Enable Authentication for url resources

Bug #1518712 reported by SFERich
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| Glance | New | Wishlist | Unassigned | |

Bug Description

Feature Enhancement.

In https://github.com/openstack/heat/blob/master/heat/common/urlfetch.py, URL resources cannot be collected from sources where authentication is required.

Adding auth=(user, password) to the requests (from http://docs.python-requests.org/en/latest/user/authentication/) would allow resources to be collected from secured resources.

Tags: feature
Zane Bitter (zaneb) wrote :

If requests doesn't correctly handle an HTTP BasicAuth username/password in the URL, that sounds like a missing feature (or even a bug) in requests to me. But AFAICT it does:

https://github.com/kennethreitz/requests/blob/master/requests/models.py#L476

Have you actually tried this?

Changed in heat:
status: New → Incomplete
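
What "handling a username/password in the URL" amounts to on the client side, as an added stdlib-only example that is not part of this bug thread and is not code from requests, Heat or Glance: the userinfo is stripped from the URL and sent as an `Authorization: Basic` header, and the stripped URL is the one that is safe to log or store. The function names and the sample URL are hypothetical and constructed for illustration.

```python
import base64
from urllib.parse import urlsplit, urlunsplit, unquote


def split_url_credentials(url):
    """Return (url_without_userinfo, (user, password) or None)."""
    parts = urlsplit(url)
    if parts.username is None:
        return url, None
    # Rebuild the netloc from host and port only, dropping "user:pass@".
    host = parts.hostname or ""
    if ":" in host:  # an IPv6 literal needs its brackets back
        host = "[" + host + "]"
    netloc = host if parts.port is None else "%s:%d" % (host, parts.port)
    clean = urlunsplit((parts.scheme, netloc, parts.path,
                        parts.query, parts.fragment))
    # Userinfo is percent-encoded inside a URL; decode it before use.
    user = unquote(parts.username)
    password = unquote(parts.password or "")
    return clean, (user, password)


def basic_auth_header(user, password):
    """Build the Authorization header value for HTTP Basic auth."""
    token = base64.b64encode(("%s:%s" % (user, password)).encode("utf-8"))
    return "Basic " + token.decode("ascii")


if __name__ == "__main__":
    # Constructed sample URL; host and credentials are placeholders.
    sample = "http://USER:s3cr%40t@images.example.test:8080/private/image.qcow2"
    clean_url, auth = split_url_credentials(sample)
    print("fetch and log this URL:", clean_url)
    print("send this header:", basic_auth_header(*auth))
```
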
SFERich (sferich) wrote :

I have tested this and it does not seem to be working:

~~~
heat_template_version: 2014-10-16

description: A hot template for provisioning an Glance Image

parameters:

  image_name:
    type: string
    default: "Fedora23"

  container_format:
    type: string
    default: "bare"
    constraints:
      - allowed_values: [ "ami", "ari", "aki", "bare", "ova", "ovf"]

  disk_format:
    type: string
    default: "qcow2"
    constraints:
      - allowed_values: [ "ami", "ari", "aki", "vhd", "vmdk", "raw", "qcow2", "vdi", "iso" ]

  location:
    type: string
    #default: "http://USER:<email address hidden>/private/Fedora-Cloud-Base-23-20151030.x86_64.qcow2"
    #default: "http://OPENSTACK.ENV.com/private/Fedora-Cloud-Base-23-20151030.x86_64.qcow2"
    default: "https://download.fedoraproject.org/pub/fedora/linux/releases/23/Cloud/x86_64/Images/Fedora-Cloud-Base-23-20151030.x86_64.qcow2"

  public:
    type: boolean
    default: false

  protected:
    type: boolean
    default: false

  disk_min:
    type: number
    default: 0

  ram_min:
    type: number
    default: 0

resources:

  image:
    type: OS::Glance::Image
    properties:
      container_format: {get_param: container_format}
      disk_format: {get_param: disk_format}
      is_public: {get_param: public}
      location: {get_param: location}
      min_disk: {get_param: disk_min}
      min_ram: {get_param: ram_min}
      name: {get_param: image_name}
      protected: {get_param: protected}

outputs:
  image_name:
    description: Image Name
    value: { get_param: image_name}
~~~

And as an example the following httpd configuration:

~~~
Alias "/private" "/var/www/test/"
<Directory /var/www/test/>
#<Location "/private">
    #DocumentRoot "/var/www/test/"
    AuthType Basic
    AuthName "Secure"
    AuthBasicProvider file
    AuthUserFile /etc/httpd/test_password
    Order allow,deny
    Allow from all
    Require valid-user
#</Location>
</Directory>
# htpasswd -c /etc/httpd/test_password USER
~~~

With this in place, all variations of the location allow for the stack to be created (complete); however, only the 3rd (the uncommented) option actually creates an image that is usable.

Changed in heat:
status: Incomplete → New
Zane Bitter (zaneb) wrote :

Ah OK, your reference to https://github.com/openstack/heat/blob/master/heat/common/urlfetch.py was a red herring. Heat never downloads the image; Glance does. Heat just passes the URL to Glance:

http://git.openstack.org/cgit/openstack/heat/tree/heat/engine/resources/openstack/glance/image.py#n107

I'll reassign this bug to Glance.

affects: heat → glance
Changed in glance:
importance: Undecided → Wishlist
Niall Bunting (niall-bunting) wrote :

What is heat passing to glance here? Is it doing a copy-from?
