Problem description
Keystone tokens have some restricted lifetime. After the user token has expired, any request initiated by Glance which needs a valid user token will fail. This causes the original user’s request to also fail, even though the token was originally valid when passed to Glance.
This this spec intends to address the specific case where a token expires during image upload causing the call to the registry to set the image state ‘active’ to fail:
User requests image-upload.
Keystone Middleware accepts the request and passes the request to Glance.
Glance passes all required data to glance_store.
glance_store uploads an image but it takes a lot of time (more than token expiration time)
Glance sends a request to registry to change image status.
Keystone Middleware rejects the request because user token has expired.
As a result the image never transitions to ‘active’ status and so isn’t usable.
Increasing the token expiration time doesn’t seem to be a good long-term solution.
Full spec: https://specs.openstack.org/openstack/glance-specs/specs/mitaka/glance-trusts.html
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory, and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.
https://access.redhat.com/errata/RHEA-2017:1245