This is a specless blueprint for adding a service token to solve the user token expiration issue for long-running tasks.

Registered by Niraj Singh on 2017-10-20

Some operations in Cinder can take a long time to complete. During this
time the user token associated with the request could expire. When Cinder then
tries to communicate with other services using the same user token, Keystone
fails to validate the request because the token has expired.
A service token will be passed along with the user token when communicating
with other projects' services during long-running tasks such as:

Glance service:
Create image by volume
Create volume by image

Nova service:
update_server_volume
create_volume_snapshot
delete_volume_snapshot

Keystone middleware trusts that the service received the user token while
it was still valid, and does not check the expiry date of the cert.
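The acceptance rule described above, as an added example that is not code from Cinder or keystonemiddleware: a simplified model of how a receiving service could decide whether to honour an expired user token that arrives with a service token. The `service` role name, the 48-hour window, the in-memory token table and the function name `validate` are assumptions of this model; `X-Auth-Token` and `X-Service-Token` are the request headers that carry the two tokens.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Simplified model of the decision; NOT keystonemiddleware code.
SERVICE_ROLES = {"service"}            # assumed role that marks a service identity
EXPIRED_WINDOW = timedelta(hours=48)   # assumed bound on how stale a user token may be

@dataclass
class Token:
    subject: str
    roles: frozenset
    expires_at: datetime

def validate(headers, tokens, now):
    """Return (accepted, reason). `tokens` maps token id -> Token (constructed)."""
    user = tokens.get(headers.get("X-Auth-Token"))
    if user is None:
        return False, "unknown user token"
    if now < user.expires_at:
        return True, "user token valid"
    # The user token has expired: only a valid service token can vouch for it.
    service = tokens.get(headers.get("X-Service-Token"))
    if service is None:
        return False, "user token expired, no service token"
    if now >= service.expires_at:
        return False, "service token expired"
    if not (service.roles & SERVICE_ROLES):
        return False, "service token lacks a service role"
    if now - user.expires_at > EXPIRED_WINDOW:
        return False, "user token expired beyond allowed window"
    return True, "expired user token accepted via service token"

# Constructed sample data: one user token expired during a long-running task.
NOW = datetime(2018, 6, 8, 12, 0, tzinfo=timezone.utc)
TOKENS = {
    "user-tok": Token("alice", frozenset({"member"}), NOW - timedelta(minutes=30)),
    "old-tok": Token("alice", frozenset({"member"}), NOW - timedelta(days=5)),
    "cinder-tok": Token("cinder", frozenset({"service"}), NOW + timedelta(hours=1)),
    "member-tok": Token("bob", frozenset({"member"}), NOW + timedelta(hours=1)),
}

if __name__ == "__main__":
    for hdrs in (
        {"X-Auth-Token": "user-tok"},
        {"X-Auth-Token": "user-tok", "X-Service-Token": "cinder-tok"},
        {"X-Auth-Token": "user-tok", "X-Service-Token": "member-tok"},
        {"X-Auth-Token": "old-tok", "X-Service-Token": "cinder-tok"},
    ):
        print(hdrs, "->", validate(hdrs, TOKENS, NOW))
```

The third case is the one to check in a real deployment: a token that is valid but carries no service role must not be able to vouch for an expired user token.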

P.S.: A service token is already used by Nova for interacting with Glance, as implemented by this BP: https://blueprints.launchpad.net/nova/+spec/use-service-tokens-pike
The long-pending blueprint below also solves the same problem, but its design is totally different from ours: https://blueprints.launchpad.net/cinder/+spec/image-trust-authentication

Blueprint information

Status: Complete
Approver: Jay Bryant
Priority: Medium
Drafter: Niraj Singh
Direction: Approved
Assignee: Niraj Singh
Definition: New
Series goal: Accepted for queens
Implementation: Implemented
Milestone target: None
Started by: Eric Harney on 2018-06-08
Completed by: Eric Harney on 2018-06-08

Whiteboard

Gerrit topic: https://review.openstack.org/#q,topic:bp/use-service-tokens,n,z

Addressed by: https://review.openstack.org/524497
    Add service_token for cinder-nova interaction

Addressed by: https://review.openstack.org/526611
    Add service_token for cinder-glance interaction
