Karbor

authenticate in protection service client

Bug #1566793 reported by yinwei on 2016-04-06

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	Karbor	In Progress	High	zengchen	Karbor ocata-ms

Bug Description

Currently, all openstack clients in protection service use context (including token) passed by API service.
This implementation will introduce 3 issues:
1. protection plugin will check resource status asynchronously in background, which may take hours. The token in the context may expire.
2. protection plugin requires admin authority to check all tenants resource status, while the context from API is per tenant authority;
3. during restore, protection plugin may restore to a separate openstack, which has independent authentication service from smaug API service. We need have protection plugin to authenticate to this openstack's keystone independently.

To address issues above, we'd better have protection service clients to authenticate independently instead of continuing to use context passed by API service

Yuval Brik (jhamhader) on 2016-06-20

Changed in smaug:
status:	New → Triaged
importance:	Undecided → High

Saggi Mizrahi (ficoos) on 2016-11-07

Changed in karbor:
milestone:	none → ocata

zengchen (chenzeng2) on 2016-11-23

Changed in karbor:
assignee:	nobody → zengchen (chenzeng2)

Revision history for this message

zengchen (chenzeng2) wrote on 2016-11-23:

I will fix the first bug that the token may expire when accessing another openstack service in karbor's protect service.

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2016-11-30: Fix proposed to karbor (master)

Fix proposed to branch: master
Review: https://review.openstack.org/404644

Changed in karbor:
status:	Triaged → In Progress

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2016-12-07:

Fix proposed to branch: master
Review: https://review.openstack.org/407899

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2016-12-07:

Fix proposed to branch: master
Review: https://review.openstack.org/407990

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2016-12-08:

Fix proposed to branch: master
Review: https://review.openstack.org/408382

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2016-12-08:

Fix proposed to branch: master
Review: https://review.openstack.org/408400

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2016-12-08: Change abandoned on karbor (master)

Change abandoned by zengchen (<email address hidden>) on branch: master
Review: https://review.openstack.org/407899
Reason: it is split to several patches.

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2017-01-22: Fix merged to karbor (master)

Reviewed: https://review.openstack.org/404644
Committed: https://git.openstack.org/cgit/openstack/karbor/commit/?id=6386bf5bf51ba5186fbb248e9fc33e3b4cd0fe87
Submitter: Jenkins
Branch: master

commit 6386bf5bf51ba5186fbb248e9fc33e3b4cd0fe87
Author: zengchen <email address hidden>
Date: Wed Nov 30 16:41:03 2016 +0800

Prepare for refactoring clients used in protect service

    This patch has done the preparation works for refactoring clients,
    such as initiate keystone plugin, generate session etc. There are
    several patches to do for refactoring the clients.

    Change-Id: I61d2a42fb6f0de2d98714a7e19c1a220dec95082
    Implements: blueprint refactor-clients
    Partial-Bug: #1566793

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2017-01-23: Fix proposed to karbor (master)

Fix proposed to branch: master
Review: https://review.openstack.org/424005

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2017-01-23: Change abandoned on karbor (master)

#10

Change abandoned by zengchen (<email address hidden>) on branch: master
Review: https://review.openstack.org/424005

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2017-01-25: Fix merged to karbor (master)

#11

Reviewed: https://review.openstack.org/407990
Committed: https://git.openstack.org/cgit/openstack/karbor/commit/?id=e5a954114c9e66f753de950e554f8a244b3763c1
Submitter: Jenkins
Branch: master

commit e5a954114c9e66f753de950e554f8a244b3763c1
Author: zengchen <email address hidden>
Date: Wed Dec 7 18:12:33 2016 +0800

Update the way of getting endpoint of other service

    Move 'protection/utils.py' to 'protection/clients/utils.py'. Because
    that file is only used by files in clients. Besides, add a new way to
    get endpoint of service in utils.py/get_url.

    Change-Id: I40104d5767c98301fbc30abc33b4ace4c642933e
    Implements: blueprint refactor-clients
    Partial-Bug: #1566793

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2017-01-30:

#12

Reviewed: https://review.openstack.org/408382
Committed: https://git.openstack.org/cgit/openstack/karbor/commit/?id=c8b1b89de212c2cb68b19ea2724b7b0a655a0be2
Submitter: Jenkins
Branch: master

commit c8b1b89de212c2cb68b19ea2724b7b0a655a0be2
Author: zengchen <email address hidden>
Date: Thu Dec 8 10:35:30 2016 +0800

Fix token expire wich may happen in using clients

    Add a new way to create clients, which usees session and can solve the
    bug that the token may expire during protecting works. Then we can create
    client once and use it all the time(<48h) without worry that the token may
    expire.

    Change-Id: I8becc6db0b3624039eddaa373965b1ba85066606
    Implements: blueprint refactor-clients
    Partial-Bug: #1566793

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2017-08-07: Change abandoned on karbor (master)

#13

Change abandoned by zengchen (<email address hidden>) on branch: master
Review: https://review.openstack.org/408400