OpenStack-Ansible

Default Values Do Not Allow Image Uploads to Glance from Horizon

Bug #1747684 reported by Tim Way
12
This bug affects 2 people
Affects Status Importance Assigned to Milestone
OpenStack-Ansible
Fix Released
Medium
Kevin Carter

Bug Description

Focus is on usability, by default in a stable/pike cloud taken with minimal knowledge of openstack-ansible and openstack the user isn't allowed to upload images to Glance from Horizon.

I run stable/pike of openstack-ansible but I don't think this is fixed in Master either.

Default Values:
horizon_images_upload_mode: 'direct'
glance_show_multiple_locations: False
No CORS override in GLANCE

Changes I made:
glance_show_multiple_locations: True
Add ORIGIN to CORS:
# Please define external_horizon_fqdn below
#external_horizon_fqdn:

cors_overrides:
  cors:
    # LP bug 1680062
    allow_headers: origin,content-md5,x-image-meta-checksum,x-storage-token,accept-encoding,x-auth-token,x-identity-status,x-roles,x-service-catalog,x-user-id,x-tenant-id,x-openstack-request-id
    # if you don't define external_horizon_fqdn, this will default to any ip, which is insecure.
    allowed_origin: "{{ external_horizon_fqdn | default('*') }}"
    allow_methods: "GET,POST,PUT,PATCH,DELETE"

## Glance
glance_glance_api_conf_overrides: "{{ cors_overrides }}"
glance_show_multiple_locations: True

## Horizon
horizon_images_upload_mode: 'direct'
# Skip verification of SSL certs (Set to True when using self-signed certs)
horizon_ssl_no_verify: True

The horizon_ssl_no_verify: True was required for me because I used self-signed certs. It'd be nice if we can detect if self-signed certs were gen'd and toggle that to True. Only needed for this bug in the case of glance-api using self-signed certs but if self-signed certs are used for the other api's it may be best to toggle this.

From Freenode #openstack-glance.
<me>
hey, running stable/pike from openstack-ansible ... in glance i have show_multiple_locations = False and i have policy.json configured for "" for (delete, get, set)_image_location and i get 403 Forbidden: It's not allowed to add locations if locations are invisible. (HTTP 403) ... if i set show_image_location to True it all works but it get a log message about deprecation ... at point does show_image_location go away and defer to rbac?
<rosmaita>
idlemind show_multiple_locations will not go away for queens, there are some complications making it difficult to remove that setting and use rbac only ... we plan to come up with a solution during the Rocky planning sessions at the PTG in Dublin at the end of february

So based on the comment from rosmaita this won't be fixed until Rocky. Fixed being relying on RBAC which is configured correctly in policy.json. At which point we could drop glance_show_multiple_locations = True.

Possible Solutions:

glance_show_multiple_locations: {{ horizon_image_upload_mode == 'direct' }}
horizon_ssl_no_verify: {{ <True if Self-Signed Certs Are Used, Self-Signed Certs are the Default, so Default this to True???> }}
Include the CORS blob at least for openstack-ansible stable/pike

See original description
Tim Way (tim.way)
description: updated
description: updated
Revision history for this message
Tim Way (tim.way) wrote :

Similar discussion in https://bugs.launchpad.net/openstack-ansible/+bug/1730722

Not as detailed of a fix and suggests setting the upload_mode to 'remote' which I'm thinking causes it to actually default to 'legacy'

description: updated
description: updated
Tim Way (tim.way)
description: updated
Revision history for this message
Jean-Philippe Evrard (jean-philippe-evrard) wrote :

Could you please have a look at today's bug triage meeting conversation for workarounds and ideas on how to fix it in our code.

Thank you.

Changed in openstack-ansible:
status: New → Confirmed
importance: Undecided → Medium
Revision history for this message
Tim Way (tim.way) wrote :

Discussion from the IRC Bug Triage meeting.

glance_show_multiple_locations: {{ horizon_image_upload_mode == 'direct' }} should be the easiest one to change. We default to direct and therefore should have this set to true for those cases.

The external URL should continue to be displayed and used in Horizon. By default most users will at least start with self-signed certificates generated during their first deployments. In those cases openstack-ansible manages to generate those certificates so we should be able to toggle horizon_ssl_no_verify accurately. This would complete a partial fix for the bug.

The CORS override would require additional input from the community on how to implement that block of code.

Revision history for this message
Tim Way (tim.way) wrote :

http://eavesdrop.openstack.org/meetings/openstack_ansible_meeting/2018/openstack_ansible_meeting.2018-02-20-16.04.log.html

^^ Link to the IRC ChatLog directly

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to openstack-ansible (master)

Fix proposed to branch: master
Review: https://review.openstack.org/565961

Changed in openstack-ansible:
assignee: nobody → Kevin Carter (kevin-carter)
status: Confirmed → In Progress
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to openstack-ansible (master)

Reviewed: https://review.openstack.org/565961
Committed: https://git.openstack.org/cgit/openstack/openstack-ansible/commit/?id=01d3912af4b22cb22eabbf4d9d97df4b709fdb80
Submitter: Zuul
Branch: master

commit 01d3912af4b22cb22eabbf4d9d97df4b709fdb80
Author: Kevin Carter <email address hidden>
Date: Thu May 3 00:44:04 2018 -0500

    Configure cors for glance for additional usability

    In order to enable image uploads in horizon we need to configure several
    things in glance, namely cors. This change implements default overrides
    allowing the system to provide for direct image uploads through horizon
    which will greatly improve our usability, especially for new users.

    Change-Id: I19f4027dd30b0ba22cbb195c676802ce908d3e8f
    Closes-Bug: #1747684
    Signed-off-by: Kevin Carter <email address hidden>

Changed in openstack-ansible:
status: In Progress → Fix Released
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to openstack-ansible (stable/queens)

Fix proposed to branch: stable/queens
Review: https://review.openstack.org/567264

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to openstack-ansible (stable/queens)

Reviewed: https://review.openstack.org/567264
Committed: https://git.openstack.org/cgit/openstack/openstack-ansible/commit/?id=54874018ec48acbd459fab5e09b77994b0c177fc
Submitter: Zuul
Branch: stable/queens

commit 54874018ec48acbd459fab5e09b77994b0c177fc
Author: Kevin Carter <email address hidden>
Date: Thu May 3 00:44:04 2018 -0500

    Configure cors for glance for additional usability

    In order to enable image uploads in horizon we need to configure several
    things in glance, namely cors. This change implements default overrides
    allowing the system to provide for direct image uploads through horizon
    which will greatly improve our usability, especially for new users.

    Change-Id: I19f4027dd30b0ba22cbb195c676802ce908d3e8f
    Closes-Bug: #1747684
    Signed-off-by: Kevin Carter <email address hidden>
    (cherry picked from commit 01d3912af4b22cb22eabbf4d9d97df4b709fdb80)

tags: added: in-stable-queens
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/openstack-ansible 18.0.0.0b2

This issue was fixed in the openstack/openstack-ansible 18.0.0.0b2 development milestone.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/openstack-ansible 17.0.5

This issue was fixed in the openstack/openstack-ansible 17.0.5 release.

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.