Abuse of CONF.keymgr.encryption_auth_url in quota

Bug #1511960 reported by Arata Notsu
This bug affects 2 people
Affects | Status | Importance | Assigned to | Milestone
Cinder | In Progress | Undecided | shravya Gaddam |

Bug Description

CONF.keymgr.encryption_auth_url is used in quota code, which is not related to keymgr.

https://github.com/openstack/cinder/blob/71355fdbadb8155743350a182778fe87f0f64e8a/cinder/api/contrib/quotas.py#L183

    def _get_project(self, context, id, subtree_as_ids=False):
        """A Helper method to get the project hierarchy.
        Along with Hierachical Multitenancy, projects can be hierarchically
        organized. Therefore, we need to know the project hierarchy, if any, in
        order to do quota operations properly.
        """
        try:
            keystone = client.Client(auth_url=CONF.keymgr.encryption_auth_url, # <= this
                                     token=context.auth_token,
                                     project_id=context.project_id)
            project = keystone.projects.get(id, subtree_as_ids=subtree_as_ids)
        except exceptions.NotFound:
            msg = (_("Tenant ID: %s does not exist.") % id)
            raise webob.exc.HTTPNotFound(explanation=msg)
        return project

In addition, this usage of keystoneclient will make two requests to keystone: the first to fetch the catalog, the second to get the project. It is inefficient, especially when multiple regions and identity endpoints are listed in the catalog and keystoneclient selects one that is distant from cinder. It seems that we can pass the "endpoint" parameter instead of the "auth_url" parameter to keystoneclient so that only one request is sent to a specified (nearest) identity endpoint.

Changed in cinder:
assignee: nobody → shravya Gaddam (shravya-g90)
OpenStack Infra (hudson-openstack) wrote : Fix proposed to cinder (master)

Fix proposed to branch: master
Review: https://review.openstack.org/240679

Changed in cinder:
status: New → In Progress
shravya Gaddam (shravya-g90) wrote :

I don't think this will impact any change because this is in comments.

Please let me know.

Thanks

Arata Notsu (arata776) wrote :

I quoted the current _get_project just to explain which line has the problem; I did not mean to show a solution.

György Szombathelyi (gyurco) wrote :

Also, using a second keystone client this way ignores a lot of settings in [keystone_authtoken], like insecure for self-signed certificates, and so on.
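
An added sketch (not Cinder's code and not the change proposed in the review) of the direction raised in the report and in the comment above: take the identity endpoint and TLS settings from [keystone_authtoken] rather than [keymgr], and pass "endpoint" instead of "auth_url". It assumes the `auth_uri` and `cafile` option names in that section and keystoneclient's `endpoint`, `insecure` and `cacert` keyword arguments; the helper names and the sample configuration are constructed for illustration.

```python
import configparser

# Constructed cinder.conf fragment; hosts and paths are placeholders.
SAMPLE_CONF = """
[keymgr]
encryption_auth_url = http://keymgr.example.invalid:5000/v3

[keystone_authtoken]
auth_uri = https://identity.example.invalid:5000/v3
insecure = false
cafile = /etc/ssl/certs/example-ca.pem
"""


def identity_client_kwargs(conf_text, token, project_id):
    """Build keystoneclient kwargs from [keystone_authtoken] only (hypothetical helper)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    if not cp.has_section("keystone_authtoken"):
        raise ValueError("[keystone_authtoken] section is missing")
    sec = cp["keystone_authtoken"]
    endpoint = sec.get("auth_uri", fallback="").strip()
    if not endpoint:
        # Fail closed instead of silently borrowing an unrelated URL.
        raise ValueError("keystone_authtoken.auth_uri is not set")
    insecure = sec.getboolean("insecure", fallback=False)
    kwargs = {
        "endpoint": endpoint,  # as the report suggests, instead of auth_url
        "token": token,
        "project_id": project_id,
        "insecure": insecure,  # honour the operator's TLS choice
    }
    cafile = sec.get("cafile", fallback="").strip()
    if cafile and not insecure:
        kwargs["cacert"] = cafile  # verify against the configured CA bundle
    return kwargs


def get_project(conf_text, token, project_id, target_id, subtree_as_ids=False):
    """Hypothetical stand-in for _get_project using the kwargs above."""
    # Imported here so the kwargs builder can be checked without the library.
    from keystoneclient.v3 import client
    keystone = client.Client(
        **identity_client_kwargs(conf_text, token, project_id))
    return keystone.projects.get(target_id, subtree_as_ids=subtree_as_ids)
```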

OpenStack Infra (hudson-openstack) wrote : Change abandoned on cinder (master)

Change abandoned by Sean McGinnis on branch: master
Review: https://review.openstack.org/240679
Reason: This review is > 4 weeks without comment, and failed Jenkins the last time it was checked. We are abandoning this for now. Feel free to reactivate the review by pressing the restore button and leaving a 'recheck' comment to get fresh test results.
