diff --git a/openstackclient/common/client_config.py b/openstackclient/common/client_config.py
index 895909e97c..30286df8af 100644
--- a/openstackclient/common/client_config.py
+++ b/openstackclient/common/client_config.py
@@ -16,6 +16,7 @@
import logging
from os_client_config import config
+from os_client_config import exceptions as occ_exceptions
LOG = logging.getLogger(__name__)
@@ -182,6 +183,14 @@ class OSC_Config(config.OpenStackConfig):
LOG.debug("auth_config_hook(): %s" % config)
return config
+ def load_auth_plugin(self, config):
+ """Get auth plugin and validate args"""
+
+ loader = self._get_auth_loader(config)
+ config = self._validate_auth(config, loader)
+ auth_plugin = loader.load_from_options(**config['auth'])
+ return auth_plugin
+
def _validate_auth_ksc(self, config, cloud, fixed_argparse=None):
"""Old compatibility hack for OSC, no longer needed/wanted"""
return config
@@ -192,6 +201,8 @@ class OSC_Config(config.OpenStackConfig):
plugin_options = loader.get_options()
+ msgs = []
+ prompt_options = []
for p_opt in plugin_options:
# if it's in config, win, move it and kill it from config dict
# if it's in config.auth but not in config we're good
@@ -202,6 +213,16 @@ class OSC_Config(config.OpenStackConfig):
winning_value = self._find_winning_auth_value(
p_opt, config['auth'])
+ # if the plugin tells us that this value is required
+ # then error if it's doesn't exist now
+ if not winning_value and p_opt.required:
+ msgs.append(
+ 'Missing value {auth_key}'
+ ' required for auth plugin {plugin}'.format(
+ auth_key=p_opt.name, plugin=config.get('auth_type'),
+ )
+ )
+
# Clean up after ourselves
for opt in [p_opt.name] + [o.name for o in p_opt.deprecated]:
opt = opt.replace('-', '_')
@@ -224,6 +245,13 @@ class OSC_Config(config.OpenStackConfig):
p_opt.dest not in config['auth'] and
self._pw_callback is not None
):
+ # Defer these until we know all required opts are present
+ prompt_options.append(p_opt)
+
+ if msgs:
+ raise occ_exceptions.OpenStackConfigException('\n'.join(msgs))
+ else:
+ for p_opt in prompt_options:
config['auth'][p_opt.dest] = self._pw_callback(p_opt.prompt)
return config
diff --git a/openstackclient/common/clientmanager.py b/openstackclient/common/clientmanager.py
index 57423aed6b..23c35a3b28 100644
--- a/openstackclient/common/clientmanager.py
+++ b/openstackclient/common/clientmanager.py
@@ -60,6 +60,26 @@ class ClientManager(clientmanager.ClientManager):
self._cacert = self.cacert
self._insecure = not self.verify
+ def setup_auth(self):
+ """Set up authentication"""
+
+ if self._auth_setup_completed:
+ return
+
+ # NOTE(dtroyer): Validate the auth args; this is protected with 'if'
+ # because openstack_config is an optional argument to
+ # CloudConfig.__init__() and we'll die if it was not
+ # passed.
+ if self._cli_options._openstack_config is not None:
+ self._cli_options._openstack_config._pw_callback = \
+ shell.prompt_for_password
+ self._cli_options._auth = \
+ self._cli_options._openstack_config.load_auth_plugin(
+ self._cli_options.config,
+ )
+
+ return super(ClientManager, self).setup_auth()
+
def is_network_endpoint_enabled(self):
"""Check if the network endpoint is enabled"""
diff --git a/openstackclient/shell.py b/openstackclient/shell.py
index 26147be999..3971b6ef4a 100644
--- a/openstackclient/shell.py
+++ b/openstackclient/shell.py
@@ -140,12 +140,11 @@ class OpenStackShell(shell.OpenStackShell):
# First, throw away what has already been done with o-c-c and
# use our own.
try:
- cc = cloud_config.OSC_Config(
+ self.cloud_config = cloud_config.OSC_Config(
override_defaults={
'interface': None,
'auth_type': self._auth_type,
},
- pw_func=shell.prompt_for_password,
)
except (IOError, OSError) as e:
self.log.critical("Could not read clouds.yaml configuration file")
@@ -154,9 +153,13 @@ class OpenStackShell(shell.OpenStackShell):
if not self.options.debug:
self.options.debug = None
- self.cloud = cc.get_one_cloud(
+
+ # NOTE(dtroyer): Need to do this with validate=False to defer the
+ # auth plugin handling to ClientManager.setup_auth()
+ self.cloud = self.cloud_config.get_one_cloud(
cloud=self.options.cloud,
argparse=self.options,
+ validate=False,
)
# Then, re-create the client_manager with the correct arguments
@@ -165,6 +168,33 @@ class OpenStackShell(shell.OpenStackShell):
api_version=self.api_version,
)
+ def prepare_to_run_command(self, cmd):
+ """Set up auth and API versions"""
+
+ # TODO(dtroyer): Move this to osc-lib
+ # NOTE(dtroyer): If auth is not required for a command, force fake
+ # token auth so KSA plugins are happy
+
+ kwargs = {}
+ if not cmd.auth_required:
+ # Build fake token creds to keep ksa and o-c-c hushed
+ kwargs['auth_type'] = 'token_endpoint'
+ kwargs['auth'] = {}
+ kwargs['auth']['token'] = 'x'
+ kwargs['auth']['url'] = 'x'
+
+ # Validate auth options
+ self.cloud = self.cloud_config.get_one_cloud(
+ cloud=self.options.cloud,
+ argparse=self.options,
+ validate=True,
+ **kwargs
+ )
+ # Push the updated args into ClientManager
+ self.client_manager._cli_options = self.cloud
+
+ return super(OpenStackShell, self).prepare_to_run_command(cmd)
+
def main(argv=None):
if argv is None: