Keystone token expiration time too short

Can you provide logs from one of these failures? More details would also be helpful (Fuel version, how big of an image are you uploading, etc.).

Fuel 5.0.1

The environment impacted was using Swift as the backend for Glance. When an 100GB image was uploaded to Glance, it took more than an hour. Glance would stop just around the hour mark with this error:

ClientException: put_object('glance', 'xxx', ...) failure and no ability to reset contents for reupload.

On the Swift logs, the corresponding operation failed with a token authorization error. Smaller images that uploaded in less time worked just fine.

Hi, Ian.
Could you, please, attach diagnostic snapshot to this bug?

Perhaps, the description given in the comment #2 should be enough for confirmation of this bug, even if diagnostic logs snapshot cannot be provided for some reason. Please do not expire this bug as incomplete

I think this bug is Invalid for FUEL project and should be fixed in OpenStack code - there is no point in increasing token life limit as it actually does not solve the problem - Client should request token again if it expired. Otherwise we introduce major security flaw here allowing someone to steal and use a token for a long time

According to discussion with glance contributors - this is not FUEL bug, but rather swift client bug. Removing fuel project from it.

My understanding is that this is indeed some swift-related issue. Glance is not aware about internal swift communication: it just makes a single call to swift and pushes a data stream to it. At the moment when the code is made the token is valid. Its invalidation during the long request should be addressed within swift.

As i understand Glance uploads (maybe via Swift client) large files by chunks. Every new chunk it is the new connection to the Swift authenticated using token. Thus when glance trying to upload next chunk using token which already expired then authentication fails

Glance should get new token when trying to upload new chunk. As I understand, it will be implemented in the future versions of glance driver