Moving authentication from keystoneclient to keystoneauth

Currently OpenStackClient uses keystoneclient for authentication. This change will update OpenStackClient to use keystoneauth for authentication. All dependant test have been updated. Updating how auth_ref is set in the tests to use KSA fixtures had some racy side-effects. The user_role_list tests failed when they picked up an auth_ref that was a fixture. This exposed a weakness in ListUserRole that needed to be fixed at the same time re handling of unscoped tokens and options. Change-Id: I4ddb2dbbb3bf2ab37494468eaf65cef9213a6e00 Closes-Bug: 1533369
2016-02-04 16:45:38 +00:00 · 2016-02-04 16:45:38 +00:00 · 6ae0d2e8a5
commit 6ae0d2e8a5
parent ada6abb30e
18 changed files with 330 additions and 146 deletions
--- a/openstackclient/api/auth.py
+++ b/openstackclient/api/auth.py
@ -16,15 +16,12 @@
 import argparse
 import logging
-import stevedore
+from keystoneauth1.loading import base
 from keystoneclient.auth import base
 from openstackclient.common import exceptions as exc
 from openstackclient.common import utils
 from openstackclient.i18n import _
 LOG = logging.getLogger(__name__)
 # Initialize the list of Authentication plugins early in order
@ -37,15 +34,10 @@ OPTIONS_LIST = {}
 def get_plugin_list():
    """Gather plugin list and cache it"""
    global PLUGIN_LIST
    if PLUGIN_LIST is None:
-        PLUGIN_LIST = stevedore.ExtensionManager(
+        PLUGIN_LIST = base.get_available_plugin_names()
            base.PLUGIN_NAMESPACE,
            invoke_on_load=False,
            propagate_map_exceptions=True,
        )
    return PLUGIN_LIST
@ -55,8 +47,9 @@ def get_options_list():
    global OPTIONS_LIST
    if not OPTIONS_LIST:
-        for plugin in get_plugin_list():
+        for plugin_name in get_plugin_list():
-            for o in plugin.plugin.get_options():
+            plugin_options = base.get_plugin_options(plugin_name)
            for o in plugin_options:
                os_name = o.dest.lower().replace('_', '-')
                os_env_name = 'OS_' + os_name.upper().replace('-', '_')
                OPTIONS_LIST.setdefault(
@ -66,7 +59,7 @@ def get_options_list():
                # help texts if they vary from one auth plugin to another
                # also the text rendering is ugly in the CLI ...
                OPTIONS_LIST[os_name]['help'] += 'With %s: %s\n' % (
-                    plugin.name,
+                    plugin_name,
                    o.help,
                )
    return OPTIONS_LIST
@ -83,7 +76,7 @@ def select_auth_plugin(options):
    if options.auth.get('url') and options.auth.get('token'):
        # service token authentication
        auth_plugin_name = 'token_endpoint'
-    elif options.auth_type in [plugin.name for plugin in PLUGIN_LIST]:
+    elif options.auth_type in PLUGIN_LIST:
        # A direct plugin name was given, use it
        auth_plugin_name = options.auth_type
    elif options.auth.get('username'):
@ -115,7 +108,7 @@ def build_auth_params(auth_plugin_name, cmd_options):
    auth_params = dict(cmd_options.auth)
    if auth_plugin_name:
        LOG.debug('auth_type: %s', auth_plugin_name)
-        auth_plugin_class = base.get_plugin_class(auth_plugin_name)
+        auth_plugin_loader = base.get_plugin_loader(auth_plugin_name)
        # grab tenant from project for v2.0 API compatibility
        if auth_plugin_name.startswith("v2"):
            if 'project_id' in auth_params:
@ -127,12 +120,12 @@ def build_auth_params(auth_plugin_name, cmd_options):
    else:
        LOG.debug('no auth_type')
        # delay the plugin choice, grab every option
-        auth_plugin_class = None
+        auth_plugin_loader = None
        plugin_options = set([o.replace('-', '_') for o in get_options_list()])
        for option in plugin_options:
            LOG.debug('fetching option %s', option)
            auth_params[option] = getattr(cmd_options.auth, option, None)
-    return (auth_plugin_class, auth_params)
+    return (auth_plugin_loader, auth_params)
 def check_valid_auth_options(options, auth_plugin_name, required_scope=True):
@ -188,7 +181,7 @@ def build_auth_plugins_option_parser(parser):
    authentication plugin.
    """
-    available_plugins = [plugin.name for plugin in get_plugin_list()]
+    available_plugins = list(get_plugin_list())
    parser.add_argument(
        '--os-auth-type',
        metavar='<auth-type>',
--- a/openstackclient/api/auth_plugin.py
+++ b/openstackclient/api/auth_plugin.py
@ -18,13 +18,13 @@ import logging
 from oslo_config import cfg
 from six.moves.urllib import parse as urlparse
-from keystoneclient.auth.identity.generic import password as ksc_password
+from keystoneauth1.loading._plugins import admin_token as token_endpoint
-from keystoneclient.auth import token_endpoint
+from keystoneauth1.loading._plugins.identity import generic as ksa_password
 LOG = logging.getLogger(__name__)
-class TokenEndpoint(token_endpoint.Token):
+class TokenEndpoint(token_endpoint.AdminToken):
    """Auth plugin to handle traditional token/endpoint usage
    Implements the methods required to handle token authentication
@ -36,20 +36,15 @@ class TokenEndpoint(token_endpoint.Token):
    is for bootstrapping the Keystone database.
    """
-    def __init__(self, url, token, **kwargs):
+    def load_from_options(self, url, token):
        """A plugin for static authentication with an existing token
        :param string url: Service endpoint
        :param string token: Existing token
        """
-        super(TokenEndpoint, self).__init__(endpoint=url,
+        return super(TokenEndpoint, self).load_from_options(endpoint=url,
                                                            token=token)
    def get_auth_ref(self, session, **kwargs):
        # Stub this method for compatibility
        return None
    @classmethod
    def get_options(self):
        options = super(TokenEndpoint, self).get_options()
@ -65,7 +60,7 @@ class TokenEndpoint(token_endpoint.Token):
        return options
-class OSCGenericPassword(ksc_password.Password):
+class OSCGenericPassword(ksa_password.Password):
    """Auth plugin hack to work around broken Keystone configurations
    The default Keystone configuration uses http://localhost:xxxx in
--- a/openstackclient/common/clientmanager.py
+++ b/openstackclient/common/clientmanager.py
@ -269,7 +269,7 @@ class ClientManager(object):
            endpoint = self.auth_ref.service_catalog.url_for(
                service_type=service_type,
                region_name=region_name,
-                endpoint_type=interface,
+                interface=interface,
            )
        else:
            # Get the passed endpoint directly from the auth plugin
--- a/openstackclient/identity/v2_0/catalog.py
+++ b/openstackclient/identity/v2_0/catalog.py
@ -16,6 +16,7 @@
 import six
 from openstackclient.common import command
 from openstackclient.common import exceptions
 from openstackclient.common import utils
 from openstackclient.i18n import _
@ -41,13 +42,14 @@ class ListCatalog(command.Lister):
    def take_action(self, parsed_args):
-        # This is ugly because if auth hasn't happened yet we need
+        # Trigger auth if it has not happened yet
-        # to trigger it here.
+        auth_ref = self.app.client_manager.auth_ref
-        sc = self.app.client_manager.session.auth.get_auth_ref(
+        if not auth_ref:
-            self.app.client_manager.session,
+            raise exceptions.AuthorizationFailure(
-        ).service_catalog
+                "Only an authorized user may issue a new token."
            )
-        data = sc.get_data()
+        data = auth_ref.service_catalog.catalog
        columns = ('Name', 'Type', 'Endpoints')
        return (columns,
                (utils.get_dict_properties(
@ -72,14 +74,15 @@ class ShowCatalog(command.ShowOne):
    def take_action(self, parsed_args):
-        # This is ugly because if auth hasn't happened yet we need
+        # Trigger auth if it has not happened yet
-        # to trigger it here.
+        auth_ref = self.app.client_manager.auth_ref
-        sc = self.app.client_manager.session.auth.get_auth_ref(
+        if not auth_ref:
-            self.app.client_manager.session,
+            raise exceptions.AuthorizationFailure(
-        ).service_catalog
+                "Only an authorized user may issue a new token."
            )
        data = None
-        for service in sc.get_data():
+        for service in auth_ref.service_catalog.catalog:
            if (service.get('name') == parsed_args.service or
                    service.get('type') == parsed_args.service):
                data = service
@ -91,6 +94,6 @@ class ShowCatalog(command.ShowOne):
        if not data:
            self.app.log.error(_('service %s not found\n') %
                               parsed_args.service)
-            return ([], [])
+            return ((), ())
        return zip(*sorted(six.iteritems(data)))
--- a/openstackclient/identity/v2_0/role.py
+++ b/openstackclient/identity/v2_0/role.py
@ -231,16 +231,17 @@ class ListUserRole(command.Lister):
        # Project and user are required, if not included in command args
        # default to the values used for authentication.  For token-flow
        # authentication they must be included on the command line.
-        if not parsed_args.project:
+        if (not parsed_args.project and
-            if self.app.client_manager.auth_ref:
+                self.app.client_manager.auth_ref.project_id):
            parsed_args.project = auth_ref.project_id
-            else:
+        if not parsed_args.project:
            msg = _("Project must be specified")
            raise exceptions.CommandError(msg)
-        if not parsed_args.user:
+
-            if self.app.client_manager.auth_ref:
+        if (not parsed_args.user and
                self.app.client_manager.auth_ref.user_id):
            parsed_args.user = auth_ref.user_id
-            else:
+        if not parsed_args.user:
            msg = _("User must be specified")
            raise exceptions.CommandError(msg)
--- a/openstackclient/identity/v2_0/token.py
+++ b/openstackclient/identity/v2_0/token.py
@ -18,6 +18,7 @@
 import six
 from openstackclient.common import command
 from openstackclient.common import exceptions
 from openstackclient.i18n import _
@ -32,11 +33,21 @@ class IssueToken(command.ShowOne):
        return parser
    def take_action(self, parsed_args):
        auth_ref = self.app.client_manager.auth_ref
        if not auth_ref:
            raise exceptions.AuthorizationFailure(
                "Only an authorized user may issue a new token.")
-        token = self.app.client_manager.auth_ref.service_catalog.get_token()
+        data = {}
-        if 'tenant_id' in token:
+        if auth_ref.auth_token:
-            token['project_id'] = token.pop('tenant_id')
+            data['id'] = auth_ref.auth_token
-        return zip(*sorted(six.iteritems(token)))
+        if auth_ref.expires:
            data['expires'] = auth_ref.expires
        if auth_ref.project_id:
            data['project_id'] = auth_ref.project_id
        if auth_ref.user_id:
            data['user_id'] = auth_ref.user_id
        return zip(*sorted(six.iteritems(data)))
 class RevokeToken(command.Command):
--- a/openstackclient/identity/v3/catalog.py
+++ b/openstackclient/identity/v3/catalog.py
@ -16,6 +16,7 @@
 import six
 from openstackclient.common import command
 from openstackclient.common import exceptions
 from openstackclient.common import utils
 from openstackclient.i18n import _
@ -36,13 +37,14 @@ class ListCatalog(command.Lister):
    def take_action(self, parsed_args):
-        # This is ugly because if auth hasn't happened yet we need
+        # Trigger auth if it has not happened yet
-        # to trigger it here.
+        auth_ref = self.app.client_manager.auth_ref
-        sc = self.app.client_manager.session.auth.get_auth_ref(
+        if not auth_ref:
-            self.app.client_manager.session,
+            raise exceptions.AuthorizationFailure(
-        ).service_catalog
+                "Only an authorized user may issue a new token."
            )
-        data = sc.get_data()
+        data = auth_ref.service_catalog.catalog
        columns = ('Name', 'Type', 'Endpoints')
        return (columns,
                (utils.get_dict_properties(
@ -67,14 +69,15 @@ class ShowCatalog(command.ShowOne):
    def take_action(self, parsed_args):
-        # This is ugly because if auth hasn't happened yet we need
+        # Trigger auth if it has not happened yet
-        # to trigger it here.
+        auth_ref = self.app.client_manager.auth_ref
-        sc = self.app.client_manager.session.auth.get_auth_ref(
+        if not auth_ref:
-            self.app.client_manager.session,
+            raise exceptions.AuthorizationFailure(
-        ).service_catalog
+                "Only an authorized user may issue a new token."
            )
        data = None
-        for service in sc.get_data():
+        for service in auth_ref.service_catalog.catalog:
            if (service.get('name') == parsed_args.service or
                    service.get('type') == parsed_args.service):
                data = dict(service)
@ -86,6 +89,6 @@ class ShowCatalog(command.ShowOne):
        if not data:
            self.app.log.error(_('service %s not found\n') %
                               parsed_args.service)
-            return ([], [])
+            return ((), ())
        return zip(*sorted(six.iteritems(data)))
--- a/openstackclient/identity/v3/token.py
+++ b/openstackclient/identity/v3/token.py
@ -174,13 +174,23 @@ class IssueToken(command.ShowOne):
        return parser
    def take_action(self, parsed_args):
-        if not self.app.client_manager.auth_ref:
+        auth_ref = self.app.client_manager.auth_ref
        if not auth_ref:
            raise exceptions.AuthorizationFailure(
                _("Only an authorized user may issue a new token."))
-        token = self.app.client_manager.auth_ref.service_catalog.get_token()
+
-        if 'tenant_id' in token:
+        data = {}
-            token['project_id'] = token.pop('tenant_id')
+        if auth_ref.auth_token:
-        return zip(*sorted(six.iteritems(token)))
+            data['id'] = auth_ref.auth_token
        if auth_ref.expires:
            data['expires'] = auth_ref.expires
        if auth_ref.project_id:
            data['project_id'] = auth_ref.project_id
        if auth_ref.user_id:
            data['user_id'] = auth_ref.user_id
        if auth_ref.domain_id:
            data['domain_id'] = auth_ref.domain_id
        return zip(*sorted(six.iteritems(data)))
 class RevokeToken(command.Command):
--- a/openstackclient/tests/common/test_clientmanager.py
+++ b/openstackclient/tests/common/test_clientmanager.py
@ -17,11 +17,11 @@ import json as jsonutils
 import mock
 from requests_mock.contrib import fixture
-from keystoneclient.auth.identity import v2 as auth_v2
+from keystoneauth1.access import service_catalog
-from keystoneclient import service_catalog
+from keystoneauth1.identity import v2 as auth_v2
 from keystoneauth1 import token_endpoint
 from openstackclient.api import auth
 from openstackclient.api import auth_plugin
 from openstackclient.common import clientmanager
 from openstackclient.common import exceptions as exc
 from openstackclient.tests import fakes
@ -29,7 +29,6 @@ from openstackclient.tests import utils
 API_VERSION = {"identity": "2.0"}
 AUTH_REF = {'version': 'v2.0'}
 AUTH_REF.update(fakes.TEST_RESPONSE_DICT['access'])
 SERVICE_CATALOG = service_catalog.ServiceCatalogV2(AUTH_REF)
@ -126,7 +125,7 @@ class TestClientManager(utils.TestCase):
        )
        self.assertIsInstance(
            client_manager.auth,
-            auth_plugin.TokenEndpoint,
+            token_endpoint.Token,
        )
        self.assertFalse(client_manager._insecure)
        self.assertTrue(client_manager._verify)
@ -205,11 +204,14 @@ class TestClientManager(utils.TestCase):
        )
        self.assertTrue(client_manager._insecure)
        self.assertFalse(client_manager._verify)
        # These need to stick around until the old-style clients are gone
        self.assertEqual(
-            AUTH_REF,
+            AUTH_REF.pop('version'),
-            client_manager.auth_ref,
+            client_manager.auth_ref.version,
        )
        self.assertEqual(
            fakes.to_unicode_dict(AUTH_REF),
            client_manager.auth_ref._data['access'],
        )
        self.assertEqual(
            dir(SERVICE_CATALOG),
@ -296,9 +298,10 @@ class TestClientManager(utils.TestCase):
    def _select_auth_plugin(self, auth_params, api_version, auth_plugin_name):
        auth_params['auth_type'] = auth_plugin_name
        auth_params['identity_api_version'] = api_version
        client_manager = clientmanager.ClientManager(
            cli_options=FakeOptions(**auth_params),
-            api_version=API_VERSION,
+            api_version={"identity": api_version},
            verify=True
        )
        client_manager.setup_auth()
--- a/openstackclient/tests/fakes.py
+++ b/openstackclient/tests/fakes.py
@ -50,6 +50,21 @@ TEST_RESPONSE_DICT_V3.set_project_scope()
 TEST_VERSIONS = fixture.DiscoveryList(href=AUTH_URL)
 def to_unicode_dict(catalog_dict):
    """Converts dict to unicode dict
    """
    if isinstance(catalog_dict, dict):
        return {to_unicode_dict(key): to_unicode_dict(value)
                for key, value in catalog_dict.items()}
    elif isinstance(catalog_dict, list):
        return [to_unicode_dict(element) for element in catalog_dict]
    elif isinstance(catalog_dict, str):
        return catalog_dict + u""
    else:
        return catalog_dict
 class FakeStdout(object):
    def __init__(self):
--- a/openstackclient/tests/identity/v2_0/fakes.py
+++ b/openstackclient/tests/identity/v2_0/fakes.py
@ -17,6 +17,9 @@ import copy
 import mock
 import uuid
 from keystoneauth1 import access
 from keystoneauth1 import fixture
 from openstackclient.tests import fakes
 from openstackclient.tests import utils
@ -109,6 +112,43 @@ ENDPOINT = {
 }
 def fake_auth_ref(fake_token, fake_service=None):
    """Create an auth_ref using keystoneauth's fixtures"""
    token_copy = copy.deepcopy(fake_token)
    token_copy['token_id'] = token_copy.pop('id')
    token = fixture.V2Token(**token_copy)
    # An auth_ref is actually an access info object
    auth_ref = access.create(body=token)
    # Create a service catalog
    if fake_service:
        service = token.add_service(
            fake_service['type'],
            fake_service['name'],
        )
        # TODO(dtroyer): Add an 'id' element to KSA's _Service fixure
        service['id'] = fake_service['id']
        for e in fake_service['endpoints']:
            # KSA's _Service fixture copies publicURL to internalURL and
            # adminURL if they do not exist.  Soooo helpful...
            internal = e.get('internalURL', None)
            admin = e.get('adminURL', None)
            region = e.get('region_id') or e.get('region', '<none>')
            endpoint = service.add_endpoint(
                public=e['publicURL'],
                internal=internal,
                admin=admin,
                region=region,
            )
            # ...so undo that helpfulness
            if not internal:
                endpoint['internalURL'] = None
            if not admin:
                endpoint['adminURL'] = None
    return auth_ref
 class FakeIdentityv2Client(object):
    def __init__(self, **kwargs):
--- a/openstackclient/tests/identity/v2_0/test_catalog.py
+++ b/openstackclient/tests/identity/v2_0/test_catalog.py
@ -14,6 +14,7 @@
 import mock
 from openstackclient.identity.v2_0 import catalog
 from openstackclient.tests.identity.v2_0 import fakes as identity_fakes
 from openstackclient.tests import utils
@ -49,7 +50,7 @@ class TestCatalog(utils.TestCommand):
        super(TestCatalog, self).setUp()
        self.sc_mock = mock.MagicMock()
-        self.sc_mock.service_catalog.get_data.return_value = [
+        self.sc_mock.service_catalog.catalog.return_value = [
            self.fake_service,
        ]
@ -74,6 +75,13 @@ class TestCatalogList(TestCatalog):
        self.cmd = catalog.ListCatalog(self.app, None)
    def test_catalog_list(self):
        auth_ref = identity_fakes.fake_auth_ref(
            identity_fakes.TOKEN,
            fake_service=self.fake_service,
        )
        self.ar_mock = mock.PropertyMock(return_value=auth_ref)
        type(self.app.client_manager).auth_ref = self.ar_mock
        arglist = []
        verifylist = []
        parsed_args = self.check_parser(self.cmd, arglist, verifylist)
@ -82,7 +90,6 @@ class TestCatalogList(TestCatalog):
        # returns a tuple containing the column names and an iterable
        # containing the data to be listed.
        columns, data = self.cmd.take_action(parsed_args)
        self.sc_mock.service_catalog.get_data.assert_called_with()
        self.assertEqual(self.columns, columns)
        datalist = ((
@ -117,9 +124,12 @@ class TestCatalogList(TestCatalog):
                },
            ],
        }
-        self.sc_mock.service_catalog.get_data.return_value = [
+        auth_ref = identity_fakes.fake_auth_ref(
-            fake_service,
+            identity_fakes.TOKEN,
-        ]
+            fake_service=fake_service,
        )
        self.ar_mock = mock.PropertyMock(return_value=auth_ref)
        type(self.app.client_manager).auth_ref = self.ar_mock
        arglist = []
        verifylist = []
@ -129,7 +139,6 @@ class TestCatalogList(TestCatalog):
        # returns a tuple containing the column names and an iterable
        # containing the data to be listed.
        columns, data = self.cmd.take_action(parsed_args)
        self.sc_mock.service_catalog.get_data.assert_called_with()
        self.assertEqual(self.columns, columns)
        datalist = ((
@ -151,6 +160,13 @@ class TestCatalogShow(TestCatalog):
        self.cmd = catalog.ShowCatalog(self.app, None)
    def test_catalog_show(self):
        auth_ref = identity_fakes.fake_auth_ref(
            identity_fakes.UNSCOPED_TOKEN,
            fake_service=self.fake_service,
        )
        self.ar_mock = mock.PropertyMock(return_value=auth_ref)
        type(self.app.client_manager).auth_ref = self.ar_mock
        arglist = [
            'compute',
        ]
@ -163,7 +179,6 @@ class TestCatalogShow(TestCatalog):
        # returns a two-part tuple with a tuple of column names and a tuple of
        # data to be shown.
        columns, data = self.cmd.take_action(parsed_args)
        self.sc_mock.service_catalog.get_data.assert_called_with()
        collist = ('endpoints', 'id', 'name', 'type')
        self.assertEqual(collist, columns)
--- a/openstackclient/tests/identity/v2_0/test_role.py
+++ b/openstackclient/tests/identity/v2_0/test_role.py
@ -26,6 +26,13 @@ from openstackclient.tests.identity.v2_0 import fakes as identity_fakes
 class TestRole(identity_fakes.TestIdentityv2):
    fake_service = copy.deepcopy(identity_fakes.SERVICE)
    fake_service['endpoints'] = [
        {
            'publicURL': identity_fakes.ENDPOINT['publicurl'],
        },
    ]
    def setUp(self):
        super(TestRole, self).setUp()
@ -41,6 +48,13 @@ class TestRole(identity_fakes.TestIdentityv2):
        self.roles_mock = self.app.client_manager.identity.roles
        self.roles_mock.reset_mock()
        auth_ref = identity_fakes.fake_auth_ref(
            identity_fakes.TOKEN,
            fake_service=self.fake_service,
        )
        self.ar_mock = mock.PropertyMock(return_value=auth_ref)
        type(self.app.client_manager).auth_ref = self.ar_mock
 class TestRoleAdd(TestRole):
@ -320,7 +334,14 @@ class TestUserRoleList(TestRole):
        # Get the command object to test
        self.cmd = role.ListUserRole(self.app, None)
-    def test_user_role_list_no_options(self):
+    def test_user_role_list_no_options_unscoped_token(self):
        auth_ref = identity_fakes.fake_auth_ref(
            identity_fakes.UNSCOPED_TOKEN,
            fake_service=self.fake_service,
        )
        self.ar_mock = mock.PropertyMock(return_value=auth_ref)
        type(self.app.client_manager).auth_ref = self.ar_mock
        arglist = []
        verifylist = []
        parsed_args = self.check_parser(self.cmd, arglist, verifylist)
@ -332,11 +353,7 @@ class TestUserRoleList(TestRole):
            parsed_args,
        )
-    def test_user_role_list_no_options_def_creds(self):
+    def test_user_role_list_no_options_scoped_token(self):
        auth_ref = self.app.client_manager.auth_ref = mock.MagicMock()
        auth_ref.project_id.return_value = identity_fakes.project_id
        auth_ref.user_id.return_value = identity_fakes.user_id
        arglist = []
        verifylist = []
        parsed_args = self.check_parser(self.cmd, arglist, verifylist)
@ -361,7 +378,14 @@ class TestUserRoleList(TestRole):
        ), )
        self.assertEqual(datalist, tuple(data))
-    def test_user_role_list_project(self):
+    def test_user_role_list_project_unscoped_token(self):
        auth_ref = identity_fakes.fake_auth_ref(
            identity_fakes.UNSCOPED_TOKEN,
            fake_service=self.fake_service,
        )
        self.ar_mock = mock.PropertyMock(return_value=auth_ref)
        type(self.app.client_manager).auth_ref = self.ar_mock
        self.projects_mock.get.return_value = fakes.FakeResource(
            None,
            copy.deepcopy(identity_fakes.PROJECT_2),
@ -375,18 +399,26 @@ class TestUserRoleList(TestRole):
        ]
        parsed_args = self.check_parser(self.cmd, arglist, verifylist)
-        # This argument combination should raise a CommandError
+        # In base command class Lister in cliff, abstract method take_action()
-        self.assertRaises(
+        # returns a tuple containing the column names and an iterable
-            exceptions.CommandError,
+        # containing the data to be listed.
-            self.cmd.take_action,
+        columns, data = self.cmd.take_action(parsed_args)
-            parsed_args,
+
        self.roles_mock.roles_for_user.assert_called_with(
            identity_fakes.user_id,
            identity_fakes.PROJECT_2['id'],
        )
-    def test_user_role_list_project_def_creds(self):
+        self.assertEqual(columns, columns)
-        auth_ref = self.app.client_manager.auth_ref = mock.MagicMock()
+        datalist = ((
-        auth_ref.project_id.return_value = identity_fakes.project_id
+            identity_fakes.role_id,
-        auth_ref.user_id.return_value = identity_fakes.user_id
+            identity_fakes.role_name,
            identity_fakes.PROJECT_2['name'],
            identity_fakes.user_name,
        ), )
        self.assertEqual(datalist, tuple(data))
    def test_user_role_list_project_scoped_token(self):
        self.projects_mock.get.return_value = fakes.FakeResource(
            None,
            copy.deepcopy(identity_fakes.PROJECT_2),
--- a/openstackclient/tests/identity/v2_0/test_token.py
+++ b/openstackclient/tests/identity/v2_0/test_token.py
@ -24,10 +24,9 @@ class TestToken(identity_fakes.TestIdentityv2):
    def setUp(self):
        super(TestToken, self).setUp()
-        # Get a shortcut to the Service Catalog Mock
+        # Get a shortcut to the Auth Ref Mock
-        self.sc_mock = mock.Mock()
+        self.ar_mock = mock.PropertyMock()
-        self.app.client_manager.auth_ref = mock.Mock()
+        type(self.app.client_manager).auth_ref = self.ar_mock
        self.app.client_manager.auth_ref.service_catalog = self.sc_mock
 class TestTokenIssue(TestToken):
@ -35,10 +34,15 @@ class TestTokenIssue(TestToken):
    def setUp(self):
        super(TestTokenIssue, self).setUp()
        self.sc_mock.get_token.return_value = identity_fakes.TOKEN
        self.cmd = token.IssueToken(self.app, None)
    def test_token_issue(self):
        auth_ref = identity_fakes.fake_auth_ref(
            identity_fakes.TOKEN,
        )
        self.ar_mock = mock.PropertyMock(return_value=auth_ref)
        type(self.app.client_manager).auth_ref = self.ar_mock
        arglist = []
        verifylist = []
        parsed_args = self.check_parser(self.cmd, arglist, verifylist)
@ -48,12 +52,10 @@ class TestTokenIssue(TestToken):
        # data to be shown.
        columns, data = self.cmd.take_action(parsed_args)
        self.sc_mock.get_token.assert_called_with()
        collist = ('expires', 'id', 'project_id', 'user_id')
        self.assertEqual(collist, columns)
        datalist = (
-            identity_fakes.token_expires,
+            auth_ref.expires,
            identity_fakes.token_id,
            identity_fakes.project_id,
            identity_fakes.user_id,
@ -61,8 +63,11 @@ class TestTokenIssue(TestToken):
        self.assertEqual(datalist, data)
    def test_token_issue_with_unscoped_token(self):
-        # make sure we return an unscoped token
+        auth_ref = identity_fakes.fake_auth_ref(
-        self.sc_mock.get_token.return_value = identity_fakes.UNSCOPED_TOKEN
+            identity_fakes.UNSCOPED_TOKEN,
        )
        self.ar_mock = mock.PropertyMock(return_value=auth_ref)
        type(self.app.client_manager).auth_ref = self.ar_mock
        arglist = []
        verifylist = []
@ -71,12 +76,14 @@ class TestTokenIssue(TestToken):
        # DisplayCommandBase.take_action() returns two tuples
        columns, data = self.cmd.take_action(parsed_args)
-        self.sc_mock.get_token.assert_called_with()
+        collist = (
-
+            'expires',
-        collist = ('expires', 'id', 'user_id')
+            'id',
            'user_id',
        )
        self.assertEqual(collist, columns)
        datalist = (
-            identity_fakes.token_expires,
+            auth_ref.expires,
            identity_fakes.token_id,
            identity_fakes.user_id,
        )
--- a/openstackclient/tests/identity/v3/fakes.py
+++ b/openstackclient/tests/identity/v3/fakes.py
@ -13,8 +13,12 @@
 #   under the License.
 #
 import copy
 import mock
 from keystoneauth1 import access
 from keystoneauth1 import fixture
 from openstackclient.tests import fakes
 from openstackclient.tests import utils
@ -419,6 +423,36 @@ OAUTH_VERIFIER = {
 }
 def fake_auth_ref(fake_token, fake_service=None):
    """Create an auth_ref using keystoneauth's fixtures"""
    token_copy = copy.deepcopy(fake_token)
    token_id = token_copy.pop('id')
    token = fixture.V3Token(**token_copy)
    # An auth_ref is actually an access info object
    auth_ref = access.create(
        body=token,
        auth_token=token_id,
    )
    # Create a service catalog
    if fake_service:
        service = token.add_service(
            fake_service['type'],
            fake_service['name'],
        )
        # TODO(dtroyer): Add an 'id' element to KSA's _Service fixure
        service['id'] = fake_service['id']
        for e in fake_service['endpoints']:
            region = e.get('region_id') or e.get('region', '<none>')
            service.add_endpoint(
                e['interface'],
                e['url'],
                region=region,
            )
    return auth_ref
 class FakeAuth(object):
    def __init__(self, auth_method_class=None):
--- a/openstackclient/tests/identity/v3/test_catalog.py
+++ b/openstackclient/tests/identity/v3/test_catalog.py
@ -14,6 +14,7 @@
 import mock
 from openstackclient.identity.v3 import catalog
 from openstackclient.tests.identity.v3 import fakes as identity_fakes
 from openstackclient.tests import utils
@ -50,7 +51,7 @@ class TestCatalog(utils.TestCommand):
        super(TestCatalog, self).setUp()
        self.sc_mock = mock.MagicMock()
-        self.sc_mock.service_catalog.get_data.return_value = [
+        self.sc_mock.service_catalog.catalog.return_value = [
            self.fake_service,
        ]
@ -69,6 +70,13 @@ class TestCatalogList(TestCatalog):
        self.cmd = catalog.ListCatalog(self.app, None)
    def test_catalog_list(self):
        auth_ref = identity_fakes.fake_auth_ref(
            identity_fakes.TOKEN_WITH_PROJECT_ID,
            fake_service=self.fake_service,
        )
        self.ar_mock = mock.PropertyMock(return_value=auth_ref)
        type(self.app.client_manager).auth_ref = self.ar_mock
        arglist = []
        verifylist = []
        parsed_args = self.check_parser(self.cmd, arglist, verifylist)
@ -77,7 +85,6 @@ class TestCatalogList(TestCatalog):
        # returns a tuple containing the column names and an iterable
        # containing the data to be listed.
        columns, data = self.cmd.take_action(parsed_args)
        self.sc_mock.service_catalog.get_data.assert_called_with()
        collist = ('Name', 'Type', 'Endpoints')
        self.assertEqual(collist, columns)
@ -101,6 +108,13 @@ class TestCatalogShow(TestCatalog):
        self.cmd = catalog.ShowCatalog(self.app, None)
    def test_catalog_show(self):
        auth_ref = identity_fakes.fake_auth_ref(
            identity_fakes.TOKEN_WITH_PROJECT_ID,
            fake_service=self.fake_service,
        )
        self.ar_mock = mock.PropertyMock(return_value=auth_ref)
        type(self.app.client_manager).auth_ref = self.ar_mock
        arglist = [
            'compute',
        ]
@ -113,7 +127,6 @@ class TestCatalogShow(TestCatalog):
        # returns a two-part tuple with a tuple of column names and a tuple of
        # data to be shown.
        columns, data = self.cmd.take_action(parsed_args)
        self.sc_mock.service_catalog.get_data.assert_called_with()
        collist = ('endpoints', 'id', 'name', 'type')
        self.assertEqual(collist, columns)
--- a/openstackclient/tests/identity/v3/test_token.py
+++ b/openstackclient/tests/identity/v3/test_token.py
@ -24,10 +24,9 @@ class TestToken(identity_fakes.TestIdentityv3):
    def setUp(self):
        super(TestToken, self).setUp()
-        # Get a shortcut to the Service Catalog Mock
+        # Get a shortcut to the Auth Ref Mock
-        self.sc_mock = mock.Mock()
+        self.ar_mock = mock.PropertyMock()
-        self.app.client_manager.auth_ref = mock.Mock()
+        type(self.app.client_manager).auth_ref = self.ar_mock
        self.app.client_manager.auth_ref.service_catalog = self.sc_mock
 class TestTokenIssue(TestToken):
@ -38,23 +37,25 @@ class TestTokenIssue(TestToken):
        self.cmd = token.IssueToken(self.app, None)
    def test_token_issue_with_project_id(self):
        auth_ref = identity_fakes.fake_auth_ref(
            identity_fakes.TOKEN_WITH_PROJECT_ID,
        )
        self.ar_mock = mock.PropertyMock(return_value=auth_ref)
        type(self.app.client_manager).auth_ref = self.ar_mock
        arglist = []
        verifylist = []
        parsed_args = self.check_parser(self.cmd, arglist, verifylist)
        self.sc_mock.get_token.return_value = \
            identity_fakes.TOKEN_WITH_PROJECT_ID
        # In base command class ShowOne in cliff, abstract method take_action()
        # returns a two-part tuple with a tuple of column names and a tuple of
        # data to be shown.
        columns, data = self.cmd.take_action(parsed_args)
        self.sc_mock.get_token.assert_called_with()
        collist = ('expires', 'id', 'project_id', 'user_id')
        self.assertEqual(collist, columns)
        datalist = (
-            identity_fakes.token_expires,
+            auth_ref.expires,
            identity_fakes.token_id,
            identity_fakes.project_id,
            identity_fakes.user_id,
@ -62,45 +63,53 @@ class TestTokenIssue(TestToken):
        self.assertEqual(datalist, data)
    def test_token_issue_with_domain_id(self):
        auth_ref = identity_fakes.fake_auth_ref(
            identity_fakes.TOKEN_WITH_DOMAIN_ID,
        )
        self.ar_mock = mock.PropertyMock(return_value=auth_ref)
        type(self.app.client_manager).auth_ref = self.ar_mock
        arglist = []
        verifylist = []
        parsed_args = self.check_parser(self.cmd, arglist, verifylist)
        self.sc_mock.get_token.return_value = \
            identity_fakes.TOKEN_WITH_DOMAIN_ID
        # In base command class ShowOne in cliff, abstract method take_action()
        # returns a two-part tuple with a tuple of column names and a tuple of
        # data to be shown.
        columns, data = self.cmd.take_action(parsed_args)
        self.sc_mock.get_token.assert_called_with()
        collist = ('domain_id', 'expires', 'id', 'user_id')
        self.assertEqual(collist, columns)
        datalist = (
            identity_fakes.domain_id,
-            identity_fakes.token_expires,
+            auth_ref.expires,
            identity_fakes.token_id,
            identity_fakes.user_id,
        )
        self.assertEqual(datalist, data)
    def test_token_issue_with_unscoped(self):
        auth_ref = identity_fakes.fake_auth_ref(
            identity_fakes.UNSCOPED_TOKEN,
        )
        self.ar_mock = mock.PropertyMock(return_value=auth_ref)
        type(self.app.client_manager).auth_ref = self.ar_mock
        arglist = []
        verifylist = []
        parsed_args = self.check_parser(self.cmd, arglist, verifylist)
        self.sc_mock.get_token.return_value = \
            identity_fakes.UNSCOPED_TOKEN
        # DisplayCommandBase.take_action() returns two tuples
        columns, data = self.cmd.take_action(parsed_args)
-        self.sc_mock.get_token.assert_called_with()
+        collist = (
-
+            'expires',
-        collist = ('expires', 'id', 'user_id')
+            'id',
            'user_id',
        )
        self.assertEqual(collist, columns)
        datalist = (
-            identity_fakes.token_expires,
+            auth_ref.expires,
            identity_fakes.token_id,
            identity_fakes.user_id,
        )
--- a/setup.cfg
+++ b/setup.cfg
@ -26,7 +26,7 @@ packages =
 console_scripts =
    openstack = openstackclient.shell:main
-keystoneclient.auth.plugin =
+keystoneauth1.plugin =
    token_endpoint = openstackclient.api.auth_plugin:TokenEndpoint
    osc_password = openstackclient.api.auth_plugin:OSCGenericPassword