Bug 1293472 - [RFE][glance] Implement trust support for Glance images
Summary: [RFE][glance] Implement trust support for Glance images
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-glance
Version: 7.0 (Kilo)
Hardware: Unspecified
OS: Unspecified
Target Milestone: Upstream M1
: 11.0 (Ocata)
Assignee: Cyril Roelandt
QA Contact: Avi Avraham
Don Domingo
URL: https://blueprints.launchpad.net/glan...
Whiteboard: upstream_milestone_none upstream_defi...
Depends On:
Blocks: 1341956
TreeView+ depends on / blocked
Reported: 2015-12-21 20:13 UTC by Sean Cohen
Modified: 2021-06-30 01:39 UTC (History)
11 users (show)

Fixed In Version: openstack-glance-14.0.0-2.el7ost
Doc Type: Enhancement
Doc Text:
Clone Of:
Last Closed: 2017-05-17 19:25:49 UTC
Target Upstream Version:
scohen: needinfo+

Attachments (Terms of Use)

System ID Private Priority Status Summary Last Updated
OpenStack gerrit 241986 0 None None None 2016-09-14 10:30:51 UTC
Red Hat Product Errata RHEA-2017:1245 0 normal SHIPPED_LIVE Red Hat OpenStack Platform 11.0 Bug Fix and Enhancement Advisory 2017-05-17 23:01:50 UTC

Description Sean Cohen 2015-12-21 20:13:25 UTC
Problem description

Keystone tokens have some restricted lifetime. After the user token has expired, any request initiated by Glance which needs a valid user token will fail. This causes the original user’s request to also fail, even though the token was originally valid when passed to Glance.

This this spec intends to address the specific case where a token expires during image upload causing the call to the registry to set the image state ‘active’ to fail:

    User requests image-upload.
    Keystone Middleware accepts the request and passes the request to Glance.
    Glance passes all required data to glance_store.
    glance_store uploads an image but it takes a lot of time (more than token expiration time)
    Glance sends a request to registry to change image status.
    Keystone Middleware rejects the request because user token has expired.

As a result the image never transitions to ‘active’ status and so isn’t usable.

Increasing the token expiration time doesn’t seem to be a good long-term solution.

Full spec: https://specs.openstack.org/openstack/glance-specs/specs/mitaka/glance-trusts.html

Comment 2 Mike McCune 2016-03-28 22:35:49 UTC
This bug was accidentally moved from POST to MODIFIED via an error in automation, please see mmccune@redhat.com with any questions

Comment 8 Avi Avraham 2017-02-13 06:48:03 UTC
Missing RPM version that includes this fix.

Comment 10 Cyril Roelandt 2017-03-20 18:07:51 UTC
@Avi: the target is 11.0 (Ocata), so I believe this should be available in 14.0.0-2.

Comment 13 errata-xmlrpc 2017-05-17 19:25:49 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.


Note You need to log in before you can comment on or make changes to this bug.