Glance

Glance scrubber doesn't work when registry operates in trusted-auth mode

Bug #1439666 reported by Hemanth Makkapati on 2015-04-02

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	Glance	Fix Released	High	Hemanth Makkapati	Glance 11.0.0 "liberty"

Bug Description

When glance regisry is deployed in trusted-auth mode, it doesn't authenticate[0] but populates the context based on the identity headers sent[1]. When the context is populated it is elevated to admin context, required for scrubber[2], based on the roles sent in identity headers[3].

When Glance scrubber attempts to talk to registry, it needs to send the appropriate admin role to gain admin context especially when the registry is deployed in trusted-auth mode. Without this, scrubber will fail with 401 every time it runs.

[0]https://github.com/openstack/glance/blob/master/etc/glance-registry-paste.ini#L13
[1]https://github.com/openstack/glance/blob/bb59c33ffcc6e1cde23c93bb25d38846e84c2cb9/glance/api/middleware/context.py#L77
[2]https://github.com/openstack/glance/blob/bb59c33ffcc6e1cde23c93bb25d38846e84c2cb9/glance/scrubber.py#L326-L328
[3]https://github.com/openstack/glance/blob/bb59c33ffcc6e1cde23c93bb25d38846e84c2cb9/glance/api/middleware/context.py#L117

Hemanth Makkapati (hemanth-makkapati) on 2015-04-02

Changed in glance:
assignee:	nobody → Hemanth Makkapati (hemanth-makkapati)

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2015-04-02: Fix proposed to glance (master)

Fix proposed to branch: master
Review: https://review.openstack.org/170104

Changed in glance:
status:	New → In Progress

Nikhil Komawar (nikhil-komawar) on 2015-04-02

Changed in glance:
importance:	Undecided → High
tags:	added: kilo-rc-potential

Thierry Carrez (ttx) on 2015-04-30

tags:

removed: kilo-rc-potential

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2015-09-14: Fix merged to glance (master)

Reviewed: https://review.openstack.org/170104
Committed: https://git.openstack.org/cgit/openstack/glance/commit/?id=dcbf54672ccd8a197caf4041095763c00455c7dc
Submitter: Jenkins
Branch: master

commit dcbf54672ccd8a197caf4041095763c00455c7dc
Author: Hemanth Makkapati <email address hidden>
Date: Wed Apr 1 23:19:06 2015 -0400

Scrubber to communicate with trustedauth registry

    Glance scrubber needs admin context when attempting to talk to
    registry to list, update and delete images. However, when registry
    is deployed in trusted-auth mode, appropriate admin role is required
    to gain admin context on registry.

Closes-bug: #1439666

Change-Id: I5ff68ef8f30e73642889f8e4cde7ba06628cb0e5

Changed in glance:
status:	In Progress → Fix Committed

Thierry Carrez (ttx) on 2015-09-26

Changed in glance:
milestone:	none → liberty-rc1
status:	Fix Committed → Fix Released

Thierry Carrez (ttx) on 2015-10-15

Changed in glance:
milestone:	liberty-rc1 → 11.0.0

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.