Open Stack

On Thu, 2021-01-28 at 12:38 +0000, Sean Mooney wrote:
> On Thu, 2021-01-28 at 07:59 +0000, Taltavull Jean-Francois wrote:
> > > -----Original Message-----
> > > From: Sean Mooney <smooney at redhat.com>
> > > Sent: mardi, 26 janvier 2021 20:01
> > > To: openstack-discuss at lists.openstack.org
> > > Subject: Re: Strange behaviour of OSC in keystone MFA context
> > > 
> > > On Tue, 2021-01-26 at 17:46 +0000, Taltavull Jean-Francois wrote:
> > > > Hello,
> > > > 
> > > > I'm experiencing the following strange behavior of openstack CLI with os-
> > > auth-methods option (most parameters are defined in clouds.yaml):
> > > > 
> > > > $ openstack token issue --os-auth-type v3multifactor --os-auth-methods
> > > > password,totp
> > > > 
> > > --os-auth-methods does not appear to be a standard part of osc infact i cant
> > > find it in any openstack repo with
> > > 
> > > i think this is the implemtaions
> > > https://opendev.org/openstack/keystoneauth/src/branch/master/keystoneauth
> > > 1/loading/_plugins/identity/v3.py#L303-L340
> > > 
> > > this presumable is where it generates teh optins
> > > 
> > >   options.extend([
> > >             loading.Opt(
> > >                 'auth_methods',
> > >                 required=True,
> > >                 help="Methods to authenticate with."),
> > >         ])
> > > 
> > > 
> > > if i do openstack help --os-auth-type v3multifactor it does show up with the
> > > following text
> > > 
> > > --os-auth-methods <auth-auth-methods>
> > >                         With v3multifactor: Methods to authenticate with. (Env:
> > > OS_AUTH_METHODS)
> > > 
> > > that does not say much but
> > > 
> > > https://opendev.org/openstack/keystoneauth/src/branch/master/keystoneauth
> > > 1/tests/unit/identity/test_identity_v3.py#L762-L800
> > > implies its a list
> > > 
> > > with that said there are no test for multifactor as far as i can see like this one
> > > https://opendev.org/openstack/python-
> > > openstackclient/src/branch/master/openstackclient/tests/functional/common/t
> > > est_args.py#L66-L79
> > > 
> > > there also does not seam too be a release note declaring support.
> > > 
> > > so while keystone auth support multi factor im not sure that osc actully does
> > > 
> > > i specpec that the fild type is not correct and it is indeed been parsed as a string
> > > instead of a list of stirng field.
> > > it might be fixable via keystoneauth but  it proably need osc support and testing.
> > > 
> > > > The plugin p could not be found
> > > > 
> > > > Note that "p" is the first letter of "password". It looks like the option parser
> > > handled "password,totp" as a string instead of as a list of strings.
> > > > 
> > > > Version of openstack CLI is 5.4.0.
> > > > 
> > > > Any idea ?
> > > > 
> > > > Thanks !
> > > > 
> > > > Jean-François
> > 
> > Thanks for your answer Sean.
> > 
> > What can I do on my end to get things done ?
> well unfortunetly i do not work on keystone or osc i just saw your mail while i was waiting for some tests to finish running.
> 
> with that said i have upstaed the subject to include both projects so hopefully that will get the attention of those that can help.

The definition for those opts can be found at [1]. As Sean thought it might be,
that is using the default type defined in the parent 'Opt' class of 'str' [2].
We don't expose argparse's 'action' parameter that would allow us to use the
'append' action, so you'd have to fix this by parsing whatever the user provided
after the fact. I suspect you could resolve the immediate issue by changing this
line [3] from:

  self._methods = kwargs['auth_methods']

to:

  self._methods = kwargs['auth_methods'].split(',')

However, I assume there's likely more to this issue. I don't have an environment
to hand to validate this fix, unfortunately.

If you do manage to test that change and it works, I'd be happy to help you in
getting a patch proposed to 'keystoneauth'.

Hope this helps,
Stephen

[1] https://github.com/openstack/keystoneauth/blob/4.3.0/keystoneauth1/loading/_plugins/identity/v3.py#L316-L330
[2] https://github.com/openstack/keystoneauth/blob/4.3.0/keystoneauth1/loading/opts.py#L65
[3] https://github.com/openstack/keystoneauth/blob/4.3.0/keystoneauth1/loading/_plugins/identity/v3.py#L338

> > 
> > Jean-François