This commit adds an 'untargeted' directory to hold orphaned specs that were approved but aren't being worked on. A new index.rst is added explaining the idea, and adjustments are made to other appropriate index pages. Additionally, one glanceclient spec from liberty was stuck in a non-release-name directory; it was moved to the liberty directory, which in turn was slightly reorganized to accommodate both glance and glanceclient specs. Change-Id: I074fc782eca1c3e3c9a1c504501973300741b110
HTTP Proxy Support for Glance S3 Driver
https://blueprints.launchpad.net/glance/+spec/http-proxy-support-for-s3
Currently the S3 store does not allow operators to connect to an S3 backend through a proxy. This can create limitations on the ability to connect to the S3 backend securely from a different network. I propose to add the option to use a proxy to connect to an S3 backend.
Problem description
If the glance store is configured to use the S3 backend, and that backend sits behind a private network and needs to be accessed remotely, there is no secure way to access it.
Proposed change
Boto, the library that is used to make the connection to the S3 backend, already supports proxy configurations. I propose that we enable the connection to accept additional config options to give users the option to connect through a proxy.
The following configurations would be added:
- s3_store_enable_proxy: Enables the use of a proxy
- s3_store_proxy_host: The proxy server (required when proxy is enabled)
- s3_store_proxy_port: The port to connect to the proxy
- s3_store_proxy_user: The username of the proxy connection.
- s3_store_proxy_password: The password to be used to connect through the proxy.
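One way the proposed options could be validated and mapped onto the proxy keyword arguments that boto's `S3Connection` accepts (`proxy`, `proxy_port`, `proxy_user`, `proxy_pass`). This is an added example, not code from glance_store or from the spec author; the helper names, the validation rules and the sample values are assumptions.

```python
# Added example: not glance_store code. Option names come from the spec;
# helper names and validation rules are assumptions.


def proxy_kwargs(conf):
    """Map the proposed store options to boto S3Connection keyword args.

    Returns {} when the proxy is disabled, so a caller can always write
    S3Connection(access_key, secret_key, **proxy_kwargs(conf)).
    """
    if not conf.get("s3_store_enable_proxy", False):
        return {}
    host = conf.get("s3_store_proxy_host")
    if not host:
        # The spec marks the host as required once the proxy is enabled.
        raise ValueError("s3_store_proxy_host is required when "
                         "s3_store_enable_proxy is set")
    kwargs = {"proxy": host}
    port = conf.get("s3_store_proxy_port")
    if port is not None:
        port = int(port)
        if not 1 <= port <= 65535:
            raise ValueError("s3_store_proxy_port out of range: %d" % port)
        kwargs["proxy_port"] = port
    user = conf.get("s3_store_proxy_user")
    password = conf.get("s3_store_proxy_password")
    if password and not user:
        raise ValueError("s3_store_proxy_password set without "
                         "s3_store_proxy_user")
    if user:
        kwargs["proxy_user"] = user
        kwargs["proxy_pass"] = password or ""
    return kwargs


def redacted(kwargs):
    """Copy of kwargs that is safe to log: the proxy password is masked."""
    safe = dict(kwargs)
    if "proxy_pass" in safe:
        safe["proxy_pass"] = "***"
    return safe


# Constructed sample configuration (placeholder values, not real credentials).
SAMPLE = {"s3_store_enable_proxy": True,
          "s3_store_proxy_host": "proxy.example.org",
          "s3_store_proxy_port": "3128",
          "s3_store_proxy_user": "glance",
          "s3_store_proxy_password": "not-a-real-secret"}
```

If the options are registered through oslo.config, declaring the password option with `secret=True` keeps its value out of logged configuration dumps.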
Alternatives
The user can use system-wide proxy parameters, but this would limit the ability to connect from an outside network.
Data model impact
None
REST API impact
None
Security impact
This would introduce security settings that can be modified by the user. The ability to connect through a proxy will provide a good way to secure connections.
Notifications impact
None
Other end user impact
This introduces proxy configuration options in the store configuration.
Performance Impact
None
Other deployer impact
This change will have to be explicitly configured in the store options.
Developer impact
None
Implementation
Assignee(s)
- Primary assignee: cpallares
Reviewers
- Core reviewer(s): flaper87, sigmavirus24
- Other reviewer(s): rosmaita
Work Items
- Add configurations (proxy name, port, user, password, default number of retries to S3, etc).
- Modify connections made to S3 to optionally accept proxy parameters.
- Create additional unit tests for connections made to the S3 backend using a proxy.
Dependencies
None
Testing
Unit testing will be needed for testing proxy connection.
Documentation Impact
Documentation for the S3 store will need to be updated to include proxy opts.
References
- Boto S3 Docs
- OpenStack Security Guidelines