condense credentials (ec2, v3, compute)

Bug #1409218 reported by Steve Martinelli
This bug affects 2 people

Affects: python-openstackclient
Status: Won't Fix
Importance: Medium
Assigned to: Unassigned

Bug Description

Currently we have:

  os ec2 credentials
  os credential

and an un-implemented

  nova x509-cert-*

we should condense all three into the same command set, just:

  os credentials

I am thinking:

  os credential create
      [--type <ec2 | cert> --project <project> --user <user> --domain <domain> --data <blob>]
      [--x509 --private-key <filename> --x509-cert <filename>]

More info here: https://etherpad.openstack.org/p/credentials-osc

Dean Troyer (dtroyer) wrote :

I like the idea of --type x509. We can pick a default type, I'd like 'cert' from the wtf-is-it standpoint (ec2 and x509 are pretty clear).

The --data option should be a filename or '-' for stdin. If it is required, maybe even read from stdin if --data is not supplied for the correct type.

Changed in python-openstackclient:
importance: Undecided → High
status: New → Confirmed
milestone: none → m7
Dean Troyer (dtroyer)
Changed in python-openstackclient:
milestone: m7 → m8
Changed in python-openstackclient:
assignee: nobody → Steve Martinelli (stevemar)
Changed in python-openstackclient:
status: Confirmed → In Progress
Lin Hua Cheng (lin-hua-cheng) wrote :
Dean Troyer (dtroyer)
Changed in python-openstackclient:
milestone: m8 → m9
Dag Stenstad (dag-stenstad) wrote :

If you define "--type ec2", shouldn't really all arguments be optional? It should probably take the domain_id, user_id and project_id from the currently scoped token by default?

The typical consumer of OpenStack services probably just wants to create an access key to use with Swift/S3 API or the Nova/EC2 API. And he/she probably has no idea on how to look up the various IDs needed, as there probably is no access to identity:list_domains/list_projects/list_users without special privileges.

Steve Martinelli (stevemar) wrote :

@dag-stenstad, agreed they should get retrieved from the auth session. Additionally, an admin may want to create ec2 cred for a non-admin account.

Dean Troyer (dtroyer)
Changed in python-openstackclient:
milestone: m9 → m10
Dean Troyer (dtroyer)
Changed in python-openstackclient:
milestone: m10 → none
OpenStack Infra (hudson-openstack) wrote : Change abandoned on python-openstackclient (master)

Change abandoned by Steve Martinelli (<email address hidden>) on branch: master
Review: https://review.openstack.org/148466
Reason: abandon for now

Changed in python-openstackclient:
status: In Progress → Triaged
assignee: Steve Martinelli (stevemar) → nobody
importance: High → Medium
Sean Perry (sean-perry-a) wrote :

Ticket 1418837 complains that the arguments to 'credential set' claim to be optional but in reality are required. The spec https://github.com/openstack/keystone-specs/blob/master/api/v3/identity-api-v3.rst#credentials-v3credentials says they are required too.

I have a change proposed https://review.openstack.org/#/c/226922/ enforcing that user, type, and data (aka blob) are all required. Should ec2 work differently?

Artem Goncharov (gtema)
Changed in python-openstackclient:
status: Triaged → Won't Fix
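
Added example, not part of the bug thread and not python-openstackclient code: a sketch of the behaviour discussed above, with `--data` read from a file or `-` for stdin, user and project defaulted from the scoped session, and the blob required. The parser, the `session` dict and all sample values are assumptions; the request body follows the Keystone v3 credentials API, where an ec2 blob is JSON carrying `access` and `secret`.

```python
import argparse
import json
import sys


def build_parser():
    # Hypothetical option set modelled on the proposal in this thread.
    p = argparse.ArgumentParser(prog="os credential create")
    p.add_argument("--type", default="cert", choices=["cert", "ec2"])
    p.add_argument("--user", help="user ID (no name lookup in this sketch)")
    p.add_argument("--project", help="project ID")
    p.add_argument("--data", default="-", help="filename, or '-' for stdin")
    return p


def read_blob(source, stdin=None):
    # '-' means stdin; anything else is treated as a filename.
    if source == "-":
        return (sys.stdin if stdin is None else stdin).read().strip()
    with open(source, encoding="utf-8") as fh:
        return fh.read().strip()


def build_request(argv, session, stdin=None):
    # session: assumed dict holding the scoped token's user_id/project_id.
    args = build_parser().parse_args(argv)
    blob = read_blob(args.data, stdin)
    if not blob:
        raise ValueError("credential data (blob) is required")
    body = {"type": args.type, "blob": blob,
            "user_id": args.user or session["user_id"]}
    if args.type == "ec2":
        # Keystone expects an ec2 blob to be JSON with access and secret.
        keys = json.loads(blob)
        if not isinstance(keys, dict) or {"access", "secret"} - set(keys):
            raise ValueError("ec2 blob needs 'access' and 'secret' keys")
        body["project_id"] = args.project or session["project_id"]
    elif args.project:
        body["project_id"] = args.project
    return {"credential": body}


if __name__ == "__main__":
    import io
    # Constructed sample session and blob, not real identifiers or keys.
    demo_session = {"user_id": "user-constructed", "project_id": "proj-constructed"}
    demo_stdin = io.StringIO('{"access": "AK-constructed", "secret": "SK-constructed"}')
    print(json.dumps(build_request(["--type", "ec2"], demo_session, demo_stdin), indent=2))
```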