1 files changed, 42 insertions, 29 deletions

diff --git a/openstackclient/common/clientmanager.py b/openstackclient/common/clientmanager.py
index 974936f8..c4307919 100644
--- a/openstackclient/common/clientmanager.py
+++ b/openstackclient/common/clientmanager.py
@@ -56,14 +56,14 @@ class ClientManager(object):
 
     def __init__(
         self,
-        auth_options,
+        cli_options,
         api_version=None,
         verify=True,
         pw_func=None,
     ):
         """Set up a ClientManager
 
-        :param auth_options:
+        :param cli_options:
             Options collected from the command-line, environment, or wherever
         :param api_version:
             Dict of API versions: key is API name, value is the version
@@ -77,31 +77,57 @@ class ClientManager(object):
             returns a string containing the password
         """
 
+        self._cli_options = cli_options
+        self._api_version = api_version
+        self._pw_callback = pw_func
+        self._url = self._cli_options.os_url
+        self._region_name = self._cli_options.os_region_name
+
+        self.timing = self._cli_options.timing
+
+        self._auth_ref = None
+        self.session = None
+
+        # verify is the Requests-compatible form
+        self._verify = verify
+        # also store in the form used by the legacy client libs
+        self._cacert = None
+        if isinstance(verify, bool):
+            self._insecure = not verify
+        else:
+            self._cacert = verify
+            self._insecure = False
+
+        # Get logging from root logger
+        root_logger = logging.getLogger('')
+        LOG.setLevel(root_logger.getEffectiveLevel())
+
+    def setup_auth(self):
+        """Set up authentication
+
+        This is deferred until authentication is actually attempted because
+        it gets in the way of things that do not require auth.
+        """
+
         # If no auth type is named by the user, select one based on
         # the supplied options
-        self.auth_plugin_name = auth.select_auth_plugin(auth_options)
+        self.auth_plugin_name = auth.select_auth_plugin(self._cli_options)
 
         # Basic option checking to avoid unhelpful error messages
-        auth.check_valid_auth_options(auth_options, self.auth_plugin_name)
+        auth.check_valid_auth_options(self._cli_options, self.auth_plugin_name)
 
         # Horrible hack alert...must handle prompt for null password if
         # password auth is requested.
         if (self.auth_plugin_name.endswith('password') and
-                not auth_options.os_password):
-            auth_options.os_password = pw_func()
+                not self._cli_options.os_password):
+            self._cli_options.os_password = self.pw_callback()
 
         (auth_plugin, self._auth_params) = auth.build_auth_params(
             self.auth_plugin_name,
-            auth_options,
+            self._cli_options,
         )
 
-        self._url = auth_options.os_url
-        self._region_name = auth_options.os_region_name
-        self._api_version = api_version
-        self._auth_ref = None
-        self.timing = auth_options.timing
-
-        default_domain = auth_options.os_default_domain
+        default_domain = self._cli_options.os_default_domain
         # NOTE(stevemar): If PROJECT_DOMAIN_ID or PROJECT_DOMAIN_NAME is
         # present, then do not change the behaviour. Otherwise, set the
         # PROJECT_DOMAIN_ID to 'OS_DEFAULT_DOMAIN' for better usability.
@@ -125,20 +151,6 @@ class ClientManager(object):
         elif 'tenant_name' in self._auth_params:
             self._project_name = self._auth_params['tenant_name']
 
-        # verify is the Requests-compatible form
-        self._verify = verify
-        # also store in the form used by the legacy client libs
-        self._cacert = None
-        if isinstance(verify, bool):
-            self._insecure = not verify
-        else:
-            self._cacert = verify
-            self._insecure = False
-
-        # Get logging from root logger
-        root_logger = logging.getLogger('')
-        LOG.setLevel(root_logger.getEffectiveLevel())
-
         LOG.info('Using auth plugin: %s' % self.auth_plugin_name)
         self.auth = auth_plugin.load_from_options(**self._auth_params)
         # needed by SAML authentication
@@ -146,7 +158,7 @@ class ClientManager(object):
         self.session = session.Session(
             auth=self.auth,
             session=request_session,
-            verify=verify,
+            verify=self._verify,
         )
 
         return
@@ -155,6 +167,7 @@ class ClientManager(object):
     def auth_ref(self):
         """Dereference will trigger an auth if it hasn't already"""
         if not self._auth_ref:
+            self.setup_auth()
             LOG.debug("Get auth_ref")
             self._auth_ref = self.auth.get_auth_ref(self.session)
         return self._auth_ref