New config datalad.credentials.force-ask to force interactive credential updates

[mih]

This change introduces a new configuration setting:

 % datalad x-configuration
 ...
 # Force (re-)entry of credentials
 # Should DataLad prompt for credential (re-)entry? This can be used to
 # update previously stored credentials.
 datalad.credentials.force-ask=False
 ...

It enables seamless updates of stored credentials. Importantly, users
are no longer required to learn where credentials are stored, and how to
update them in that store. It makes instructions provided in the
handbook on how to learn python keyring superfluous. Credential
updates are simply entered at the same place where the original
credentials were provided.

This is not a perfect solution (can get messy when there are a
number of credentials involved in a single datalad operation, and only a
single one needs updating), but it addresses a substantial usability
issue for a broad range of use cases in a straightforward manner.

Besides being compatible with the usual ways of DataLad configuration
handling, this also works for plain git-annex calls that trigger
DataLad's credential handling, e.g.:

git -c datalad.credentials.force-ask=no annex get T1w_acpc_dc.nii.gz

Fixes #5775

This is related to #396 by addressing the "update" use case.

[bpoldrack]

Looks straight forward to me.

[codecov]

Codecov Report

Merging #5777 (461d7cc) into master (9ff9ce3) will decrease coverage by 2.01%.
The diff coverage is 100.00%.

❗ Current head 461d7cc differs from pull request most recent head 70c8056. Consider uploading reports for the commit 70c8056 to get more accurate results

@@            Coverage Diff             @@
##           master    #5777      +/-   ##
==========================================
- Coverage   90.62%   88.60%   -2.02%     
==========================================
  Files         309      306       -3     
  Lines       42381    42356      -25     
==========================================
- Hits        38406    37531     -875     
- Misses       3975     4825     +850     

Impacted Files	Coverage Δ
datalad/distribution/get.py	97.90% <ø> (ø)
datalad/distribution/tests/test_get.py	100.00% <ø> (ø)
datalad/interface/common_cfg.py	100.00% <ø> (ø)
datalad/cmd_protocols.py	94.44% <100.00%> (-5.56%)	⬇️
datalad/distribution/tests/test_publish.py	100.00% <100.00%> (ø)
datalad/distribution/tests/test_update.py	98.95% <100.00%> (-1.05%)	⬇️
datalad/downloaders/credentials.py	85.63% <100.00%> (+0.16%)	⬆️
datalad/downloaders/tests/test_credentials.py	100.00% <100.00%> (ø)
datalad/plugin/wtf.py	0.00% <0.00%> (-100.00%)	⬇️
datalad/plugin/addurls.py	0.00% <0.00%> (-100.00%)	⬇️
... and 82 more

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 9ff9ce3...70c8056. Read the comment docs.

[yarikoptic]

can't lookup atm, but I think we contemplated a command like datalad credentials which would list known providers/credentials and interface forced re-entry. But I guess it is orthogonal/complimentary to this PR, which in general I do not mind, but haven't thought yet about possible corner cases etc.

edit 20210715: found it #4981 (comment)

[mih]

OK, I will put this back in draft mode. It does not work: parallel operation!

git -c datalad.credential.force-ask=yes annex get -J2 T1w_acpc_dc.nii.gz ribbon.nii.gz

asks twice.

Conceptual issue in PR

[mih]

So thinking about this for a bit more. It might just be a matter of documenting that parallel operations and this flag do not work conveniently with each other. Any other solution would yield in a undesirably complex entangling of credential queries and download (or other) operations.

A legitimate Q is whether this is worth pursuing at all, rather than implementing #5777 (comment) (credential command): I think it is, because a big problem is the identification of the relevant credentials that need an update. With a get call this is relatively straightforward. But the credential naming implemented by DataLad is completely opaque right now, and not even communicated to the use upon initial storage in a credential store. On top of that come the problem that the effective credential store can change over time and with configuration.

Bottom line: I think this is a useful feature, even with a coming credential command.

[christian-monch]

[...]
Bottom line: I think this is a useful feature, even with a coming credential command.

Without going into technical details, I agree with the rationale given here. Especially since the credential command might not be here before a few months have passed

[bpoldrack]

Bottom line: I think this is a useful feature, even with a coming credential command.

I tend to agree, but it may need reconsideration of config naming. We have command specific configs like datalad.clone.something. If we are introducing datalad.credential.some and then later a command credential, then the config better be something that makes sense for that command to respect or not for the config to not "conflict" in the first place.
Not quite sure how to avoid future user confusion.

The feature itself seems to be worthwhile with or w/o the command, though.

[mih]

I tend to agree, but it may need reconsideration of config naming. We have command specific configs like datalad.clone.something. If we are introducing datalad.credential.some and then later a command credential, then the config better be something that makes sense for that command to respect or not for the config to not "conflict" in the first place.
Not quite sure how to avoid future user confusion.

Do you have a suggestion for a change?

[yarikoptic]

I tend to agree, but it may need reconsideration of config naming. We have command specific configs like datalad.clone.something. If we are introducing datalad.credential.some and then later a command credential, then the config better be something that makes sense for that command to respect or not for the config to not "conflict" in the first place.
Not quite sure how to avoid future user confusion.

Do you have a suggestion for a change?

make it datalad.credentials config and datalad credentials command. At least until some brave soul would do big UI RF towards something like #4539 (comment) . More argumentation is above

[mih]

Bowed to the majority of expressed opinions, and force-pushed an amendment that renames the config setting to plural.

[mih]

Took out of draft mode, ready to merge. Test failure is unrelated #5794

[yarikoptic]

I think it might be worth to tune up PR title to become more specific, before merge

[mih]

Title is updated.