Fix keystone v3 token auth #528
Conversation
orivej
force-pushed
the
openstack-identity-v3-pass-tokenid
branch
from
05bb111
to
dc00bd6
Compare
|
In the second patch I enabled scoped token auth as in: provider, err := openstack.AuthenticatedClient(gophercloud.AuthOptions{
IdentityEndpoint: "https://.../v3/",
TokenID: "abcd...1234",
DomainID: "default",
TenantName: tenant,
})which is documented at http://developer.openstack.org/api-ref-identity-v3.html#authenticateTokenScoped |
|
The second patch looks good. For the first, v3 auth sets the Token here. Instead of |
Create seems to be supposed to be able to reauthenticate existing clients, using token cached in You can think of Although with my patches all tests pass, I think we should replace proposed with and move it out of the switch. |
|
Disregard the suggestion of moving it out of the switch: v2 client already processes |
orivej
force-pushed
the
openstack-identity-v3-pass-tokenid
branch
from
dc00bd6
to
43ade91
Compare
|
I moved the original proposal to https://github.com/orivej/gophercloud/tree/openstack-identity-v3-pass-tokenid%401 and improved the first patch by relocating token assignment into |
orivej
force-pushed
the
openstack-identity-v3-pass-tokenid
branch
2 times, most recently
from
5b259d7
to
e18873e
Compare
|
Rebased onto master, combined into one commit, and added a test that covers the addition to |
orivej
force-pushed
the
openstack-identity-v3-pass-tokenid
branch
from
e18873e
to
1a23ff6
Compare
|
Updated ErrMissingPassword message. |
orivej
force-pushed
the
openstack-identity-v3-pass-tokenid
branch
from
1969e66
to
1a23ff6
Compare
|
The coverage decreases because |
orivej
force-pushed
the
openstack-identity-v3-pass-tokenid
branch
from
1a23ff6
to
16193fd
Compare
orivej
force-pushed
the
openstack-identity-v3-pass-tokenid
branch
from
16193fd
to
bb30330
Compare
|
I have moved the new test into |
orivej
force-pushed
the
openstack-identity-v3-pass-tokenid
branch
from
5befda5
to
3d6ab64
Compare
| @@ -30,16 +31,17 @@ func AuthOptionsFromEnv() (gophercloud.AuthOptions, error) { | |||
| tenantName := os.Getenv("OS_TENANT_NAME") | |||
| domainID := os.Getenv("OS_DOMAIN_ID") | |||
| domainName := os.Getenv("OS_DOMAIN_NAME") | |||
| tokenID := os.Getenv("OS_TOKEN") | |||
There was a problem hiding this comment.
Can you help me understand the use-case for this? Since tokens are presumably ephemeral, why would we want to load them from an environment variable? And if a user has set OS_TOKEN, what then when the token inevitably expires?
There was a problem hiding this comment.
https://specs.openstack.org/openstack/keystone-specs/api/v3/identity-api-v3-os-oauth1-ext.html says that OAuth tokens
Provide the ability for identity users to delegate roles to third party consumers via the OAuth 1.0a specification. Requires v3.0+ of the Identity API. An OAuth-derived token will provide a means of acting on behalf of the authorizing user.
They can be revoked by the user or expire (which is optional), after which they are meant to no longer provide authorization to perform on behalf of the user.
|
LGTM. +2 |
Currently keystone v3 client ignores TokenID in AuthOptions and the code like this
fails with an error
You must provide a password to authenticatebecauseoptions.TokenIDis never checked. (keystone v2 client checks it inToTokenCreateMap.) This patch lets authentication succeed.I am new to the codebase and do not understand if this issue should be fixed like this, and I would also appreciate help in writing a test.