HTTP Proxy Support for Glance S3 Driver

https://blueprints.launchpad.net/glance/+spec/http-proxy-support-for-s3

Currently the S3 store does not allow operators to connect to an S3 backend through a proxy. This limits the ability to connect securely to the S3 backend from a different network. I propose to add the option to use a proxy to connect to an S3 backend.

Problem description

If glance store is configured to use the S3 backend, and the backend is behind a private network and needs to be accessed remotely, there is no secure way to access it.

Proposed change

Boto, the library that is used to make the connection to the S3 backend, already supports proxy configurations. I propose that we enable the connection to accept additional config options to give users the option to connect through a proxy.

The following configurations would be added:

  • s3_store_enable_proxy: Enables the use of a proxy
  • s3_store_proxy_host: The proxy server (required when proxy is enabled)
  • s3_store_proxy_port: The port to connect to the proxy
  • s3_store_proxy_user: The username of the proxy connection
  • s3_store_proxy_password: The password to be used to connect through the proxy
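
One way the options listed above could be validated and mapped onto boto's connection arguments, as an added example that is not code from glance_store or from this spec's author. The option names come from the list above and the keyword names `proxy`, `proxy_port`, `proxy_user` and `proxy_pass` are boto 2's; the dict-based `conf`, the helper names and the sample values are assumptions.

```python
class ProxyConfigError(ValueError):
    """Raised when the s3_store_* proxy options are inconsistent."""


def build_proxy_kwargs(conf):
    """Translate the proposed proxy options into boto connection kwargs.

    `conf` is a plain dict standing in for the store's options (assumption).
    Returns {} when the proxy is disabled, so a caller can always write
    S3Connection(access_key, secret_key, **build_proxy_kwargs(conf)).
    """
    if not conf.get("s3_store_enable_proxy", False):
        return {}
    host = (conf.get("s3_store_proxy_host") or "").strip()
    if not host:
        # Fail at start-up instead of silently connecting without the proxy.
        raise ProxyConfigError("s3_store_proxy_host is required when proxy is enabled")
    kwargs = {"proxy": host}
    port = conf.get("s3_store_proxy_port")
    if port is not None:
        try:
            port = int(port)
        except (TypeError, ValueError):
            raise ProxyConfigError("s3_store_proxy_port must be an integer")
        if not 1 <= port <= 65535:
            raise ProxyConfigError("s3_store_proxy_port must be in 1..65535")
        kwargs["proxy_port"] = port
    user = conf.get("s3_store_proxy_user")
    password = conf.get("s3_store_proxy_password")
    if password and not user:
        raise ProxyConfigError("s3_store_proxy_password set without s3_store_proxy_user")
    if user:
        kwargs["proxy_user"] = user
        kwargs["proxy_pass"] = password or ""
    return kwargs


def redact(kwargs):
    """Return a copy that is safe to log: the proxy password is masked."""
    return {k: ("***" if k == "proxy_pass" else v) for k, v in kwargs.items()}


# Constructed sample configuration (not taken from a real deployment).
SAMPLE_CONF = {
    "s3_store_enable_proxy": True,
    "s3_store_proxy_host": "proxy.example.internal",
    "s3_store_proxy_port": "3128",
    "s3_store_proxy_user": "glance",
    "s3_store_proxy_password": "constructed-secret",
}
```

Logging `redact(build_proxy_kwargs(conf))` instead of the raw kwargs keeps the proxy password out of the store's debug output.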

Alternatives

The user can use system-wide proxy parameters, but this would limit the ability to connect from an outside network.

Data model impact

None

REST API impact

None

Security impact

This would introduce security settings that the user can modify. The ability to connect through a proxy will provide a good way to secure connections.

Notifications impact

None

Other end user impact

This introduces proxy configuration options in the store configuration.

Performance Impact

None

Other deployer impact

This change will have to be explicitly configured in the store options.

Developer impact

None

Implementation

Assignee(s)

Primary assignee:
cpallares

Reviewers

Core reviewer(s):
flaper87 sigmavirus24
Other reviewer(s):
rosmaita

Work Items

  • Add configurations (proxy name, port, user, password, default number of retries to S3, etc).
  • Modify connections made to S3 to optionally accept proxy parameters.
  • Create additional unit tests for connections made to the S3 backend using a proxy.

Dependencies

None

Testing

Unit testing will be needed for testing proxy connection.

Documentation Impact

Documentation for the S3 store will need to be updated to include proxy opts.

Except where otherwise noted, this document is licensed under Creative Commons Attribution 3.0 License.