Open Stack

Someone needs to pick this work up
https://review.openstack.org/#/c/103981/ . I'm running low on cycles at
this point so, any effort here would be appreciated.

-- 
You received this bug notification because you are a member of OpenStack
Security Group, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1100220

Title:
  Swift+Glance stops working after changing service password

Status in OpenStack Glance backend store-drivers library (glance_store):
  Confirmed
Status in OpenStack Security Advisories:
  New

Bug description:
  Hello!

  We have some trouble with glance+swift storage.

  After changing password for account, used for Keystone authentication
  in Glance and Swift, glance stops working with errors 500
  (HTTPInternalServerError) and 401 (HTTPUnauthorized).

  I investigated this issue and found that Glance stores image or
  snapshot location in database (mysql or sqlite) with _full_ swift URI
  with login and password.

  Example:
  swift+http://admin%3Aadmin:%PASSWORD%@%HOST%:5000/v2.0/glance/357a3fe7-313c-411c-b0b2-bcd6491d12a1

  When we changed password in Keystone, this credentials are outdated
  BUT Glance STILL USE IT for authenticating in Swift, ignoring glance-
  api.conf and glance-api-paste. In result, we got HTTP500 error in
  reply to any request to glance (like glance image-download) and
  HTTP401 error in glance-api.log

  I can find only one method to workaround this - I manually changed
  this credentials in MySQL. In our situation (5 images) this way is
  idiotic, but real. But what if we have 500 or 5000 images and
  snapshots?

  I think, glance MUST have any method to change credentials without
  manual changing thousands of DB records.

To manage notifications about this bug go to:
https://bugs.launchpad.net/glance-store/+bug/1100220/+subscriptions