yahoo-eng-team team mailing list archive
Message #20821
[Bug 1366911] Re: Nova does not ensure a valid token is available if snapshot process exceeds token lifetime
I think the real issue here is that the clients need to revalidate
tokens, which they don't, so in this case it's really a glanceclient
bug.
** Also affects: python-glanceclient
Importance: Undecided
Status: New
** Changed in: nova
Status: New => Invalid
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1366911
Title:
Nova does not ensure a valid token is available if snapshot process
exceeds token lifetime
Status in OpenStack Image Registry and Delivery Service (Glance):
New
Status in OpenStack Compute (Nova):
Invalid
Status in Python client library for Glance:
New
Bug description:
Recently we encountered the following issue due to the change in
Icehouse for the default lifetime of a token before it expires. It's
now 1 hour, while previously it was 8.
If a snapshot process takes longer than an hour, when it goes to the
next phase it will fail with a 401 Unauthorized error because it has
an invalid token.
In our specific example the following would take place:
1. User would set a snapshot to begin and a token would be associated with this request.
2. Snapshot would be created, compression time would take about 55 minutes. Enough to just push the snapshotting of this instance over the 60 minute mark.
3. Upon Image Upload ("Uploading image data for image" in the logs) Nova would then return a 401 Unauthorized error stating "This server could not verify that you are authorized to access the document you requested. Either you supplied the wrong credentials (e.g., bad password), or your browser does not understand how to supply the credentials required."
Icehouse 2014.1.2, KVM as the hypervisor.
The workaround is to specify a longer token timeout; however, this limits
the ability to set short token expirations.
A possible solution may be to get a new/refresh the token if the time
has exceeded the timeout.
To manage notifications about this bug go to:
https://bugs.launchpad.net/glance/+bug/1366911/+subscriptions
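The failure timeline from the bug description, replayed offline with a fake clock next to a client session that checks token expiry before each call. This is an added example, not code from Nova, Glance or python-glanceclient. `FakeIdentity`, `RevalidatingSession`, `run_snapshot`, the 5-minute refresh margin and the 10-minute snapshot-creation time are hypothetical, and the session is assumed to be able to re-authenticate on its own.

```python
from dataclasses import dataclass

TOKEN_LIFETIME = 3600  # Icehouse default from the report: 1 hour
REFRESH_MARGIN = 300   # assumption: renew when under 5 minutes remain

class Unauthorized(Exception):
    """Stands in for the HTTP 401 returned at the image upload step."""

@dataclass
class Token:
    id: str
    expires_at: float

class FakeIdentity:
    """Constructed stand-in for the identity service, driven by a fake clock."""
    def __init__(self):
        self.now = 0.0
        self.issued = 0

    def issue(self):
        self.issued += 1
        return Token(f"tok-{self.issued}", self.now + TOKEN_LIFETIME)

    def validate(self, token):
        if self.now >= token.expires_at:
            raise Unauthorized("401 Unauthorized")

class RevalidatingSession:
    """Hypothetical client session that checks expiry before every call."""
    def __init__(self, identity):
        self.identity = identity
        self.token = identity.issue()

    def call(self, action):
        if self.token.expires_at - self.identity.now < REFRESH_MARGIN:
            self.token = self.identity.issue()  # re-authenticate before the call
        self.identity.validate(self.token)
        return f"{action} ok with {self.token.id}"

def run_snapshot(identity, revalidate):
    """Token at request time, long compression, then the upload call."""
    session = RevalidatingSession(identity)
    fixed = session.token        # token associated with the original request
    identity.now += 10 * 60      # constructed: time spent creating the snapshot
    identity.now += 55 * 60      # compression time given in the report
    if revalidate:
        return session.call("upload")
    identity.validate(fixed)     # t = 65 min, token expired at 60 min
    return f"upload ok with {fixed.id}"
```
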