yahoo-eng-team team mailing list archive
Message #20736
[Bug 1366911] Re: Nova does not ensure a valid token is available if snapshot process exceeds token lifetime
My idea is to use a trust instead of a token for the image upload. I need to
make some discovery in this direction, then I'll update the bug
description.
** Project changed: keystone => nova
** Also affects: glance
   Importance: Undecided
   Status: New
** Changed in: glance
   Assignee: (unassigned) => Nikolay Starodubtsev (starodubcevna)
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1366911
Title:
Nova does not ensure a valid token is available if snapshot process
exceeds token lifetime
Status in OpenStack Image Registry and Delivery Service (Glance):
New
Status in OpenStack Compute (Nova):
New
Bug description:
Recently we encountered the following issue due to the change in
Icehouse for the default lifetime of a token before it expires. It's
now 1 hour, while previously it was 8.
If a snapshot process takes longer than an hour, when it goes to the
next phase it will fail with a 401 Unauthorized error because it has
an invalid token.
In our specific example the following would take place:
1. User would set a snapshot to begin and a token would be associated with this request.
2. Snapshot would be created, compression time would take about 55 minutes. Enough to just push the snapshotting of this instance over the 60 minute mark.
3. Upon Image Upload ("Uploading image data for image" in the logs) Nova would then return a 401 Unauthorized error stating "This server could not verify that you are authorized to access the document you requested. Either you supplied the wrong credentials (e.g., bad password), or your browser does not understand how to supply the credentials required."
Icehouse 2014.1.2, KVM as the hypervisor.
The workaround is to specify a longer token timeout; however, this limits
the ability to set short token expirations.
A possible solution may be to get a new/refresh the token if the time
has exceeded the timeout.
To manage notifications about this bug go to:
https://bugs.launchpad.net/glance/+bug/1366911/+subscriptions
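Added example, not part of the original bug report or of Nova's code: a simulated timeline of the failure described above, next to the proposed refresh-before-upload check. The `Issuer` class, `run_snapshot`, the 5-minute margin and the 6-minute snapshot-creation time are assumptions made for illustration.

```python
from dataclasses import dataclass

TOKEN_LIFETIME = 60 * 60   # seconds; the 1-hour Icehouse default from the report

class Unauthorized(Exception):
    """Stands in for the 401 Unauthorized returned at image upload."""

@dataclass
class Token:
    expires_at: int

class Issuer:
    """Hypothetical identity service; counts tokens so refreshes are visible."""
    def __init__(self):
        self.issued = 0
    def issue(self, now):
        self.issued += 1
        return Token(expires_at=now + TOKEN_LIFETIME)

def upload_image(token, now):
    # The image service validates the token when the upload request arrives.
    if now >= token.expires_at:
        raise Unauthorized("401 Unauthorized")
    return "uploaded"

def run_snapshot(issuer, phase_seconds, refresh, margin=300):
    """Simulate a snapshot: phases run first, then the authenticated upload.

    refresh=False reuses the token from the original request (the reported
    behaviour); refresh=True re-issues it when less than `margin` seconds remain.
    """
    now = 0
    token = issuer.issue(now)             # token tied to the user's request
    for seconds in phase_seconds:         # snapshot creation, compression, ...
        now += seconds
    if refresh and token.expires_at - now < margin:
        token = issuer.issue(now)         # assumed renewable credential, e.g. a trust
    return upload_image(token, now)

# Constructed timeline: 6 min to create the snapshot, 55 min to compress it.
LONG_JOB = [6 * 60, 55 * 60]
SHORT_JOB = [2 * 60, 8 * 60]

def reported_failure():
    try:
        return run_snapshot(Issuer(), LONG_JOB, refresh=False)
    except Unauthorized as exc:
        return str(exc)

if __name__ == "__main__":
    print(reported_failure())                                # 401 Unauthorized
    print(run_snapshot(Issuer(), LONG_JOB, refresh=True))    # uploaded
```

The margin matters because the upload itself takes time: a token that is still valid when the upload starts can expire before it finishes.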