yahoo-eng-team team mailing list archive

[Ian Cordasco <icordasc+launchpad@xxxxxxxxxx>]

Bobby, it would appear it wasn't resolved.

** Tags added: security

** Also affects: ossa
   Importance: Undecided
       Status: New

** Changed in: glance
     Assignee: (unassigned) => Ian Cordasco (icordasc)

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Glance.
https://bugs.launchpad.net/bugs/1100220

Title:
  Swift+Glance stops working after changing service password

Status in OpenStack Image Registry and Delivery Service (Glance):
  Confirmed
Status in OpenStack Security Advisories:
  New

Bug description:
  Hello!

  We have some trouble with glance+swift storage.

  After changing password for account, used for Keystone authentication
  in Glance and Swift, glance stops working with errors 500
  (HTTPInternalServerError) and 401 (HTTPUnauthorized).

  I investigated this issue and found that Glance stores image or
  snapshot location in database (mysql or sqlite) with _full_ swift URI
  with login and password.

  Example:
  swift+http://admin%3Aadmin:%PASSWORD%@%HOST%:5000/v2.0/glance/357a3fe7-313c-411c-b0b2-bcd6491d12a1

  When we changed password in Keystone, this credentials are outdated
  BUT Glance STILL USE IT for authenticating in Swift, ignoring glance-
  api.conf and glance-api-paste. In result, we got HTTP500 error in
  reply to any request to glance (like glance image-download) and
  HTTP401 error in glance-api.log

  I can find only one method to workaround this - I manually changed
  this credentials in MySQL. In our situation (5 images) this way is
  idiotic, but real. But what if we have 500 or 5000 images and
  snapshots?

  I think, glance MUST have any method to change credentials without
  manual changing thousands of DB records.

To manage notifications about this bug go to:
https://bugs.launchpad.net/glance/+bug/1100220/+subscriptions