Keyring auth stopped working since 21.1

[ffissore]

Description

PR #8687 fixed issue #8090 by changing the default value of allow_keyring from True to False
This change, combined with google "artifact registry" returning 403 when calling it without proper headers, resulted in breaking our CI pipeline

Please consider adding 403 as another accepted "auth error" HTTP status code

Expected behavior

No response

pip version

21.1

Python version

3.7.9

OS

linux

How to Reproduce

1. Get package from a private google artifact registry repo
2. Then run pip install package-name
3. Despite having everything properly configured, pip is unable to download the package

Output

No response

Code of Conduct

• I agree to follow the PSF Code of Conduct.

[sbidoul]

I'm tentatively adding this to 21.1.1 as this might be a regression.

[sbidoul]

Removing from 21.1.1 as the problem and the potential fix are not obvious and we need to get a bugfix release out soon.

@ffissore have you got feedback from Google ?

[ffissore]

Yes, they acknowledged the issue and will discuss how to handle this change in pip

[sjprice]

@ffissore & @sbidoul - as of today, this has bitten my team and I. We're keen to see resolved (either GAR or pip)!

[sjprice]

I got an update from Google, and it was marked as fixed last week:

Google has changed status code from 403 to 401 in case authentication fails which should make pip use keyring.

I would expect it to be available next week - day may vary depending on Google Cloud regions.

[looztra]

not sure it is enough. Now when I have a GAR declared in my pip.conf I get an auth prompt from the GAR.
So the keyrings.google-artifactregistry-auth has to be installed before declaring a GAR in pip.conf.
It worked previously :(

This is problematic in CI workflows, because when tox creates a new venv, if the pip.conf refers to a GAR, it cannot install dependencies as it does not have the keyrings.google-artifactregistry-auth yet.

@sjprice how did you contact "google"? By "google", do you mean the maintainers of the keyrings.google-artifactregistry-auth?

[looztra]

For the record, I found a workaround to make tox work but I think I should not have to use it:

• use a custom install_command:

[testenv]
install_command = {toxinidir}/path/to/tox_custom_install_command.sh {opts} {packages}

• tox_custom_install_command.sh content:

#!/usr/bin/env bash

PIP_CONFIG_FILE=/dev/null pip install --upgrade pip==21.1.1
PIP_CONFIG_FILE=/dev/null pip install 'keyring>=23.0.1'
PIP_CONFIG_FILE=/dev/null pip install 'keyrings.google-artifactregistry-auth>=0.0.2'
pip install "$@"

[ffissore]

I just got an update from google. They rolled out the change that makes their Artifact Registry return a 401 rather than a 403.
I tested it with the latest pip 21.1.1 and I confirm it works

[sbidoul]

Excellent news. Thanks for the follow-up, @ffissore.

Shall we then close this issue and associated PR ?

[ffissore]

At this point, I am good, but I don't know if other indexes are affected. You know more about the pip ecosystem: feel free to close both issue and PR

[sbidoul]

As we have not heard issues with other indexes, I'm going to close it, then.