Handling auth expiry for long-running deployments (keystone trusts)

Registered by Steve McLellan on 2014-06-24

Long deployments (a long running heat job, or lots of components, slow servers etc) can eventually hit an authorization error as the user's token expires. Murano cannot regenerate the token, and the deployment fails. This isn't a problem specific to Murano (it affects Solum also, and maybe TripleO) but there's no clear solution. Keystone trusts might be a partial solution but (I think) chaining is necessary to pass on responsibility to Heat.

We do need a solution for this, because by its nature it will be possible (or even encouraged) to start large deployments.

Blueprint information

Ruslan Kamaldinov
Steve McLellan
Stan Lagun
Series goal:
Accepted for kilo
Milestone target:
milestone icon 2015.1.0
Started by
Stan Lagun on 2014-08-29
Completed by
Serg Melikyan on 2014-12-18

Related branches



After talking to Steve Hardy, heat supports trust delegation (and it will be the default at some point), so in theory (TM) once the initial stack-create succeeds, Heat should be able to continue functioning.

It should be possible for Murano to do the same; use the initial token to generate a trust that will be valid for e.g. checking heat stack status forever. Since trust chaining is NOT yet implemented, the initial operations still have to be done with a scoped, non-trusted-generated token (e.g. from horizon or from keystone).

[Stan Lagun]
After some research and attempts to implement trusts I discovered that Icehouse Heat has a but that prevents it from doing anything with a token obtained from trust. Because of this bug we cannot issue new token and access stack using it. This bug was recently fixed so I'm trying to set up myself Juno Heat and test on it. Also I need to make config setting to not to use trusts (and make it default) so that Murano could still be used with Icehouse.

Also in order to use trusts with Heat the later needs to be specially configured (trusts are disabled by default) and user need to have special role (that you cannot create/add in Horizon). Thus we also need to update devstack scripts for new configuration because otherwise nothing will work with trusts enabled even on Juno

Gerrit topic: https://review.openstack.org/#q,topic:bp/auth-for-long-running-requests,n,z

Addressed by: https://review.openstack.org/119042
    Use Keystone trusts to get fresh token

[asalkeld] let me know if you need help, i got solum working in this situation:


Work Items

This blueprint contains Public information 
Everyone can see this information.


No subscribers.