cinder backend does not support domains other than default for the service user

Bug #1930299 reported by Pavlo Shchelokovskyy
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
glance_store
Undecided
Pavlo Shchelokovskyy

Bug Description

When configuring cinder backend in glance_store there are no options to specify the user domain and the project domain the service user belongs to and where it must authenticate.

https://opendev.org/openstack/glance_store/src/commit/04e5ead7c000211a4c10104ed2bb65c9df7681ae/glance_store/_drivers/cinder.py#L54-L351

This basically relies on default settings in cinderclient's legacy HTTPClient, and does not allow setting up service users and project in a separate Keystone domain, effectively the only possibility is 'default' domain.

Unfortunately, in this mode the v3.client.Client in the cinderclient has no way to pass this domain information either (although it is present down the stack)

https://opendev.org/openstack/python-cinderclient/src/commit/38e3f6c24984d8eca02397e2810fae1481d5b958/cinderclient/client.py#L732-L755
(no kwargs are passed from v3.client.Client to HTTPClient, even while HTTPClient has those domain kwargs)

so cinder driver in glance should utilize the newer SessionClient by constructing a keystoneauth Session and Identity plugin and passing those to cinderclient instead.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to glance_store (master)
Changed in glance-store:
status: New → In Progress
Changed in glance-store:
assignee: nobody → Pavlo Shchelokovskyy (pshchelo)
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to glance_store (master)

Reviewed: https://review.opendev.org/c/openstack/glance_store/+/793826
Committed: https://opendev.org/openstack/glance_store/commit/4ea33139516250f32ba4e7d07eee0ed52352d0be
Submitter: "Zuul (22348)"
Branch: master

commit 4ea33139516250f32ba4e7d07eee0ed52352d0be
Author: Pavlo Shchelokovskyy <email address hidden>
Date: Mon May 31 13:34:19 2021 +0000

    Allow any Keystone domain for cinder store

    add two new config options for cinder store

    - cinder_store_user_domain_name
    - cinder_store_project_domain_name

    that allow to set the internal user and project to Keystone domains
    other that the 'Default' one.

    Closes-Bug: #1930299
    Change-Id: I1d6c07b6c0e7e6a4da9adabaa026f024b64bb029

Changed in glance-store:
status: In Progress → Fix Released
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to glance_store (master)

Related fix proposed to branch: master
Review: https://review.opendev.org/c/openstack/glance_store/+/799105

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/glance_store 2.6.0

This issue was fixed in the openstack/glance_store 2.6.0 release.

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers