yahoo-eng-team team mailing list archive
-
yahoo-eng-team team
-
Mailing list archive
-
Message #14471
[Bug 1273988] Re: keystoneclient requires --pass to create user while keystone doesn't
I don't think this is necessarily a Keystone bug since it is following
the Identity API spec, which defines 'password' as an optional parameter
when creating a user.
python-keystoneclient V3 also follows the Identity API V3 spec according
to this code: https://github.com/openstack/python-
keystoneclient/blob/master/keystoneclient/v3/users.py#L48
python-keystoneclient V2.0 doesn't follow the spec and requires
password on user create.
https://github.com/openstack/python-
keystoneclient/blob/master/keystoneclient/v2_0/users.py#L89
** Changed in: keystone
Status: New => Invalid
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1273988
Title:
keystoneclient requires --pass to create user while keystone doesn't
Status in OpenStack Identity (Keystone):
Invalid
Status in Python client library for Keystone:
New
Bug description:
name is required in REST API, but CLI requires an extra argument
--pass
# uname -a
Linux havana 3.8.0-29-generic #42~precise1-Ubuntu SMP Wed Aug 14 16:19:23 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux
# keystone-manage --version
2013.2
# keystone --version
0.3.2
# curl -i -X POST http://160.132.0.17:35357/v2.0/users -H "User-Agent: python-keystoneclient" -H "Content-Type: application/json" -H "X-Auth-Token: ac60d12b5b6c668f726a" -d '{"user": {"name": "test-create"}}'
HTTP/1.1 200 OK
Vary: X-Auth-Token
Content-Type: application/json
Content-Length: 92
Date: Wed, 29 Jan 2014 07:27:09 GMT
{"user": {"enabled": true, "name": "test-create", "id":
"f23d8e2835a0491db1f13a313446768d"}}
# keystone user-create --name test-create
Expecting to find string in password. The server could not comply with the request since it is either malformed or otherwise incorrect. The client is assumed to be in error. (HTTP 400)
if keystone cli supports creating an user without pass, we can update
that user's password by:
# keystone user-password-update test-create --pass xxx
to verify this solution:
# keystone user-role-add --user test-create --tenant admin --role admin # can be other tenant and role
# keystone --os-username test-create --os-password xxx --os-tenant-name admin user-get test-create
+----------+----------------------------------+
| Property | Value |
+----------+----------------------------------+
| enabled | True |
| id | f23d8e2835a0491db1f13a313446768d |
| name | test-create |
+----------+----------------------------------+
the problem is that
# keystone --debug user-create --name test-create
WARNING: Bypassing authentication using a token & endpoint (authentication credentials are being ignored).
REQ: curl -i -X POST http://160.132.0.17:35357/v2.0/users -H "User-Agent: python-keystoneclient" -H "Content-Type: application/json" -H "X-Auth-Token: ac60d12b5b6c668f726a"
REQ BODY: {"user": {"email": null, "password": null, "enabled": true, "name": "test-create", "tenantId": null}}
RESP: [400] CaseInsensitiveDict({'date': 'Wed, 29 Jan 2014 07:43:58 GMT', 'vary': 'X-Auth-Token', 'content-length': '236', 'content-type': 'application/json'})
RESP BODY: {"error": {"message": "Expecting to find string in password. The server could not comply with the request since it is either malformed or otherwise incorrect. The client is assumed to be in error.", "code": 400, "title": "Bad Request"}}
the server side can bare pass attribute is not set, but cannot accept
it is None....
we can fix this via set --pass to SUPRESS or update the server side
validation to treat None as not set and leave it blank in db backend,
I would prefer fix both side, since some user may claim such problem
when he try to send a rest.json={..., 'pass': null} to server.
ref:
https://github.com/openstack/keystone/blob/2013.2.1/keystone/common/utils.py#L100
To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1273988/+subscriptions
References
