config: Load additional options for v3multifactor

As the name would suggest, 'v3multifactor' uses multiple factors for authentication. As a result, we need to register the configuration options for each required auth method. If we don't do this, we won't move the required configuration options for auth out of the top level config object into the 'auth' key. This affects users who are configuring via environment variables or config options. Normally registering of configuration options is handled by the 'MultiFactor.load_from_options' [1][2] method but there doesn't appear to be a way to "register" the auth methods without actually loading the plugin. As a result, if we encounter this auth type then we need to do this registration of extra options manually. There's a probably a TODO for keystoneauth to provide a mechanism for this but I don't know what that would look like right now. [1] https://github.com/openstack/keystoneauth/blob/5.1.2/keystoneauth1/loading/_plugins/identity/v3.py#L332-L340 [2] https://github.com/openstack/keystoneauth/blob/5.1.2/keystoneauth1/loading/_plugins/identity/v3.py#L323-L329 Change-Id: I1f02133be373fa1f8facfd016586395fa2379a3e Signed-off-by: Stephen Finucane <stephenfin@redhat.com> Story: 2010661 Task: 47714
2023-03-24 15:38:06 +00:00 · 2023-03-24 15:38:06 +00:00 · dff6625fe6
commit dff6625fe6
parent 76724972cb
2 changed files with 31 additions and 1 deletions
--- a/openstack/config/loader.py
+++ b/openstack/config/loader.py
@ -933,7 +933,25 @@ class OpenStackConfig:
            # That it does not exist in keystoneauth is irrelvant- it not
            # doing what they want causes them sorrow.
            config['auth_type'] = 'admin_token'
-        return loading.get_plugin_loader(config['auth_type'])
+
+        loader = loading.get_plugin_loader(config['auth_type'])
+
+        # As the name would suggest, v3multifactor uses multiple factors for
+        # authentication. As a result, we need to register the configuration
+        # options for each required auth method. Normally, this is handled by
+        # the 'MultiFactor.load_from_options' method but there doesn't appear
+        # to be a way to "register" the auth methods without actually loading
+        # the plugin. As a result, if we encounter this auth type then we need
+        # to do this registration of extra options manually.
+        # FIXME(stephenfin): We need to provide a mechanism to extend the
+        # options in keystoneauth1.loading._plugins.identity.v3.MultiAuth
+        # without calling 'load_from_options'.
+        if config['auth_type'] == 'v3multifactor':
+            # We use '.get' since we can't be sure this key is set yet -
+            # validation happens later, in _validate_auth
+            loader._methods = config.get('auth_methods')
+
+        return loader

    def _validate_auth(self, config, loader):
        # May throw a keystoneauth1.exceptions.NoMatchingPlugin
--- a/releasenotes/notes/fix-os_auth_type-v3multifactor-049cf52573d9e00e.yaml
+++ b/releasenotes/notes/fix-os_auth_type-v3multifactor-049cf52573d9e00e.yaml
@ -0,0 +1,12 @@
+---
+fixes:
+  - |
+    It is now possible to configure ``v3multifactor`` auth type using
+    environment variables. For example:
+
+        export OS_AUTH_TYPE=v3multifactor
+        export OS_AUTH_METHODS=v3password,v3totp
+        export OS_USERNAME=admin
+        export OS_PASSWORD=password
+        export OS_PASSCODE=12345
+        openstack server list