openstack: fix project-scoped with project name

[kshtsk]

Fix openstack project-scoped with project name token authentication

Description

The project-scoped with project name should include
project domain id instead user domain name in scope
section according to current openstack API, example:

{
    "auth": {
        "identity": {
            "methods": [
                "password"
            ],
            "password": {
                "user": {
                    "id": "ee4dfb6e5540447cb3741905149d9b6e",
                    "password": "devstacker"
                }
            }
        },
        "scope": {
            "project": {
                "domain": {
                    "id": "default"
                },
                "name": "admin"
            }
        }
    }
}

Status

work in progress

Checklist (tick everything that applies)

• Code linting (required, can be done after the PR checks)
• Documentation
• Tests
• ICLA (required for bigger changes)

[codecov-io]

Codecov Report

Merging #1367 into trunk will increase coverage by <.01%.
The diff coverage is 80%.

@@            Coverage Diff             @@
##            trunk    #1367      +/-   ##
==========================================
+ Coverage   86.34%   86.34%   +<.01%     
==========================================
  Files         372      372              
  Lines       76156    76161       +5     
  Branches     6971     6972       +1     
==========================================
+ Hits        65755    65761       +6     
+ Misses       7605     7604       -1     
  Partials     2796     2796

Impacted Files	Coverage Δ
libcloud/test/common/test_openstack_identity.py	98.07% <ø> (ø)	⬆️
libcloud/common/openstack_identity.py	77.15% <100%> (+0.03%)	⬆️
libcloud/common/openstack.py	83.24% <75%> (-0.18%)	⬇️
libcloud/test/compute/test_upcloud.py	91.39% <0%> (+1.32%)	⬆️

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update ba65fab...0104418. Read the comment docs.

[Kami]

Thanks for the contribution.

This looks reasonable.

Should we fall back to including name in the request if id is not specified (aka for backward compatibility reasons or similar)?

[kshtsk]

Should we fall back to including name in the request if id is not specified (aka for backward compatibility reasons or similar)?

Which name? The project name is left, this patch is fixing a mistake where user "domain name" was used in place of project "domain name", I don't believe this code ever worked. Btw, using both project domain name and project domain id at a same time does not work for me.

You can use either 'project domain name' or 'project domain id' in project's scope.

[kshtsk]

Hm, small correction, one can use both project domain name and project domain id at a time, or any of them according to openstack/keystone:keystone/auth/schema.py file:

        'scope': {
.
.
.
            'type': ['object', 'string'],
            'properties': {
                'project': {
                    'type': 'object',
                    'properties': {
                        'name': {'type': 'string', },
                        'id': {'type': 'string', },
                        'domain': {
                            'type': 'object',
                            'properties': {
                                'id': {'type': 'string', },
                                'name': {'type': 'string', },
                            },
                        },
                    },
                },

and later

    if scope is not None and isinstance(scope, dict):
        project = scope.get('project')
        if project is not None:
            if 'id' not in project and 'name' not in project:
                msg = _(
                    'Invalid input for field scope/project: '
                    'id or name must be present.')
                raise exception.SchemaValidationError(detail=msg)
            domain = project.get('domain')
            if domain is not None:
                if 'id' not in domain and 'name' not in domain:
                    msg = _(
                        'Invalid input for field scope/project/domain: '
                        'id or name must be present.')
                    raise exception.SchemaValidationError(detail=msg)

Nevertheless there is no ex_ parameter for project domain name in libcloud.
And as I said earlier authentication user domain name should have never been used as project domain name.

[kshtsk]

@Kami could you please advise what should I do next to proceed with PR?

[Kami]

@kshtsk Thanks for the clarification.

I will look at it (and try to test it) and if everything looks OK, merge it into trunk.

[Kami]

Merged into trunk.

Thanks for the contribution 👍

[toabctl]

@Kami could we get a new release on pypi with this fix soon, please? that would make our life easier :)

[Kami]

@toabctl There is no currently no ETA for the next release yet (might take some time since there are some other larger changes in trunk and some other larger changes still need to land), but in the mean time you can use version from git "git+https://github.com/apache/libcloud.git@trunk@egg=apache-libcloud".