Glance scrubber doesn't work when registry operates in trusted-auth mode

Bug #1439666 reported by Hemanth Makkapati on 2015-04-02
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Glance
High
Hemanth Makkapati

Bug Description

When glance regisry is deployed in trusted-auth mode, it doesn't authenticate[0] but populates the context based on the identity headers sent[1]. When the context is populated it is elevated to admin context, required for scrubber[2], based on the roles sent in identity headers[3].

When Glance scrubber attempts to talk to registry, it needs to send the appropriate admin role to gain admin context especially when the registry is deployed in trusted-auth mode. Without this, scrubber will fail with 401 every time it runs.

[0]https://github.com/openstack/glance/blob/master/etc/glance-registry-paste.ini#L13
[1]https://github.com/openstack/glance/blob/bb59c33ffcc6e1cde23c93bb25d38846e84c2cb9/glance/api/middleware/context.py#L77
[2]https://github.com/openstack/glance/blob/bb59c33ffcc6e1cde23c93bb25d38846e84c2cb9/glance/scrubber.py#L326-L328
[3]https://github.com/openstack/glance/blob/bb59c33ffcc6e1cde23c93bb25d38846e84c2cb9/glance/api/middleware/context.py#L117

Changed in glance:
assignee: nobody → Hemanth Makkapati (hemanth-makkapati)

Fix proposed to branch: master
Review: https://review.openstack.org/170104

Changed in glance:
status: New → In Progress
Changed in glance:
importance: Undecided → High
tags: added: kilo-rc-potential
Thierry Carrez (ttx) on 2015-04-30
tags: removed: kilo-rc-potential

Reviewed: https://review.openstack.org/170104
Committed: https://git.openstack.org/cgit/openstack/glance/commit/?id=dcbf54672ccd8a197caf4041095763c00455c7dc
Submitter: Jenkins
Branch: master

commit dcbf54672ccd8a197caf4041095763c00455c7dc
Author: Hemanth Makkapati <email address hidden>
Date: Wed Apr 1 23:19:06 2015 -0400

    Scrubber to communicate with trustedauth registry

    Glance scrubber needs admin context when attempting to talk to
    registry to list, update and delete images. However, when registry
    is deployed in trusted-auth mode, appropriate admin role is required
    to gain admin context on registry.

    Closes-bug: #1439666

    Change-Id: I5ff68ef8f30e73642889f8e4cde7ba06628cb0e5

Changed in glance:
status: In Progress → Fix Committed
Thierry Carrez (ttx) on 2015-09-26
Changed in glance:
milestone: none → liberty-rc1
status: Fix Committed → Fix Released
Thierry Carrez (ttx) on 2015-10-15
Changed in glance:
milestone: liberty-rc1 → 11.0.0
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers