From fe0c8e955be0331aef9cc6847c9bddc43ce66d92 Mon Sep 17 00:00:00 2001 From: Dolph Mathews Date: Wed, 15 Jun 2016 16:26:35 +0000 Subject: Do not prompt for scope options with default scoped tokens This changes the scope validation to occur after a token has already been created. Previous flow: 1. Validate authentication options. 2. Validate authorization options if the command requires a scope. 3. Create a token (using authentication + authorization options) 4. Run command. This means that scope was being checked, even if a default scope was applied in step 3 by Keystone. New flow: 1. Validate authentication options. 2. Create token (using authentication + authorization options) 3 Validate authorization options if the command requires a scope and the token is not scoped. 4. Run command. Change-Id: Idae368a11249f425b14b891fc68b4176e2b3e981 Closes-Bug: 1592062 --- openstackclient/api/auth.py | 36 ++++++++++++++++++------------------ 1 file changed, 18 insertions(+), 18 deletions(-) (limited to 'openstackclient/api') diff --git a/openstackclient/api/auth.py b/openstackclient/api/auth.py index b56035e4..0018e76e 100644 --- a/openstackclient/api/auth.py +++ b/openstackclient/api/auth.py @@ -128,12 +128,24 @@ def build_auth_params(auth_plugin_name, cmd_options): return (auth_plugin_loader, auth_params) -def check_valid_auth_options(options, auth_plugin_name, required_scope=True): - """Perform basic option checking, provide helpful error messages. - - :param required_scope: indicate whether a scoped token is required - - """ +def check_valid_authorization_options(options, auth_plugin_name): + """Validate authorization options, and provide helpful error messages.""" + if (options.auth.get('project_id') and not + options.auth.get('domain_id') and not + options.auth.get('domain_name') and not + options.auth.get('project_name') and not + options.auth.get('tenant_id') and not + options.auth.get('tenant_name')): + raise exc.CommandError(_( + 'Missing parameter(s): ' + 'Set either a project or a domain scope, but not both. Set a ' + 'project scope with --os-project-name, OS_PROJECT_NAME, or ' + 'auth.project_name. Alternatively, set a domain scope with ' + '--os-domain-name, OS_DOMAIN_NAME or auth.domain_name.')) + + +def check_valid_authentication_options(options, auth_plugin_name): + """Validate authentication options, and provide helpful error messages.""" msgs = [] if auth_plugin_name.endswith('password'): @@ -143,18 +155,6 @@ def check_valid_auth_options(options, auth_plugin_name, required_scope=True): if not options.auth.get('auth_url'): msgs.append(_('Set an authentication URL, with --os-auth-url,' ' OS_AUTH_URL or auth.auth_url')) - if (required_scope and not - options.auth.get('project_id') and not - options.auth.get('domain_id') and not - options.auth.get('domain_name') and not - options.auth.get('project_name') and not - options.auth.get('tenant_id') and not - options.auth.get('tenant_name')): - msgs.append(_('Set a scope, such as a project or domain, set a ' - 'project scope with --os-project-name, ' - 'OS_PROJECT_NAME or auth.project_name, set a domain ' - 'scope with --os-domain-name, OS_DOMAIN_NAME or ' - 'auth.domain_name')) elif auth_plugin_name.endswith('token'): if not options.auth.get('token'): msgs.append(_('Set a token with --os-token, OS_TOKEN or ' -- cgit v1.2.1