Bug 1284690 - [RFE] Enable Authentication for url resources
[RFE] Enable Authentication for url resources
Status: NEW
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-glance (Show other bugs)
7.0 (Kilo)
Unspecified Unspecified
low Severity low
: ---
: 13.0 (Queens)
Assigned To: Cyril Roelandt
nlevinki
: FutureFeature
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2015-11-23 17:31 EST by Eric Rich
Modified: 2017-03-15 09:29 EDT (History)
11 users (show)

See Also:
Fixed In Version:
Doc Type: Enhancement
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
scohen: needinfo+


Attachments (Terms of Use)


External Trackers
Tracker ID Priority Status Summary Last Updated
Launchpad 1518712 None None None Never

  None (edit)
Description Eric Rich 2015-11-23 17:31:00 EST
Description of problem:

This is a clone of https://bugs.launchpad.net/heat/+bug/1518712 asking that Image Resources or URI endpoints be accessible using "authentication".

Version-Release number of selected component (if applicable): 7.0/8.0


Additional info:

Only two of the images on http://docs.openstack.org/image-guide/content/ch_obtaining_images.html#cirros-images are publicly accessible.
Comment 2 Zane Bitter 2015-12-02 17:16:13 EST
Looking at the requests code, it appears to already handle reading the HTTP BasicAuth information from the URL. Can we close this as not a bug?
Comment 3 Eric Rich 2015-12-03 10:48:32 EST
I am using the following Heat template:

~~~
heat_template_version: 2014-10-16

description: A hot template for provisioning an Glance Image

parameters:

  image_name:
    type: string
    default: "Fedora23"

  container_format:
    type: string
    default: "bare"
    constraints:
      - allowed_values: [ "ami", "ari", "aki", "bare", "ova", "ovf"]

  disk_format:
    type: string
    default: "qcow2"
    constraints:
      - allowed_values: [ "ami", "ari", "aki", "vhd", "vmdk", "raw", "qcow2", "vdi", "iso" ]

  location:
    type: string
    #default: "http://erich:test@OPENSTACK.redhat.com/private/Fedora-Cloud-Base-23-20151030.x86_64.qcow2"
    #default: "http://OPENSTACK.redhat.com/private/Fedora-Cloud-Base-23-20151030.x86_64.qcow2"
    default: "https://download.fedoraproject.org/pub/fedora/linux/releases/23/Cloud/x86_64/Images/Fedora-Cloud-Base-23-20151030.x86_64.qcow2"

  public:
    type: boolean
    default: false

  protected:
    type: boolean
    default: false

  disk_min:
    type: number
    default: 0

  ram_min:
    type: number
    default: 0

resources:

  image:
    type: OS::Glance::Image
    properties:
      container_format: {get_param: container_format}
      disk_format: {get_param: disk_format}
      is_public: {get_param: public}
      location: {get_param: location}
      min_disk: {get_param: disk_min}
      min_ram: {get_param: ram_min}
      name: {get_param: image_name}
      protected: {get_param: protected}

outputs:
 image_name:
    description: Image Name
    value: { get_param: image_name}
~~~

And as an example the following httpd configuration: 

~~~
Alias "/private" "/var/www/test/"
<Directory /var/www/test/>
#<Location "/private">
    #DocumentRoot "/var/www/test/"
    AuthType Basic
    AuthName "Secure"
    AuthBasicProvider file
    AuthUserFile /etc/httpd/test_password
    Order allow,deny
    Allow from all
    Require valid-user
#</Location>
</Directory>
# htpasswd -c /etc/httpd/test_password erich
~~~

With this in place all variations of the location allow for the stack to be created (complete), however only the 3rd (the uncommented) options actually creates an image that is usable.
Comment 4 Zane Bitter 2015-12-03 11:29:57 EST
OK, this is nothing to do with Heat, which just passes the URL straight to Glance's create_image API.
Comment 5 Stephen Gordon 2016-06-09 14:52:38 EDT
Bulk update to reflect scope of Red Hat OpenStack Platform 9 and Red Hat OpenStack Platform does not include this issue (No pm_ack+).

Note You need to log in before you can comment on or make changes to this bug.