glusterfs_native: manila host TLS identity forced to be unintuitive

Bug #1496833 reported by Ramana Raja
Affects: OpenStack Shared File Systems Service (Manila)
Status: Fix Released
Importance: Medium
Assigned to: Ramana Raja
Milestone:

Bug Description

With the change https://review.openstack.org/#/c/215173/, the glusterfs_native driver mounts the GlusterFS volume on the Manila host without disabling TLS authentication. This sets the requirement for the Manila host to have TLS credentials set up to access the GlusterFS volume.

In the create_share_from_snapshot call, the share, a GlusterFS volume, that is created from a snapshot needs to retain the TLS identities (Common Names) of the GlusterFS servers and the Manila host to allow the volume to be used by the glusterfs_native driver. Presently, this is done by retaining identities that are prefixed by 'glusterfs-server'. So the Manila host is forced to be set up with a TLS certificate having a CN prefixed by 'glusterfs-server' to allow the glusterfs_native driver to create a share from a snapshot. It's not OK to set such an unintuitive constraint for the CN of the TLS certificate in the Manila host.

Ramana Raja (rraja)
Changed in manila:
assignee: nobody → Ramana Raja (rraja)
OpenStack Infra (hudson-openstack) wrote : Fix proposed to manila (master)

Fix proposed to branch: master
Review: https://review.openstack.org/224846

Changed in manila:
status: New → In Progress
Changed in manila:
milestone: none → liberty-rc1
importance: Undecided → Medium
Changed in manila:
assignee: Ramana Raja (rraja) → Valeriy Ponomaryov (vponomaryov)
Changed in manila:
assignee: Valeriy Ponomaryov (vponomaryov) → Ramana Raja (rraja)
OpenStack Infra (hudson-openstack) wrote : Fix merged to manila (master)

Reviewed: https://review.openstack.org/224846
Committed: https://git.openstack.org/cgit/openstack/manila/commit/?id=69d06d7c5f1e398a7c0a508ea08afb38c057bc94
Submitter: Jenkins
Branch: master

commit 69d06d7c5f1e398a7c0a508ea08afb38c057bc94
Author: Ramana Raja <email address hidden>
Date: Thu Sep 17 23:04:41 2015 +0530

    glusterfs_native: Hardwire Manila Host CN pattern

    Currently, the glusterfs_native driver can support
    create_share_from_snapshot API only if the Manila host's TLS
    certificate's common name(CN) is prefixed by 'glusterfs-server'. This
    constraint on the CN of the host is not acceptable. So fix this by
    hardwiring a Manila host CN pattern that allows the Manila host CN
    to have a more intuitive prefix, 'manila-host'.

    Change-Id: Ibab27da4f9b28c6e7d2ef9c175d5decf5fa67ce4
    Closes-Bug: #1496833

Changed in manila:
status: In Progress → Fix Committed
Thierry Carrez (ttx)
Changed in manila:
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in manila:
milestone: liberty-rc1 → 1.0.0
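
Added illustration (not Manila's code and not part of the original report): a sketch of the identity filtering the bug description discusses, showing why a host whose CN lacks the 'glusterfs-server' prefix loses access to a share created from a snapshot, and how a second 'manila-host' prefix changes that. Assumptions: the allow list is a comma-separated CN string as in GlusterFS's auth.ssl-allow option, the fix keeps the server prefix alongside the new one, and all function names and sample CNs are hypothetical.

```python
import re

# Constructed sample: allow list of the parent volume, in the comma-separated
# form used by GlusterFS's auth.ssl-allow option (all CNs are made up).
PARENT_ALLOW = ("glusterfs-server-01, glusterfs-server-02,"
                "manila-host-a,tenant-alice,tenant-bob")

# Prefixes named in the bug report; expressing them as regexes is an assumption.
SERVER_CN = re.compile(r"glusterfs-server")
HOST_CN = re.compile(r"manila-host")

OLD_RULE = (SERVER_CN,)            # behaviour described in the bug
NEW_RULE = (SERVER_CN, HOST_CN)    # behaviour described in the fix (assumed)


def parse_allow_list(value):
    """Split a comma-separated CN list, tolerating spaces and empty items."""
    return [cn.strip() for cn in value.split(",") if cn.strip()]


def retained_identities(allow_value, rule):
    """CNs carried from the parent volume to the share cloned from a snapshot.

    re.match anchors at the start of the string, so each pattern acts as a
    CN prefix. Tenant CNs match nothing and are dropped from the new share.
    """
    kept = []
    for cn in parse_allow_list(allow_value):
        if cn not in kept and any(p.match(cn) for p in rule):
            kept.append(cn)
    return kept


def host_locked_out(allow_value, host_cn, rule):
    """True if the host could use the parent volume but not the clone."""
    return (host_cn in parse_allow_list(allow_value)
            and host_cn not in retained_identities(allow_value, rule))


if __name__ == "__main__":
    for name, rule in (("old", OLD_RULE), ("new", NEW_RULE)):
        print(name, retained_identities(PARENT_ALLOW, rule),
              "host locked out:",
              host_locked_out(PARENT_ALLOW, "manila-host-a", rule))
```

Both rules authorize by CN prefix, so the certificate authority trusted by the GlusterFS servers should issue CNs with these prefixes only to the servers and the Manila host.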