HTTP Proxy Support for Glance S3 Driver
Currently the S3 store does not allow operators to connect to an S3 backend through a proxy. This can create limitations on the ability to connect to the S3 backend securely from a different network. I propose to add the option to use a proxy to connect to an S3 backend.
If glance store is configured to use the S3 backend, and the backend sits on a private network that must be reached remotely, there is currently no secure way to access it.
Boto, the library that is used to make the connection to the S3 backend, already supports proxy configurations. I propose that we enable the connection to accept additional config options to give users the option to connect through a proxy.
The following configurations would be added:
- s3_store_enable_proxy: Enables the use of a proxy
- s3_store_proxy_host: The proxy server (required when proxy is enabled)
- s3_store_proxy_port: The port to connect to the proxy
- s3_store_proxy_user: The username of the proxy connection
- s3_store_proxy_password: The password to be used to connect through the proxy
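One way the proposed options could be validated and mapped onto boto's proxy arguments (an added example, not code from this spec or from glance_store). It assumes boto 2's `S3Connection` keyword arguments `proxy`, `proxy_port`, `proxy_user` and `proxy_pass`; the helper names, the plain-dict config and the sample values are hypothetical.

```python
"""Added example: proposed s3_store_* proxy options -> boto 2 S3Connection kwargs."""


class BadProxyConfig(ValueError):
    """The proxy options are incomplete or contradict each other."""


def proxy_kwargs(conf):
    """Return proxy kwargs for S3Connection; {} when the proxy is disabled."""
    # `conf` is a plain dict standing in for the store's config options.
    if not conf.get("s3_store_enable_proxy"):
        return {}
    host = (conf.get("s3_store_proxy_host") or "").strip()
    if not host:
        # The spec marks the host as required once the proxy is enabled.
        raise BadProxyConfig("s3_store_proxy_host is required when proxy is enabled")
    kwargs = {"proxy": host}
    port = conf.get("s3_store_proxy_port")
    if port is not None:
        try:
            port = int(port)
        except (TypeError, ValueError):
            raise BadProxyConfig("s3_store_proxy_port must be an integer") from None
        if not 1 <= port <= 65535:
            raise BadProxyConfig("s3_store_proxy_port is out of range")
        kwargs["proxy_port"] = port
    user = conf.get("s3_store_proxy_user")
    password = conf.get("s3_store_proxy_password")
    if password and not user:
        # Assumption of this example: a password without a user is a mistake.
        raise BadProxyConfig("s3_store_proxy_password set without s3_store_proxy_user")
    if user:
        kwargs["proxy_user"] = user
        if password:
            kwargs["proxy_pass"] = password
    return kwargs


def redacted(kwargs):
    """Copy of the kwargs that is safe to log: the proxy password is masked."""
    return {k: ("***" if k == "proxy_pass" else v) for k, v in kwargs.items()}


# Constructed sample configuration (all values are placeholders).
SAMPLE = {"s3_store_enable_proxy": True, "s3_store_proxy_host": "proxy.example.org",
          "s3_store_proxy_port": "3128", "s3_store_proxy_user": "glance",
          "s3_store_proxy_password": "not-a-real-secret"}

if __name__ == "__main__":
    print(redacted(proxy_kwargs(SAMPLE)))
```

The returned dict would be passed as extra keyword arguments where the store builds its S3 connection. With oslo.config, the password option would normally be declared with `secret=True` so it is masked when the configuration is logged.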
The user can use system-wide proxy parameters, but this would limit the ability to connect from an outside network.
Data model impact
REST API impact
This would introduce security settings that can be modified by the user. The ability to connect through a proxy will provide a good way to secure connections.
Other end user impact
This introduces proxy configuration options in the store configuration.
Other deployer impact
This change will have to be explicitly configured in the store options.
- Primary assignee:
- Core reviewer(s):
- Other reviewer(s):
Add configurations (proxy name, port, user, password, default number of retries to S3, etc.).
Modify connections made to S3 to optionally accept proxy parameters.
Create additional unit tests for connections made to the S3 backend using a proxy.
Unit tests will be needed to cover the proxy connection.
Documentation for the S3 store will need to be updated to include proxy opts.