authorTim Burke <tim.burke@gmail.com>2020-05-13 10:30:30 -0700
committerTim Burke <tim.burke@gmail.com>2020-05-27 15:17:09 -0700
commit257a7185a8d5fdc11d91058f1735fa4273719aa9 (patch)
treeb3d9d6ae6db4693a2688906a0a5dc23f93cefb07
parent5840efe1d62d67735e6986512a66ddd1991fd60d (diff)
downloadpython-swiftclient-257a7185a8d5fdc11d91058f1735fa4273719aa9.tar.gz
Application credential support follow-up
Following the recent v3applicationcredentials patch, if you have your environment variables set up to work with python-openstackclient using swiftclient's v1password plugin, swiftclient won't work: $ env | egrep '^(OS|ST)_' ST_KEY=testing ST_USER=test:tester OS_AUTH_URL=http://saio/auth/v1.0 ST_AUTH=http://saio/auth/v1.0 OS_USERNAME=test:tester OS_AUTH_TYPE=v1password OS_PASSWORD=testing $ openstack object store account show +------------+----------------------------+ | Field | Value | +------------+----------------------------+ | Account | AUTH_test | | Bytes | 0 | | Containers | 11 | | Objects | 0 | +------------+----------------------------+ $ swift stat Only "v3applicationcredential" is supported for --os-auth-type We don't really want to allow (and mostly ignore) arbitrary OS_AUTH_TYPE values, though -- there are a whole bunch of plugins we don't remotely support. But it seems OK to allow any of the password plugins; while we won't actually use them (currently), we provide roughly equivalent functionality. Handful of other drive-bys: * Use a None sentinel to determine whether keystoneauth1 is installed instead of trying to catch a NameError. * Clarify error state when keystoneauth1 is not installed. * Fix a typo: "sses" -> "sess". Change-Id: Id7ea9c3ea8278ae86a04d057a472a8f8a87b8eae Related-Change: I9190e5e7e24b6a741970fa0d0ac792deccf73d25
-rw-r--r--swiftclient/client.py29
-rwxr-xr-xswiftclient/shell.py10
-rw-r--r--test/unit/test_shell.py2
3 files changed, 24 insertions, 17 deletions
diff --git a/swiftclient/client.py b/swiftclient/client.py
index 67440dd..0aba629 100644
--- a/swiftclient/client.py
+++ b/swiftclient/client.py
@@ -62,7 +62,7 @@ except ImportError:
def createLock(self):
self.lock = None
-ksexceptions = ksclient_v2 = ksclient_v3 = None
+ksexceptions = ksclient_v2 = ksclient_v3 = ksa_v3 = None
try:
from keystoneclient import exceptions as ksexceptions
# prevent keystoneclient warning us that it has no log handlers
@@ -72,8 +72,8 @@ except ImportError:
pass
try:
from keystoneclient.v3 import client as ksclient_v3
- from keystoneauth1.identity import v3
- from keystoneauth1 import session
+ from keystoneauth1.identity import v3 as ksa_v3
+ from keystoneauth1 import session as ksa_session
from keystoneauth1 import exceptions as ksauthexceptions
except ImportError:
pass
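Review bot: The new `ksa_v3 = None` sentinel can stay None even when keystoneauth1 is installed, because the keystoneauth1 imports in this hunk sit in the same `try` as `from keystoneclient.v3 import client as ksclient_v3`, and a failure on that first line skips them. The "requires keystoneauth1 package" error raised later in client.py would then name the wrong missing dependency. Moving the three keystoneauth1 imports into their own `try`/`except ImportError` block would make the sentinel mean what the message says. `ksa_session` and `ksauthexceptions` also get no None default, so I would extend the assignment to `ksa_v3 = ksa_session = ksauthexceptions = None`.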
@@ -627,22 +627,27 @@ variables to be set or overridden with -A, -U, or -K.''')
filter_kwargs['attr'] = 'region'
filter_kwargs['filter_value'] = os_options['region_name']
- if os_options.get('auth_type') == 'v3applicationcredential':
- try:
- v3
- except NameError:
+ if os_options.get('auth_type') and os_options['auth_type'] not in (
+ 'password', 'v2password', 'v3password',
+ 'v3applicationcredential'):
+ raise ClientException(
+ 'Swiftclient currently only supports v3applicationcredential '
+ 'for auth_type')
+ elif os_options.get('auth_type') == 'v3applicationcredential':
+ if ksa_v3 is None:
raise ClientException('Auth v3applicationcredential requires '
- 'python-keystoneclient>=2.0.0')
+ 'keystoneauth1 package; consider upgrading '
+ 'to python-keystoneclient>=2.0.0')
try:
- auth = v3.ApplicationCredential(
+ auth = ksa_v3.ApplicationCredential(
auth_url=auth_url,
application_credential_secret=os_options.get(
'application_credential_secret'),
application_credential_id=os_options.get(
'application_credential_id'))
- sses = session.Session(auth=auth)
- token = sses.get_token()
+ sess = ksa_session.Session(auth=auth)
+ token = sess.get_token()
except ksauthexceptions.Unauthorized:
msg = 'Unauthorized. Check application credential id and secret.'
raise ClientException(msg)
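Review bot: The rejection message in the new `auth_type` guard still says only v3applicationcredential is supported, although the tuple directly above it now also lets `password`, `v2password` and `v3password` through. Someone who sets an unsupported plugin name is told the wrong thing; something like `'Swiftclient only supports the password plugins and v3applicationcredential for auth_type'` would match the check. The `exit(...)` text in the parse_args hunk of swiftclient/shell.py has the same mismatch. That hunk repeats the tuple with an extra `'v1password'`; if the difference is deliberate (this function appears to handle only Keystone auth), a one-line comment would stop the two allow-lists drifting apart, otherwise a shared module-level constant would. The enclosing function starts and ends outside the hunk.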
@@ -650,7 +655,7 @@ variables to be set or overridden with -A, -U, or -K.''')
raise ClientException('Authorization Failure. %s' % err)
try:
- endpoint = sses.get_endpoint_data(service_type=service_type,
+ endpoint = sess.get_endpoint_data(service_type=service_type,
endpoint_type=endpoint_type,
**filter_kwargs)
diff --git a/swiftclient/shell.py b/swiftclient/shell.py
index 0fef755..b129d63 100755
--- a/swiftclient/shell.py
+++ b/swiftclient/shell.py
@@ -1651,7 +1651,12 @@ def parse_args(parser, args, enforce_requires=True):
return options, args
if enforce_requires:
- if options['os_auth_type'] == 'v3applicationcredential':
+ if options['os_auth_type'] and options['os_auth_type'] not in (
+ 'password', 'v1password', 'v2password', 'v3password',
+ 'v3applicationcredential'):
+ exit('Only "v3applicationcredential" is supported for '
+ '--os-auth-type')
+ elif options['os_auth_type'] == 'v3applicationcredential':
if not (options['os_application_credential_id'] and
options['os_application_credential_secret']):
exit('Auth version 3 (application credential) requires '
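Review bot: Nothing at the new guard in parse_args records that the password plugin names are accepted but do not select an auth method. For those values both branches here are skipped and control falls through to the `auth_version` checks, which the commit message describes as "we won't actually use them (currently)". A comment above the tuple would make that explicit, for example `# password plugin names are tolerated for python-openstackclient environments; auth_version still decides how we authenticate`. The body of parse_args continues outside the hunk.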
@@ -1659,9 +1664,6 @@ def parse_args(parser, args, enforce_requires=True):
'OS_APPLICATION_CREDENTIAL_SECRET to be set or '
'overridden with --os-application-credential-id and '
'--os-application-credential-secret respectively.')
- elif options['os_auth_type']:
- exit('Only "v3applicationcredential" is supported for '
- '--os-auth-type')
elif options['auth_version'] == '3':
if not options['auth']:
exit('Auth version 3 requires OS_AUTH_URL to be set or '
diff --git a/test/unit/test_shell.py b/test/unit/test_shell.py
index 3c08218..f94e5e2 100644
--- a/test/unit/test_shell.py
+++ b/test/unit/test_shell.py
@@ -2721,7 +2721,7 @@ class TestParsing(TestBase):
str(cm.exception))
os_opts = {
- "auth_type": "v3password",
+ "auth_type": "v3oidcpassword",
"application_credential_id": "proejct_id",
"application_credential_secret": "secret",
"auth_url": "http://example.com:5000/v3"}
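Review bot: Switching the fixture to `v3oidcpassword` keeps the rejection path covered, but nothing visible checks the new behaviour this commit adds. Going by the diffstat (two changed lines in this file), no test asserts that `password`, `v1password`, `v2password` and `v3password` are now accepted. I would add a companion case that loops over those values and checks that parse_args does not exit, and that the client.py guard does not raise for the three it lists. A short comment on this dict, such as `# any non-password, non-application-credential plugin name must be rejected`, would also explain why this particular value was chosen. The enclosing test method starts outside the hunk.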