On Thu, 2021-01-28 at 12:38 +0000, Sean Mooney wrote:
On Thu, 2021-01-28 at 07:59 +0000, Taltavull Jean-Francois wrote:
-----Original Message----- From: Sean Mooney <smooney@redhat.com> Sent: mardi, 26 janvier 2021 20:01 To: openstack-discuss@lists.openstack.org Subject: Re: Strange behaviour of OSC in keystone MFA context
On Tue, 2021-01-26 at 17:46 +0000, Taltavull Jean-Francois wrote:
Hello,
I'm experiencing the following strange behavior of openstack CLI with os- auth-methods option (most parameters are defined in clouds.yaml):
$ openstack token issue --os-auth-type v3multifactor --os-auth-methods password,totp
--os-auth-methods does not appear to be a standard part of osc infact i cant find it in any openstack repo with
i think this is the implemtaions https://opendev.org/openstack/keystoneauth/src/branch/master/keystoneauth 1/loading/_plugins/identity/v3.py#L303-L340
this presumable is where it generates teh optins
options.extend([ loading.Opt( 'auth_methods', required=True, help="Methods to authenticate with."), ])
if i do openstack help --os-auth-type v3multifactor it does show up with the following text
--os-auth-methods <auth-auth-methods> With v3multifactor: Methods to authenticate with. (Env: OS_AUTH_METHODS)
that does not say much but
https://opendev.org/openstack/keystoneauth/src/branch/master/keystoneauth 1/tests/unit/identity/test_identity_v3.py#L762-L800 implies its a list
with that said there are no test for multifactor as far as i can see like this one https://opendev.org/openstack/python- openstackclient/src/branch/master/openstackclient/tests/functional/common/t est_args.py#L66-L79
there also does not seam too be a release note declaring support.
so while keystone auth support multi factor im not sure that osc actully does
i specpec that the fild type is not correct and it is indeed been parsed as a string instead of a list of stirng field. it might be fixable via keystoneauth but it proably need osc support and testing.
The plugin p could not be found
Note that "p" is the first letter of "password". It looks like the option parser handled "password,totp" as a string instead of as a list of strings.
Version of openstack CLI is 5.4.0.
Any idea ?
Thanks !
Jean-François
Thanks for your answer Sean.
What can I do on my end to get things done ? well unfortunetly i do not work on keystone or osc i just saw your mail while i was waiting for some tests to finish running.
with that said i have upstaed the subject to include both projects so hopefully that will get the attention of those that can help.
The definition for those opts can be found at [1]. As Sean thought it might be, that is using the default type defined in the parent 'Opt' class of 'str' [2]. We don't expose argparse's 'action' parameter that would allow us to use the 'append' action, so you'd have to fix this by parsing whatever the user provided after the fact. I suspect you could resolve the immediate issue by changing this line [3] from: self._methods = kwargs['auth_methods'] to: self._methods = kwargs['auth_methods'].split(',') However, I assume there's likely more to this issue. I don't have an environment to hand to validate this fix, unfortunately. If you do manage to test that change and it works, I'd be happy to help you in getting a patch proposed to 'keystoneauth'. Hope this helps, Stephen [1] https://github.com/openstack/keystoneauth/blob/4.3.0/keystoneauth1/loading/_... [2] https://github.com/openstack/keystoneauth/blob/4.3.0/keystoneauth1/loading/o... [3] https://github.com/openstack/keystoneauth/blob/4.3.0/keystoneauth1/loading/_...
Jean-François