_version='', os_image_api_version='', os_key_manager_api_version='1', os_metrics_api_version='1', os_network_api_version='', os_object_api_version='', os_orchestration_api_version='1', os_project_id=None, os_project_name=None, os_queues_api_version='2', os_tripleoclient_api_version='1', os_volume_api_version='', os_workflow_api_version='2', passcode='', password=***'s6{nLuU=A', profile=None, project_domain_id='', project_domain_name='', project_id='', project_name='proj1', protocol='', redirect_uri='', region_name='', roles='', timing=False, token='***', trust_id='', url='', user='', user_domain_id='', user_domain_name='', user_id='', username='user1', verbose_level=3, verify=None) Auth plugin password selected auth_config_hook(): {'auth_type': u'password', 'beta_command': False, 'tripleoclient_api_version': '1', u'compute_api_version': u'2', u'orchestration_api_version': '1', u'database_api_version': u'1.0', 'metrics_api_version': '1', 'data_processing_api_version': '1.1', 'inspector_api_version': '1', 'auth_url': 'http://10.11.48.187:5000/v2.0', u'network_api_version': u'2', u'message': u'', u'image_format': u'qcow2', 'networks': [], u'image_api_version': u'2', 'verify': True, u'dns_api_version': '2', u'object_store_api_version': u'1', 'username': 'user1', 'container_infra_api_version': '1', 'verbose_level': 3, 'region_name': '', 'api_timeout': None, u'baremetal_api_version': '1.6', 'queues_api_version': '2', 'auth': {'project_name': 'proj1'}, 'default_domain': 'default', 'debug': True, u'image_api_use_tasks': False, u'floating_ip_source': u'neutron', 'key': None, 'timing': False, 'password': u'***', 'application_catalog_api_version': '1', 'cacert': None, u'key_manager_api_version': '1', u'metering_api_version': u'2', 'deferred_help': False, u'identity_api_version': u'2.0', 'workflow_api_version': '2', u'volume_api_version': u'2', 'cert': None, u'secgroup_source': u'neutron', u'status': u'active', 'alarming_api_version': '2', u'container_api_version': u'1', u'interface': None, u'disable_vendor_agent': {}} unmatched '{' in format Traceback (most recent call last): File "/usr/lib/python2.7/site-packages/cliff/app.py", line 250, in run self.initialize_app(remainder) File "/usr/lib/python2.7/site-packages/openstackclient/shell.py", line 133, in initialize_app super(OpenStackShell, self).initialize_app(argv) File "/usr/lib/python2.7/site-packages/osc_lib/shell.py", line 395, in initialize_app argparse=self.options, File "/usr/lib/python2.7/site-packages/osc_lib/cli/client_config.py", line 168, in get_one_cloud **kwargs File "/usr/lib/python2.7/site-packages/os_client_config/config.py", line 1113, in get_one_cloud config[key] = value.format(**config) ValueError: unmatched '{' in format Traceback (most recent call last): File "/usr/lib/python2.7/site-packages/osc_lib/shell.py", line 135, in run ret_val = super(OpenStackShell, self).run(argv) File "/usr/lib/python2.7/site-packages/cliff/app.py", line 250, in run self.initialize_app(remainder) File "/usr/lib/python2.7/site-packages/openstackclient/shell.py", line 133, in initialize_app super(OpenStackShell, self).initialize_app(argv) File "/usr/lib/python2.7/site-packages/osc_lib/shell.py", line 395, in initialize_app argparse=self.options, File "/usr/lib/python2.7/site-packages/osc_lib/cli/client_config.py", line 168, in get_one_cloud **kwargs File "/usr/lib/python2.7/site-packages/os_client_config/config.py", line 1113, in get_one_cloud config[key] = value.format(**config) ValueError: unmatched '{' in format END return value: 1 [stack@instack ~]$ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Actual results: unmatched '{' in format Expected results: should receive the token. Additional info: And here are the client packages: user@host$ rpm -qa | grep keystone python-keystoneclient-3.10.0-1.el7ost.noarch openstack-keystone-11.0.0-5.el7ost.noarch python-keystoneauth1-2.18.0-1.el7ost.noarch puppet-keystone-10.3.0-2.el7ost.noarch python-keystone-11.0.0-5.el7ost.noarch python-keystonemiddleware-4.14.0-1.el7ost.noarch --- Additional comment from John Dennis on 2017-12-05 15:15:15 EST --- I'll be submitting a proposed patch upstream momentarily, let's see how the review goes ... --- Additional comment from John Dennis on 2017-12-05 15:30:26 EST --- proposed upstream patch: https://review.openstack.org/#/c/525744/ --- Additional comment from Julie Pichon on 2018-06-08 11:42:37 EDT --- Backport to 11 is still needed as this affects all openstack commands, not just token issue. "undercloud upgrade" executes several openstack client commands that would fail during FFU if the user set a password containing a curly bracket while on OSP10. $ export OS_PASSWORD=T{est $ openstack project show unmatched '{' in format --- Additional comment from Julie Pichon on 2018-06-20 05:14:14 EDT --- Hi Sofer, I was talking about this bug with someone who told me the undercloud never actually is OSP11 during FFU and so this shouldn't be a problem, but that doesn't match my understanding of the process. Would you mind confirming? Basically all 'openstack' commands will fail if there are curly brackets in the password, at the moment it is fixed in OSP10 and Pike & later upstream. I'm inclined to get the fix in OSP11 despite EOL to be on the safe side regarding FFU. --- Additional comment from Sofer Athlan-Guyot on 2018-06-20 05:52:31 EDT --- Hi Julie, (In reply to Julie Pichon from comment #4) > Hi Sofer, I was talking about this bug with someone who told me the > undercloud never actually is OSP11 during FFU and so this shouldn't be a > problem, but that doesn't match my understanding of the process. Would you > mind confirming? I confirm that your understanding is right. We do 3 undercloud upgrade one after the other in order to bring the undercloud to Queens. See the details there http://logs.openstack.org/92/549892/33/check/build-openstack-sphinx-docs/d4577ca/html/install/post_deployment/fast_forward_upgrade.html#undercloud-ffu-upgrade (lastest rendering of this review https://review.openstack.org/549892) > Basically all 'openstack' commands will fail if there are > curly brackets in the password, at the moment it is fixed in OSP10 and Pike > & later upstream. I'm inclined to get the fix in OSP11 despite EOL to be on > the safe side regarding FFU. That would be great. Thanks for noticing.
Copying the doc text from clone (bug 1477126).
Verified: python-openstackclient-3.12.1-2.el7ost.noarch python-os-client-config-1.28.0-2.el7ost.noarch
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2018:3790