Improve user authentication handling

[nonhermitian]

Description

Work to make changes inline with #540.

• Add ability to create, read, and write to local qiskitrc file.
• Auto-register providers after registering once (if so desired).
• Register via env variables.
• Register automatically via Qconfig.py if in local dir.
• Update documentation.

Summary of Changes Made

• User credentials can now be stored in the qiskitrc file in the users HOME/.qiskit folder.
• Calling register() with no arguments loads credentials from a Qconfig.py file in the cwd, the env vars QE_TOKEN, QE_URL, QE_HUB, QE_GROUP, and QE_PROJECT, then finally qiskitrc, in that order.
• Provider base classes can now be named, and providers with the same name are not registered twice.
• Can modify the qiskitrc file using store, get, and remove _credentials functions.
• IBMQ provider is automatically named ibmq, where as the Q network provider is called qnet.
• Can register both IBMQ and Q Network providers at same time.
• Can remove a provider with new unregister() function.
• Can register single provider (if many exist) by doing register(provider_name='MY_PROVIDER').
• Added requires_ci test decorator for testing registration routines that would break a local users registration.

Motivation and Context

Make the end users life easier for registering providers.

How Has This Been Tested?

Screenshots (if appropriate):

Types of changes

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause existing functionality to change)

Checklist:

• My code follows the code style of this project.
• My change requires a change to the documentation.
• I have updated the documentation accordingly.
• I have read the CONTRIBUTING document.
• I have added tests to cover my changes.
• All new and existing tests passed.

[ewinston]

Is this file only for internal use or is it meant to be edited by a user?

[nonhermitian]

Internal only.

[nonhermitian]

It holds the location of the qiskitrc file.

[nonhermitian]

Currently there is a function in the wrapper that will register any provider information found in the qiskitrc file, env variables, or a Qconfig.py file in the cwd:

load_local_credentials()

To get credentials into the qiskitrc file you must first register the information manually at set the new kwargs: store_credentials=True and auto_register=True. The first stores the info in qiskitrc while the second indicates that the user wants the registration to be done automatically at import. If auto_register=False, then the registration is done only when load_local_credentials is called.

[diego-plan9]

For the new files, can you adjust the license header so it follows the format recently introduced by #550 ?

# -*- coding: utf-8 -*-

# Copyright 2018, IBM.
#
# This source code is licensed under the Apache License, Version 2.0 found in
# the LICENSE.txt file in the root directory of this source tree.

# pylint: disable=something-only-if-there-is-no-other-way

"""
Description of the module ...
"""
from qiskit import ...

[nonhermitian]

Dropped 'make generating Qconfig.py easier' from the scope as our goal is to move away from them.

[nonhermitian]

@diego-plan9 , the online tests are not running for this PR. In order to test the API registration functions, I need to run the tests in CI only, otherwise I would kill the credentials on the users local machine.

[ajavadia]

why return all the _registered_names if nothing is passed as provider_name?
shouldn't you make the argument mandatory, since otherwise it doesn't make sense to call unregister?

[nonhermitian]

Yeah, I didn't want to make another function available_providers just to get the list to pass to unregister, so I did this. Perhaps I should just make the new function. In principle, it is possible for credentials to come from multiple locations, and they would not show up as stored credentials.

[diego-plan9]

It turned out to be a lengthy review - but the summary is that functionality-wise is looking great and covers the goals very nicely (in particular, thanks a lot for the effort in the documentation), and that with a bit more focus on the modularity and architecture aspects it will be even nicer! As a matter of fact, nearly all the comments are geared towards simplifying the implementation and "moving things around a bit" in the hopes of achieving a cleaner implementation that breaks it into finer pieces and fits better into the core - looking forward to the next round!

There is also the issue of the tests - I did not review them yet following the mention that they were a bit WIP at the moment, but I'm confident we can come up with a solution that allows them to run locally eventually.

[diego-plan9]

Nit: can we please avoid import xxx as yyy in general, for readability?

[nonhermitian]

QISKit already uses the following:

import numpy as np
import scipy.linalg as la
import scipy.sparse as sp
import scipy.sparse.csgraph as cs
import networkx as nx
from sympy import Number as N
from qiskit.qasm import _node as node
import ply.lex as lex
from . import _node as node
import ply.yacc as yacc
import matplotlib.pyplot as plt

why is my usage of the same functionality problematic?

[diego-plan9]

Again, for readability - in general they do not provide tangible benefits, but have the drawback add another level of indirection in the code, which hinders parsing the code at a glance. The examples you list are either references to other libraries (where some of them, as the numpy alias, are relatively widespread) with only three of them related to qiskit modules (and part of code that has not changed much since the beginning of the project).

[diego-plan9]

Can you add to the documentation the format of the .qiskitrc file (somewhere in the sphinx doc - I'm unsure about the best place, but as long as it is there we can move it around)?

And on that topic, can we rethink the format itself? It seems that currently it is allowing dicts and evaluating the contents back when needed, which might be not too well suited to our use case. What about simplifying it to just one value per key, as in:

[ibmq]
token=123456
url=http://foo

[somethingelse]
token=5678
url=http://bar
group=x
...

Since we don't really have much more use for the sections in the .qiskitrc currently, it would make it more straightforward when editing manually, and at the same time probably allow a cleaner and safer implementation.

[nonhermitian]

I originally did that but it is not very clean, and the minute we add other stuff to the file we run into trouble. Since we can store a dict, that seemed to be the cleanest way.

[delapuente]

It is preferable to have a default .qiskitrc file with a template discussing the options and syntax rather than forcing the user to take a look at the code.

[nonhermitian]

Again, I do not want them to see the file. I just want them to use the provided functions to register.

[diego-plan9]

Regardless of the configuration format, can we refactor this module to make it more pythonic, and simplify its usage - ideally be able to something like:

>  credentials = read_credentials_from_file()

{
   'acount1': {'token': 12345, 'url': 'http://fo'},
...
}
> credentials['account1']['token'] = 'mynewtoken'
> write_credentials_to_file(credentials)

or even go a bit further and have a proper credentials class. This way we can centralize the access to the qiskitrc file, and removing, updating, and checking credentials becomes simply modifiying the dict/class - for the intermediate functions (if needed) between reading and writing, also passing ConfigParser around would probably be a better approach than having to open and close the config file in several places.

This would also help for the environment variables case: if the function that checks for the environment variables returns the same structure, switching between them becomes simpler.

[diego-plan9]

Please note as well that the names (and the structure) used in the review as a whole are tentative - better names than the ones sketched on the comments are needed ™️

[nonhermitian]

You can already do what you are asking:

creds = get_credentials('ibmq')
creds['token'] = 'MY_NEW_TOKEN'
store_credentials(**creds, overwrite=True)

[diego-plan9]

It seems it cannot be done at the granularity level that was suggested in the comment, which was the important bit of it.

[diego-plan9]

Could you re-check if all these functions are really meant to be invoked directly by the end user? We should be careful about not adding too many things to the root qiskit namespace unless really needed.

[nonhermitian]

A good point, let me see what we really need to expose for average user.

[diego-plan9]

Can we refactor a bit this function as well, aiming for simplifying the original use case of the function (ie. the current functionality) and treat the case of a missing token in a more modularized form? Similar to:

def register(token=None, ...):
    if not token:
        token, url, hub, ... = _load_token(...)
    provider = provider(token, ...)

def _load_token(....):
    # try _load_token_from_qconfig(), _load_token_from_envs(), _load_token_from_qiskitrc()

The idea is again to try to better encapsulate the functionality and the complexity (perhaps even moving the token-finding-in-all-places functionality as a whole to the wrapper.configrc module, renaming in a more generic form).

[nonhermitian]

Yes, it can be cleaned up. I started adding functionality a bit hastily at the end.

[diego-plan9]

Would it be possible to make better use of qiskit-core/qiskit/wrapper/defaultqiskitprovider.py for keeping track of the registered backends and their names, instead of a global variable? Currently it uses a list of providers, but by extending it to a dict it seems it would simplify the handling of the providers names and split the functionality better - with the big benefit of having a single instance where that information is stored instead of global scope.

[nonhermitian]

The _settings does not keep track of the registered backends, it only is used for storing runtime variables. The backends are stored as usual, using the new Provider.name functionality to understand which are which.

[diego-plan9]

Can this variable contain a value other than ~/.qiskit/qiskitrc? In the usual spirit, if we can avoid having a global variable, other implementation would be preferred.

[nonhermitian]

It can be None. It is used not only to point to the qiskitrc file, but to tell the routines if it can not be found. It is set from None to the location of the qiskitrc file at runtime if it is there.

[diego-plan9]

Can we re-think the need for having a provider name as a required instance attribute? It seems the main reason for introducing the parameter is for helping with the changes of the implementation of register(), and by design the Base classes should ideally be as minimal as possible to avoid side effects and constraints - please see the note in IBMQProvider.

[nonhermitian]

You could, but then it would make other code more complicated as one would have to check for a provider name, or whether it even exists or not, and what to do in that case.

[delapuente]

It is preferable to keep the complexity outside the core to not increase coupling.

[nonhermitian]

What do you suggest doing if there are multiple IBMQ providers to register/unregister? I think people are fairly comfortable with the idea of a provider name.

[delapuente]

The solution depends on the specific use-case. For instance:

• If we don't allow several instances of the same provider, simply talking about them is wrong. There is no identity problem and you can always query type(provider).
• If we do allow several instances of the same provider, then they can be stored in a dictionary as @diego-plan9 suggested you: { "name": provider_instance }.

...

So, would you mind to clarify why do you need names so we can come up with the proper solution both meeting your needs and without introducing complexity?

[nonhermitian]

The whole point of the name is that we may have multiple IBMQProvider instances. It also simplifies iterating through the list of registered providers and simplifies the unregistration process.

[delapuente]

In that case, use @diego-plan9's name dictionary strategy instead. The DefaultQISKitProvider which is defined as a "meta provider" is intended to add extra functionality like the one you're suggesting. This solution would meet your API usage expectation without introducing extra complexity to the core.

[diego-plan9]

Following up on the comment in BaseProvider, I think this introduces some tiny yet undesirable side effects: in particular, makes provider_name to be effectively required when creating an IBMQProvider instance if using non-standard URLs without real benefits when using the provider directly - ie. the .name is only relevant for register() and their related functions, which compromises a bit the decoupling. It also seems that in this revision, it is possible for two instances to have the same name, which I'm not sure if it is by design and would require some clarification (ie. what is the relation between a provider and its name - always the same name, as happens with the LocalProvider, a default name but potentially dependent on the user needs, as in this one, etc?).

Instead of that - what about delegating the handling of provider names to DefaultQISKitProvider? It is arguably the purpose of that class, and it seems that by using a "dict of provider_name: Provider" there would be enough to cover the needs introduced by this PR and at the same time avoid introducing application-dependent changes in the base classes.

[nonhermitian]

The name is indeed used only to register and unregister at the moment. However, as discussed in our meeting, there could be cases where there are multiple IBMQProvider instances registered, and I need a way to address them, e.g. to unregister/register one and not the other. I demoed one such example of this.

If you can think of a better way to accomplish the same task, then I am curious to hear your suggestion.

[diego-plan9]

Very random thought: why do we want to restrict unregistering the core provider?

[nonhermitian]

Because we can not register it, and what would be the use case to remove the 'core' solvers?

[diego-plan9]

👍

[delapuente]

@nonhermitian the ideas in this PR are good and seems to simplify the registration process. Nevertheless, I don't see the point in adding name to the local and IBM Q providers. What is the use-case for that new functionality?

[delapuente]

It would be convenient to link IBM Q account with the actual URL and a complete example of how to pass these extra parameters.

[nonhermitian]

This is the same text that was there before, and is only of interest to hub members.

[delapuente]

Non-blocking although It is never late for clarifying the docs.

[delapuente]

Replace registed with registered.

[nonhermitian]

Good find.

[delapuente]

Documenting the new way of registering by providing three sections with exactly the same example can be misleading. The user can think there is an error in the example or something magic is happening behind the scenes. My recommendation is to introduce register() first saying it is an automatic method which will look for configuration in several origins according to an order, then introduce the origins in separate sections.

[nonhermitian]

Good point.

[delapuente]

This can cause security issues, let's name it more explicitly such as ssl_verification.

[nonhermitian]

That exact same text comes from the old register function.

[nonhermitian]

Again, this is just the old text.

[delapuente]

QuantumProgram instances should be agnostic of providers and so, we should not provide a default value for the provider_name parameter.

[nonhermitian]

I believe I forgot to remove this in the latest version. Will remove.

[delapuente]

Remove dead code or disable the test explicitly with unittest.skip

[nonhermitian]

True.

[delapuente]

It is preferable to have a default .qiskitrc file with a template discussing the options and syntax rather than forcing the user to take a look at the code.

[delapuente]

Actually, this is not a setting but shared state for the functions in _configrc.py. I'm not a friend of using OOP when it is not necessary, so a module works form me. This variable should be in _configrc.py as a module-level.

[nonhermitian]

I do not want the user to see the qiskitrc file at all. I want them to simply pass a token and possibly url to the store_credentials function, or register.

[delapuente]

I think this reply is misplaced but it is fair.

[delapuente]

Same here, this is related to _register.py only and so, it should live there.

[nonhermitian]

QISKIT_RC_FILE is used in several places. The other one can be moved.

[nonhermitian]

Actually REGISTER_CALLED is also used in three different modules.

[delapuente]

According to my search results of your branch, the name REGISTER_CALLED appears indeed in two different places (in addition to this file): _register.py and _wrapper.py whereas QISKIT_RC_FILE appears only in _settings.py. So, you can move QISKIT_RC_FILE there.

The problem with REGISTER_CALLED arises from the need for communicating between _wrapper.py and _register.py. This is one solution:

1. Move the registration code in _wrapper.py into another function _register_using_origin_chain. And make register function to delegate into this new function.
2. Move this function inside _register.py and adjust the imports in _wrapper.py.

Now all REGISTER_CALLED only appears in _register.py and you can turn the global variable into a module-level one inside _register.py.

[nonhermitian]

I can do this. It makes the old register function just a wrapper for one inside of _register but I am fine with that.

[nonhermitian]

Again, this is just the old text.

[delapuente]

Hi Paul,

Please, address the requested changes and clarify a couple of matters:

• The need of name so we can come up with an alternative not increasing the complexity of core classes.
• The use-case of unregister.

[delapuente]

Non-blocking although It is never late for clarifying the docs.

[delapuente]

Same here.

[nonhermitian]

1. What to do if multiple IBMQProviders are created. 2) How best to search through multiple registered providers [LocalProvider, IBMQProvider1, IBMQProvider2, ExternalProvider1,...] so that double registration can not happen, and we know which providers are loaded so that one or more may be unregistered. Unregister was requested elsewhere.

[delapuente]

The solution depends on the specific use-case. For instance:

• If we don't allow several instances of the same provider, simply talking about them is wrong. There is no identity problem and you can always query type(provider).
• If we do allow several instances of the same provider, then they can be stored in a dictionary as @diego-plan9 suggested you: { "name": provider_instance }.

...

So, would you mind to clarify why do you need names so we can come up with the proper solution both meeting your needs and without introducing complexity?

[delapuente]

I think this reply is misplaced but it is fair.

[nonhermitian]

@delapuente please fork my branch and make the stylistic changes you see fit. Also, @diego-plan9, as we were both assigned to this registration update task, please fork my branch, and make any changes you think need to be done.

[diego-plan9]

@delapuente please fork my branch and make the stylistic changes you see fit. Also, @diego-plan9, as we were both assigned to this registration update task, please fork my branch, and make any changes you think need to be done.

I'll go for it, as there are a number of issues still to be addressed. In the meantime, can you update on the current state of the tests - do you have a proposal or an implementation on how to get them back into shape?

[ajavadia]

Can we add one line to the CHANGELOG for this?

[diego-plan9]

Labeling as on hold, as mentioned in #584 .

[diego-plan9]

After discussion in private last week, I have proceeded retaking this PR and doing a bit of cleanup, as it had diverged quite a lot in regards to the recent changes (the register() changes in master were quite conflicting with the current status). For safety, I created a "backup" branch that has the same contents as this PR had just before this comment, and proceeded with squashing the ~70 at 20d12f0, which includes rebasing with current master.

In the hopes of being able to include the PR in 0.6, I went ahead and narrowed down the scope of this PR even further: the current plan is to "just" have a replacement of Qconfig.py, not supporting multiple accounts from the same provider at the moment - the idea is to have a solid and manageable foundation that supports the main use case, and in future PRs we can append more functionality and extend the support for more complex scenarios. I hope that it makes sense!

In b09e794b8b70769c5262776dffe6ac5b45f303cb some basic tests were added for the core functionality. I have taken off the on hold label and marked it again as [WIP], as there are still tweaks to the documentation to be made before completing this round of changes 🎉

[diego-plan9]

Taking the PR out of WIP, after tweaking up a bit the documentation to account for the latest changes and for the comments in the initial review .

[delapuente]

In general, it looks OK but I strongly encourage using module + class name to identify the providers.

There are some typos we should fix before merging, though.

[delapuente]

Non-blocking: it seems we are using soft wrapping so there is no need of manually breaking the lines. I think we should be consistent here.

[diego-plan9]

Actually we are not really using soft-wrapping in most of the README.md - and technically using line wrapping is more in line with the rest of the file (if I recall correctly, we did have full hard-wrapping for the file at one point in time, but lots of changes were made that resulted in the current mix). I'd love indeed to have it fully consistent one way or the other eventually, but seems out of the scope of this PR.

[delapuente]

Should we say "you don't need to do this more than once"?

[diego-plan9]

Hmm, I would expect that the reader knows that the steps in this whole section "Configure you API token" is to be done once (create account, create token, set it up, etc).

[delapuente]

I saw this explained later, it is fine.

[delapuente]

I would replace you can automatically load with QISKit will automatically load to highlight this is automatic.

[delapuente]

I think a single quotation ' is missing after PUT_YOUR_API_TOKEN_HERE. Isn't it?

[delapuente]

Can we call an identity(klass) function that encapsulates the calculus of the provider name?

[delapuente]

Can you add a blank line before the function?

[delapuente]

Non-blocking: I feel asserting on exception messages is brittle and I would prefer to provide a more specific exception class.

[delapuente]

Typo: replace overwritind with overwriting.

[delapuente]

I would break this test in several, one testing overwriting fails, another for testing failure implies no data is overwritten.

[delapuente]

Feel free to ignore this but you can simplify this pattern with:

@contextmanager
def mock_ibmq_provider():
  with patch.object(IBMQProvider, '_authenticate', return_value=None), path.object(IBMQProvider, '_discover_remote_backends', return_value={}):
    yield

[diego-plan9]

Thanks for the review, @delapuente ! I have addressed most of the concerns, focusing on the main one (the use of the full qualified name of the class as the account name) and the unusual amount of typos, leaving some of the comments for future iterations.

[delapuente]

Hi Diego, it looks great to me. Just the comment about the error but it's non-blocking. Nice work.

[delapuente]

I saw this explained later, it is fine.

[delapuente]

Non-blocking: We should not have production code depending on tests, I've opened #669 for addressing this.

[delapuente]

Should not it be a QISKitError?

[diego-plan9]

Hmm, I don't think so, since this exception raised in the test suite (actually before the tests), so the usual conventions for the qiskit module do not really apply.

[delapuente]

Agree.