Configuration of username for index without enabling index #12543
Labels
Comments
PeterJCLaw
added
S: needs triage
1 task
|
Is using |
I haven't found a spelling which lets this work (it was something I tried). I agree that this feels like it would be a good solution if it could work alongside keyring. For clarity: while From what I can tell, pip is able to use either Looking in the code:
Do you have any insight into why netrc and keyring are kept so separate (despite being right next to each other in the code)? |
|
No idea. |
jfly
added a commit
to jfly/pip
that referenced
this issue
Jun 5, 2024
This fixes pypa#12543 (and probably pypa#12661). Somewhat confusingly, when using using `PIP_KEYRING_PROVIDER=import`, pip was able to fetch both a username and a password from keyring, but when using `PIP_KEYRING_PROVIDER=subprocess`, it needed the username. I opted not to write a new test for this, as the existing [test_prompt_for_keyring_if_needed](https://github.com/pypa/pip/blob/86b8b23c1eaaac5c420a28519daf91de830f1182/tests/functional/test_install_config.py#L392) feels sufficient to me. TODO/need feedback: - I haven't implemented any "feature detection" to see if the `keyring` subprocess supports `--mode=creds`. This feature was added quite recently (jaraco/keyring@7830a64 landed in keyring v25.2.0). It looks like there's an older `getcreds` subcommand which we could probably feature detect as well. I personally would inclined to keep things simple and only support the latest version of the `keyring` cli, but I will gladly implement whatever y'all think is best. - Should I add a news entry about this?
jfly
added a commit
to jfly/pip
that referenced
this issue
Jun 5, 2024
This fixes pypa#12543 (and probably pypa#12661). Somewhat confusingly, when using using `PIP_KEYRING_PROVIDER=import`, pip was able to fetch both a username and a password from keyring, but when using `PIP_KEYRING_PROVIDER=subprocess`, it needed the username. I opted not to write a new test for this, as the existing [test_prompt_for_keyring_if_needed](https://github.com/pypa/pip/blob/86b8b23c1eaaac5c420a28519daf91de830f1182/tests/functional/test_install_config.py#L392) feels sufficient to me. TODO/need feedback: - I haven't implemented any "feature detection" to see if the `keyring` subprocess supports `--mode=creds`. This feature was added quite recently (jaraco/keyring@7830a64 landed in keyring v25.2.0). It looks like there's an older `getcreds` subcommand which we could probably feature detect as well. I personally would inclined to keep things simple and only support the latest version of the `keyring` cli, but I will gladly implement whatever y'all think is best. - Should I add a news entry about this?
jfly
added a commit
to jfly/pip
that referenced
this issue
Jun 5, 2024
This fixes pypa#12543 (and probably pypa#12661). Somewhat confusingly, when using using `PIP_KEYRING_PROVIDER=import`, pip was able to fetch both a username and a password from keyring, but when using `PIP_KEYRING_PROVIDER=subprocess`, it needed the username. I opted not to write a new test for this, as the existing [test_prompt_for_keyring_if_needed](https://github.com/pypa/pip/blob/86b8b23c1eaaac5c420a28519daf91de830f1182/tests/functional/test_install_config.py#L392) feels sufficient to me. TODO/need feedback: - I haven't implemented any "feature detection" to see if the `keyring` subprocess supports `--mode=creds`. This feature was added quite recently (jaraco/keyring@7830a64 landed in keyring v25.2.0). It looks like there's an older `getcreds` subcommand which we could probably feature detect as well. I personally would inclined to keep things simple and only support the latest version of the `keyring` cli, but I will gladly implement whatever y'all think is best.
This was referenced Jun 5, 2024
|
IMO, adding more configuration options feels wrong to me, as keyring does have support for retrieving both a password and a username. @PeterJCLaw, would #12748 solve your issue? |
|
Yup, #12748 definitely looks like it could help with this, thanks! Agree that's a neater solution overall too. |
jfly
added a commit
to jfly/pip
that referenced
this issue
Aug 21, 2024
This fixes pypa#12543 (and probably pypa#12661). Somewhat confusingly, when using using `PIP_KEYRING_PROVIDER=import`, pip was able to fetch both a username and a password from keyring, but when using `PIP_KEYRING_PROVIDER=subprocess`, it needed the username. I had to rework the existing tests quite a bit to fit with this new behavior, as it's now OK to ask for a username/password for an index even if you don't have a username. This is why `KeyringSubprocessResult` now subclasses `KeyringModuleV2`. While I was in here, I opted to remove the "fixtures" values from `KeyringModuleV2` by introducing this new `add_credential` contextmanager. IMO, they were hurting the readability of our tests: you had to jump around quite a bit to see what the contents of the keyring would be during our tests. It also forced all our tests to play nicely with the same fixtures values, which IMO was an unnecessary constraint. Note: per the discussion [here](pypa#12748 (comment)), I've opted not to implement any "feature detection" to see if the `keyring` subprocess supports `--mode=creds`. For the record, this feature was added in jaraco/keyring@7830a64, which landed in keyring v25.2.0.
jfly
added a commit
to jfly/pip
that referenced
this issue
Aug 21, 2024
This fixes pypa#12543. Somewhat confusingly, when using using `PIP_KEYRING_PROVIDER=import`, pip was able to fetch both a username and a password from keyring, but when using `PIP_KEYRING_PROVIDER=subprocess`, it needed the username. I had to rework the existing tests quite a bit to fit with this new behavior, as it's now OK to ask for a username/password for an index even if you don't have a username. This is why `KeyringSubprocessResult` now subclasses `KeyringModuleV2`. While I was in here, I opted to remove the "fixtures" values from `KeyringModuleV2` by introducing this new `add_credential` contextmanager. IMO, they were hurting the readability of our tests: you had to jump around quite a bit to see what the contents of the keyring would be during our tests. It also forced all our tests to play nicely with the same fixtures values, which IMO was an unnecessary constraint. Note: per the discussion [here](pypa#12748 (comment)), I've opted not to implement any "feature detection" to see if the `keyring` subprocess supports `--mode=creds`. For the record, this feature was added in jaraco/keyring@7830a64, which landed in keyring v25.2.0.
jfly
added a commit
to jfly/pip
that referenced
this issue
Aug 21, 2024
This fixes pypa#12543. Somewhat confusingly, when using using `PIP_KEYRING_PROVIDER=import`, pip was able to fetch both a username and a password from keyring, but when using `PIP_KEYRING_PROVIDER=subprocess`, it needed the username. I had to rework the existing tests quite a bit to fit with this new behavior, as it's now OK to ask for a username/password for an index even if you don't have a username. This is why `KeyringSubprocessResult` now subclasses `KeyringModuleV2`. While I was in here, I opted to remove the "fixtures" values from `KeyringModuleV2` by introducing this new `add_credential` contextmanager. IMO, they were hurting the readability of our tests: you had to jump around quite a bit to see what the contents of the keyring would be during our tests. It also forced all our tests to play nicely with the same fixtures values, which IMO was an unnecessary constraint. Note: per the discussion [here](pypa#12748 (comment)), I've opted not to implement any "feature detection" to see if the `keyring` subprocess supports `--mode=creds`. For the record, this feature was added in jaraco/keyring@7830a64, which landed in keyring v25.2.0.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
What's the problem this feature will solve?
I'm using
keyring(with Google's plugin and to access Google Artifact Registry) via subprocess, which unfortunately means that pip doesn't get back a username. Currently this also means that one of pip/keyring prompts for a username as part ofpip install --extra-index-url https://private.pypi.example/simple/.As noted in #11971, this setup currently requires that the username (
oauth2accesstoken) be included in the--extra-index-url.I would like to be able to configure what username should be used (ideally globally) for a given index, without making
pipthen also enabling that index globally.I am aware that the username can be specified in the
--extra-index-url, however that isn't fully compatible with other tools.Describe the solution you'd like
It would be great if there was a way to configure what username should be used for a given index without also telling pip to use that index everywhere.
The discussion at #11823 (comment) around a
default-key-ring-useroption feels like it would work for this case, though I don't feel strongly about that particular approach. (If we did go that way I'd suggestdefault-keyring-useras thekeyringpackage name is not hyphenated)Alternative Solutions
I'm semi working around this by setting a username in
--extra-index-url https://[email protected]/simple/, however this doesn't seem to be an expected approach and causes issues for other tools. Notably GitHub Dependabot's config for private PyPIs refuses urls which have a username in them (and in my case I actually need to use a different username for Dependabot anyway) and will thus add the non-username spelling to my requirements files. This workaround therefore only partially works.Additional context
It looks like #11827 previously discussed this as part of a wider set of changes, though I'm not clear what the status of that is.
It's clear others are hitting similar issues with subprocess keyring which this feels like it would solve -- #11971 for example.
Code of Conduct
The text was updated successfully, but these errors were encountered: