[Openstack-security] [Bug 1100220] Re: Swift+Glance stops working after changing service password

Stuart McLaren 1100220 at bugs.launchpad.net
Thu Mar 26 09:59:02 UTC 2015


You can configure credentials in a different way which avoids the
password being stored in the database (even for the single tenant swift
store).

This can be done via the glance-swift.conf file, eg:

https://github.com/openstack/glance/blob/master/etc/glance-swift.conf.sample

When you do this, the 'reference' is stored in the database rather than the credentials.
The current username/password are swapped in when required.

I think this means you can do a 'rolling' password change by using two
users in the same tenant. While changing password some glance nodes will
have tenantX:user1 (valid) and some nodes will have tenantX:user2 (also
valid). (Though I haven't tested that).

Should we consider moving to this as the default configuration?

(There is no solution to the previously existing entries with passwords
- but I would see that as a different bug.)

https://bugs.launchpad.net/bugs/1100220

Title:
  Swift+Glance stops working after changing service password

Status in OpenStack Glance backend store-drivers library (glance_store):
  Confirmed
Status in OpenStack Security Advisories:
  New

Bug description:
  Hello!

  We have some trouble with glance+swift storage.

  After changing the password for the account used for Keystone
  authentication in Glance and Swift, Glance stops working with errors 500
  (HTTPInternalServerError) and 401 (HTTPUnauthorized).

  I investigated this issue and found that Glance stores the image or
  snapshot location in the database (MySQL or SQLite) as the _full_ Swift
  URI, including login and password.

  Example:
  swift+http://admin%3Aadmin:%PASSWORD%@%HOST%:5000/v2.0/glance/357a3fe7-313c-411c-b0b2-bcd6491d12a1

  When we changed the password in Keystone, these credentials became
  outdated, BUT Glance STILL USES THEM for authenticating to Swift,
  ignoring glance-api.conf and glance-api-paste. As a result, we get an
  HTTP 500 error in reply to any request to Glance (like glance
  image-download) and an HTTP 401 error in glance-api.log.

  I could find only one method to work around this: I manually changed
  these credentials in MySQL. In our situation (5 images) this way is
  idiotic, but real. But what if we had 500 or 5000 images and
  snapshots?

  I think Glance MUST have some method to change credentials without
  manually changing thousands of DB records.

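As an added example (not code from this bug thread, from Glance or from glance_store), a small Python audit over a constructed dump of Glance image locations: it separates records that embed Swift credentials in the URI, the form the bug report shows, from records that hold a glance-swift.conf reference, the form the reply describes, and redacts passwords before a location is logged. The swift+config://<reference>/<container>/<object> layout, the host names and the passwords are assumed sample values.

```python
"""Audit Glance image locations for embedded Swift credentials.

Constructed example, not from the bug thread or the Glance code base.
Assumed URI layouts (sample values only):
  swift+http(s)://<tenant%3Auser>:<password>@<auth-host>:<port>/<auth-path>/<container>/<object>
  swift+config://<reference>/<container>/<object>   (reference resolved via glance-swift.conf)
"""
from urllib.parse import urlsplit, unquote

# Constructed sample of what a dump of the image_locations table might hold.
SAMPLE_LOCATIONS = [
    "swift+http://glance%3Aglance:OLD-PASSWORD@keystone.example.org:5000/v2.0/glance/357a3fe7-313c-411c-b0b2-bcd6491d12a1",
    "swift+https://glance%3Asvc2:ANOTHER-PASSWORD@keystone.example.org:5000/v2.0/glance/0f2c9b1e-aaaa-bbbb-cccc-1234567890ab",
    "swift+config://ref1/glance/9a7d5c3e-1111-2222-3333-444455556666",
    "file:///var/lib/glance/images/deadbeef-0000-1111-2222-333344445555",
]


def classify_location(location):
    """Describe one location URI; the password itself is never returned."""
    parts = urlsplit(location)
    if parts.scheme == "swift+config":
        container, _, obj = parts.path.strip("/").partition("/")
        return {"kind": "reference", "reference": parts.netloc,
                "container": container, "object": obj}
    if parts.scheme in ("swift", "swift+http", "swift+https") and parts.password is not None:
        # userinfo is percent-encoded "tenant:user" followed by ":password"
        tenant, _, user = unquote(parts.username or "").partition(":")
        container, obj = parts.path.rsplit("/", 2)[-2:]
        return {"kind": "embedded_credentials", "tenant": tenant, "user": user,
                "auth_host": parts.hostname, "container": container, "object": obj}
    return {"kind": "other", "scheme": parts.scheme}


def redact_location(location):
    """Replace an embedded password with '***' so the URI can be logged safely."""
    parts = urlsplit(location)
    if parts.password is None:
        return location
    netloc = parts.netloc.replace(":" + parts.password + "@", ":***@", 1)
    return parts._replace(netloc=netloc).geturl()


def audit(locations):
    """Count records by kind and collect the (tenant, user) pairs that a
    password change would break; these are the rows needing migration."""
    report = {"embedded_credentials": 0, "reference": 0, "other": 0, "accounts": set()}
    for loc in locations:
        info = classify_location(loc)
        report[info["kind"]] += 1
        if info["kind"] == "embedded_credentials":
            report["accounts"].add((info["tenant"], info["user"]))
    return report
```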
