add --keyring-provider flag to configure keyring-based authentication
#2592
Conversation
tdyas
changed the title
--with-extra-pip-arg flag--with-extra-pip-arg flag
|
The "./dtox.sh -e py38-pip22_3_1-integration --shard 2/2" shard failure is bitrot from 11/11 addressed here: #2595 |
With |
tests/test_pip.py
Outdated
| @@ -415,16 +415,21 @@ def test_keyring_provider( | |||
| download_dir = os.path.join(str(tmpdir), "downloads") | |||
| assert not os.path.exists(download_dir) | |||
|
|
|||
| with ENV.patch(PIP_KEYCHAIN_PROVIDER="invalid") as env, environment_as(**env): | |||
| assert "invalid" == os.environ["PIP_KEYCHAIN_PROVIDER"] | |||
| with ENV.patch(PIP_KEYRING_PROVIDER="invalid") as env, environment_as(**env): | |||
There was a problem hiding this comment.
I'm not sure if you've seen /home/jsirois/dev/pex-tool/pex/tests/integration/test_keyring_support.py, but its probably what you eventually want to amend to test the "import" + --extra-pip-requirement and "subprocess" + PATH means of hooking the keyring provider.
There was a problem hiding this comment.
Couldn't I just update that test to use the new --keyring-provider option instead of the existing --use-pip-config option? (Or paramterize the test to try both methods?)
There was a problem hiding this comment.
~the latter is exactly what I was suggesting, yes.
There was a problem hiding this comment.
Hopefully you've noticed though how tortured the very concept of a keyring provider is. There is a nasty bootstrap problem for any locked down org.
There was a problem hiding this comment.
Yeah, the whole shebang is a marvelous house of cards. The work in Pants using this support focuses on --keyring-provider=subprocess with a trampoline keyring script so Pants won't need to bootstrap keyring PyPi at all.
There was a problem hiding this comment.
Absolutely. I'll hint you 1st: how do you think Pex implements --pip-version any-not-vendored-version?
There was a problem hiding this comment.
The answer to that is fairly obvious and I'm sure you've already forehead smacked. That said, solving is thornier. I already had to deal with how to bootstrap --pip-version any-not-vendored-version here:
Lines 290 to 305 in 3361e79
The context there is using a new enough Python (3.12+) where distutils is gone from the stdlib and vendored Pip fails as a result. In that situation I had to find another way to bootstrap a specific Pip version without using vendored Pip. So, basically, iff using the current python to python -mvenv nets a venv with a Pip new enough to support --keyring-provider, the thorny bootstrap can be just the thorny problem you described, solved with --keyring-provider subprocess and some pre-arranged provider on the PATH. If not, you have an even thornier bootstrap problem than you expected.
There was a problem hiding this comment.
Following up a little more, --keyring-provider was added for Pip 23.1. Python 3.10.15 and older come with ensurepip that yield at most Pip 23.0.1; so you can only count on Python>=3.11.4 (3.11 only hit bundled Pip>=23.1 here: python/cpython#103752) for bootstrapping any --pip-version >= 23.1 with --keyring-provider being passed as part of the bootstrap process.
There was a problem hiding this comment.
I think the intended user of my Pants change will be just fine with Python >= 3.11.4. Is that enough to ensure bootstrap of a pip supporting --keyring-provider though? I assume the pip bootstrap happens with the user Python chosen by Pants and not the Pants-specific PBS Python used by scie-pants?
There was a problem hiding this comment.
I think the intended user of my Pants change will be just fine with Python >= 3.11.4. Is that enough to ensure bootstrap of a pip supporting --keyring-provider though?
Not with the code as-it-is, since the python -mvenv ... bootstrap trick is not used as aggressively as it could be. That code pointer I gave does highlight the existing mechanism though which should point the way to using it more aggressively.
In short though, knowing which version of Python you have is clearly trivial; then using that to fail fast or move forward with bootstrapping Pip via -mvenv and passing --keyring-provider after that is definitely in the realm of just putting in the work.
As I mentioned below though, I'll think on this whole situation a bit and report back. There may be some better way than either this or picking a random new Pip to vendor (then can't live without it feature with bootstrapping issue comes up in a newer Pip and surely vendoring a 3rd version is a no go, etc...).
tdyas
changed the title
--with-extra-pip-arg flag--keyring-provider flag
|
@jsirois: Would you be amenable if I submitted an upgrade of the vendored pip in Pex? Is it feasible or desirable to do so? I.e., what should I know about that solution path which I probably do not currently know? |
|
I would not. Hard rules are not breaking people and the current vendored Pip is the last version to support 2.7; so it has to stay. I'll think on a solution a bit more over the next few days and report if I can concoct anything. |
What about vendoring two versions of pip? Keep the existing vendored pip for Python 2.7 compatibility and then vendor a newer pip (with for example Pex can then (1) offer the choice of the newer vendored pip via an option and/or (2) use the newer vendored copy by default instead of the older vendored copy except where Python 2.7 is involved (in which case the existing vendored copy would be the default). Thoughts? |
I'm definitely not a fan. I thought I was going to have to do this to support Python 3.12 a year or two ago and worked up the Like I said, I'm going to think on this a bit and report back. |
|
Ok, so @tdyas, I think your particular problem is solved by existing means if you just plumb fail fast code here to reject Lines 244 to 249 in 50ff75a Line 322 in 50ff75a The bootstrap Pip will be 24.2, the version of Pip that ships with PBS Python 3.12.7. Since Pip 23.1 is the magic version sprouting I've already lightly pushed Pants to switch away from the Pex PEX to the Pex PEX scies since those scies embed psutil which makes the new AFAICT that's a basic solution that leaves open even better solutions going forward that cover more than just Pants' use case (i.e.: making this all tractable for Pex installed in a venv users too). For example, I'm much less worried about binary size with the Pex PEX scies since they are already large - dominated by the embedded CPython distribution size - and those scies might be able to embed keyring wheels in the future such that keyring comes pre-installed when Pip 1st runs. Then, at least, the default keyring providers would be ready to go. Only users of custom keyring providers would still have bootstrap issues to wrestle with. |
|
I tried the macOS/x86 SCIE. Apple really does not like unsigned binaries. Opened #2621 to discuss. |
|
@jsirois: Any advice on the CI failure at https://github.com/pex-tool/pex/actions/runs/12720783453/job/35462921525?pr=2592#step:5:5585 for |
|
Before looking deeply, is this question coming with the fact Pex generally bootstraps newer Pips using vendored Pip 20.3.4 understood / remembered from earlier conversations? |
Potentially. Then my question becomes, how do I exclude use of the option under test (i.e., |
|
1st, proof: Search that line for 20.3.4. |
So yes, it was installing the newer |
IIUC this is not a test issue to be fixed but a production issue to be fixed. Fix prod and test just works. So, in prod, that option can only be emitted for versions of Pip that support it. Presumably you're not conditionally emitting the option. That said, the fact the option is conditional means the bootstrapping Pip will not be using a keyring provider, which is an issue. I feel like we've been around this loop before? |
|
Given this test failure, seems like this test will either need a manually-bootstrapped Pip version or (most likely) just restrict to running with Pip v23.1 and higher? |
Tom, can you fill in |
Filled in. https://github.com/pex-tool/pex/actions/runs/12752942699/job/35543486671?pr=2592#step:5:1947 |
|
@tdyas I am super duper confused.
Those two are unrelated. Is one of your two links wrong? Skipping past 20 questions perhaps: And so the corresponding question makes no sense. Presumably you want to test both branches of your new code - the branch that injects the arg and the branch that does not and warns. |
Sorry will fix link after I get back from my walk to clear my head of these very code weeds. |
Good point. And that is the failing test. Will update. (I running both macOS and Linux laptops on this PR and pasted link from wrong machine.) |
|
CI tests are passing now. Marked ready for review. I added a few questions around what sort of documentation this needs to have. |
tdyas
changed the title
--keyring-provider flag--keyring-provider flag to configure keyring-based authentication
|
CI failed due to an infrastructure error in downloading. https://github.com/pex-tool/pex/actions/runs/12790796085/job/35657416561#step:5:2870 Weirdly, I don't see an option in the GitHub Actions UI for the build to retry just the failed job. |
|
Thanks @tdyas. I'm going to get a PEP-723 locking feature banged out this afternoon which will also include the release prep for 2.29.0 which will include this change. |
|
Ok, now released in 2.29.0: https://github.com/pex-tool/pex/releases/tag/v2.29.0 |
Thanks! |
Add a
--keyring-providerflag to allow Pex callers to configure Pip to use a keyring provider without the need to loosen the Pip isolated mode entirely as would be done if--use-pip-configwere passed.