diff options
author | Dolph Mathews <dolph.mathews@gmail.com> | 2016-06-15 16:26:35 +0000 |
---|---|---|
committer | Steve Martinelli <s.martinelli@gmail.com> | 2016-06-17 12:37:15 -0400 |
commit | fe0c8e955be0331aef9cc6847c9bddc43ce66d92 (patch) | |
tree | bb9597a1f0a1417ec5cd19f984c99eeb32f693d8 /openstackclient/common/clientmanager.py | |
parent | 1464c8a23755f70bb60ed37abe1edf5c7e0b7203 (diff) | |
download | python-openstackclient-fe0c8e955be0331aef9cc6847c9bddc43ce66d92.tar.gz |
Do not prompt for scope options with default scoped tokens
This changes the scope validation to occur after a token has already
been created.
Previous flow:
1. Validate authentication options.
2. Validate authorization options if the command requires a scope.
3. Create a token (using authentication + authorization options)
4. Run command.
This means that scope was being checked, even if a default scope was
applied in step 3 by Keystone.
New flow:
1. Validate authentication options.
2. Create token (using authentication + authorization options)
3 Validate authorization options if the command requires a scope and
the token is not scoped.
4. Run command.
Change-Id: Idae368a11249f425b14b891fc68b4176e2b3e981
Closes-Bug: 1592062
Diffstat (limited to 'openstackclient/common/clientmanager.py')
-rw-r--r-- | openstackclient/common/clientmanager.py | 25 |
1 files changed, 18 insertions, 7 deletions
diff --git a/openstackclient/common/clientmanager.py b/openstackclient/common/clientmanager.py index 04f624d0..5dbfb417 100644 --- a/openstackclient/common/clientmanager.py +++ b/openstackclient/common/clientmanager.py @@ -140,10 +140,8 @@ class ClientManager(object): # prior to dereferrencing auth_ref. self._auth_setup_completed = False - def setup_auth(self, required_scope=True): - """Set up authentication - - :param required_scope: indicate whether a scoped token is required + def setup_auth(self): + """Set up authentication. This is deferred until authentication is actually attempted because it gets in the way of things that do not require auth. @@ -157,9 +155,8 @@ class ClientManager(object): self.auth_plugin_name = auth.select_auth_plugin(self._cli_options) # Basic option checking to avoid unhelpful error messages - auth.check_valid_auth_options(self._cli_options, - self.auth_plugin_name, - required_scope=required_scope) + auth.check_valid_authentication_options(self._cli_options, + self.auth_plugin_name) # Horrible hack alert...must handle prompt for null password if # password auth is requested. @@ -229,6 +226,20 @@ class ClientManager(object): self._auth_setup_completed = True + def validate_scope(self): + if self._auth_ref.project_id is not None: + # We already have a project scope. + return + if self._auth_ref.domain_id is not None: + # We already have a domain scope. + return + + # We do not have a scoped token (and the user's default project scope + # was not implied), so the client needs to be explicitly configured + # with a scope. + auth.check_valid_authorization_options(self._cli_options, + self.auth_plugin_name) + @property def auth_ref(self): """Dereference will trigger an auth if it hasn't already""" |