Mirantis OpenStack

Glance re-authentication doesn't work when auth_plugin is not specified

Series 10.0.x
Bug #1576035

Bug #1576035 reported by Kairat Kushaev on 2016-04-28

This bug affects 3 people

	Status	Importance	Assigned to	Milestone
Mirantis OpenStack	Status tracked in 10.0.x
10.0.x	Fix Committed	High	Dmitry Burmistrov	Mirantis OpenStack 10.0
9.x	Fix Released	High	Dmitry Burmistrov	Mirantis OpenStack 9.0

Bug Description

ENVIRONMENT: MOS 9.0 ISO 135
shotgun2: http://paste.openstack.org/show/492858/
STEPS TO REPRODUCE:
The steps to reproduce the bug are the following (see https://bugs.launchpad.net/mos/+bug/1566760 for more details):
1) Reduce token expiration time to 1 min or less
2) try to upload big image (4-5 Gb) through Horizon, uploading must take more than token expiration time
As an alternative you can upload big image with glance v1.
EXPECTED RESULT:
Image created
ACTUAL RESULT:
Image has "Saving" state ~2 days

The root cause of the bug is the following:
Glance uses auth credentials from keystone middleware. Re-authentication in Mitaka upstream requires auth_type to be specified in [keystone_authtoken] section, but it is empty in 9.0. It has only the following options specified: admin_user, admin_password, auth_uri, identity_uri, admin_tenant_name. If auth_type is empty then keystone middleware uses deprecated auth_plugin for authentication. Previously(in 8.0) we used admin credentials to re-authenticate but it was not considered safe in upstream. So we had to use auth plugin configurations and we need to setup auth_type=password and specify all required parameters for that plugin: auth_url, project_domain_id, project_name, user_id, password.

Tags:

Kairat Kushaev (kkushaev) on 2016-04-28

Changed in mos:
assignee:	nobody → MOS Puppet Team (mos-puppet)

Ivan Berezovskiy (iberezovskiy) on 2016-04-28

no longer affects:

mos/8.0.x

Revision history for this message

Dmitry Burmistrov (dmburmistrov) wrote on 2016-05-10:

Related patches:
* https://review.openstack.org/#/c/312966/ (fuel-library)
* https://review.openstack.org/#/c/313545/ (puppet-glance)

Revision history for this message

Dmitry Burmistrov (dmburmistrov) wrote on 2016-05-13:

patch for 9.0: https://review.openstack.org/#/c/316012/

Timur Nurlygayanov (tnurlygayanov) on 2016-05-16

tags:

added: area-glance

Revision history for this message

Timur Nurlygayanov (tnurlygayanov) wrote on 2016-05-16:

Is it complete fix for 9.0 ?

Revision history for this message

Dmitry Burmistrov (dmburmistrov) wrote on 2016-05-16:

As I see this patch should be enough. I run this patch and problem was solved (I checked only this case).
We can ask QA to make some tests. If you think so, can you ask someone to make some additional tests?

Revision history for this message

Timur Nurlygayanov (tnurlygayanov) wrote on 2016-05-16:

fix merged https://review.openstack.org/#/c/316012/
We are going to verify it.

Revision history for this message

Timur Nurlygayanov (tnurlygayanov) wrote on 2016-05-16:

Ok, we are going to verify it on this week.

summary:

- Glance re-authentication doesn't when auth_plugin is not specified
+ Glance re-authentication doesn't work when auth_plugin is not specified

Revision history for this message

Alexey Galkin (agalkin) wrote on 2016-05-20:

Verification on iso #372 (9.0-mos.all) - Invalid fix.
Shotgun report: http://paste.openstack.org/show/497853

Steps:

[on all controllers]
1. Change token expiration from 3600 to 60.
2. Restart apache2,glance-api,glance-registry.

[on client machine by UI]
1. Create new image file by command: mkfile 4G test.tmp
2. Login into horizon, and make image upload.

Excepted result:
Successfully uploaded.

Actual result:
Error with upload. Screenshot: http://i.imgur.com/wr3VDU3.png

[on slave by cli]
1. Create new image file by command: fallocate -l 4G temp.img
2. Upload into glance (use v1): glance --os-image-api-version 1 image-create --file temp.img --progress --container-format bare --disk-format qcow2

Excepted result:
Successfully uploaded.

Actual result:
Successfully uploaded. Report: http://paste.openstack.org/show/497852

Revision history for this message

Dmitry Burmistrov (dmburmistrov) wrote on 2016-05-20:

This information is not enough to work further. Please, give more details and logs.
Maybe the problem now is different (problem about "submitting form" doesn't look like glance issue).

Revision history for this message

Kairat Kushaev (kkushaev) wrote on 2016-05-20:

Dmitry,
Looks like you are right:
I have created another bug: https://bugs.launchpad.net/mos/+bug/1584070.
The problems now with swift driver for glance store. Glance splits big images to chunks but it requires token to be valid when uploading image to Swift. To fix that error we need some changes in Glance configuration. Please see the bug above.
Also cli uploading doesn't work for me as well as uploading through horizon.

When I changes conf like described in bug image uploaded successfully.

Revision history for this message

Dmitry Burmistrov (dmburmistrov) wrote on 2016-05-24:

#10

Because there work is continued in separate bug, I changed mitaka status back to "Fix Commited".

Evgeny Sikachev (esikachev) on 2016-06-14

tags:

added: on-verification

Revision history for this message

Evgeny Sikachev (esikachev) wrote on 2016-06-14:

#11

verified on iso 429, mos 9.0

tags:

removed: on-verification

Report a bug

This report contains Public information

Everyone can see this information.

Duplicates of this bug

Bug #1566760

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.