--insecure is ignored if OS_CACERT env var is set

Bug #1447784 reported by Matthew Edmonds
This bug affects 2 people
Affects: python-openstackclient
Status: Fix Released
Importance: High
Assigned to: Dean Troyer

Bug Description

The --insecure argument means "Disable server certificate verification", so when that is specified it should make OS_CACERT irrelevant. But instead, we're seeing cert verification happen, despite --insecure, if/when OS_CACERT is set.

[root@myhost messages]# openstack --insecure token issue
+------------+------------------------------------------------------------------+
| Field      | Value                                                            |
+------------+------------------------------------------------------------------+
| expires    | 2015-04-24T01:20:49.818650Z                                      |
| id         | af2776adeb0f434297b64f7bb527f439                                 |
| project_id | 79100354e9014eecb2811b11f6a7c09c                                 |
| user_id    | 0688b01e6439ca32d698d20789d52169126fb41fb1a4ddafcebb97d854e836c9 |
+------------+------------------------------------------------------------------+
[root@myhost messages]# export OS_CACERT=blah
[root@myhost messages]# openstack --insecure token issue
ERROR: openstack SSL exception connecting to https://127.0.0.1:5000/v3/auth/tokens

Matthew Edmonds (edmondsw) wrote :

This is similar to https://bugs.launchpad.net/python-openstackclient/+bug/1447704 but for different arguments.

Terry Howe (thowe-g) wrote :

I think we need to remove defaulting argparse stuff from the environment; it is the only way to tell the difference between a command line argument and something from the environment. I put this together: https://review.openstack.org/#/c/172941/, which would solve this problem, but I'm not sure what the desired solution is.

Dean Troyer (dtroyer) wrote :

Terry, this is really a question of precedence; the same thing would happen using global options. ATM, --os-cacert overrides --insecure. This report argues for the opposite. The more I think about it, I think I agree that --insecure should have a higher precedence than --os-cacert.

Changed in python-openstackclient:
status: New → Confirmed
importance: Undecided → Low
Jirayut Nimsaeng (winggundamth) wrote :

This bug impacts me also. It seems like openstackclient didn't respect --insecure. I have to use python-keystoneclient as a workaround for now.

root@openstack-keystone:/# export OS_TENANT_NAME=admin
root@openstack-keystone:/# export OS_PROJECT_NAME=admin
root@openstack-keystone:/# export OS_USERNAME=admin
root@openstack-keystone:/# export OS_PASSWORD=adminpass
root@openstack-keystone:/# export OS_AUTH_URL=http://identity.example.com/v2.0

root@openstack-keystone:/# openstack --insecure user list
WARNING: keystoneclient.auth.identity.generic.base Discovering versions from the identity service failed when creating the password plugin. Attempting to determine version from URL.
WARNING: openstackclient.shell Possible error authenticating: SSL exception connecting to https://identity.example.com/v2.0/tokens
ERROR: openstack SSL exception connecting to https://identity.example.com/v2.0/tokens

root@openstack-keystone:/# keystone user-list
Authorization Failed: SSL exception connecting to https://identity.example.com/v2.0/tokens

root@openstack-keystone:/# keystone --insecure user-list
+----------------------------------+-------+---------+---------------------------+
| id                               | name  | enabled | email                     |
+----------------------------------+-------+---------+---------------------------+
| 4e72838934e84002923439542b0b3e8e | admin | True    | <email address hidden>    |
+----------------------------------+-------+---------+---------------------------+

Steve Martinelli (stevemar) wrote :

Thanks for your feedback, @winggundamth.

Changed in python-openstackclient:
importance: Low → High
Dean Troyer (dtroyer)
Changed in python-openstackclient:
milestone: none → m12
Dean Troyer (dtroyer) wrote :

I clearly am still doing something wrong here... the review: https://review.openstack.org/188417

Changed in python-openstackclient:
status: Confirmed → In Progress
assignee: nobody → Dean Troyer (dtroyer)
OpenStack Infra (hudson-openstack) wrote : Fix merged to python-openstackclient (master)

Reviewed: https://review.openstack.org/188417
Committed: https://git.openstack.org/cgit/openstack/python-openstackclient/commit/?id=31d785ec6951a84f831ea3dfd49214c42ae4fd26
Submitter: Jenkins
Branch: master

commit 31d785ec6951a84f831ea3dfd49214c42ae4fd26
Author: Dean Troyer <email address hidden>
Date: Thu Jun 4 09:20:29 2015 -0500

    Allow --insecure to override --os-cacert

    Change --insecure to ignore the --os-cacert setting. This is a change
    from before where OSC followed the requests pattern of cacert taking
    priority.

    This logic is also introduced in os-client-config 1.3.0; we
    do not require that release yet so it is duplicated here for now.
    That change will come with the upcoming global options refactor.

    Closes-Bug: #1447784
    Change-Id: Iaa6d499ed0929c00a56dcd92a2017487c702774a

Changed in python-openstackclient:
status: In Progress → Fix Committed
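
The precedence question discussed in this thread, as an added example that is not part of the original bug report and is not python-openstackclient code: it contrasts the "cacert wins" resolution the report describes with the "--insecure wins" resolution the fix commit describes, and shows why a parser that defaults from the environment cannot tell OS_CACERT from an explicit --os-cacert. The parser, the function names and the demo-client program name are hypothetical; the returned value follows the `verify` convention of the requests library (True, False, or a CA bundle path).

```python
import argparse


def build_parser(environ):
    """Hypothetical global options; --os-cacert defaults from OS_CACERT,
    the environment-defaulting pattern discussed in the thread."""
    parser = argparse.ArgumentParser(prog="demo-client", add_help=False)
    parser.add_argument("--os-cacert", dest="cacert",
                        default=environ.get("OS_CACERT"))
    parser.add_argument("--insecure", action="store_true", default=False)
    return parser


def verify_cacert_first(opts):
    """Behaviour reported in the bug: any CA bundle setting takes priority,
    so --insecure is silently ignored when OS_CACERT is set."""
    if opts.cacert:
        return opts.cacert
    return not opts.insecure


def verify_insecure_first(opts):
    """Precedence described by the fix commit: --insecure ignores the
    cacert setting; otherwise use the bundle, else the system default."""
    if opts.insecure:
        return False
    return opts.cacert or True


def resolve(argv, environ, policy):
    """Parse argv against a (constructed) environment and return the value
    that would be handed to the HTTP layer as `verify`."""
    return policy(build_parser(environ).parse_args(argv))


if __name__ == "__main__":
    env = {"OS_CACERT": "blah"}  # constructed, mirrors the report
    print("cacert first  :", resolve(["--insecure"], env, verify_cacert_first))
    print("insecure first:", resolve(["--insecure"], env, verify_insecure_first))
    # The parsed namespace is identical whether the path came from the
    # environment or from the command line.
    from_env = build_parser(env).parse_args([])
    from_cli = build_parser({}).parse_args(["--os-cacert", "blah"])
    print("indistinguishable:", from_env == from_cli)
```

With verification disabled the connection is not authenticated, so a client that implements the second policy is a reasonable place to log a warning whenever `verify` resolves to False.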
OpenStack Infra (hudson-openstack) wrote : Change abandoned on python-openstackclient (master)

Change abandoned by Steve Martinelli (<email address hidden>) on branch: master
Review: https://review.openstack.org/183567
Reason: refer to https://review.openstack.org/#/c/179367/

Changed in python-openstackclient:
status: Fix Committed → Fix Released