OxDEAD Unicornz

Have you ever seen so many?

OpenStack Glance Authentication and Changed Swift Password

Input data: OpenStack Icehouse, glance with swift backend. Admin username and password for swift service were changed. After this requests to download some images started to fail.

1
# glance --debug image-download <image_id> --file image_store_to --progress

returns 500 error for some image_ids and works for other.

in glance-api service log I see that for some reason previous user/password is still in use:

1
2
3
4
5
6
7
8
9
10
11
...
[glance.registry.client.v1.client]: 2014-12-31 02:49:47,235 DEBUG client.do_requ
est Registry request GET /images/<image_id> HTTP 200 r
equest id req-71062b81-963a-41c9-b6a6-3120f2f6f60b
[keystoneclient.session]: 2014-12-31 02:49:47,236 DEBUG session.request REQ: cur
l -i -X POST http://<keystone_node>:5000/v2.0/tokens -H "Content-Type
: application/json" -H "User-Agent: python-keystoneclient"
[keystoneclient.session]: 2014-12-31 02:49:47,236 DEBUG session.request REQ BODY
: {"auth": {"tenantName": "service", "passwordCredentials": {"username": "<previous_user>"
, "password": "<previous_password>"}}}
...

Was unable to find old credentials in keystone/glance/swift configuration – automation system updated configs properly.

Reason

The problem is that glance stores links to images in its database. Link is created upon image creation and never updated so if you store images in swift after changing admin username/password you need to update entries in database manually. Some images may be cached by glance and can be downloaded bypassing authentication. That is why you may recieve 500s for some images and 200s for other.

Fix/hack

Log into database (assuming MySQL backend)

1
2
use <glance_db>;
UPDATE image_locations SET value = REPLACE(value, '<old_user>:<old_password>', '<correct_user>:<correct_password>') WHERE value LIKE '%<old_user>:<old_password>%';

check if there are still entries with incorrect credentials:

1
SELECT * from image_locations WHERE value NOT LIKE '%<correct_user>:<correct_password>%';

If the list is empty or does not include links to swift you’re all set. Try to fetch image once againg.

1
# glance --debug image-download <image_id> --file image_store_to --progress

Should return 200 and fetch image to ‘image_store_to’ file.