[Openstack-security] [Bug 1100220] Re: Swift+Glance stops working after changing service password
Ian Cordasco
sigmavirus24 at gmail.com
Fri Jan 27 19:40:05 UTC 2017
@Brian, perhaps we should do this in Pike instead. ;-)
--
You received this bug notification because you are a member of OpenStack
Security, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1100220
Title:
Swift+Glance stops working after changing service password
Status in glance_store:
Confirmed
Status in OpenStack Security Advisory:
Won't Fix
Bug description:
Hello!
We have some trouble with glance+swift storage.
After changing password for account, used for Keystone authentication
in Glance and Swift, glance stops working with errors 500
(HTTPInternalServerError) and 401 (HTTPUnauthorized).
I investigated this issue and found that Glance stores image or
snapshot location in database (mysql or sqlite) with _full_ swift URI
with login and password.
Example:
swift+http://admin%3Aadmin:%PASSWORD%@%HOST%:5000/v2.0/glance/357a3fe7-313c-411c-b0b2-bcd6491d12a1
When we changed password in Keystone, this credentials are outdated
BUT Glance STILL USE IT for authenticating in Swift, ignoring glance-
api.conf and glance-api-paste. In result, we got HTTP500 error in
reply to any request to glance (like glance image-download) and
HTTP401 error in glance-api.log
I can find only one method to workaround this - I manually changed
this credentials in MySQL. In our situation (5 images) this way is
idiotic, but real. But what if we have 500 or 5000 images and
snapshots?
I think, glance MUST have any method to change credentials without
manual changing thousands of DB records.
To manage notifications about this bug go to:
https://bugs.launchpad.net/glance-store/+bug/1100220/+subscriptions
More information about the Openstack-security
mailing list