1293472 – [RFE][glance] Implement trust support for Glance images

Bug 1293472 - [RFE][glance] Implement trust support for Glance images [NEEDINFO]

Summary: [RFE][glance] Implement trust support for Glance images

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat OpenStack
Classification:	Red Hat
Component:	openstack-glance
Sub Component:
Version:	7.0 (Kilo)
Hardware:	Unspecified
OS:	Unspecified
Priority:	medium
Severity:	medium
Target Milestone:	Upstream M1
Target Release:	11.0 (Ocata)
Assignee:	Cyril Roelandt
QA Contact:	Avi Avraham
Docs Contact:	Don Domingo
URL:	https://blueprints.launchpad.net/glan...
Whiteboard:	upstream_milestone_none upstream_defi...
Depends On:
Blocks:	1341956
TreeView+	depends on / blocked

Reported:	2015-12-21 20:13 UTC by Sean Cohen
Modified:	2017-05-17 19:25 UTC (History)
CC List:	11 users (show)
Fixed In Version:	openstack-glance-14.0.0-2.el7ost
Doc Type:	Enhancement
Doc Text:
Clone Of:
Environment:
Last Closed:	2017-05-17 19:25:49 UTC
Flags:	scohen: needinfo+ lbopf: needinfo? (cyril)

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Links
System	ID	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHEA-2017:1245	normal	SHIPPED_LIVE	Red Hat OpenStack Platform 11.0 Bug Fix and Enhancement Advisory	2017-05-17 23:01:50 UTC
OpenStack gerrit	241986	None	None	None	2016-09-14 10:30:51 UTC

Description Sean Cohen 2015-12-21 20:13:25 UTC

Problem description

Keystone tokens have some restricted lifetime. After the user token has expired, any request initiated by Glance which needs a valid user token will fail. This causes the original user’s request to also fail, even though the token was originally valid when passed to Glance.

This this spec intends to address the specific case where a token expires during image upload causing the call to the registry to set the image state ‘active’ to fail:

    User requests image-upload.
    Keystone Middleware accepts the request and passes the request to Glance.
    Glance passes all required data to glance_store.
    glance_store uploads an image but it takes a lot of time (more than token expiration time)
    Glance sends a request to registry to change image status.
    Keystone Middleware rejects the request because user token has expired.

As a result the image never transitions to ‘active’ status and so isn’t usable.

Increasing the token expiration time doesn’t seem to be a good long-term solution.

Full spec: https://specs.openstack.org/openstack/glance-specs/specs/mitaka/glance-trusts.html

Comment 2 Mike McCune 2016-03-28 22:35:49 UTC

This bug was accidentally moved from POST to MODIFIED via an error in automation, please see mmccune@redhat.com with any questions

Comment 8 Avi Avraham 2017-02-13 06:48:03 UTC

Missing RPM version that includes this fix.

Comment 10 Cyril Roelandt 2017-03-20 18:07:51 UTC

@Avi: the target is 11.0 (Ocata), so I believe this should be available in 14.0.0-2.

Comment 13 errata-xmlrpc 2017-05-17 19:25:49 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2017:1245

Note You need to log in before you can comment on or make changes to this bug.