Bug 1293472

Summary: [RFE][glance] Implement trust support for Glance images
Product: Red Hat OpenStack
Reporter: Sean Cohen <scohen>
Component: openstack-glance
Assignee: Cyril Roelandt <cyril>
Status: CLOSED ERRATA
QA Contact: Avi Avraham <aavraham>
Severity: medium
Docs Contact: Don Domingo <ddomingo>
Priority: medium
Version: 7.0 (Kilo)
CC: acanan, cyril, eglynn, fpercoco, jschluet, lbopf, nlevinki, pgrist, sclewis, scohen, srevivo
Target Milestone: Upstream M1
Keywords: FutureFeature, TestOnly, Triaged
Target Release: 11.0 (Ocata)
Flags: scohen: needinfo+
Hardware: Unspecified
OS: Unspecified
URL: https://blueprints.launchpad.net/glance/+spec/trust-authentication
Whiteboard: upstream_milestone_none upstream_definition_approved upstream_status_needs-code-review
Fixed In Version: openstack-glance-14.0.0-2.el7ost
Doc Type: Enhancement
Last Closed: 2017-05-17 19:25:49 UTC
Type: Bug
Bug Blocks: 1341956    

Description Sean Cohen 2015-12-21 20:13:25 UTC
Problem description

Keystone tokens have some restricted lifetime. After the user token has expired, any request initiated by Glance which needs a valid user token will fail. This causes the original user’s request to also fail, even though the token was originally valid when passed to Glance.

This spec intends to address the specific case where a token expires during image upload causing the call to the registry to set the image state ‘active’ to fail:

    User requests image-upload.
    Keystone Middleware accepts the request and passes the request to Glance.
    Glance passes all required data to glance_store.
    glance_store uploads an image but it takes a lot of time (more than token expiration time)
    Glance sends a request to registry to change image status.
    Keystone Middleware rejects the request because user token has expired.

As a result the image never transitions to ‘active’ status and so isn’t usable.

Increasing the token expiration time doesn’t seem to be a good long-term solution.

Full spec: https://specs.openstack.org/openstack/glance-specs/specs/mitaka/glance-trusts.html
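
A constructed model of the six-step failure above and of the trust-based delegation named in the bug title, added here as an illustration; it is not Glance or Keystone code. The `Keystone` class, its method names, the manual clock, the `saving` fallback status, and the create-trust-before-upload / delete-trust-after-upload ordering are assumptions of this example.

```python
from dataclasses import dataclass, field
import itertools

@dataclass
class Keystone:
    """Toy identity service with a manual clock (constructed model, not Keystone's API)."""
    ttl: int                                      # token lifetime in seconds
    now: int = 0
    tokens: dict = field(default_factory=dict)    # token -> (user, expires_at)
    trusts: dict = field(default_factory=dict)    # trust_id -> trustor user
    _ids: itertools.count = field(default_factory=itertools.count)

    def issue(self, user):
        tok = f"tok-{next(self._ids)}"
        self.tokens[tok] = (user, self.now + self.ttl)
        return tok

    def validate(self, tok):
        # What the auth middleware does on every request: reject expired tokens.
        user, exp = self.tokens.get(tok, (None, -1))
        return user if self.now < exp else None

    def create_trust(self, tok):
        # Delegation can only be set up while the user's token is still valid.
        user = self.validate(tok)
        if user is None:
            raise PermissionError("cannot create trust with an expired token")
        tid = f"trust-{next(self._ids)}"
        self.trusts[tid] = user
        return tid

    def token_from_trust(self, tid):
        return self.issue(self.trusts[tid])       # fresh token acting for the trustor

    def delete_trust(self, tid):
        self.trusts.pop(tid, None)

def upload_image(ks, user_tok, upload_seconds, use_trust):
    """Return the final image status after the six steps in the description."""
    if ks.validate(user_tok) is None:             # step 2: middleware checks the request
        return "rejected"
    trust = ks.create_trust(user_tok) if use_trust else None
    ks.now += upload_seconds                      # steps 3-4: slow glance_store upload
    tok = user_tok
    if trust and ks.validate(tok) is None:        # refresh only if the token expired
        tok = ks.token_from_trust(trust)
    status = "active" if ks.validate(tok) else "saving"   # steps 5-6: status update
    if trust:
        ks.delete_trust(trust)                    # do not leave the delegation behind
    return status
```

With a one-hour token lifetime and a two-hour upload, `upload_image(..., use_trust=False)` leaves the image in `saving`, while `use_trust=True` reaches `active` and leaves no trust registered afterwards.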

Comment 2 Mike McCune 2016-03-28 22:35:49 UTC
This bug was accidentally moved from POST to MODIFIED via an error in automation, please see mmccune with any questions

Comment 8 Avi Avraham 2017-02-13 06:48:03 UTC
Missing RPM version that includes this fix.

Comment 10 Cyril Roelandt 2017-03-20 18:07:51 UTC
@Avi: the target is 11.0 (Ocata), so I believe this should be available in 14.0.0-2.

Comment 13 errata-xmlrpc 2017-05-17 19:25:49 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2017:1245