5 files changed, 28 insertions, 49 deletions
diff --git a/doc/source/backwards-incompatible.rst b/doc/source/backwards-incompatible.rst
index 00b314a5..f86cfce4 100644
--- a/doc/source/backwards-incompatible.rst
+++ b/doc/source/backwards-incompatible.rst
@@ -13,8 +13,25 @@ deprecation warnings that indicate the new commands (or options) to use.
 Commands labeled as a beta according to :doc:`command-beta` are exempt from
 this backwards incompatible change handling.
 
-List of Backwards Incompatible Changes
-======================================
+Backwards Incompatible Changes
+==============================
+
+Release 3.0
+-----------
+
+1. Remove the ``osc_password`` authentication plugin.
+
+  This was the 'last-resort' plugin default that worked around an old default
+  Keystone configuration for the ``admin_endpoint`` and ``public_endpoint``.
+
+  * In favor of: ``password``
+  * As of: 3.0
+  * Removed in: n/a
+  * Bug: n/a
+  * Commit: https://review.openstack.org/332938
+
+Releases Before 3.0
+-------------------
 
 1. Rename command `openstack project usage list`
 
diff --git a/openstackclient/api/auth.py b/openstackclient/api/auth.py
index d5412594..0c82fe9b 100644
--- a/openstackclient/api/auth.py
+++ b/openstackclient/api/auth.py
@@ -86,7 +86,7 @@ def select_auth_plugin(options):
             auth_plugin_name = 'v2password'
         else:
             # let keystoneclient figure it out itself
-            auth_plugin_name = 'osc_password'
+            auth_plugin_name = 'password'
     elif options.auth.get('token'):
         if options.identity_api_version == '3':
             auth_plugin_name = 'v3token'
@@ -98,7 +98,7 @@ def select_auth_plugin(options):
     else:
         # The ultimate default is similar to the original behaviour,
         # but this time with version discovery
-        auth_plugin_name = 'osc_password'
+        auth_plugin_name = 'password'
     LOG.debug("Auth plugin %s selected", auth_plugin_name)
     return auth_plugin_name
 
diff --git a/openstackclient/api/auth_plugin.py b/openstackclient/api/auth_plugin.py
index 56dc4de5..dc47a688 100644
--- a/openstackclient/api/auth_plugin.py
+++ b/openstackclient/api/auth_plugin.py
@@ -16,9 +16,7 @@
 import logging
 
 from keystoneauth1 import loading
-from keystoneauth1.loading._plugins.identity import generic as ksa_password
 from keystoneauth1 import token_endpoint
-from six.moves.urllib import parse as urlparse
 
 from openstackclient.i18n import _
 
@@ -65,45 +63,3 @@ class TokenEndpoint(loading.BaseLoader):
             ),
         ]
         return options
-
-
-class OSCGenericPassword(ksa_password.Password):
-    """Auth plugin hack to work around broken Keystone configurations
-
-    The default Keystone configuration uses http://localhost:xxxx in
-    admin_endpoint and public_endpoint and are returned in the links.href
-    attribute by the version routes.  Deployments that do not set these
-    are unusable with newer keystoneclient version discovery.
-
-    """
-
-    def create_plugin(self, session, version, url, raw_status=None):
-        """Handle default Keystone endpoint configuration
-
-        Build the actual API endpoint from the scheme, host and port of the
-        original auth URL and the rest from the returned version URL.
-        """
-
-        ver_u = urlparse.urlparse(url)
-
-        # Only hack this if it is the default setting
-        if ver_u.netloc.startswith('localhost'):
-            auth_u = urlparse.urlparse(self.auth_url)
-            # from original auth_url: scheme, netloc
-            # from api_url: path, query (basically, the rest)
-            url = urlparse.urlunparse((
-                auth_u.scheme,
-                auth_u.netloc,
-                ver_u.path,
-                ver_u.params,
-                ver_u.query,
-                ver_u.fragment,
-            ))
-            LOG.debug('Version URL updated: %s', url)
-
-        return super(OSCGenericPassword, self).create_plugin(
-            session=session,
-            version=version,
-            url=url,
-            raw_status=raw_status,
-        )
diff --git a/releasenotes/notes/remove-osc_password-0767ac78267ef114.yaml b/releasenotes/notes/remove-osc_password-0767ac78267ef114.yaml
new file mode 100644
index 00000000..5d288bea
--- /dev/null
+++ b/releasenotes/notes/remove-osc_password-0767ac78267ef114.yaml
@@ -0,0 +1,7 @@
+---
+upgrade:
+  - With the change to use keystoneauth plugins the OpenStackClient-specific
+    ``osc_password`` authentication plugin has been removed.  The visible
+    difference should only be in the behaviour with poorly configured clouds
+    with old default Keystone values for admin_endpoint and public_endpoint
+    as seen in the version details returned in a GET to the root ('/') route.
diff --git a/setup.cfg b/setup.cfg
index 5e26d38d..44dd616a 100644
--- a/setup.cfg
+++ b/setup.cfg
@@ -28,7 +28,6 @@ console_scripts =
 
 keystoneauth1.plugin =
     token_endpoint = openstackclient.api.auth_plugin:TokenEndpoint
-    osc_password = openstackclient.api.auth_plugin:OSCGenericPassword
 
 openstack.cli =
     command_list = openstackclient.common.module:ListCommand