
yahoo-eng-team team mailing list archive

[Bug 1439666] [NEW] Glance scrubber doesn't work when registry operates in trusted-auth mode

 

Public bug reported:

When glance registry is deployed in trusted-auth mode, it doesn't
authenticate[0] but populates the context based on the identity headers
sent[1]. When the context is populated it is elevated to admin context,
required for scrubber[2], based on the roles sent in identity
headers[3].

When Glance scrubber attempts to talk to registry, it needs to send the
appropriate admin role to gain admin context especially when the
registry is deployed in trusted-auth mode. Without this, scrubber will
fail with 401 every time it runs.

[0]https://github.com/openstack/glance/blob/master/etc/glance-registry-paste.ini#L13
[1]https://github.com/openstack/glance/blob/bb59c33ffcc6e1cde23c93bb25d38846e84c2cb9/glance/api/middleware/context.py#L77
[2]https://github.com/openstack/glance/blob/bb59c33ffcc6e1cde23c93bb25d38846e84c2cb9/glance/scrubber.py#L326-L328
[3]https://github.com/openstack/glance/blob/bb59c33ffcc6e1cde23c93bb25d38846e84c2cb9/glance/api/middleware/context.py#L117

** Affects: glance
     Importance: Undecided
     Assignee: Hemanth Makkapati (hemanth-makkapati)
         Status: New

** Changed in: glance
     Assignee: (unassigned) => Hemanth Makkapati (hemanth-makkapati)

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Glance.
https://bugs.launchpad.net/bugs/1439666

Title:
  Glance scrubber doesn't work when registry operates in trusted-auth
  mode

Status in OpenStack Image Registry and Delivery Service (Glance):
  New

Bug description:
  When glance registry is deployed in trusted-auth mode, it doesn't
  authenticate[0] but populates the context based on the identity
  headers sent[1]. When the context is populated it is elevated to admin
  context, required for scrubber[2], based on the roles sent in identity
  headers[3].

  When Glance scrubber attempts to talk to registry, it needs to send
  the appropriate admin role to gain admin context especially when the
  registry is deployed in trusted-auth mode. Without this, scrubber will
  fail with 401 every time it runs.

  [0]https://github.com/openstack/glance/blob/master/etc/glance-registry-paste.ini#L13
  [1]https://github.com/openstack/glance/blob/bb59c33ffcc6e1cde23c93bb25d38846e84c2cb9/glance/api/middleware/context.py#L77
  [2]https://github.com/openstack/glance/blob/bb59c33ffcc6e1cde23c93bb25d38846e84c2cb9/glance/scrubber.py#L326-L328
  [3]https://github.com/openstack/glance/blob/bb59c33ffcc6e1cde23c93bb25d38846e84c2cb9/glance/api/middleware/context.py#L117

To manage notifications about this bug go to:
https://bugs.launchpad.net/glance/+bug/1439666/+subscriptions
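
A simplified model of the header-based context population described in the report above, added here as an illustration; it is not Glance's code and not part of the bug report. The header names follow the identity-header convention used by keystonemiddleware; the function names, the `admin` role name and the sample requests are assumptions.

```python
# Simplified model, not Glance's code: context built from identity headers.
class Unauthorized(Exception):
    """Stands in for an HTTP 401 response."""


def build_context(headers, admin_role="admin", allow_anonymous=False):
    """Build a request context from identity headers alone.

    No token is validated: in this mode the service believes whatever
    identity headers the caller sends.
    """
    if headers.get("X-Identity-Status") != "Confirmed":
        if allow_anonymous:
            return {"user": None, "tenant": None, "roles": [], "is_admin": False}
        raise Unauthorized("no confirmed identity in request headers")
    roles = [r.strip().lower()
             for r in headers.get("X-Roles", "").split(",") if r.strip()]
    return {
        "user": headers.get("X-User-Id"),
        "tenant": headers.get("X-Tenant-Id"),
        "roles": roles,
        # Admin context is granted purely on the role names in the headers.
        "is_admin": admin_role.strip().lower() in roles,
    }


def outcome(headers):
    """Summarise what a caller sending these headers would get."""
    try:
        ctx = build_context(headers)
    except Unauthorized:
        return "401"
    return "admin context" if ctx["is_admin"] else "non-admin context"


# Constructed sample requests (hypothetical values).
NO_IDENTITY = {}
MEMBER_ONLY = {"X-Identity-Status": "Confirmed", "X-User-Id": "svc-scrubber",
               "X-Tenant-Id": "service", "X-Roles": "Member"}
WITH_ADMIN = {**MEMBER_ONLY, "X-Roles": "Member, Admin"}

if __name__ == "__main__":
    for name, hdrs in [("no identity headers", NO_IDENTITY),
                       ("confirmed, no admin role", MEMBER_ONLY),
                       ("confirmed, admin role", WITH_ADMIN)]:
        print(f"{name}: {outcome(hdrs)}")
```

Because nothing in this model checks a token, the admin decision is only as trustworthy as the network path the headers arrive on.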

