-
Notifications
You must be signed in to change notification settings - Fork 3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Configuration of username for index without enabling index #12543
Comments
Is using |
I haven't found a spelling which lets this work (it was something I tried). I agree that this feels like it would be a good solution if it could work alongside keyring. For clarity: while From what I can tell, pip is able to use either Looking in the code:
Do you have any insight into why netrc and keyring are kept so separate (despite being right next to each other in the code)? |
No idea. |
This fixes pypa#12543 (and probably pypa#12661). Somewhat confusingly, when using using `PIP_KEYRING_PROVIDER=import`, pip was able to fetch both a username and a password from keyring, but when using `PIP_KEYRING_PROVIDER=subprocess`, it needed the username. I opted not to write a new test for this, as the existing [test_prompt_for_keyring_if_needed](https://github.com/pypa/pip/blob/86b8b23c1eaaac5c420a28519daf91de830f1182/tests/functional/test_install_config.py#L392) feels sufficient to me. TODO/need feedback: - I haven't implemented any "feature detection" to see if the `keyring` subprocess supports `--mode=creds`. This feature was added quite recently (jaraco/keyring@7830a64 landed in keyring v25.2.0). It looks like there's an older `getcreds` subcommand which we could probably feature detect as well. I personally would inclined to keep things simple and only support the latest version of the `keyring` cli, but I will gladly implement whatever y'all think is best. - Should I add a news entry about this?
This fixes pypa#12543 (and probably pypa#12661). Somewhat confusingly, when using using `PIP_KEYRING_PROVIDER=import`, pip was able to fetch both a username and a password from keyring, but when using `PIP_KEYRING_PROVIDER=subprocess`, it needed the username. I opted not to write a new test for this, as the existing [test_prompt_for_keyring_if_needed](https://github.com/pypa/pip/blob/86b8b23c1eaaac5c420a28519daf91de830f1182/tests/functional/test_install_config.py#L392) feels sufficient to me. TODO/need feedback: - I haven't implemented any "feature detection" to see if the `keyring` subprocess supports `--mode=creds`. This feature was added quite recently (jaraco/keyring@7830a64 landed in keyring v25.2.0). It looks like there's an older `getcreds` subcommand which we could probably feature detect as well. I personally would inclined to keep things simple and only support the latest version of the `keyring` cli, but I will gladly implement whatever y'all think is best. - Should I add a news entry about this?
This fixes pypa#12543 (and probably pypa#12661). Somewhat confusingly, when using using `PIP_KEYRING_PROVIDER=import`, pip was able to fetch both a username and a password from keyring, but when using `PIP_KEYRING_PROVIDER=subprocess`, it needed the username. I opted not to write a new test for this, as the existing [test_prompt_for_keyring_if_needed](https://github.com/pypa/pip/blob/86b8b23c1eaaac5c420a28519daf91de830f1182/tests/functional/test_install_config.py#L392) feels sufficient to me. TODO/need feedback: - I haven't implemented any "feature detection" to see if the `keyring` subprocess supports `--mode=creds`. This feature was added quite recently (jaraco/keyring@7830a64 landed in keyring v25.2.0). It looks like there's an older `getcreds` subcommand which we could probably feature detect as well. I personally would inclined to keep things simple and only support the latest version of the `keyring` cli, but I will gladly implement whatever y'all think is best.
IMO, adding more configuration options feels wrong to me, as keyring does have support for retrieving both a password and a username. @PeterJCLaw, would #12748 solve your issue? |
Yup, #12748 definitely looks like it could help with this, thanks! Agree that's a neater solution overall too. |
This fixes pypa#12543 (and probably pypa#12661). Somewhat confusingly, when using using `PIP_KEYRING_PROVIDER=import`, pip was able to fetch both a username and a password from keyring, but when using `PIP_KEYRING_PROVIDER=subprocess`, it needed the username. I had to rework the existing tests quite a bit to fit with this new behavior, as it's now OK to ask for a username/password for an index even if you don't have a username. This is why `KeyringSubprocessResult` now subclasses `KeyringModuleV2`. While I was in here, I opted to remove the "fixtures" values from `KeyringModuleV2` by introducing this new `add_credential` contextmanager. IMO, they were hurting the readability of our tests: you had to jump around quite a bit to see what the contents of the keyring would be during our tests. It also forced all our tests to play nicely with the same fixtures values, which IMO was an unnecessary constraint. Note: per the discussion [here](pypa#12748 (comment)), I've opted not to implement any "feature detection" to see if the `keyring` subprocess supports `--mode=creds`. For the record, this feature was added in jaraco/keyring@7830a64, which landed in keyring v25.2.0.
This fixes pypa#12543. Somewhat confusingly, when using using `PIP_KEYRING_PROVIDER=import`, pip was able to fetch both a username and a password from keyring, but when using `PIP_KEYRING_PROVIDER=subprocess`, it needed the username. I had to rework the existing tests quite a bit to fit with this new behavior, as it's now OK to ask for a username/password for an index even if you don't have a username. This is why `KeyringSubprocessResult` now subclasses `KeyringModuleV2`. While I was in here, I opted to remove the "fixtures" values from `KeyringModuleV2` by introducing this new `add_credential` contextmanager. IMO, they were hurting the readability of our tests: you had to jump around quite a bit to see what the contents of the keyring would be during our tests. It also forced all our tests to play nicely with the same fixtures values, which IMO was an unnecessary constraint. Note: per the discussion [here](pypa#12748 (comment)), I've opted not to implement any "feature detection" to see if the `keyring` subprocess supports `--mode=creds`. For the record, this feature was added in jaraco/keyring@7830a64, which landed in keyring v25.2.0.
This fixes pypa#12543. Somewhat confusingly, when using using `PIP_KEYRING_PROVIDER=import`, pip was able to fetch both a username and a password from keyring, but when using `PIP_KEYRING_PROVIDER=subprocess`, it needed the username. I had to rework the existing tests quite a bit to fit with this new behavior, as it's now OK to ask for a username/password for an index even if you don't have a username. This is why `KeyringSubprocessResult` now subclasses `KeyringModuleV2`. While I was in here, I opted to remove the "fixtures" values from `KeyringModuleV2` by introducing this new `add_credential` contextmanager. IMO, they were hurting the readability of our tests: you had to jump around quite a bit to see what the contents of the keyring would be during our tests. It also forced all our tests to play nicely with the same fixtures values, which IMO was an unnecessary constraint. Note: per the discussion [here](pypa#12748 (comment)), I've opted not to implement any "feature detection" to see if the `keyring` subprocess supports `--mode=creds`. For the record, this feature was added in jaraco/keyring@7830a64, which landed in keyring v25.2.0.
What's the problem this feature will solve?
I'm using
keyring
(with Google's plugin and to access Google Artifact Registry) via subprocess, which unfortunately means that pip doesn't get back a username. Currently this also means that one of pip/keyring prompts for a username as part ofpip install --extra-index-url https://private.pypi.example/simple/
.As noted in #11971, this setup currently requires that the username (
oauth2accesstoken
) be included in the--extra-index-url
.I would like to be able to configure what username should be used (ideally globally) for a given index, without making
pip
then also enabling that index globally.I am aware that the username can be specified in the
--extra-index-url
, however that isn't fully compatible with other tools.Describe the solution you'd like
It would be great if there was a way to configure what username should be used for a given index without also telling pip to use that index everywhere.
The discussion at #11823 (comment) around a
default-key-ring-user
option feels like it would work for this case, though I don't feel strongly about that particular approach. (If we did go that way I'd suggestdefault-keyring-user
as thekeyring
package name is not hyphenated)Alternative Solutions
I'm semi working around this by setting a username in
--extra-index-url https://username@private.pypi.example/simple/
, however this doesn't seem to be an expected approach and causes issues for other tools. Notably GitHub Dependabot's config for private PyPIs refuses urls which have a username in them (and in my case I actually need to use a different username for Dependabot anyway) and will thus add the non-username spelling to my requirements files. This workaround therefore only partially works.Additional context
It looks like #11827 previously discussed this as part of a wider set of changes, though I'm not clear what the status of that is.
It's clear others are hitting similar issues with subprocess keyring which this feels like it would solve -- #11971 for example.
Code of Conduct
The text was updated successfully, but these errors were encountered: