can't get authentication with os-token and os-url

what auth_url are you providing when making the call?

>what auth_url are you providing when making the call?
->why do you ask this question? When I made the call. I didn' use the auth_url.

 before I executed [neutron --os-token $token --os-url http://controller:9696 net-list], I got token and set it to $token.
 I got token by the next
 [root@compute01 ~l]# token=`curl -si -d '{"auth":{"identity":{"methods":["password"],"password":{"user":{"domain":{"name":"Default"},"name":"admin","password":"fnst1234"}}}}}' -H "Content-type: application/json" http://controller:35357/v3/auth/tokens| awk '/X-Subject-Token/ {print $2}'`

In fact,When I read the code of /usr/lib/python2.6/site-packages/neutronclient/shell.py, I found the problem :
On juno neutronclient,it does not support to get authentication only with os-token and os-url because no matter whether we set os-token or not, it woud try to get token by username and password. but in my call I didn't set the username and password, so it failed.

however, on icehouse neutronclient, this problem does not exist.

RE: Eugene Nikanorov (enikanorov) wrote on 2015-05-04:

juno version neutronclient neutronclient/shell.py
-------------------------------------
    def authenticate_user(self):
 if self.options.os_auth_strategy == 'keystone':
            if self.options.os_token or self.options.os_url:
                # Token flow auth takes priority
                if not self.options.os_token:
                    raise exc.CommandError(
                        _("You must provide a token via"
                          " either --os-token or env[OS_TOKEN]"))

                if not self.options.os_url:
                    raise exc.CommandError(
                        _("You must provide a service URL via"
                          " either --os-url or env[OS_URL]"))
            else:
                ........
        else: # not keystone
            ......

        auth_session = self._get_keystone_session()
-------------------------------------

icehouse version neutronclient neutronclient/shell.py
-------------------------------------
    def authenticate_user(self):
        if self.options.os_auth_strategy == 'keystone':
            if self.options.os_token or self.options.os_url:
                # Token flow auth takes priority
                if not self.options.os_token:
                    raise exc.CommandError(
                        _("You must provide a token via"
                          " either --os-token or env[OS_TOKEN]"))

                if not self.options.os_url:
                    raise exc.CommandError(
                        _("You must provide a service URL via"
                          " either --os-url or env[OS_URL]"))
            else:
                ......
        else: # not keystone
            ......

        auth_session = None
        auth = None
        if self.options.os_token:
            auth_session = None
            auth = None
        else:
            auth_session = self._get_keystone_session()
            auth = auth_session.auth
-------------------------------------

in icehouse version, if os_token has been given, auth_session is no longer need to get.

but in juno version, have not this judge, so call the '_get_keystone_session''_discover_auth_versions', but parameter value(auth_url) is not provided, so the error happens.

the key is whether or not we should have the judge "if self.options.os_token:".

This is a regression when we introduced SessionClient from keystoneclient.
When "neutron" command is invoked from CLI, SessionClient is used.
At now we only use keystoneclient.auth.identity.v2.Password and this identity class uses only password/auth_url information.
We need to use keystonclient.auth.identity.v2.Token (or generic.Token) if os_token and os_url are provided.
This is what novaclient does for the same case.

Note that this does not affect python neutronclient library in most cases.
At the moment, in most cases, neutronclient library still uses HTTPClient instead of SessionClient.

Ok，Thank you very much

Fix proposed to branch: master
Review: https://review.openstack.org/221594

I contacted the current author and he has no time to move it forward.
If you take this, the proposed review would be helpful.

I will take it if nobody picks it up.

Fix proposed to branch: master
Review: https://review.openstack.org/263337

Change abandoned by Doug Wiegley (<email address hidden>) on branch: master
Review: https://review.openstack.org/221594
Reason: This review is > 4 weeks without comment, and failed Jenkins the last time it was checked. We are abandoning this for now. Feel free to reactivate the review by pressing the restore button and leaving a 'recheck' comment to get fresh test results.

Fix proposed to branch: master
Review: https://review.openstack.org/267020

Reviewed: https://review.openstack.org/263337
Committed: https://git.openstack.org/cgit/openstack/python-neutronclient/commit/?id=0740766467a3c8de0bf9d03689158a86591bd506
Submitter: Jenkins
Branch: master

commit 0740766467a3c8de0bf9d03689158a86591bd506
Author: Jaspinder <email address hidden>
Date: Mon Jan 4 05:08:41 2016 -0600

    fix: can't get authentication with os-token and os-url

    Currently, there is no way to authenticate a user
    through Neutron CLI by just using endpoint and token
    authentication. This simple fix will at least allow
    for that to be permitted.

    Change-Id: Ia7d285af224ef225aa20f83d7d4c87b81aac58ed
    Closes-Bug: 1450414

This issue was fixed in the openstack/python-neutronclient 4.1.0 release.

Change abandoned by Kevin Benton (<email address hidden>) on branch: master
Review: https://review.openstack.org/267020
Reason: Please address this issue in the openstackclient (if it's not already fixed there). The neutronclient is deprecated.